
Spies among us: Defending against state-sponsored insider threats


Many types of organisations can end up finding themselves on the receiving end of nation-state sponsored insider threats as other countries seek to access valuable trade secrets and intellectual property.

At the end of 2018, we predicted that nation-state threats would increase significantly in the year to come, particularly against critical infrastructure. Headlines in January carrying news of data breaches in Singapore and Germany instantly confirmed what many had feared and known for a long time: state systems are extremely vulnerable to cyber security risks, including the insider threat, and compliance alone isn’t enough to keep data safe.

An inquiry recently concluded that hackers resembling state-sponsored actors were responsible for the biggest cyber-attack in Singapore’s history, which targeted Prime Minister Lee Hsien Loong and saw the health records of about a quarter of the population stolen. Meanwhile, police investigations confirmed that a disgruntled 19-year-old IT worker was responsible for leaking personal data and documents belonging to hundreds of German politicians, including Chancellor Angela Merkel. These high-profile events remind us why we need to look inwards – as well as outwards – to protect critical data and infrastructure.

The Centre for Strategic and International Studies provides an illuminating and worrying timeline of significant cyber-incidents going back to 2006, focusing on cyber-attacks on government agencies, defense and high-tech companies. It makes clear that state-sponsored threat actors and high-level hackers are constantly looking to gain access to the critical infrastructure of nations worldwide, with the intent of hitting some of our most valuable systems: national security, public health, emergency communications, and more.

Spies might seem like they belong more to TV dramas and films than the real world, but the reality is that many types of organisations can end up finding themselves on the receiving end of nation-state sponsored insider threats. Insider theft is just one way that other countries can gain access to valuable trade secrets and intellectual property.

Privileged users and super-admins – with their access to troves of sensitive and confidential data – have long been a focus of concern for cyber-security specialists. However, it’s increasingly likely that key business executives, or those working directly for government leaders, will become the next target for state-sponsored threats, eclipsing more traditional privileged users.

Their access to high-value information makes them a key target for credential hijacking. Even worse, they could be lured into revealing secrets in return for cash. It’s worth remembering that, because state assets and communications are access-controlled and encrypted, cyber-attackers often leverage compromised credentials together with rogue keys and certificates to gain the access they want.

It is also important to consider the motivations and behaviours that drive malicious activity by insiders. Often, insider-led breaches are motivated by financial problems or organisational grievances. Nation-state actors, by contrast, are typically motivated by politics. When we consider the role of suspected foreign online influence in recent high-profile elections, state-backed cyber-crime should worry us all.

Legacy security tools such as data loss prevention (DLP) are not always able to spot the changes in user behaviour that could indicate compromise, nor to prevent data exfiltration by those on the inside. Because they focus solely on data rather than on user behaviour, these tools are also unable to work out the context of an insider threat.

Similarly, UEBA tools are unable to effectively detect risky behaviours or to help piece together what happened before, during and after an insider threat incident. Without visibility into both user and file activity, it is impossible to know whether trusted insiders – employees, vendors or consultants – are maliciously or inadvertently compromising sensitive information, to what end, and for whom.
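The point about combining user and file visibility is easier to see with a concrete rule. The script below is an added illustration, not code from the article or from any product it refers to: it parses two constructed event streams (user sessions and file activity), stitches file actions onto the session they occurred in, and raises an alert only when a data action (a burst of confidential reads, or a copy of confidential material off the share) happens inside a session that also carries behavioural context (off-hours login, a non-corporate source address, a privileged role). A content-only DLP check would see just the final copy; the session view gives the before, during and after. The user names, paths, the `10.` corporate address range and the thresholds are all assumptions made for the sample.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed format: "<iso-timestamp> <action> key=value ...").
SESSION_EVENTS = [
    "2019-02-20T09:02:11 login user=ahmed role=admin src=10.0.4.12",
    "2019-02-20T17:58:40 logout user=ahmed",
    "2019-02-20T23:14:05 login user=ahmed role=admin src=203.0.113.7",
    "2019-02-21T08:55:00 login user=lin role=analyst src=10.0.4.30",
]
FILE_EVENTS = [
    "2019-02-20T09:30:12 read user=ahmed path=/share/hr/policy.docx label=internal",
    "2019-02-20T23:15:10 read user=ahmed path=/share/rd/design-v3.pdf label=confidential",
    "2019-02-20T23:15:31 read user=ahmed path=/share/rd/roadmap.xlsx label=confidential",
    "2019-02-20T23:15:52 read user=ahmed path=/share/rd/patent-draft.docx label=confidential",
    "2019-02-20T23:16:20 copy user=ahmed path=/share/rd/patent-draft.docx dest=usb label=confidential",
    "2019-02-21T09:10:00 read user=lin path=/share/rd/design-v3.pdf label=confidential",
]


def parse(line):
    """Turn one event line into a dict with a datetime 'ts', an 'action' and the key=value fields."""
    ts, action, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts), "action": action}
    for item in fields:
        key, value = item.split("=", 1)
        event[key] = value
    return event


def build_sessions(session_events):
    """Group login/logout events into per-user sessions (a login without logout stays open)."""
    sessions, open_by_user = [], {}
    for ev in sorted(session_events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["action"] == "login":
            if user in open_by_user:            # new login implicitly closes the previous session
                open_by_user[user]["end"] = ev["ts"]
            s = {"user": user, "role": ev.get("role"), "src": ev["src"],
                 "start": ev["ts"], "end": None, "files": []}
            sessions.append(s)
            open_by_user[user] = s
        elif ev["action"] == "logout" and user in open_by_user:
            open_by_user.pop(user)["end"] = ev["ts"]
    return sessions


def attach_files(sessions, file_events):
    """Assign each file event to the session of the same user that was active at that time."""
    for fe in sorted(file_events, key=lambda e: e["ts"]):
        for s in sessions:
            if s["user"] == fe["user"] and s["start"] <= fe["ts"] and (s["end"] is None or fe["ts"] < s["end"]):
                s["files"].append(fe)
                break


def is_corporate(src):
    return src.startswith("10.")  # assumed corporate address range for this sample


def score_session(s, bulk_threshold=3, window=timedelta(minutes=5)):
    """Return (context_flags, data_flags) for one session."""
    context, data = [], []
    if not 8 <= s["start"].hour < 19:
        context.append("off_hours_login")
    if not is_corporate(s["src"]):
        context.append("external_source")
    if s["role"] == "admin":
        context.append("privileged_role")
    confidential = [f for f in s["files"] if f.get("label") == "confidential"]
    reads = [f["ts"] for f in confidential if f["action"] == "read"]
    # Burst detection: bulk_threshold confidential reads inside one sliding window.
    for i in range(len(reads) - bulk_threshold + 1):
        if reads[i + bulk_threshold - 1] - reads[i] <= window:
            data.append("bulk_confidential_reads")
            break
    if any(f["action"] in ("copy", "upload") and f.get("dest") for f in confidential):
        data.append("confidential_copy_out")
    return context, data


def analyse(session_lines, file_lines):
    """Alert on sessions that combine a data action with behavioural context, with a full timeline."""
    sessions = build_sessions([parse(l) for l in session_lines])
    attach_files(sessions, [parse(l) for l in file_lines])
    alerts = []
    for s in sessions:
        context, data = score_session(s)
        if data and context:
            timeline = [f"{s['start'].isoformat()} login from {s['src']} role={s['role']}"]
            timeline += [f"{f['ts'].isoformat()} {f['action']} {f['path']}" for f in s["files"]]
            alerts.append({"user": s["user"], "session_start": s["start"],
                           "flags": context + data, "timeline": timeline})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SESSION_EVENTS, FILE_EVENTS):
        print(alert["user"], alert["flags"])
        print("\n".join("  " + line for line in alert["timeline"]))
```

Run on the sample, the analyst's daytime read of a confidential document and the admin's daytime session produce no alert, while the admin's late-night session from an external address is flagged with the burst of reads and the copy to removable media laid out in order. The rule is deliberately conservative (context and data action both required); tuning the thresholds and the notion of "corporate" is what a real deployment would spend its time on.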

Ultimately, by targeting high-tech businesses, government and defense agencies and others, nation-state insider attacks will continue to be one of the biggest threats to information assets in the year to come. As the landscape of cyber-crime continues to shift amid continued geopolitical uncertainty, it’s high time we all set out to get insider threat protection right. Only with more visibility into user behaviour, an understanding of the context and intent behind an incident, and a real-time alerting system can even the earliest signs of an insider threat be picked up – and a breach caught in motion and stopped before the consequences spiral into significant, long-term damage.


Article originally published on 22-2-19 by SC Media.