With so much focus on external actors, malicious insiders are often overlooked as serious threats. Malicious insiders can be current or former employees, contractors, partners, or service providers who have, or once had, a legitimate reason to use the infrastructure but who act with malicious intent.
The reality is that malicious insiders are one of the hardest groups of adversaries to detect. Firewalls and IDS products are typically deployed at the perimeter of an enterprise and are completely blind to people who are already inside and using the infrastructure legitimately. The risks associated with people and companies who have legitimate reasons to use your infrastructure, but whose malicious intent you did not foresee, are very high.
23% of all incidents hitting the organization result from criminal insiders
The cost to remediate these incidents averages $4.08 million per organization
The total number of insider incidents averages 4,716, a 300% increase from just two years ago.
At Kognos, we acknowledge the complexity of discovering and isolating malicious insiders; they are inside your environment and can blend in with the rest of the users. We also acknowledge that the incidents and movements of insider threats cannot be identified in real time without a complete picture of the attack that is unfolding in your environment.
This is where the power of relationships is key. When you are looking at the relationship across all of the insider’s activity versus trying to understand events alone, you begin to see the complete attack story. You see whether the malicious insider is mounting shared drives, laterally propagating from machine to machine, or living off the land using legitimate binaries native to the operating systems to evade detection. Given this is all blended with legitimate activity, there is value in understanding these interconnected relationships and closely monitoring them. As Kognos identifies these relationships, we are able to cumulatively aggregate suspicious activity and expose malicious insiders.
Take this case study for example:
In March of 2019, over 100 million people were affected when Capital One suffered a massive data breach. The breach exposed 106 million credit card applications, including names, dates of birth, addresses, phone numbers as well as over 140,000 Social Security numbers and 80,000 bank accounts. Credit score and transaction data were also breached. This was all done by a former Amazon employee.
Court documents attest this malicious insider created a program to scan cloud customers for a specific Amazon Web Services firewall misconfiguration. While in this case the hacker’s prior role at the company didn't lend any insider access, her knowledge of the web application processes aided in finding the target misconfiguration. Once the configuration was identified, the hacker allegedly exploited it to extract privileged account credentials.
The hacker was then able to exfiltrate data after gaining access to victims' cloud infrastructure using the stolen credentials. Further, court documents show that in some cases she used this access to set up cryptocurrency mining operations using the victims' cloud computing power.
This was a massive breach for a single bad actor to carry out. Remaining under the radar, the actor was able to move laterally around the cloud infrastructure, from machine to machine and across environments. It is clear that every event in this breach was related to the others.
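The "attack story" idea above (relating share mounts, lateral movement, living-off-the-land execution, and credential access across a single insider's activity rather than alerting on each event alone) and the chained events of the case study can be illustrated with a small correlation routine. The following is an added example written for this article, not Kognos product code: it groups constructed telemetry by principal, maps each event to an assumed stage taxonomy, and surfaces only principals whose events inside one time window span several distinct stages, returning the ordered chain and the hosts traversed. All hosts, user names and events are fictitious.

```python
"""Correlate per-user events into an 'attack story' instead of alerting on each event alone.

Constructed example (not the vendor's code): events are grouped by principal, and a
principal whose activity within one time window spans several distinct attack stages
(share access, lateral movement, living-off-the-land execution, credential access,
exfiltration) is surfaced together with the ordered chain of related events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Map raw event actions to the stage they evidence (assumed taxonomy, not from the article).
STAGE_OF = {
    "mount_share": "share_access",
    "logon_remote": "lateral_movement",
    "process_exec": "lotl_execution",
    "credential_read": "credential_access",
    "outbound_transfer": "exfiltration",
}

# Constructed telemetry: (timestamp, principal, host, action, detail). Everything is fictitious.
EVENTS = [
    ("2019-03-22T08:55:00", "bob",   "ws-07", "mount_share",       r"\\fileserver\shared"),
    ("2019-03-22T09:10:00", "bob",   "ws-07", "logon_remote",      "app-03"),
    ("2019-03-22T10:01:00", "alice", "ws-12", "mount_share",       r"\\fileserver\finance"),
    ("2019-03-22T10:06:00", "alice", "ws-12", "logon_remote",      "db-02"),
    ("2019-03-22T10:09:00", "alice", "db-02", "process_exec",      "powershell.exe"),
    ("2019-03-22T10:15:00", "alice", "db-02", "credential_read",   "service-account vault"),
    ("2019-03-22T11:40:00", "alice", "db-02", "outbound_transfer", "2.3 GB to external host"),
    ("2019-03-22T14:00:00", "carol", "ws-03", "process_exec",      "powershell.exe"),
    ("2019-03-23T14:00:00", "carol", "ws-03", "process_exec",      "powershell.exe"),
]


def parse(events):
    """Normalise raw tuples into dicts with real datetimes and a stage label."""
    rows = []
    for ts, principal, host, action, detail in events:
        stage = STAGE_OF.get(action)
        if stage is None:  # actions outside the taxonomy carry no stage signal
            continue
        rows.append({"time": datetime.fromisoformat(ts), "principal": principal,
                     "host": host, "action": action, "detail": detail, "stage": stage})
    return rows


def build_stories(events, window=timedelta(hours=24), min_stages=3):
    """Return {principal: ordered event chain} for every principal whose events inside
    some `window` cover at least `min_stages` distinct stages. Isolated events never
    qualify on their own; the relationship between events is the signal."""
    by_principal = defaultdict(list)
    for row in parse(events):
        by_principal[row["principal"]].append(row)

    stories = {}
    for principal, rows in by_principal.items():
        rows.sort(key=lambda r: r["time"])
        for i, start in enumerate(rows):
            chain = [r for r in rows[i:] if r["time"] - start["time"] <= window]
            if len({r["stage"] for r in chain}) >= min_stages:
                stories[principal] = chain  # first qualifying window becomes the story
                break
    return stories


def stage_sequence(chain):
    """Stages in the order they occurred."""
    return [r["stage"] for r in chain]


def attack_path(chain):
    """Hosts touched in order, consecutive repeats collapsed: the lateral path."""
    path = []
    for r in chain:
        if not path or path[-1] != r["host"]:
            path.append(r["host"])
    return path


if __name__ == "__main__":
    for principal, chain in build_stories(EVENTS).items():
        print(f"{principal}: {' -> '.join(stage_sequence(chain))}")
        print(f"  hosts: {' -> '.join(attack_path(chain))}")
```

With the default threshold only "alice" is surfaced: her share mount, remote logon, PowerShell execution, credential read and large outbound transfer fall within one day and cover five stages, and the host path shows the hop from her workstation to the database server. "bob" touches two stages and "carol" one, so neither produces a story unless the threshold is lowered; tuning `window` and `min_stages` is the trade-off between catching slow-moving insiders and drowning in benign admin activity.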