Kognos for MSSPs reduces MTTD/MTTR metrics to mere minutes. Learn More.

Understanding Insider Threats with the Power of Relationships

By Rakesh Nair

With so much focus on external actors, malicious insiders are often overlooked as serious threats. Malicious insiders could be current and former employees, contractors, partners, or service providers who had/have a legitimate reason for using the infrastructure, but have malicious intent. 

The reality is, malicious insiders are one of the hardest groups of adversaries to detect. Firewalls and IDS products are often deployed at the perimeters of an enterprise and are completely blind to people who are already inside and using the infrastructure legitimately. The risks associated with people and companies who have legitimate reasons for using your infrastructure, but who have malicious intent you didn't foresee is very high.

According to IBM’s Cost of Insider Threat Report for 2020:

  • 23% of all incidents hitting the organization result from criminal insiders

  • The cost to remediate these incidents averages $4.08 million per organization

  • The total number of insider incidents averages 4,716. A 300% increase from just two years ago. 

At Kognos, we acknowledge the complexities of discovering and isolating malicious insiders; they are inside your environment and can blend in with the rest of the users. We also acknowledge that incidents and movements of insider threats cannot be identified in real-time without having a complete picture of a given attack that is unfolding in your environment.

This is where the power of relationships is key. When you are looking at the relationship across all of the insider’s activity versus trying to understand events alone, you begin to see the complete attack story. You see whether the malicious insider is mounting shared drives, laterally propagating from machine to machine, or living off the land using legitimate binaries native to the operating systems to evade detection. Given this is all blended with legitimate activity, there is value in understanding these interconnected relationships and closely monitoring them. As Kognos identifies these relationships, we are able to cumulatively aggregate suspicious activity and expose malicious insiders.  

Malicious insiders’ activity is complex, but when taking a relationship centric approach to detection and response, understanding the attack story becomes easier.

Take this case study for example:

In March of 2019, over 100 million people were affected when Capital One suffered a massive data breach. The breach exposed 106 million credit card applications, including names, dates of birth, addresses, phone numbers as well as over 140,000 Social Security numbers and 80,000 bank accounts. Credit score and transaction data were also breached. This was all done by a former Amazon employee. 

Court documents attest this malicious insider created a program to scan cloud customers for a specific Amazon Web Services firewall misconfiguration. While in this case the hacker’s prior role at the company didn't lend any insider access, her knowledge of the web application processes aided in finding the target misconfiguration. Once the configuration was identified, the hacker allegedly exploited it to extract privileged account credentials.

The hacker was then able to exfiltrate data after gaining access to victim’s cloud infrastructure using the already stolen credentials. Further, court documents show how in some cases, she used this access to set up cryptocurrency mining operations using victims' cloud computing power.

This is a massive breach to be done by a single bad actor. Remaining under the radar, they were able to laterally move around the cloud infrastructure, from machine to machine and across environments. It is clear that every event in this breach was related to the others. 

The Kognos autonomous XDR investigator platform is built to trace the subtlest of suspicious behavior. Given we are tracing the entire activity of the user as related incidents, we can cumulatively look at the insider’s activity to bubble up possible threats to see the complete picture of an attack. This is the power of relationships.

Kognos continuously monitors billions of relationships to detect suspicious behavior. Once detected, Kognos uses an AI powered inquiry engine to ask thousands of forensic questions per second to fully contextualize the attack and present the findings as complete attack campaigns, allowing the analyst to respond in real-time.

Contact

Oxygen Icon Box

2064 Walsh Ave, STE C1
Santa Clara, 
California - 95050

Oxygen Icon Box

info@kognos.io

Copyright © 2021 Kognos, Inc. All Rights Reserved.
envelopemap-markercross linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram