The Insider, the Outsider and the Threat
The guys from Detexian came to me a few weeks ago and asked if I could write a guest blog about any security topic I liked. I said I would, and the topic I chose was insider threats. I chose it because the insider threat is still an immature risk: few organizations understand how to manage it, and as a result they downplay it.
The topic is sensitive and as such taboo. The assumption is that if you discuss it, you have no trust in your employees or, worse still, no control over their actions. The other reason I feel it is an important and under-represented security topic is that, in my opinion, the effects of a successful insider attack are devastating; they can destroy a business.
By my definition the insider is an employee or contractor. They are typically placed in key roles, they are trusted, and they are knowledgeable about the organization's business processes.
What makes the insider that much more dangerous than your garden-variety cyber criminal is their deep-seated knowledge of your business processes, and with it the knowledge of how to avoid or bypass security measures. Their favorite method of attack is what is known as Business Process Compromise (BPC): abusing a legitimate workflow (a trade, a payment run, a change ticket) rather than breaking a technical control, so nothing looks like an exploit and nothing trips a signature. That is what makes detection and prevention extremely difficult. Try stopping an adversary that knows everything about you!
There is one additional threat actor to consider: the outsider. This is your ex-employee or a third-party service provider; they too have intimate knowledge of how your business operates. What makes the outsider much harder to manage is that they are almost impossible to monitor: they are no longer on your network, your endpoints or your HR system, so the only signals you have left are your own logs.
Let’s look at a few real-world insider cases and learn what went wrong and what could have been done to prevent or stymie the attack.
The SocGen Rogue Trader - Jérôme Kerviel ($5.47B losses)
This is the worst case of insider attack I have ever read about. He single-handedly lost USD $5.47B (around EUR 4.9B) on unauthorized derivatives trading at the French bank Société Générale, building up the positions during 2007 until they were discovered and unwound in January 2008.
The results of this insider attack: the bank had to raise emergency capital from its shareholders, the chairman and chief executive stepped down under pressure, and the French banking regulator fined the bank for failures in its internal controls.
What is more interesting is how this insider managed to pull off the attack. Have a look at this:
He worked in multiple areas of the bank including settlements, risk control and the front office (trading desk)
Accumulated access privileges over the years as he changed roles
Developed deep knowledge of the bank’s risk management processes
Developed IT skills with the administration of risk management and trading systems
Knew exactly where risk managers and auditors would look for fraud
Ok, so this guy was extremely good at finding business process weaknesses and devised a plan to exploit them, which he did successfully. The question remains, though: why was he allowed to accumulate access privileges? We get it, he bypassed risk management controls, which cannot easily be detected or prevented, but his accounts and privileges should have been reviewed every time he changed roles. A mover should lose the entitlements of the old role when they gain those of the new one, and a toxic combination such as booking trades while also holding write access to settlement or limit data should be flagged regardless of how it was accumulated. I guess the French taxpayer and the bank's shareholders are on the hook for this breach!
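The two checks described above, an access review that catches entitlements carried over from previous roles and a segregation-of-duties check for toxic combinations, as an added example in Python. This is not code from the original post or from any bank; the role baselines, the conflict list, the HR role history and the entitlement grants are all constructed for illustration, and a real review would read them from the HR system and the entitlement store.

```python
"""Access review on role change: privilege creep and toxic combinations.

Added example, not from the original post. ROLE_BASELINE, SOD_CONFLICTS,
HISTORY and GRANTS are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RoleChange:
    user: str
    role: str
    start: date                       # first day in this role


@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    granted_on: date
    revoked_on: Optional[date] = None  # None: still held


# Entitlements each role legitimately needs (constructed baseline).
ROLE_BASELINE: Dict[str, set] = {
    "settlements":  {"settlement_system.rw"},
    "risk_control": {"risk_reports.ro", "limit_overrides.rw"},
    "trader":       {"trading_desk.rw", "risk_reports.ro"},
}

# Combinations no single person may hold, whatever their role (constructed).
SOD_CONFLICTS: Dict[str, set] = {
    "book and settle own trades":    {"trading_desk.rw", "settlement_system.rw"},
    "trade and override own limits": {"trading_desk.rw", "limit_overrides.rw"},
}


def role_on(history: List[RoleChange], user: str, day: date) -> Optional[str]:
    """Role `user` held on `day`: the latest change starting on or before it."""
    changes = sorted((c for c in history if c.user == user and c.start <= day),
                     key=lambda c: c.start)
    return changes[-1].role if changes else None


def active_grants(grants: List[Grant], day: date) -> List[Grant]:
    """Grants in force on `day` (granted by then and not yet revoked)."""
    return [g for g in grants
            if g.granted_on <= day and (g.revoked_on is None or g.revoked_on > day)]


def privilege_creep(history: List[RoleChange], grants: List[Grant],
                    day: date) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """Entitlements held on `day` outside the holder's current role baseline,
    each tagged with the role under which it was originally granted."""
    findings: Dict[str, List[Tuple[str, Optional[str]]]] = {}
    for g in active_grants(grants, day):
        role_now = role_on(history, g.user, day)
        if role_now is None or g.entitlement in ROLE_BASELINE.get(role_now, set()):
            continue
        role_then = role_on(history, g.user, g.granted_on)
        findings.setdefault(g.user, []).append((g.entitlement, role_then))
    return findings


def sod_violations(grants: List[Grant], day: date) -> Dict[str, List[str]]:
    """Users who hold every entitlement of a conflicting combination on `day`."""
    held: Dict[str, set] = {}
    for g in active_grants(grants, day):
        held.setdefault(g.user, set()).add(g.entitlement)
    return {user: [name for name, combo in SOD_CONFLICTS.items() if combo <= ents]
            for user, ents in held.items()
            if any(combo <= ents for combo in SOD_CONFLICTS.values())}


# Constructed sample: "jk" moved settlements -> risk control -> trading desk and
# kept every entitlement along the way; "ab" briefly held a conflicting pair
# in early 2004 before it was revoked.
HISTORY = [
    RoleChange("jk", "settlements", date(2000, 8, 1)),
    RoleChange("jk", "risk_control", date(2002, 1, 1)),
    RoleChange("jk", "trader", date(2005, 3, 1)),
    RoleChange("ab", "settlements", date(2003, 6, 1)),
]
GRANTS = [
    Grant("jk", "settlement_system.rw", date(2000, 8, 1)),
    Grant("jk", "risk_reports.ro", date(2002, 1, 1)),
    Grant("jk", "limit_overrides.rw", date(2002, 1, 1)),
    Grant("jk", "trading_desk.rw", date(2005, 3, 1)),
    Grant("ab", "settlement_system.rw", date(2003, 6, 1)),
    Grant("ab", "trading_desk.rw", date(2004, 1, 1), revoked_on=date(2004, 2, 1)),
]
REVIEW_DATE = date(2007, 12, 31)

if __name__ == "__main__":
    for user, items in privilege_creep(HISTORY, GRANTS, REVIEW_DATE).items():
        for ent, old_role in items:
            print(f"{user}: still holds {ent}, granted under role {old_role!r}")
    for user, names in sod_violations(GRANTS, REVIEW_DATE).items():
        print(f"{user}: segregation-of-duties conflict: {', '.join(names)}")
```

The two checks are deliberately separate: privilege creep is a mover problem and is judged against the current role, while the segregation-of-duties check ignores roles entirely and asks only what the person can do right now, so it also catches a conflict created by a "temporary" grant that was never revoked.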
Former Cisco employee deletes 456 virtual machines for Cisco’s WebEx Teams application
Former Cisco systems engineer Sudhish Kasaba Ramesh admitted in court that in September 2018, about five months after he resigned from Cisco, he connected to Cisco's AWS-hosted infrastructure and ran a script that deleted 456 virtual machines hosting the WebEx Teams application. As a result, some 16,000 user accounts were shut down for up to two weeks. Cisco spent roughly USD $1.4M in employee time restoring the platform and paid a further USD $1M in refunds to affected customers.
This is pretty interesting, as I suspect one of a few things happened here for this attack to be successful:
Cisco probably uses multiple identity management platforms, and somehow access to the WebEx platform was missed during the employment termination process.
The employee planted a backdoor user account that was difficult to find.
The employee found vulnerabilities in the WebEx hosting platforms and exploited them remotely without needing a user account.
Cisco did not implement robust user activity monitoring or intrusion detection.
Cisco, having pivoted over the years from a networking hardware manufacturer to a "cloud security" company, will have a tough time convincing customers and investors that it has its shop in order.
Capital One Hack
This is truly an interesting case of an outsider breaching a client's network to steal data. Paige Thompson, a former AWS employee, breached the network of financial services firm Capital One and stole the records of about 106 million customers and applicants; the breach was discovered and disclosed in July 2019. What made her attack so damaging was that she stole credit card and loan application data, which can be resold to criminal gangs for wider fraud.
Thompson found a misconfigured web application firewall (WAF) running on an EC2 instance in Capital One's AWS environment. The misconfiguration allowed a server-side request forgery: she could make the WAF host send requests on her behalf to the EC2 instance metadata service, which handed back temporary credentials for the IAM role attached to that instance. That role had far broader permissions than the WAF needed, so the credentials let her list and copy the contents of Capital One's S3 buckets. The net loss for Capital One has been put in excess of USD $200M in regulatory fines, security remediation work and the costs relating to the exposed applications.
You're probably wondering what could have been done to prevent this type of outsider attack. From the outset I would say Capital One should revisit vulnerability management; a comprehensive penetration test should be performed at least annually, and it should include cloud-specific checks: does any internet-facing component fetch URLs on behalf of a client, can that component reach the instance metadata service, and what can the role attached to it actually do? The controls that would have blunted this particular attack are well known: least-privilege IAM roles scoped to the buckets the instance really needs, IMDSv2 (which requires a session token obtained with a PUT request, something a simple SSRF cannot produce), and egress filtering that stops application hosts from talking to 169.254.169.254. With regard to third parties and vendors, stricter policies on information sharing and pre-employment screening are worth initiating.
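The SSRF path described above, shown as an added example in Python: a server-side "fetch this URL for me" handler in its vulnerable shape next to a hardened version that refuses link-local, loopback and private destinations before any connection is made. This is not code from the original post, from Capital One or from AWS; the proxy-style fetch handler, the pluggable resolver and the blocked-range policy are assumptions made for illustration, and the stand-in HTTP client never touches the network.

```python
"""Outbound URL guard against the SSRF-to-metadata path: a host fetches an
attacker-supplied URL that points at the EC2 instance metadata service
(169.254.169.254), which returns the credentials of the instance's IAM role.

Added example, not from the original post, Capital One or AWS. The fetch
handler shape and the resolver hook are assumptions.
"""
import ipaddress
import socket
from typing import Callable, List, Tuple, Union
from urllib.parse import urlparse

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]
Opener = Callable[[str], bytes]

# Ranges a user-supplied URL must never reach (constructed policy). The
# link-local block carries the metadata service on AWS, Azure and GCP.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "0.0.0.0/8",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10", "fd00::/8",
)]


def system_resolver(host: str) -> List[str]:
    """All addresses the OS resolver returns for `host`."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def normalise(addr: str) -> IPAddress:
    """Parse an address; "::ffff:169.254.169.254" is 169.254.169.254 in disguise."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def check_outbound_url(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). Only http(s) to public addresses passes.
    Every address a name resolves to is checked, so a name that rebinds or
    round-robins to a blocked address is refused outright."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = [normalise(host)]
    except ValueError:                       # not an IP literal: resolve it
        try:
            addrs = [normalise(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host}: {exc}"
    for ip in addrs:
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"


def fetch_unsafe(url: str, opener: Opener) -> bytes:
    """The vulnerable shape: whatever the client asks for is fetched server-side."""
    return opener(url)


def fetch(url: str, opener: Opener, resolver: Resolver = system_resolver) -> bytes:
    """The hardened shape: refuse before a connection is attempted."""
    allowed, reason = check_outbound_url(url, resolver)
    if not allowed:
        raise PermissionError(f"refused outbound request: {reason}")
    return opener(url)


def fake_opener(url: str) -> bytes:
    """Constructed stand-in for an HTTP client; never touches the network."""
    return f"<fetched {url}>".encode()


if __name__ == "__main__":
    creds_url = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
    print(fetch_unsafe(creds_url, fake_opener))   # vulnerable path hands the URL through
    try:
        fetch(creds_url, fake_opener)
    except PermissionError as exc:
        print(exc)                                # hardened path refuses
```

The guard is a compensating control at the application layer; the platform-side fix is to require IMDSv2 on the instance (`aws ec2 modify-instance-metadata-options --http-tokens required --http-put-response-hop-limit 1`) and to cut the role's permissions down to the buckets it needs, so that even a request that slips through returns credentials that cannot do much.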
Canadian Pacific Railway & the IT Admin
This one is somewhat of a funny case. It makes you laugh but also gives you a cold sweat; you pray it never happens to your organization.
So the story goes like this: Christopher Victor Grupe worked at Canadian Pacific Railway as an IT administrator. In December 2015, after a suspension for insubordination, his manager told him he would be let go. Rather than lose face at being fired, he asked if he could resign on his own terms so that he could move to another employer.
So he signed a resignation letter and walked out of the office, agreeing to return his laptop, remote access authentication token and access badges. Before he returned the laptop, he used it to connect remotely to the core network switches of the rail network, deleted admin accounts and files, changed the passwords on the remaining admin accounts and removed the logs. Nobody was any the wiser when he returned his equipment, but a few weeks later staff found they could no longer log in to the switches. Long story short: regaining control meant resetting and reconfiguring the devices, he got caught, and he was sentenced to a year and a day in prison.
What can you do to prevent this happening again? Disable all accounts of terminated employees as soon as possible, and do it across every system, not just the directory: remote access tokens, cloud consoles, SaaS admin roles and local accounts on network devices all count, and a leaver whose directory account was disabled on time but whose switch credentials still work is not offboarded. Then implement segregation of duties so that no single employee can hold the company to ransom: no admin credential known to only one person, and a break-glass credential held outside the admin team.
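The offboarding reconciliation described above, as an added example in Python that also covers the "missed during termination" and "planted backdoor account" possibilities raised in the Cisco case. It compares an HR leaver feed against account inventories pulled from several systems and reports accounts that are still enabled after their owner left, accounts used after their owner left, and accounts that no HR record owns at all. This is not code from the original post, from Cisco or from Canadian Pacific; the HR feed and the account inventories are constructed sample data, and in practice they would come from an HR export and each system's directory or admin API.

```python
"""Leaver reconciliation across identity sources.

Added example, not from the original post. PEOPLE, ACCOUNTS and NOW are
constructed sample data standing in for an HR export and per-system
account inventories (directory, cloud IAM, SaaS admin, network devices).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Person:
    email: str
    employment_end: Optional[datetime]      # None: still employed


@dataclass(frozen=True)
class Account:
    source: str                             # system the account lives in
    name: str
    owner_email: Optional[str]              # None: nobody recorded as owner
    enabled: bool
    last_login: Optional[datetime]


@dataclass(frozen=True)
class Finding:
    kind: str
    source: str
    account: str
    detail: str


def reconcile(people: List[Person], accounts: List[Account], now: datetime,
              grace: timedelta = timedelta(hours=4)) -> List[Finding]:
    """Compare every account in every source against HR.

    NO_HR_MATCH:               no HR record owns the account (orphan, service
                               account without an owner, or a planted account)
    ENABLED_AFTER_TERMINATION: owner left more than `grace` ago, account live
    LOGIN_AFTER_TERMINATION:   owner left, but the account has been used since
    """
    hr = {p.email.lower(): p for p in people}
    findings: List[Finding] = []
    for acct in accounts:
        owner = hr.get((acct.owner_email or "").lower())
        if owner is None:
            findings.append(Finding("NO_HR_MATCH", acct.source, acct.name,
                                    "no HR record owns this account"))
            continue
        end = owner.employment_end
        if end is None:
            continue                        # current employee: nothing to do here
        if acct.enabled and now - end > grace:
            findings.append(Finding("ENABLED_AFTER_TERMINATION", acct.source, acct.name,
                                    f"owner {owner.email} left {end:%Y-%m-%d}, account still enabled"))
        if acct.last_login is not None and acct.last_login > end:
            findings.append(Finding("LOGIN_AFTER_TERMINATION", acct.source, acct.name,
                                    f"used {acct.last_login:%Y-%m-%d %H:%M} after owner left {end:%Y-%m-%d}"))
    return findings


# Constructed sample: a leaver whose directory account was disabled on the day
# but whose cloud account was missed and later used, a current employee, and
# an ownerless admin account on a network switch.
PEOPLE = [
    Person("skr@corp.example", datetime(2018, 4, 30, 17, 0)),
    Person("alice@corp.example", None),
]
ACCOUNTS = [
    Account("ad", "skr", "skr@corp.example", False, datetime(2018, 4, 30, 16, 40)),
    Account("aws_iam", "skr-ops", "skr@corp.example", True, datetime(2018, 9, 24, 22, 15)),
    Account("ad", "alice", "alice@corp.example", True, datetime(2018, 9, 25, 8, 5)),
    Account("core-switch-01", "admin2", None, True, None),
]
NOW = datetime(2018, 9, 25, 9, 0)

if __name__ == "__main__":
    for f in reconcile(PEOPLE, ACCOUNTS, NOW):
        print(f"{f.kind:26} {f.source}/{f.account}: {f.detail}")
```

Run this on a schedule rather than once at termination: the directory disable is usually done on the day, and it is the systems with their own local account stores (cloud IAM, SaaS consoles, switches and firewalls) that get missed, so the value is in the sources you feed it.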
You have me worried, now what?
Ok, so we walked through a few real-world cases and saw how devastating the insider and outsider threats truly are. Now the million-dollar question is what can we do about it? Well, not all hope is lost; there are a few things you can do to detect, prevent and contain an attack:
Listen to employee concerns in regard to insecure processes and systems.
Perform criminal and employment history background checks on new employment candidates, this includes contractors.
Perform security due-diligence on vendors.
Monitor employee movements; in some industries employees are asked to detail their travel plans.
Monitor employee wealth; cases of financial theft have been identified through employees living beyond their means.
Perform regular physical and cyber security testing. (Yes, physical security too!)
Audit employee access to facilities, using both CCTV footage and electronic access card logs.
Human resources should be vigilant about employee behaviour, in particular repeat offenders who don't respect company policies; this includes executives. They should consider bringing in private investigators, as they can help identify employees at risk.
Use a cloud-based auditing platform like Detexian to identify security misconfigurations in your SaaS applications.
References:
BBC News, 2019. Arrest After Capital One Hack Exposes 106M People.
Krebs, B., 2019. Capital One Breach — Krebs On Security.
O'Donnell, L., 2020. Ex-Cisco Employee Pleads Guilty To Deleting 16K Webex Teams Accounts.
Thomson, I., 2018. Rogue IT Admin Goes Off The Rails, Shuts Down Canadian Train Switches.