Photo by Jefferson SantosOriginally Posted On: https://www.bestructured.com/7-it-service-internal-cybersecurity-threats-and-how-to-defend-them/
Cybersecurity threats are the Internet’s version of digital terrorism and whatever the circumstances that the planet is undergoing, they will always be a threat to a peaceful Internet world.
1. Account Misuse or Abuse
2. Compromised Accounts
3. An Infected Host
4. Internal Network Reconnaissance
5. Lateral Movement
6. Insider Fraud
7. Data Exfiltration
In today’s world of technology, we see greater, more elaborate attacks every day. What’s worse, many times these threats don’t even come from an outside source. It’s like the classic horror film, “When a Stranger Calls,” when the victim is told by authorities that the scary calls she keeps receiving are actually traced to coming from inside her house.
So reassessing your cybersecurity strategies, especially in terms of how you defend against internal network threats, is paramount to keeping you cyber safe which is stressed by executives at Be Structured, a Los Angeles-based Managed Service Provider.
Many organizations dedicate the bulk of their network security strategies to mitigating the risk of external cyber threats without realizing that a comprehensive threat intelligence platform also accounts for the threat of internal cyber-attacks. In fact, 60% of companies experienced cyberattacks that were generated from inside the company itself. That means many businesses are actually at a higher risk of falling prey to an internal threat than to an external one, and even more, aren’t doing enough to stop insider attacks in the first place.
But what exactly is an internal cybersecurity threat, and how can you stay protected in 2020 and beyond?
What Is an Insider Cyber Security Threat?
Most people think of cyber attacks as something that targets a network from the outside, but an insider threat circumvents barriers to entry altogether by attacking a system from within. As a result, insider threats mostly frequently originate from an employee, former employee, or a malicious actor. If your network isn’t structured properly, they may have been granted network access or they may have found a way to gain entry into your network without being detected. If your business is trying to manage these risks on your own, it will pale in comparison to partnering with an MSP to mitigate risk.
Some insider threats are intentional; others are due to negligence, but ultimately they involve using your system against you. Internal cybersecurity threats can be categorized into seven general types based on how they originate.
1. Account Misuse or Abuse
Account misuse occurs when an authorized network user performs unauthorized network functions. This misuse can happen intentionally or unintentionally. If users realize they have access to valuable parts of your network, they may use that as leverage to benefit themselves or threaten your organization. When this occurs, it becomes account abuse. On the other hand, users may have access to sensitive data on your network but not realize it. As a result, they may accidentally delete data, reconfigure network settings, or even leak confidential information.
Account misuse and abuse threats may arise for a multitude of reasons, including:
Nonexistent, loose, or poorly configured user access controls
Storing company documents, files, and folders on a universal server
Not updating user access as roles and responsibilities within the company change
Scaling cloud services without reassessing user access
Because most instances of account misuse or abuse stem from access control, the best strategy for protecting your network is to start by establishing clearly defined user permissions. From there, it’s critical to review access controls periodically to ensure they align with your network security measures.
The best way to delineate user access is by following the “need-to-know” rule. If an employee doesn’t need to have access to specific data or parts of your network to complete their daily tasks, they likely shouldn’t have access to it. After all, it’s easier to grant access when required than it is to take access away after a data breach.
2. Compromised Accounts
A compromised account refers to when an unauthorized individual gains access to an authorized account on your network. They can then use that account just as an authorized user would—but with malicious intent. An unauthorized individual on an authorized account can originate from within your organization or from outside of it. When undetected, a compromised account can wreak havoc on a network. As we’ve already mentioned, granting need-to-know access control can be one of the best defenses against a compromised account.
From inside your organization, compromised accounts can occur when:
- An employee finds another employee’s password written down
- An employee guesses another employee’s password (e.g., a pet or child’s name)
- Organizations use generic, standard passwords for shared accounts
To protect your organization from these risks, outsource your technical support and make it known that employees are never to write down passwords under any circumstances. They should also use complex passwords composed of a series of letters, numbers, and symbols that would be impossible for someone close to them to guess. Similarly, it’s also helpful to enact policies and safeguards that require employees to change their passwords periodically.
From the outside, compromised accounts are most often the result of an employee losing an unsecured device or a successful phishing attack on your network. Even with stringent user access controls, however, a malicious actor can use a compromised account to trick other users on your network into divulging sensitive data or granting unauthorized permissions.
To combat the risk associated with compromised devices, ensure that all devices on your network are appropriately secured and encrypted so they can’t be used against you if they’re lost, misplaced, or stolen. To protect your network from phishing attacks, one of the most effective strategies is implementing an ongoing phishing awareness training program for employees.
3. An Infected Host
An infected host occurs when one of your internal network resources begins behaving abnormally, most frequently due to unauthorized access, third-party control, or malware. Although the source of an infected host generally originates from an external source, it becomes an internal threat as soon as your network perimeter is breached. That’s because an infected host can operate just like any other device on your network.
A compromised host can potentially:
- Send junk, spam, or phishing emails to other systems
- Distribute malicious software on your network
- Distribute network data to other networks
- Collect personal user data, including usernames, passwords, and account numbers
One of the best ways to mitigate the risk of an infected host compromising your network in the first place is with a managed cybersecurity service provider. However, because the scope of this post relates to internal network threats, we’ll focus on what to do after an infected host infiltrates your network.
With an infected host, your security incident response team will primarily be conducting damage control. That’s because some level of data has likely already been compromised; after that, it’s about minimizing the extent of the damage. Implementing an around-the-clock automated network monitoring system is a vital first step to detecting an infected host as quickly as possible.
From there, integrating effective quarantine measures into your network can promptly contain a compromised host until your threat detection and response team can take back control of the device.
4. Internal Network Reconnaissance
Internal network reconnaissance occurs when an authorized user or a malicious actor—having gained undetected network access—researches your network environment from the inside. With a deeper understanding of how your network functions, they’re then able to plan and prepare for future objectives, such as stealing sensitive information or channeling network traffic to a third-party server.
A cybercriminal or malicious insider may perform reconnaissance to find out more about your network’s:
- File sharing systems
- User access controls
- Network diagrams
- Admin accounts
- Network applications
- Anti-virus systems
From there, a hostile user can begin to identify critical network information, download tools to collect additional information, elevate their own user access privileges, move laterally throughout your network, and create an ideal environment for funneling your critical data to a third-party network.
The solution for addressing this malicious insider threat is not quite as simple as with some of the other threats. The first step to counteracting insider network reconnaissance is by detecting any abnormal activity. As with an infected host, automated network monitoring systems can work around the clock to identify any unusual network activity and alert administrators.
Depending on the competence of the attacker, however, they may be able to sidestep your monitoring systems. That’s why early detection is vital. Once you’ve detected a potential recon user, you can deploy a honeypot security service that serves as a decoy to lure cybercriminals away from critical network operations.
Some cybersecurity vendors, such as SKOUT Cybersecurity, have even developed platforms for flagging and tracking suspicious users based on significant network events. These systems are called SIEM’s (Security Incident Event Management) and SOC’s (Security Operations Center). If you want to stay a step ahead of the threat of network recon, a dedicated user flagging and tracking platform with honeypot capabilities is currently your best option.
5. Lateral Movement
Once a malicious actor has infiltrated your network, lateral movement techniques involve using low-level web servers, employee devices, email accounts, and other foundational system features to move within your network. That means most lateral movement threats occur after a network endpoint has been breached by a malicious actor or when an authorized user attempts to circumvent user access controls.
As with internal network reconnaissance, the goal of lateral movement is not merely to exploit these low-level targets but to use them to gain access to your network’s most sensitive data and operations. Successful lateral movements allow cybercriminals to steal additional user credentials, pinpoint weak network configurations, and even exploit software vulnerabilities that can open your network up to further exploitation. That’s why internal network reconnaissance and lateral network movement often go hand in hand.
To effectively defend against lateral movers on your network, you can proactively solidify your network’s endpoint security measures and user access controls. But once the lateral movement has already been detected on your system, the best strategy is to track and contain movement by deploying a honeypot. After the threat is identified and contained, you’ll be better poised to eliminate any compromised accounts or devices on your network.
6. Insider Fraud
Insider fraud can be perpetrated by any number of malicious network insiders, including:
- A current employee
- A former employee
- A contractor
- A business partner
Insider fraud occurs when one of these individuals intentionally misuses network access to bypass security measures for their own personal gain or to do damage to an organization’s confidentiality, integrity, or information. Most frequently, this happens when network insiders manipulate data and documents for their own financial enrichment.
Because the individuals most likely to commit insider fraud are frequently the ones most closely tied to your day-to-day operations, it can be challenging to detect or prevent the threat in the first place.
One of your best options for mitigating the risk of insider fraud is to reduce or eliminate the opportunities for insiders to commit fraud. Again, user access controls play a critical role in minimizing the exploitation of sensitive data, and following a “need-to-know” data access rule can keep your network protected.
In addition, for areas that are prone to natural attacks in the form of fires or earthquakes like Los Angeles, employing a cloud-based IT support solution can provide backup in case of an attack where the entire network fails and maybe crashes for good.
You can also implement policies for performing periodic audits of data and processes that present a higher risk of insider fraud while heightening monitoring measures related to information access and use. That can include automatically freezing network access when an employee goes on vacation, travels out of the country, or takes a leave of absence. Because many insiders are driven to commit fraud due to financial struggles, initiating a program to help employees experiencing money problems can actually protect your organization in the long run.
7. Data Exfiltration
For many of the internal cybersecurity threats we’ve discussed above, the ultimate goal of a malicious insider is data exfiltration, also known as data extrusion. Data exfiltration occurs when someone on your network transfers unauthorized data to another device or network.
Exfiltration can happen when someone has access to a physical device on your network and manually transfers unauthorized data, or it can be an automated process by which network data is automatically directed to another system. The threat can be the result of a network insider funneling out data, or it can happen when a malicious actor posing as an authorized user reconfigures network settings to redistribute sensitive data. Data exfiltration is what happens when companies fall prey to a large-scale data breach, as happened to Yahoo, Equifax, Capital One, and Home Depot in the past decade.
With Home Depot’s breach, cybercriminals stole a vendor’s login credentials. From there, they were able to move laterally within Home Depot’s computer network to install custom-built malware that posed as antimalware software. The malware infected Home Depot’s point-of-sale (POS) systems, exfiltrating the data of 56 million customers between April and September of 2014, ultimately costing the company about $172 million.
Stopping data exfiltration begins with robust endpoint security. But once data exfiltration occurs, that data may be lost forever. As with Home Depot’s breach, malicious actors often use seemingly innocuous software programs to direct data exfiltration. That’s why it’s a smart idea to block end users from installing new applications on network devices without receiving administrative permission first.
In the event that data has already been extruded, the malware operating on your network needs to be able to communicate with an external server and transmit data. If your incident response team can pinpoint where that unauthorized communication is occurring on your network, they can effectively block the exfiltration of data and from there, focus on damage control.
Los Angeles MSSP (Managed Services Security Provider) and Cybersecurity Experts
How well is your organization prepared to defend against and respond to the ever-present risk of insider threats? If you’re concerned that there’s more you could be doing, the experts at Be Structured can help. From detecting compromised hosts on your network to minimizing the risks of compromised network accounts, we specialize in developing a comprehensive network security platform that protects you inside and out.
Contact our team today to take the first step toward a more secure future.
