April 2019

Verizon Insider Threat Report — Summary of Key Findings

The Verizon Data Breach Investigations Report (DBIR) is an annual report (published since 2008) that analyzes information security incidents with a specific focus on data breaches.

The 2018 DBIR draws on over 53,000 incidents and some 2,200 confirmed data breaches, studying the impact of malware, DoS attacks, social engineering and other activities across multiple industries.

Now, for the first time, Verizon has also published a special report, the Insider Threat Report, which is free to download and based on research and experience gathered from investigators at the Verizon Threat Research Advisory Center (VTRAC).

TRI recently attended a webinar given by John Grim, Senior Manager at VTRAC, entitled The Threat is real! Insider & Privilege Misuse.

We have excerpted parts of John’s commentary and charts from the presentation, enough to whet your appetite for reading the full report.

Summary Research Findings

The presentation opened with some interesting statistics and findings:

  • Size of the Insider Threat — 20% of cybersecurity incidents and 15% of data breaches investigated in the Verizon 2018 DBIR originated from people within the organization.
  • The Top Motivators for conducting breaches were financial gain (48%) and pure fun (23%).
  • Insider Threats Are Often Tougher to Control because companies often hesitate to recognize, report, or take action against employees who have become a threat to their organization.

The Five Types of Insider Data Breach Threats

There are five main kinds of insider data breach threats:

  1. The Careless Worker is someone who is misusing assets.  When an employee or partner breaks acceptable use policies, mishandles data, uses unauthorized applications or unapproved workarounds, that’s a recipe for trouble.  The careless worker isn’t necessarily nefarious: they are not trying to steal data outright, but their carelessness leads to a cyber security incident or data breach.
  2. The Insider Agent is somebody stealing information for outsiders.  Insiders are recruited, solicited or bribed by external parties.
  3. The Disgruntled Employee is intent on destroying property.  They seek to harm the organization by disrupting data or business activity.
  4. The Malicious Insider is someone who steals data for personal gain.  These are either employees or partners with access to corporate assets.
  5. The Third Party is a business partner with some form of access who compromises security through negligence, misuse, or malicious access to or use of an asset.

Scenario 1: Insider Agent Working on Behalf of Outside Entity

The Report details a few scenarios to illustrate different types of threat.  Here is the first:

The Situation — A company was downsizing.  They announced unilateral pay cuts, so as you can imagine, many employees were disgruntled at seeing cuts in their paychecks.

External Entity Uses an Employee — An external entity was monitoring the company’s plight and saw an opportunity to gain access.  They offered a janitor extra money to offset the pay cut; all the janitor had to do was take a USB device into the office in the evening and plug it into certain systems.

Malware Detected — Later on, several systems were suspected to have been accessed by an external entity via malware.  The organization was puzzled because it could not see how the entry vector had come in, so it opened an investigation.

Investigation — System logs revealed an exploitation attempt was made just after a USB device was introduced to the systems.  At first, it looked like two separate incidents occurred, but they later found a correlation between USB devices being plugged into the system and malware alerts.

Timeline analysis through the logs led to a small number of people in the building at the time when the USB devices were connected to systems.  The janitor in question was then interviewed and confronted with the technical findings.  He confessed and was led out the door and terminated.
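The investigation steps described above, joining USB connect events to malware alerts on the same host and then narrowing the badge log to people present at every connect time, as an added example that is not part of the report or the webinar. All log lines, hostnames, serials and names are constructed.

```python
from datetime import datetime, timedelta
# Constructed sample logs (not from the report): USB connect events and malware
# alerts from the endpoints plus the building badge log for the same evening.
USB_LOG = """\
2018-03-12 21:04:10 host=FIN-WS-07 event=usb_connected serial=4C530001
2018-03-12 21:31:42 host=HR-WS-02 event=usb_connected serial=4C530001
2018-03-12 22:15:05 host=ENG-WS-11 event=usb_connected serial=7A11F00D
"""
AV_LOG = """\
2018-03-12 21:05:33 host=FIN-WS-07 alert=Trojan.Dropper action=quarantined
2018-03-12 21:33:01 host=HR-WS-02 alert=Trojan.Dropper action=quarantined
2018-03-13 08:02:17 host=ENG-WS-11 alert=PUA.Toolbar action=quarantined
"""
BADGE_LOG = """\
2018-03-12 20:45:00 person=janitor_03 event=badge_in
2018-03-12 20:50:00 person=sysadmin_01 event=badge_in
2018-03-12 21:10:00 person=sysadmin_01 event=badge_out
2018-03-12 23:30:00 person=janitor_03 event=badge_out
"""

def parse(log):
    """'YYYY-mm-dd HH:MM:SS key=value ...' lines -> dicts with a 'ts' datetime."""
    def one(line):
        d = dict(kv.split("=", 1) for kv in line[20:].split())
        d["ts"] = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        return d
    return [one(line) for line in log.splitlines()]

def correlate(usb_events, av_events, window=timedelta(minutes=10)):
    """Join each malware alert to a USB connect on the same host within `window` before it."""
    return [{"host": a["host"], "serial": u["serial"], "usb_ts": u["ts"], "alert_ts": a["ts"]}
            for a in av_events for u in usb_events
            if u["host"] == a["host"] and timedelta(0) <= a["ts"] - u["ts"] <= window]

def present_at_all(badge_events, times):
    """Timeline step: who was badged into the building at every matched USB connect time."""
    intervals, inside = {}, {}
    for e in sorted(badge_events, key=lambda e: e["ts"]):
        if e["event"] == "badge_in":
            inside[e["person"]] = e["ts"]
        elif e["person"] in inside:
            intervals.setdefault(e["person"], []).append((inside.pop(e["person"]), e["ts"]))
    for person, start in inside.items():  # still inside: open-ended interval
        intervals.setdefault(person, []).append((start, datetime.max))
    return sorted(p for p, spans in intervals.items()
                  if all(any(a <= t <= b for a, b in spans) for t in times))

def investigate():
    matches = correlate(parse(USB_LOG), parse(AV_LOG))
    return matches, present_at_all(parse(BADGE_LOG), [m["usb_ts"] for m in matches])
```

The ENG-WS-11 alert is deliberately left unmatched: its USB connect happened hours earlier, so it falls outside the ten-minute window and stays a separate event to be judged on its own.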

Scenario 2: Third Party Hardware — Data Collector Embedded in System Firmware

Situation — A company had purchased systems that were reaching out to an external IP address.  The organization had run malware scans on these systems and found nothing out of the ordinary, but it sent one system to a Verizon lab for further evaluation.

Results of Lab Tests — In the Verizon lab, the system was observed to determine what network activity it would initiate.  Investigation revealed attempts to communicate with a suspicious external IP address, even though no malware was found on the system and nothing was unusual at the logical (software) level of the system.

The communication was actually being controlled by firmware.  And digging down into the source code revealed an encoded IP address that was unknown to the vendor.

System Vendor Contacted — The system vendor was informed and was surprised to learn that the firmware it had purchased for the system was reaching out to an external entity.  The intrusive firmware was traced back to a fraudulent vendor in the supply chain.  No human being was involved in this breach — no one was hacking into the system.  Instead the code was embedded in the firmware sold to the victim organization.

Analysis — To counter problems in hardware supply chains, Verizon recommends that an IT manager be responsible for design, testing, and review, and that an asset inventory be created for tracking and accountability.

For detection and response, it’s important to monitor for alerts on suspicious network traffic, maintain baseline system images and a trusted process list.  Then when an incident occurs, you can do a differential analysis and narrow down what shouldn’t be on the system in question.
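The differential analysis recommended above, as an added example that is not the report's own code: a live process list is diffed against the trusted process list from the baseline image, and captured outbound flows are checked against an allow-list. The baseline, digests (placeholders) and snapshot are all constructed; a flow that no host process owns is exactly what the lab found in this scenario, because the traffic came from firmware rather than software.

```python
import ipaddress

# Constructed baseline (not from the report): trusted process list from the
# golden image, with placeholder digests, and destinations the asset may contact.
BASELINE_PROCESSES = {
    "svchost.exe": "sha256:PLACEHOLDER_A",
    "explorer.exe": "sha256:PLACEHOLDER_B",
    "agent.exe": "sha256:PLACEHOLDER_C",
}
ALLOWED_DESTINATIONS = [ipaddress.ip_network("10.0.0.0/8"),        # internal
                        ipaddress.ip_network("203.0.113.0/24")]    # vendor update range

# Constructed snapshot of the suspect asset: (process, digest) from the live system,
# and (owning process or None, dst ip, dst port) from the lab capture joined with
# the host's own socket table.
OBSERVED_PROCESSES = [("svchost.exe", "sha256:PLACEHOLDER_A"),
                      ("explorer.exe", "sha256:PLACEHOLDER_B"),
                      ("agent.exe", "sha256:PLACEHOLDER_C")]
OBSERVED_FLOWS = [("agent.exe", "203.0.113.5", 443),
                  ("explorer.exe", "10.1.2.3", 445),
                  (None, "198.51.100.77", 443)]   # nothing on the host claims this socket

def diff_processes(observed, baseline=BASELINE_PROCESSES):
    """Differential analysis of the live process list against the baseline image."""
    findings = []
    for name, digest in observed:
        expected = baseline.get(name)
        if expected is None:
            findings.append(("unknown_process", name))
        elif expected != digest:
            findings.append(("modified_binary", name))
    return findings

def diff_flows(flows, allowed=ALLOWED_DESTINATIONS):
    """Flag traffic to destinations outside the allow-list. A flow no host process
    owns cannot be explained at the OS level and points below it (firmware/hardware)."""
    findings = []
    for owner, dst_ip, dst_port in flows:
        if any(ipaddress.ip_address(dst_ip) in net for net in allowed):
            continue
        kind = "unexpected_external_flow" if owner else "unattributed_external_flow"
        findings.append((kind, f"{owner or '<no process>'}->{dst_ip}:{dst_port}"))
    return findings

def triage(observed=OBSERVED_PROCESSES, flows=OBSERVED_FLOWS):
    """A clean process diff plus an unattributed external flow is the signal to
    escalate to firmware analysis rather than run another malware scan."""
    return diff_processes(observed) + diff_flows(flows)
```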

The People and Asset Elements of the Insider Threat

There are two components of the insider threat: the people element and the asset element.  For the asset element, you need to understand your assets: know what they are and where they are, and have them catalogued, identified, and tracked.  Then, once you have identified the critical assets, take those to the next level: track them further and learn how to protect, monitor, and investigate them.

For the people element, it’s a matter of knowing who your employees are, who your business partners are, who your contractors are, and understanding who has access to your assets — especially your critical assets.

Who truly does require access to those critical assets?  And after you have narrowed your access, then go ahead and vet those employees, monitor them, and know how to investigate those employees in case an insider type of threat incident should occur.  Don’t forget: this is not only an IT security problem.  It is also a human resources problem and a legal counsel problem — plus there are additional stakeholders when it comes to the insider threat.

The Importance of Coordination Among Stakeholders

The stakeholders aren’t just the technical folks who are doing the response, investigation, mitigation, and prevention.  It’s also the human resources and legal counsel that need to get involved.

For example, human resources needs to vet new hires before they come onboard.  Human resources also needs to maintain training for employees throughout their lifecycle with the organization.  Another important goal is to sensitize employees to report suspicious activity by co-workers when it may indicate an insider threat.

Finally, there needs to be a strategy for when somebody is leaving the organization.  That often means: if they have had access to critical data and have been maintaining systems for a number of months, you should open an investigation when the employee leaves.  This is just one example.  Within the report, Verizon provides other guidance, thoughts, and countermeasures drawn from its investigative experience.

Eleven Threat Countermeasures

Verizon devised a list of 11 threat countermeasures and peppered them throughout the 69-page Report with explanations on how to use them in insider threat prevention, detection, and investigation.

Verizon Insider Threat Countermeasures

Making Full Use of the Verizon Report

Verizon recommends people take advantage of the 11 countermeasures and other advice in the Report and to tailor that information to your organization’s needs.  For example:

  • Use the scenarios and statistics to create mock tabletop exercises to test your incident response for insider threats, to test your stakeholders, and to see whether you are positioned well to detect, respond to, investigate and — just as important — prevent and mitigate an insider threat.
  • Take your plan and create a playbook specific to each insider threat.  A malware case is very different from a denial of service case.  And make sure to include all the stakeholders specifically in your playbook: folks in human resources, legal counsel, and maybe even physical security.
  • Set up a security awareness program.  Use this insider threat report, its scenarios, and the data within it to educate employees and teach them what to do and not do.  Furthermore, you need to sensitize them to recognize and report the insider threat.
  • Use the insider threats and documented countermeasures as a handbook of good ideas and solutions.

Copyright 2019 FraudTech Journal

About the Experts

Verizon VTRAC

The Verizon VTRAC (Verizon Threat Research Advisory Center) has an investigative response team with first-hand experience dealing with the insider threat.

They investigate for hundreds of global commercial enterprises and government agencies each year.  And these are the same people who put together the DBIR report.

They cover the full spectrum of investigative capabilities, including network forensics, malware reverse engineering, and mobile device forensics, and are experienced in responding to data breaches and cyber security incidents.

The webinar content from which this story was extracted and lightly edited was presented by John Grim, VTRAC Manager.