According to a recent article by Business Insider, hackers in Ireland, stymied by Apple’s information systems security, are taking another approach to gain access to the corporation's data. They are offering Apple employees up to 20,000 euros for valid login credentials. While not all approaches to insiders are so overt, this case nevertheless serves as a great reminder that malicious actors are actively recruiting insiders to exploit their status.
Beyond that, it demonstrates that the insider threat is not just confined to an Edward Snowden type who steals a mass of data in one swoop before leaving the company. Insiders can pose a far more subtle and enduring threat. Because of this, we should think beyond Snowden when considering how insider threats can manifest.
Thinking About Insider Threats
It’s important when considering insider cyber threats to not let the cyber element distract from the basic problem; hacking is still fundamentally theft of information. In fact, I would encourage security managers to think about these insider threats much as they would any other sort of corporate or government espionage.
Certainly, those looking to recruit an insider would love to have access to a systems administrator — essentially the corporate equivalent of an embassy communications officer. Systems administrators normally hold the keys to the kingdom, and in many cases they can access a variety of email accounts and other systems of interest to those conducting corporate espionage, whether they are motivated by ideology, looking to steal proprietary secrets or seeking information for insider trading purposes. That said, company IT staffs are not the only people who could be recruited to help carry out a cyberattack.
In addition to the outright sale of a valid system login, as in the Apple example, insiders can also perform more subtle tasks to help hackers. One is to fill the role that an "access agent" would in traditional espionage: identifying potential sources. Rather than pinpointing and approaching individuals, in the cyber realm insiders can help hackers understand a company's systems and security procedures. They can also provide company organizational charts and examples of company communications. Perhaps more important, an insider has knowledge of who talks to whom and what topics they discuss; they may even pass along sample emails that show how people interact.
There are many ways a non-IT insider can help inject malware into company systems.
This level of detail can be incredibly useful in helping set targets up for a well-crafted and convincing attempt at spear phishing, an email attack tightly focused on an individual user. If a hacker learns that Carol regularly sends text documents or spreadsheets to Bob and even has examples of how Carol normally addresses Bob, including any company or personal jargon, he or she can then craft a highly tailored message spoofing Carol’s email address and with it deliver an attachment loaded with malware.
Access agents can also be used to help spot troubled coworkers whose financial or other vulnerabilities, such as anger at the company or drug use, might make them easier to recruit. Sex also works as a highly effective recruiting tool, and access agents can identify people most likely to be vulnerable to a "honey trap."
Non-IT staff insiders can also be used to introduce malware into a company's computer system. They may knowingly open a spear phishing tool, allowing them to feign victimization later if they get caught. As noted above, they have the knowledge to help craft a plausible spear phishing presentation that can give them the cover of apparent innocence. They could also, for example, steal a thumb drive from a coworker's desk and allow hackers to install malware on it before returning it. There are many ways a non-IT insider can help inject malware into company systems — even sensitive "air gapped" systems, or secure networks separated from the Internet.
Persistent Insider Threat
Insider threats are not limited to one-hit wonders like Snowden. Insider agents who make their actions seem innocuous and maintain plausible deniability can stay in place at the targeted company for a long time. Again, thinking in traditional espionage terms, it was always a great windfall when someone would walk into an embassy and hand an intelligence officer a briefcase full of classified documents. But a good intelligence officer isn't satisfied with just those documents. Sharp officers protect walk-ins and encourage them to continue working; that way, they can provide a continuing stream of valuable intelligence instead of just a single document dump.
But even when we are dealing with a recruited agent instead of a walk-in, the best strategy is to leave the agent in place for a prolonged period to maximize the extracted intelligence. National intelligence agencies running computer intelligence operations will follow the same principles in recruiting sources as they do for other operations. Intelligence services draw little distinction between an asset recruited for cyber and one meant for traditional intelligence gathering, and once recruited, agents can serve both purposes.
Anyone who doubts that intelligence agencies from an array of countries actively recruit sources from within many different types of companies has not been paying much attention. States frequently use false-flag approaches, sometimes presenting themselves as competitors or even criminals rather than intelligence officers.
But even beyond intelligence agencies, it is easy to see how ideologically motivated leakers, competitors and criminals could benefit greatly by having inside sources embedded long-term within a company.
Bad Operations Security
Finally, in addition to knowing collaborators who act intentionally, sloppy insiders also pose a significant threat — and arguably a larger and more persistent one. Whether or not the slip-up is as high-profile as the case of an Apple employee who left a top secret iPhone 4 prototype at a bar, or the case of the Qualcomm CEO whose laptop was stolen shortly before his company reported its quarterly results, there's always the chance that a low-level insider will fall for a clumsy phishing email and introduce malware onto company servers through a personal laptop.
Of course, such negligence can play a role in attacks involving knowing insiders as well. All the potentially threatening actors we've discussed, from intelligence agencies to criminals, can and do pounce on mistakes made by unwitting, inattentive insiders. But compared with recruiting an insider, which requires more effort and is more easily detected, a targeted cyberattack is a low-cost, low-risk method that can be just as effective. Negligence makes those attacks easier to execute. Poor operations security is also not just confined to non-technical employees. Inexperience, laziness or poor practices can make IT staff negligent as well. In short, employees should be well informed and on guard. The threat posed by a Snowden-like insider is grave. But it is far from the only type of insider threat that can harm your company.