As Twitter releases its findings on a high-profile breach investigation that affected prominent figures such as politicians, investor tycoons, technology magnates and philanthropists, as well as corporations such as Uber and Twitter itself, we are reminded that even the smartest engineers with cutting-edge technology and the juiciest budgets aren’t safe in the new digital era.
How the hackers attacked Twitter from the inside
When the news broke, experts initially suspected that a compromised account was used to enter Twitter’s environment. A reasonable assumption, since about 80% of attacks today use this method.
What was different this time around is that the hackers didn’t follow the typical pattern of a breach. Cybersecurity experts expected the criminals to run the attack along the well-known sequence of compromise, exploration and data exfiltration, leaving an open back door in case they needed to come back. The breach didn’t follow that sequence.
Instead, the hackers went straight for the internal admin tools that Twitter’s staff use to reset account passwords. Attackers wouldn’t look for admin tools unless they knew the environment, which points to an insider threat.
Understanding the insider threat
Verizon’s 2019 insider threat report cites 5 types of insider threat actors, noting that most organisations are vulnerable to the security risks they pose.
- The careless worker. They misuse assets and break acceptable-use policies, including the installation of unauthorised applications (Shadow IT).
- The inside agent. They are recruited, solicited, or bribed by external parties to help data exfiltration.
- The disgruntled employee. Insiders with the objective of harming the organisation.
- The malicious insider. Unscrupulous parties who want to steal information for personal gain.
- The feckless 3rd party. Business partners who compromise security through negligence, misuse, or malicious access.
As most organisations have at least one of the insider threats listed above, they must be prepared to respond to security incidents in different ways than they would for attacks that originated externally.
How to defend against internal attacks
One of Australia’s most cited cybersecurity resources, the Australian Cyber Security Centre’s Essential Eight framework of recommendations, includes multi-factor authentication (MFA), which is a great security measure but not very effective against insider attacks. Organisations definitely need to go above and beyond MFA if they want a well-layered security strategy.
As we reflect on the way our organisations are growing now and think about how we, as leaders, employees and law-abiding citizens, would combat insider threats, it is clear the issue is complex. We need a more nuanced solution.
Gartner released an article in September 2019 which covered the principles and benefits of Zero Standing Privileges (ZSP). Among the benefits of ZSP is the requirement that anyone in need of elevated privileges formally request elevation via ITSM software (e.g. ServiceNow), specify which tasks require administrative access, and state how long the elevated access is required.
One could argue that ZSP is complex or expensive to deploy. Its adoption, from both a labour and software perspective, means it’s not a practical option for every situation. While ZSP can introduce an extra barrier between the attacker and their objective, there is simply no single catch-all solution to fight insider threats.
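To make the ZSP mechanics concrete, here is a small broker that models the elements the paragraph above lists: nobody holds admin rights by default, elevation must be requested against a ticket with a stated task and duration, a request cannot be self-approved, and the grant expires on its own. This is an added illustration written for this article, not Twitter’s, Gartner’s or ServiceNow’s tooling; the ticket id, role names, user names and clock values are constructed.

```python
"""
Toy zero-standing-privileges (ZSP) broker.
Added example for this article; the ticket ids, role names and timestamps
are constructed and do not come from any real system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class ElevationRequest:
    ticket: str            # ITSM change/ticket reference (constructed)
    user: str              # who is asking for elevation
    role: str              # privileged role requested, e.g. "account-admin"
    task: str              # what the requester says the access is for
    duration: timedelta    # how long the elevation should last
    approved_by: Optional[str] = None
    granted_at: Optional[datetime] = None


@dataclass
class ZspBroker:
    max_duration: timedelta = timedelta(hours=2)      # policy ceiling on a grant
    grants: Dict[str, ElevationRequest] = field(default_factory=dict)  # keyed by user
    audit: List[str] = field(default_factory=list)    # append-only decision log

    def request(self, req: ElevationRequest) -> bool:
        """Accept a request only if it carries a ticket, a task and a bounded duration."""
        if not req.ticket or not req.task:
            self.audit.append(f"REJECT request user={req.user}: missing ticket or task")
            return False
        if req.duration > self.max_duration:
            self.audit.append(f"REJECT request user={req.user}: duration exceeds policy")
            return False
        self.audit.append(
            f"REQUEST user={req.user} role={req.role} ticket={req.ticket} task={req.task!r}")
        return True

    def approve(self, req: ElevationRequest, approver: str, now: datetime) -> bool:
        """Record an approval and start the clock; the requester may not approve themselves."""
        if approver == req.user:
            self.audit.append(f"REJECT approval user={req.user}: self-approval")
            return False
        req.approved_by = approver
        req.granted_at = now
        self.grants[req.user] = req
        self.audit.append(f"GRANT user={req.user} role={req.role} by={approver} until="
                          f"{(now + req.duration).isoformat()}")
        return True

    def is_elevated(self, user: str, role: str, now: datetime) -> bool:
        """Deny by default: elevated only for the granted role and only inside the window."""
        grant = self.grants.get(user)
        if grant is None or grant.role != role or grant.granted_at is None:
            allowed = False
        else:
            allowed = now < grant.granted_at + grant.duration
            if not allowed:
                del self.grants[user]          # lazy expiry: standing access never lingers
        self.audit.append(f"CHECK user={user} role={role} allowed={allowed}")
        return allowed


def demo() -> Dict[str, bool]:
    """Walk one elevation lifecycle and return every access decision."""
    t0 = datetime(2020, 7, 15, 12, 0, tzinfo=timezone.utc)   # constructed clock
    broker = ZspBroker()
    req = ElevationRequest(ticket="CHG0001234", user="alice", role="account-admin",
                           task="reset a locked-out customer account",
                           duration=timedelta(hours=1))
    out: Dict[str, bool] = {}
    out["before_request"] = broker.is_elevated("alice", "account-admin", t0)
    out["request_ok"] = broker.request(req)
    out["self_approve"] = broker.approve(req, approver="alice", now=t0)
    out["peer_approve"] = broker.approve(req, approver="bob", now=t0)
    out["during_window"] = broker.is_elevated("alice", "account-admin", t0 + timedelta(minutes=30))
    out["wrong_role"] = broker.is_elevated("alice", "billing-admin", t0 + timedelta(minutes=30))
    out["after_expiry"] = broker.is_elevated("alice", "account-admin", t0 + timedelta(hours=2))
    out["no_ticket"] = broker.request(ElevationRequest(
        ticket="", user="mallory", role="account-admin", task="", duration=timedelta(minutes=5)))
    for line in broker.audit:
        print(line)
    return out


if __name__ == "__main__":
    demo()
```

The point to notice is the shape of the audit trail: every grant is tied to a ticket, a named approver and a task, and every access check logs a decision, so an investigator asking “who could reset passwords at 12:30 and why” gets an answer from the log rather than from a permanently privileged group membership.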
Cybersecurity will look different for every organisation
For most organisations, MFA is still one of the best security measures they can take. For companies that can afford it, ZSP practices can be a big security advantage against insider threats that other security tools can’t offer.
Insider threats can also be thwarted by well-rounded Cyber Security Awareness Training programs and best practices. Fostering good cyber-habits is a powerful tool and one of the best security measures you can take. When good cyber practices are combined with Artificial Intelligence and Machine Learning technologies, cybersecurity teams gain reliable predictive strength, allowing them to detect and flag anomalies across your employee and supply chain base.
The insider threat is not going to disappear
2020 has been a hard year. With surging unemployment, continued uncertainty and political instability around the globe, we can expect to see a rising number of parties dabble in criminal digital activities, likely for financial gain, espionage or fun, as stated in Verizon’s Insider Threat Report.
We all need to get serious about getting our cybersecurity up to par because the hackers are out there planning their next move. For all we know, they may already be in our systems, waiting for the perfect opportunity to strike.