7. Insider and External Threats – Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations

© Morey J. Haber 2020
M. J. Haber, Privileged Attack Vectors, https://doi.org/10.1007/978-1-4842-5914-6_7

7. Insider and External Threats

Morey J. Haber
Heathrow, FL, USA

The threats facing an organization can either originate internally through trusted employees, contractors, or temporary workers or through external threat actors attacking and penetrating your resources. Realistically, once either breaches your environment, the attack is internal even though the source of the incident is external. To that end, we need to explore how the personas for both external and internal threat actors apply to your organization.

Insider Threats

By now, most security professionals are tired of hearing about insider threats. Years ago, these attacks occurred regularly, but did not have the same labels or stigma they have today. I am not saying they were acceptable back then either. We just need to be realistic about what an insider threat is and acknowledge that it has been going on in various forms for hundreds of years.

By definition, an insider threat is an internal persona behaving as a threat actor. Figure 7-1 is an illustration of this based on the privileged attack chain we have been discussing.
Figure 7-1. Insider Threats

Regardless of the techniques they are using, insider threat actors are not behaving in the best interest of the company. They’re potentially breaking the law, and likely exfiltrating information they do not have permission to possess, or performing other damaging actions. An old-school example of this type of threat is client lists. It’s an insider threat that’s still relevant today, by the way. A salesperson, executive, or others who are planning to leave an organization may have photocopied or printed client lists and orders before leaving the organization to have a competitive edge when they start with a new employer. The volume of paper would probably have to be substantial to make an impact, but leaving with confidential information on printed paper is still an insider threat. Obviously, they were not leaving with file cabinets of material, but today, with electronic media, and the Internet, that volume of data could easily be egressed without anyone noticing. And, as a reminder, that file cabinet of sensitive information can easily fit on a USB thumb drive in a person’s pocket. Therefore, we now have a label for this type of threat, and insider threats are becoming more relevant. It still makes security professionals sick to their stomachs because the crime is old, but the methods and volume are now something to consider and require a new strategy to protect against.

Insider threats occur for a variety of reasons. This includes aspects of a human persona looking to hurt or gain an advantage against an organization. Regardless of their intent, it’s the digital aspect of an insider threat that warrants the most attention. Human beings will do the most unusual things in the direst of situations, but if they are not permitted to, many of the risks of insider threats can be mitigated.

As we consider privileged attack vectors and insider threats, how does the following impact your business?
  • How many people have access to sensitive information en masse?

  • Who can export large quantities of information from a query or third-party system?

  • Are all the active accounts valid?

  • Are all accounts related to people that are still employed or third parties?

  • How do you identify rogue or shadow IT accounts?

  • How often do you change the passwords for sensitive accounts?

  • Do you monitor privileged access to sensitive systems and data?

So, in fairness, answering those questions could be opening Pandora’s box. Nonetheless, you should answer them if you care about insider threats. Here is why:
  • Only administrators (not even executives) should have access to data en masse. This prevents an insider from dumping large quantities of information, or an executive’s account being hacked and leveraged against the organization.

  • No user should ever use an administrative account for day-to-day usage, like email. This includes administrators themselves, in case their accounts are compromised too. All users should have standard user permissions.

  • All access to sensitive data should be for valid employees only. Former employees, contractors, and even auditors should not have access daily. These accounts should be removed or deleted per your organization’s policy.

  • Employees come and go. If the passwords are the same as people leave and new hires are onboarded, the risk to sensitive data increases since former employees technically still have known passwords to the company’s sensitive information.

  • Monitoring privileged activity is critical. This includes logs, session monitoring, screen recording, keystroke logging, and even application monitoring. Why? If an insider is accessing a sensitive system to steal information, session monitoring can document their access and identify how they extracted the information and when.
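The questions and answers above are, in practice, an account audit: cross-referencing the identity store against HR records to find orphaned, expired, unowned, and stale privileged accounts, plus administrative accounts that are also used for day-to-day work. The following is an added example written for this chapter, not code from the book or from any product it discusses. The roster and account inventory are constructed sample data, and the 90-day privileged password age limit is an assumed policy value.

```python
from datetime import date

# Constructed HR roster: employee id -> (status, contract end date or None).
HR_ROSTER = {
    "E100": ("active", None),
    "E101": ("terminated", None),
    "E102": ("contractor", date(2020, 1, 31)),
    "E103": ("active", None),
}

# Constructed account inventory as it might be exported from a directory.
# "owner" is the HR id the account is tied to; None means nobody claims it.
ACCOUNTS = [
    {"name": "jdoe", "owner": "E100", "privileged": False, "mailbox": True,
     "pw_changed": date(2020, 5, 1)},
    {"name": "jdoe-adm", "owner": "E100", "privileged": True, "mailbox": False,
     "pw_changed": date(2019, 9, 1)},
    {"name": "asmith", "owner": "E101", "privileged": False, "mailbox": True,
     "pw_changed": date(2020, 4, 1)},
    {"name": "vendor1", "owner": "E102", "privileged": True, "mailbox": False,
     "pw_changed": date(2020, 5, 15)},
    {"name": "backup_svc", "owner": None, "privileged": True, "mailbox": False,
     "pw_changed": date(2018, 1, 1)},
    {"name": "cto", "owner": "E103", "privileged": True, "mailbox": True,
     "pw_changed": date(2020, 5, 20)},
]

AUDIT_DATE = date(2020, 6, 1)  # constructed "today" so the run is reproducible


def audit_accounts(accounts, roster, today, max_priv_pw_age_days=90):
    """Return (account name, finding) pairs for the checks in the list above."""
    findings = []
    for acct in accounts:
        name, owner = acct["name"], acct["owner"]
        if owner is None or owner not in roster:
            # Nobody in HR owns it: candidate rogue or shadow IT account.
            findings.append((name, "no owner in HR roster: rogue or shadow IT account"))
        else:
            status, end = roster[owner]
            if status == "terminated":
                findings.append((name, "owner terminated: orphaned account"))
            elif status == "contractor" and end is not None and end < today:
                findings.append((name, "contract ended: third-party access should be removed"))
        if acct["privileged"] and acct["mailbox"]:
            # An admin account with a mailbox is being used for day-to-day work.
            findings.append((name, "privileged account with mailbox: admin used for daily tasks"))
        if acct["privileged"] and (today - acct["pw_changed"]).days > max_priv_pw_age_days:
            findings.append((name, f"privileged password older than {max_priv_pw_age_days} days"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_accounts(ACCOUNTS, HR_ROSTER, AUDIT_DATE):
        print(f"{name:12} {finding}")
```

Each finding maps to one of the bullets: orphaned and expired accounts to the "valid employees only" rule, unowned accounts to the rogue or shadow IT question, stale passwords to the rotation point, and privileged accounts with mailboxes to the "no administrative account for day-to-day usage" rule. In a real environment the two inputs would come from the HR system and the directory rather than literals.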

If you think that following all of these steps to protect against insider threats will make you safe, you are mistaken. The preceding steps assume the threat actor is coming in from the front door to steal information or conduct malicious activity. Insider threats can also evolve from traditional vulnerabilities, weak configurations, malware, and exploits. A threat actor could install malicious data-capturing software, leverage a system’s missing security patches, and access resources using backdoors to conduct similar types of data-gathering activity. Insider threats are about stealing information and disrupting the business, but depending on the sophistication of the threat actor, they can use tools that are traditionally associated with an external threat. Therefore, we need to realize insider threats primarily come from two sides: excessive privileges (covered earlier) and poor security hygiene (vulnerability and configuration management). To that end, all organizations should also enforce these practices and perform these tasks to keep their systems protected:
  • Ensure antivirus or endpoint protection solutions are installed, operating, and stay up-to-date.

  • Allow Windows and third-party applications to auto-update or deploy a patch management solution to apply relevant security patches promptly.

  • Utilize a vulnerability assessment or management solution to determine where risks exist in the environment and correct them in a timely manner.

  • Implement an application control solution to ensure only authorized applications execute with the proper privileges to mitigate the risk of rogue, surveillance, or data collection utilities.

  • Where possible, segment users from systems and resources to reduce “line of sight” risks. That is, make sure your network is segmented, not flat.

While these seem very basic, the reality is that most businesses do not do a good job at even the most basic security. If they do, the risk of insider threats can be minimized by limiting administrative access and keeping information technology resources updated with the latest defenses and security patches. Insider threats are not going away. The goal is to stop the data leakage and be aware that an insider has multiple attack vectors to achieve their goals. As security professionals, we need to mitigate the risks at the source. A briefcase of paper is still an insider threat, but probably not as relevant as a USB stick with your entire database of client information. In the end, an insider still needs privileges to steal all this information.
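The monitoring point made earlier (session and application monitoring that documents how and when an insider extracted information) and the goal of stopping data leakage both come down to the same detection: totalling the rows each account pulls from sensitive data per time window and comparing that against what the account's role should need, so that a standard user accessing data en masse stands out. This is an added example, not code from the book; the log format, the per-role row limits, and the log lines themselves are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit lines in an assumed key=value format. One line is deliberately
# malformed to show that the parser skips it instead of crashing.
LOG_LINES = """\
2020-06-01T09:12:03 user=jdoe role=standard action=query table=clients rows=25
2020-06-01T09:14:40 user=jdoe role=standard action=query table=clients rows=30
2020-06-01T09:20:11 user=asmith role=standard action=export table=clients rows=400
2020-06-01T09:41:58 action=export user=asmith role=standard table=clients rows=450
2020-06-01T10:02:07 user=asmith role=standard action=export table=orders rows=300
2020-06-01T11:30:00 user=dbadmin role=admin action=export table=clients rows=20000
2020-06-01T11:45:00 user=dbadmin role=admin action=export table=clients rows=40000
malformed line that should be skipped
""".splitlines()

# Assumed policy: rows per account per hour. Only administrators are expected
# to touch data en masse, so the standard-user limit is deliberately low.
THRESHOLDS = {"standard": 500, "admin": 50000}

KV_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"user", "role", "action", "rows"}


def parse_line(line):
    """Parse one audit line into a dict, or return None if it is unusable."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2:
        return None
    fields = dict(KV_RE.findall(parts[1]))
    if not REQUIRED <= fields.keys():
        return None
    try:
        fields["ts"] = datetime.fromisoformat(parts[0])
        fields["rows"] = int(fields["rows"])
    except ValueError:
        return None
    return fields


def parse_log(lines):
    return [rec for rec in map(parse_line, lines) if rec is not None]


def find_bulk_exports(records, thresholds):
    """Sum rows per (user, role, hour) and flag windows over the role's limit."""
    totals = defaultdict(int)
    for rec in records:
        window = rec["ts"].replace(minute=0, second=0, microsecond=0)
        totals[(rec["user"], rec["role"], window)] += rec["rows"]
    findings = []
    for (user, role, window), rows in sorted(totals.items(), key=lambda kv: kv[0][2]):
        limit = thresholds.get(role, 0)  # unknown roles get no allowance at all
        if rows > limit:
            findings.append({"user": user, "role": role, "window": window,
                             "rows": rows, "limit": limit})
    return findings


if __name__ == "__main__":
    for f in find_bulk_exports(parse_log(LOG_LINES), THRESHOLDS):
        print(f"{f['window']:%Y-%m-%d %H:00} {f['user']} ({f['role']}) "
              f"{f['rows']} rows > limit {f['limit']}")
```

Two exports of 400 and 450 rows each look unremarkable on their own, which is why the aggregation over a window matters: the account that stays under the radar per query is caught by its hourly total. The same logic applies to session recordings or application logs once they are reduced to who, what, and how much.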

External Threats

Many nursery rhymes have origins that date back hundreds of years. Their meanings have ranged from political satire to simple educational lyrics that were easy for children to remember. The Humpty Dumpty nursery rhyme is arguably one of the most popular in the English language. Its lyrics have evolved since the 1800s, when Humpty Dumpty was slang for a person’s short stature and later came to mean a brandy and ale cocktail. Today’s well-known Humpty Dumpty nursery rhyme has little resemblance to earlier versions, except that it also involves a wall. Let’s now try another interpretation. In relation to privileged attack vectors, Mr. Dumpty works in protecting a firewall, and if he falls off or fails to do his job, neither the information technology team nor the executives may be able to put him back together again. Let’s explore why this nursery rhyme is relevant to external threats. Figure 7-2 is a reminder of its placement in the attack chain.
Figure 7-2. External Threats

Not long ago, a firewall was the primary defense for every organization. Mr. Dumpty was responsible for its configuration, building rules, reviewing logs, and reviewing potential security threats. When something needed to be changed, it was his team’s responsibility to get it done, and done correctly. That still holds true for many organizations today. What has changed is how Mr. Dumpty now has to configure the firewall versus what he did 10 years ago. He now has to consider mobile workers, business-to-business applications, and connections to the cloud. This is why we hear discussions around the “dissolving perimeter” and revelations on how perimeter defense is no longer truly effective. Mr. Dumpty is no longer sitting on a single firewall; he is walking a chain-link fence protecting the interior with multiple zones from attacks all along the exterior. I use the analogy of a chain-link fence since it is no longer a wall with a few ports open, but rather more of a filtered connection model allowing all sorts of communications in, but keeping a potential threat actor at bay. Regardless, it is no longer a single sturdy wall. It is thinner, harder to balance on, and there are many of them protecting a variety of external locations, all relevant to Mr. Dumpty’s mission and job description.

So how can Mr. Dumpty fall? A firewall is not going to block social engineering attacks, phishing emails, ransomware, and web application vulnerabilities. These are all external threats. A firewall is designed to block traditional traffic patterns (inbound and outbound) and block IP addresses and ports from public exposure. Modern firewalls can also analyze traffic for suspicious content, malware, and even data leakage, but can do very little to protect against something that is considered trusted, or involves unpatched vulnerabilities. With all the zones Mr. Dumpty now has to manage, he needs to trust resources far beyond his control and, potentially, far outside of his perimeter. If any one of these is compromised, and lateral movement is possible, then not even a chain-link fence will help.

In the end, the goal is to protect against privileged attack vectors, that is, to protect against an external threat gaining credentialed access (standard or privileged) and to detect, and optionally block, lateral movement between desktops and servers within the same zone, or across zones. This is especially true when a user explicitly attempts a lateral connection via an unauthorized application or command. Mr. Dumpty’s biggest fear is falling from unwanted traffic, communications, and data traveling through his firewall, or to the cloud, that could easily lead to a breach. If that happens, he could fall (metaphorically, lose his job). This is why protecting against lateral movement is so important. Today’s implementations are no longer stone walls; they now allow traffic to flow almost everywhere between trusted zones. An outsider attacking any of these zones is an external threat, and the threat actor’s goal is to gain persistent privileged access.
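The detection described in this paragraph, lateral movement within a zone or across zones, can be expressed as a simple policy check over observed connections: each host belongs to a zone, a small set of flows between zones is approved, and anything else is either peer-to-peer traffic inside a zone or a cross-zone hop that bypasses the approved path. The code below is an added example written for this chapter, not code from the book or any product; the zone map, the allowed-flow table, the port numbers, and the flow records are all constructed for the illustration.

```python
from collections import Counter

# Constructed zone map: host -> zone. Workstations should reach servers only
# through approved services or via the jump host.
ZONES = {
    "ws-01": "workstations", "ws-02": "workstations",
    "jump-01": "jump", "db-01": "servers", "web-01": "dmz",
}

# Constructed policy: (source zone, destination zone, destination port).
ALLOWED = {
    ("workstations", "servers", 443),  # web front end of an internal app
    ("workstations", "jump", 3389),    # admins RDP to the jump host only
    ("jump", "servers", 22),
    ("jump", "servers", 3389),
    ("dmz", "servers", 5432),          # web tier to its database
}

# Constructed flow records (source host, destination host, destination port),
# as a firewall or NetFlow export might summarize them.
FLOWS = [
    ("ws-01", "db-01", 443),
    ("ws-01", "ws-02", 445),        # workstation to workstation
    ("ws-02", "db-01", 3389),       # RDP straight to a server, bypassing the jump host
    ("jump-01", "db-01", 22),
    ("web-01", "ws-01", 22),        # DMZ host reaching back into the interior
    ("ws-01", "unknown-host", 80),  # destination not in the inventory
]


def classify_flow(src, dst, port, zones, allowed):
    """Label one flow as allowed, intra-zone lateral, cross-zone lateral, or unknown-host."""
    src_zone, dst_zone = zones.get(src), zones.get(dst)
    if src_zone is None or dst_zone is None:
        return "unknown-host"           # inventory gap: cannot apply a zone policy
    if (src_zone, dst_zone, port) in allowed:
        return "allowed"
    if src_zone == dst_zone:
        return "intra-zone lateral"     # peers in one zone should rarely talk directly
    return "cross-zone lateral"         # a zone boundary crossed outside the approved paths


def classify_flows(flows, zones, allowed):
    return [(src, dst, port, classify_flow(src, dst, port, zones, allowed))
            for src, dst, port in flows]


def lateral_sources(classified):
    """Count lateral verdicts per source host; a host with several is a pivot candidate."""
    return Counter(src for src, _, _, verdict in classified if verdict.endswith("lateral"))


if __name__ == "__main__":
    for src, dst, port, verdict in classify_flows(FLOWS, ZONES, ALLOWED):
        print(f"{src:8} -> {dst:13} :{port:<5} {verdict}")
    print("lateral sources:", dict(lateral_sources(classify_flows(FLOWS, ZONES, ALLOWED))))
```

The "unknown-host" outcome is worth keeping as its own verdict rather than folding it into "allowed" or "lateral": a host missing from the inventory is exactly the kind of resource outside Mr. Dumpty's control that the text warns about, and the policy cannot be applied to it until it is classified.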

While this section may have been written partly in jest, the point was to make it memorable. Where else would you find Humpty Dumpty in cybersecurity? External threats are the primary attack vector for privileged incidents. They represent the largest percentage of compromises in the industry. This is the biggest change in the universe for privilege management. The most common external threats include the following:
  • Compromised Credentials: Stolen or guessable, default, reused, and so on

  • Remote Access: Vendor, contractor, or remote employee using an insecure communications path

  • Excessive Privileges: Accounts that should have little to no privileges inappropriately configured to have excessive privileges, and leveraged by a threat actor against a resource

  • Unpatched Vulnerabilities: Missing security patches that have not been installed promptly and pose a risk from data leakage and privileged escalation attacks

  • Misconfigurations: Incorrect installation or hardening of a resource from attacks based on a default or insecure installation

Hopefully, this list helps you see a pattern in our discussions and, as we explore further, a strategy for mitigating these threats within your organization.