Insider attacks are one of the most serious cybersecurity threats organizations face today. The vast majority of insider attacks are not malicious on the insider's part: they usually take the form of employees falling for increasingly sophisticated phishing attacks.
For this reason, phishing awareness training is becoming an increasingly important part of employee training. However, this may not be enough in the future. It appears that ransomware gangs are now trying to recruit employees to help them infiltrate networks.
Some ransomware gangs are offering sums as high as millions of dollars to anyone willing to betray their employer. This tactic is relatively new, and so far has mainly been used by Lockbit 2.0. However, other threat actors have also used similar tactics: one Nigerian threat actor reportedly emailed employees offering 40 percent of a $2.5 million ransom if they helped install DemonWare ransomware.
This presents a conundrum for organizations of all kinds. Employee burnout is a real problem, and if hackers are standing by offering several years' salary in exchange for simply inserting a USB stick into a computer or handing over some login credentials, that is a serious security risk. Even the biggest cybersecurity budget cannot protect against this attack vector.
So what can be done to protect against this danger? Here are a few tips on how to reduce the risk of insider attacks.
Implement the Principle of Least Privilege
The biggest step any organization can take to reduce the risk of insider attacks is implementing a sound access management strategy. This is sometimes called "the principle of least privilege."
In many networks, employees have far more privileges than they need to do their job. These privileges give them access to parts of the broader network that ransomware hackers need to reach in order to launch an effective attack.
Limiting the number of accounts with administrative privileges makes your network's attack surface much smaller, which in turn makes it much easier to vet the remaining privileged employees and prevent potential insider attacks.
To implement the principle of least privilege:
Regularly audit all account privileges to make sure privileges match duties.
Set all accounts to the minimum level of privileges by default.
Separate accounts with higher privileges from those with lower privileges.
Implement "just in time" privileges (i.e., one-time passwords).
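As an added illustration of the first three steps (not code from the original article), the script below runs a least-privilege audit over a constructed snapshot of accounts: every account's group memberships are compared against the groups its job role is entitled to, and it flags undocumented roles, excess groups, and administrative groups sitting on a daily-use account instead of a separate privileged one. The role names, group names and policy are all assumptions made for the example.

```python
from dataclasses import dataclass

# Groups whose membership grants administrative rights (constructed names).
PRIVILEGED_GROUPS = {"Domain Admins", "Server Admins", "Backup Operators"}
# Role -> groups that role legitimately needs (constructed policy).
ROLE_POLICY = {
    "accountant": {"Finance-RO", "VPN-Users"},
    "developer": {"Dev-Git", "VPN-Users"},
    "sysadmin": {"VPN-Users"},  # admin rights only via a separate admin account
}

@dataclass
class Account:
    name: str
    role: str
    groups: set
    is_admin_account: bool = False  # True for a dedicated privileged account

def audit(accounts, policy=ROLE_POLICY, privileged=PRIVILEGED_GROUPS):
    """Return (account, issue, detail) findings: privileges must match duties,
    be minimal by default, and privileged accounts must be kept separate."""
    findings = []
    for acct in accounts:
        allowed = policy.get(acct.role)
        if allowed is None:
            # No documented duties, so no privilege can be justified at all.
            findings.append((acct.name, "unknown-role", acct.role))
            continue
        if acct.is_admin_account:
            # A dedicated admin account may hold privileged groups but nothing
            # else; day-to-day groups belong on the person's standard account.
            extra = acct.groups - privileged
        else:
            extra = acct.groups - allowed
            if acct.groups & privileged:
                findings.append((acct.name, "admin-on-daily-account",
                                 sorted(acct.groups & privileged)))
                extra -= privileged
        if extra:
            findings.append((acct.name, "excess-groups", sorted(extra)))
    return findings

# Constructed snapshot; in practice this comes from a directory export.
SAMPLE = [
    Account("alice", "accountant", {"Finance-RO", "VPN-Users"}),
    Account("bob", "developer", {"Dev-Git", "VPN-Users", "Domain Admins"}),
    Account("carol", "sysadmin", {"VPN-Users"}),
    Account("carol-adm", "sysadmin", {"Server Admins", "Dev-Git"}, True),
    Account("dave", "contractor", {"VPN-Users"}),
]
if __name__ == "__main__":
    for name, issue, detail in audit(SAMPLE):
        print(f"{name}: {issue}: {detail}")
```

Run against a real export, the findings list becomes the worklist for the regular privilege review: each entry is either a privilege to remove or a role policy that needs updating.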
Increase Reliance on Monitoring and Detection
Many companies understandably focus on trying to prevent hackers from penetrating the network with firewalls, antivirus software, and keeping systems up to date with patches. This is an essential part of a comprehensive cybersecurity strategy, but it is only the first line of defense.
A second line of defense is to continuously monitor both internal and external network traffic to detect unusual behavior. In this way, it is often possible to catch a breach early and stop it before the attacker is able to escalate privileges and spread through the network.
A growing number of managed detection and response (MDR) services offer this capability remotely, so there are options even if you cannot afford to do it in-house.
Prevent Lateral Spreading
The more of a network a ransomware attack can infect, the more effective it will be. If hackers can only encrypt part of a network, they may not even be able to freeze a company’s operations. Even if they are able to demand a ransom, less encrypted data usually means the ransom demand will be much lower.
Setting up strong measures for preventing lateral spreading can be an effective means of damage control in the event that your network is breached.
Make Actions Traceable
User IDs and one-time passwords can make it easier to trace the origin of an attack. Even if data is encrypted and you choose not to pay the ransom, free decryption tools are in some cases released for the ransomware later on.
The recovered data can then be analyzed for forensic evidence that could implicate an employee involved in an insider attack. Making sure every action is tied to a specific user also acts as a deterrent, because employees contemplating an insider attack will understand that it can be traced back to them.
Last, but certainly not least, keep a good relationship with employees and foster a healthy workplace culture. If people like their job and their colleagues, they will be much less likely to want to help attackers infiltrate the network.