Understanding and Combating Insider Threat
By Sanjay Aurora, MD of Asia Pacific, Darktrace
Do you know that it takes close to eight months for a company to realise that it has been breached and critical systems compromised? Gone are the days of clear-cut breaches such as information being stolen or websites defaced. In their place are the quiet and unseen attacks – insider threat – perpetrated by someone within the organisation, either inadvertently or with malicious intent, who changes systems at will or installs kill switches ready to be activated.
These attacks are sophisticated, crossing boundary defences only once and never sending information out. Recent headline-grabbers, from the Panama Papers leak to the hack of the Democratic National Committee’s (DNC) network, all indicate insider threat. These attacks occurred despite the deployment of advanced cyber-security software and policies, underscoring the insidious nature of insider threat. In the case of the DNC breach, the hacker capitalised on a Windows vulnerability and remained in the network for allegedly close to a year, outwitting all detection attempts by stealthily relocating his Trojan from one machine to another.
“New machine learning technology powered by advanced mathematics can act as an enterprise’s ‘immune system’”
The impact of such threats would be even more keenly felt closer to home, with the Asia Pacific (APAC) region a growth driver for many companies. In fact, APAC businesses experienced revenue losses of US$ 81.3 billion from cyber-attacks over the past year, significantly more than their counterparts in Europe and the United States. Furthermore, with the Smart City vision sweeping through APAC from Singapore to Seoul, the importance of a strong cyber security posture cannot be ignored.
Fortunately, such circumstances have not gone unnoticed. APAC organisations have projected cyber security investments to increase to US$ 30.39 billion in 2020. That said, even as reactionary measures are ramped up en masse to combat the increasing deluge of cyber-crime, are resources being channelled in the right direction? The majority of such expenditure is rooted in perimeter-based protection, which defends via pre-defined rules or outcomes derived from previously-known attacks.
This does not safeguard against the hackers of this age. They are sophisticated, and pre-emptively change just enough of their malicious code to appear legitimate. The malware they use, perceived as an authentic “insider” by perimeter defences, uses machine intelligence to mimic authorised devices and accounts as it gradually infects the network. Embedded in the enterprise, such software can trigger fatal attacks upon a hacker’s command. For perimeter approaches to prevent such devastation, they would need a complete archive of all known and future threats - an undoubtedly impossible feat. This was played out earlier this year, when cyber-criminals, under the cloak of legitimate credentials, pulled off a US$ 81 million heist from Bangladesh Bank’s accounts. They achieved what was formerly thought impossible, by infiltrating traditionally foolproof methods of financial transaction that had until then been perceived as critically secure.
The magnitude of such “insider” sabotage is compounded by the use of social media and the Internet of Things. With 2.3 billion active social media users and a projected 6.4 billion connected “things” worldwide in 2016, any network connection is potentially an attack vector. Maintaining complete vigilance over such networks, or fortifying their borders, is virtually impossible for system administrators.
With the shadow of insider threat looming, the mindset that APAC organisations should adopt is to assume the worst – that they have already been infiltrated by attackers. The trick is then to use advanced machine learning and mathematics to join the dots and understand where a cluster of behaviours might point to malicious activity, which is then escalated to an administrator for investigation and intervention.
This is analogous to the make-up of our human immune system, which is based on a notion of early detection and intervention. Our body is able to identify viruses because it has learnt a sense of “self” – meaning that it differentiates between what is inherent to the body and what is manifestly ‘anomalous’. The process must be undertaken quickly too, eradicating diseases before they have spread.
Likewise, new machine learning technology powered by advanced mathematics can act as an enterprise’s ‘immune system’. Such technology is able to learn on its own and intervene early in suspicious activity, without looking for pre-categorised threats. Messy, data-rich networks can thus be transformed from big liabilities into valuable troves of insight for such technology to better identify insider threats.
To counter the inevitable onslaught of cyber-attacks in an age where fortifying the perimeter is simply not enough, APAC organisations should strongly consider an immune system approach to detect and combat threats that bypass other security controls.