The recent BCS Information Security Specialist Group conference in Edinburgh focussed on the threat from Insiders. The main focus was on how individuals with authenticated access can do real damage to an organisation. A lot of effort within organisations goes into tackling the threat from Insiders and it is often treated as a separate category of threat. But is this right? Should the Insider threat be treated in isolation?
Defining the Insider Threat
The insider threat is often defined as someone acting from within an organisation’s internal systems. This is principally treated as an individual with authenticated access and stands in contrast to an external attack, which originates outside of the organisation and does not have permission to access the network. These definitions result in these threats being treated separately and in isolation from each other.
The idea of there being a difference between an insider and an outsider is predicated on the assumption that there is a clear boundary between the internal network of an organisation and the outside world. However, in today’s world the reality is very different. There is often a blurred line between what is an internal system and the outside world. The boundary is no longer at the firewall; the real edge of your network is now the user’s device, be it a smartphone, laptop or home PC (using remote access to the organisation). This is because the end user device has Internet connectivity for email or web browsing, and in many organisations egress filtering is lacking and services such as instant messaging can be used. This enables organisations’ internal systems to become visible to an external attacker, even where inbound filtering has been implemented. These recent developments in end user devices therefore provide greater opportunities for an external attacker to compromise a device and use it to access an internal system.
External Attack – Inside Threat
Historically, where an attacker is able to compromise a user’s device, the expected action is to then use this to attempt further compromise of the internal network. This approach can be quite noisy and may prompt internal alerting but, if successful, enables the attacker to gain access to internal systems. This method makes it obvious that the external attacker has broken into the network.
However, an external attacker can also choose to masquerade as the user within the internal network and access systems and resources within the context of that user. One approach to achieve this would be for the attacker to use the user’s security token that is stored within the operating system. It is possible to ‘steal’ this token and assume the user’s identity within the internal network. At this point the external attacker can be seen to be an ‘insider’ threat, as they are now conducting attacks against the organisation’s data as an internal user would.
Detecting the Insider – External Attack
An external attacker can develop this technique to gain the information required without arousing suspicion. If the user doesn’t have the level of access required, the attacker can steal other valid tokens and use this approach to escalate a user’s privileges, even to administrator level. Doing so enables the attacker to then target information held within the network without the need to conduct further hacking or compromises. The key point here is that the traffic generated would look like normal network traffic and access to systems would be as valid users.
Insider / Outsider - Does it Matter?
This example demonstrates that an external attacker can act as an ‘Insider’ threat would. Organisations continue to define the Insider threat as the authenticated user within their firewall; however, the recent developments in end user devices have provided greater opportunities for an external attacker to access a network masquerading as an ‘Insider’. The Insider Threat is based on outmoded definitions of what is inside the network and no longer effectively describes the threat. These definitions are no longer relevant. So how do we deal effectively with the ‘Insider Threat’?
As an external attacker could choose to access a network and masquerade as an insider, there is little value in focussing too much on the classic insider / outsider threat categories. Instead, organisations should focus their security on what an attacker could do, regardless of their starting point, and look to be able to detect, react to and recover from ‘any’ compromise. By taking this resilient approach to security, organisations are better equipped to identify, respond to and recover from an attack regardless of where it originated.