Insiders, Malicious or Careless

I have written extensively about insider threats and I always touch on it when speaking about cyber-financial security. I am usually rebuffed by small business owners when I urge them to consider insider threat security and mitigation efforts. The counterarguments are usually something along the lines of “I only have 10 employees” or “We're like a family, I don't employ anyone I don't trust”. Their feelings quickly change when I explain that not all dangerous insiders are malicious. The term “threat” has such a harsh connotation that most people assume the insider had serious and deliberate intent to do the business harm. In most cases, though, the employee that caused the damage just did something stupid. They clicked a link, were socially engineered by a phone caller, or published proprietary code to an open GitHub repository. I usually ask them about the receptionist who is a little too chatty with visitors or the bills payable clerk who has failed the phishing simulation audit every single time.

When it comes to small business security, the most dangerous employee can sometimes be the least suspected. And really good employees can become threats at any point. What about the employee who suddenly falls on hard times or has a minor surgery that leads to drug dependency? What about the employee that didn't get the promotion? These employees would never have considered acting against their employer if it had not been for their unfortunate life situation. But drug addiction, financial distress, relationship turmoil, or animosity from discipline can make people act out of character.

Every business, no matter the size, needs to have an insider threat program, even if it is just the business owner or a manager monitoring employee behavior and attitudes. Sally is going through a bad divorce. Bob is spending a lot of time at the casino and looks like he hasn't been taking care of himself. Jane is really, really mad she didn't get that project manager position.

External attackers are constantly seeking to turn these otherwise complacent employees bad. Case in point, the Abnormal Security team recently reported on a cybercrime group that is actively recruiting people who are willing to infect their employer's computer network. The group is willing to pay the turncoat 40% of the collected ransom payment. The solicitation noted that a 2.5 million dollar ransom payment would net the insider a million-dollar commission. All they have to do is click the link in an email or plug in a USB thumb drive. That might be an offer too good to resist for someone who has life challenges or is seething with resentment.

In June, the LockBit Ransomware Group kicked off a campaign to spread its updated malware, LockBit 2.0. The group specifically sought insiders who could provide Remote Desktop Protocol (RDP), Virtual Private Network (VPN), or email credentials to corporate networks it had already compromised. The intent of the effort seems to be ensuring that the group maintains a backdoor into the network even after the attack is remediated.

And just to show that no organization is immune from dangerous insiders, the Conti Ransomware group was attacked by one of their own. In early August, an affiliate of the group posted several confidential training documents to a Russian forum. The insider revealed IP addresses linked to the group's infrastructure and copies of internal chat logs. The disgruntled employee alleged financial exploitation by the leaders. I guess that's irony.

There can be a fine line between intentionally malicious and careless. Some say the line is even finer between careless and stupid. Regardless, any one of an organization's employees can become an insider threat, and at any moment. The leader of an organization that claims they are too small or too tight-knit to suffer a betrayal is too naive to lead.

I usually end my conversations with the question “Do you have an employee that you wouldn't trust your pets with?” If the answer is yes, for any reason, then you have insider threat potential.