The Worst Data Breaches Caused by Malicious Insiders
Insider threats occur when employees, contractors, or outsiders holding an insider's credentials misuse the access those credentials grant. Insider threats are commonly grouped into four types: pawns, goofs, collaborators, and lone wolves.
The motivation behind each type is very different, but any of them can cause significant damage, including a data breach. This article defines the four types of insider threat, examines three notorious insider-related breaches, and explores five best practices that can help you avoid becoming the next one.
What Is an Insider Threat?
Insider threats are attacks or abuses of privilege carried out by employees, contractors, or outsiders using compromised insider credentials. Because the actor looks like a legitimate user, they can often move through a system, or remain in it, undetected for long periods: the controls that stop outsiders are simply bypassed by valid access. For that reason, and because of the extent of the damage they can cause, insider threats are considered among the most severe categories of cyber security threat.
Types of Insider Threats
Insider threats differ by the identity of the actor as well as by their intent.
Pawns
A pawn is a staff member or contractor who is tricked or coerced into carrying out an attack or granting access to attackers. Pawns are usually identified and manipulated through social engineering or spear phishing designed to extract sensitive information or actions. For example, a user may unknowingly download malware, enter credentials into a spoofed site, or act on a spoofed message.
An example of an insider threat involving a pawn is the 2015 business email compromise at Ubiquiti Networks. Finance staff fell for a spear-phishing scheme impersonating company executives and transferred about $47 million (part of it later recovered) from a subsidiary's accounts to overseas accounts controlled by the attackers, believing they were acting on orders from senior management.
Goofs
Goofs are insiders who are careless, or who knowingly bypass controls, without intending harm. These users typically believe that security policy does not apply to them, or that they know better than the security team how to keep themselves and their systems safe.
According to a report from Dtex, up to 95% of companies have users attempting to work around security controls. This can be as simple as turning off pop-up blockers, pausing anti-virus software, or storing sensitive data in unapproved cloud storage for convenience.
Collaborators
A collaborator is an insider who chooses to work with external attackers, such as competitors or nation states. These users abuse their legitimate privileges to provide information or access to the third-party, typically in exchange for personal benefit.
Greg Chung, an engineer who passed information to the Chinese government, is an example of a collaborator. Chung worked for Boeing (and Rockwell before it) and over the course of decades stole documents related to the Space Shuttle and other aerospace programs; he was convicted of economic espionage in 2009.
Lone Wolves
A lone wolf is an insider who acts independently and maliciously for their own benefit or purpose. These users often have deep knowledge of the organization and understand exactly how to exploit the access they have been granted.
Edward Snowden, a former CIA employee who was working as a contractor at the U.S. National Security Agency (NSA) at the time, is a frequently cited example of a lone wolf. Snowden used his privileged access to copy and leak classified documents describing NSA surveillance programs, presenting himself as a whistleblower.
Real Life Data Breaches Caused by Malicious Insiders
There are plenty of examples in companies of all sizes in which insiders contributed to massive data breaches. Below are a few examples from some well known organizations.
Waymo
Waymo began as Google's self-driving car project. In 2016, a lead engineer on the project left to found a startup, Otto, which Uber acquired a few months later; the engineer was then put in charge of Uber's autonomous vehicle effort. This would have been unremarkable, except that before leaving he had taken trade secrets and proprietary information that were later used at Otto and Uber.
The theft happened after the engineer became unhappy in his role and began trying to recruit colleagues to leave with him. Google did not discover it until months later, after Uber had already acquired Otto. A forensic investigation then showed that shortly before resigning the engineer had connected directly to a design server, downloaded roughly 14,000 files to his laptop, and copied them off to a removable drive.
Waymo valued the stolen work at up to $1.1 billion and sued Uber for trade secret misappropriation. The case settled in 2018, with Uber paying Waymo about $245 million in Uber equity and agreeing not to use any of the stolen material in its hardware or software. The engineer was later criminally charged and pleaded guilty to trade secret theft.
Anthem
In 2017, Anthem, the second-largest health insurer in the U.S., disclosed a breach that originated with a third-party vendor, LaunchPoint Ventures, which handled insurance coordination services for Anthem. The incident was not an external compromise of LaunchPoint's systems but an insider abusing legitimate access.
A LaunchPoint employee emailed a file containing protected health information (PHI) from their work device to their personal email address. The file held data on around 18,500 Anthem members, including enrollment dates, ID numbers, and Medicare contract numbers. Whether the information was ever used maliciously is unknown.
To remediate the issue, LaunchPoint notified the affected members and offered two years of credit monitoring and identity theft restoration services. Although the breach occurred at LaunchPoint, the fact that it was acting as Anthem's contractor meant the reputational damage landed on the insurance giant. The practical lesson is that a vendor's data-handling controls (for example, blocking or alerting on PHI attachments sent to personal webmail) are part of your own attack surface.
Capital One
In 2019, a former software engineer at Amazon Web Services (AWS) breached Capital One, which hosted data on AWS. The attacker no longer had any legitimate access; what she had was insider knowledge of how the cloud environment worked. She exploited a misconfigured web application firewall with a server-side request forgery, used it to obtain temporary credentials for an IAM role from the instance metadata service, and used those credentials to list and copy data from Capital One's storage buckets. Over 100 million customer records were exposed, including account information and credit card applications. According to Capital One, no log-in credentials or credit card account numbers were compromised, although some Social Security and bank account numbers were.
The case was unusual because the attacker made no effort to hide what she had done. She described her methods to others over Slack and posted material to her personal GitHub account, which is how she was identified. She was arrested and charged under the Computer Fraud and Abuse Act. Capital One estimated the cost of the breach at $100 million to $150 million.
5 Best Practices to Avoid Data Breaches
Today’s information security landscape provides organizations with a wide range of tools and techniques designed to combat unauthorized access and prevent insider threats. Here are five areas you can start with.
1. User behavioral analytics
User behavior analytics (UBA) uses statistical and machine learning (ML) models to spot potential threats, whether they originate inside or outside the organization. Rather than relying on threat signatures or a fixed notion of what a privileged user is allowed to do, it builds a baseline of each user's normal behavior and looks for deviations from it.
If a user begins logging in at unusual hours, accessing data they have never touched, or uploading far more than usual, the activity is flagged and investigated. This catches attacks that signature-based systems miss precisely because the attacker is using valid credentials; the Waymo engineer's bulk download and the LaunchPoint employee's email to a personal address are both deviations a baseline would show.
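The baseline-and-deviation idea above, as an added example that is not part of the original article: each user's login hours and daily download volume are learned from a training window, then later days are scored against that baseline. The audit events, the user names, the ten-day training window and the z-score threshold of 3 are all constructed assumptions for illustration.

```python
"""Toy user-behaviour baseline over constructed audit events (added example, not product code)."""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed sample events: (user, ISO timestamp, action, bytes). Not real log data.
EVENTS = []
for d in range(1, 11):  # ten ordinary working days for alice and bob
    EVENTS += [
        ("alice", f"2024-03-{d:02d}T09:15:00", "login", 0),
        ("alice", f"2024-03-{d:02d}T09:20:00", "download", 2_000_000 + 100_000 * d),
        ("alice", f"2024-03-{d:02d}T14:30:00", "download", 3_000_000),
        ("bob", f"2024-03-{d:02d}T08:05:00", "login", 0),
        ("bob", f"2024-03-{d:02d}T10:00:00", "download", 500_000 + 50_000 * (d % 3)),
    ]
# Day 11: alice logs in near midnight and pulls a repository-sized volume; bob is normal.
EVENTS += [
    ("alice", "2024-03-11T23:40:00", "login", 0),
    ("alice", "2024-03-11T23:45:00", "download", 9_000_000_000),
    ("bob", "2024-03-11T08:10:00", "login", 0),
    ("bob", "2024-03-11T10:05:00", "download", 550_000),
]

BASELINE_END = date(2024, 3, 10)  # assumed: days up to and including this one train the baseline
Z_THRESHOLD = 3.0                 # assumed: flag daily volume more than 3 standard deviations above mean


def _parse(ev):
    user, ts, action, nbytes = ev
    return user, datetime.fromisoformat(ts), action, nbytes


def build_baseline(events, baseline_end=BASELINE_END):
    """Per user: the set of hours they were active, plus mean/stdev of daily download bytes."""
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for user, when, action, nbytes in map(_parse, events):
        if when.date() > baseline_end:
            continue
        hours[user].add(when.hour)
        if action == "download":
            daily[user][when.date()] += nbytes
    baseline = {}
    for user in hours:
        totals = list(daily[user].values()) or [0]
        baseline[user] = {"hours": hours[user], "mean": mean(totals), "stdev": pstdev(totals)}
    return baseline


def flag_anomalies(events, baseline, baseline_end=BASELINE_END):
    """Return (user, day, reason) for post-baseline activity that deviates from the user's norm."""
    findings = []
    daily = defaultdict(lambda: defaultdict(int))
    for user, when, action, nbytes in map(_parse, events):
        if when.date() <= baseline_end:
            continue
        b = baseline.get(user)
        if b is None:  # never seen during training: cannot score, but worth a look
            findings.append((user, when.date(), "no baseline for user"))
            continue
        if when.hour not in b["hours"]:
            findings.append((user, when.date(), f"{action} at unusual hour {when.hour:02d}"))
        if action == "download":
            daily[user][when.date()] += nbytes
    for user, days in daily.items():
        b = baseline[user]
        for day, total in days.items():
            if b["stdev"]:
                z = (total - b["mean"]) / b["stdev"]
            else:  # constant history: any increase is out of pattern
                z = float("inf") if total > b["mean"] else 0.0
            if z > Z_THRESHOLD:
                findings.append((user, day, f"daily download volume z={z:.1f}"))
    return findings


if __name__ == "__main__":
    for finding in flag_anomalies(EVENTS, build_baseline(EVENTS)):
        print(*finding)
```

On the constructed data only alice is flagged, once for the volume and twice for the hour; bob's day looks like every other day. A real deployment would use rolling windows, per-resource baselines (which repositories a user normally touches), and peer-group comparison, but the scoring logic is the same.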
2. Strong password policies
Strong password policies help ensure credentials are not compromised by brute-force or credential-stuffing attacks. Policies can also prevent password reuse and require that any password known to have been exposed in a breach is rejected or invalidated. Current guidance (for example NIST SP 800-63B) favors checking candidate passwords against lists of known-breached passwords and enforcing a sensible minimum length over mandatory periodic rotation and complexity rules. Policy should also cover training, so that employees understand credential hygiene and can recognize phishing attempts.
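A policy check of that kind, as an added example that is not from the original article: minimum length, a breached-password lookup done the way k-anonymity range APIs work (only the first five hex characters of the SHA-1 are sent; the suffix is compared locally), and a salted-hash password history so the raw password is never stored. The breached-password corpus, the 12-character minimum and the PBKDF2 parameters are constructed assumptions.

```python
"""Password policy check with breach lookup and salted history (added example)."""
import hashlib
import hmac
import secrets

MIN_LENGTH = 12  # assumed policy minimum

# Constructed stand-in for a breached-password corpus. A real deployment would query a
# k-anonymity range endpoint or a local copy of the list; the lookup shape is identical.
_BREACHED = ["password", "123456", "qwerty", "Winter2024!", "letmein", "P@ssw0rd"]


def _sha1_hex(pw):
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def _build_range_index(corpus):
    """Index suffixes by 5-hex-char prefix, mirroring how range responses are served."""
    index = {}
    for pw in corpus:
        h = _sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


RANGE_INDEX = _build_range_index(_BREACHED)


def lookup_range(prefix):
    """Simulated range query: caller sends only the prefix, receives every matching suffix."""
    return RANGE_INDEX.get(prefix.upper(), set())


def is_breached(pw):
    h = _sha1_hex(pw)
    return h[5:] in lookup_range(h[:5])  # the full hash never leaves the client


def hash_for_history(pw, salt=None):
    """Salted PBKDF2 digest for the password-history list; iteration count is an assumption."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 200_000)


def check_password(pw, history=()):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(pw):
        problems.append("appears in a known breach corpus")
    for salt, digest in history:
        if hmac.compare_digest(hash_for_history(pw, salt)[1], digest):
            problems.append("matches a previous password")
            break
    return problems


if __name__ == "__main__":
    for candidate in ["password", "Winter2024!", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

The same `is_breached` check, run against the breach corpus when a new list is published rather than only at password-change time, is how "exposed passwords are invalidated" becomes an automated control instead of an annual reminder.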
3. Two-factor authentication (2FA) and multifactor authentication (MFA)
MFA and 2FA are authentication methods that require a password (or other credential) plus at least one further, independent proof of identity. They add an extra layer of protection to user log-ins, so that a stolen or phished password alone is not enough.
Authentication factors fall into three categories: knowledge (something the user knows, such as a password or PIN), possession (something the user has, such as a hardware token, smart card, or phone), and inherence (something the user is, such as a fingerprint or voice). A second password is not a second factor; MFA combines factors from different categories. Note that one-time codes delivered by SMS or an authenticator app can still be phished in real time by the same social engineering that turns an employee into a pawn, so for high-value accounts prefer phishing-resistant possession factors such as FIDO2/WebAuthn security keys.
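To make the possession factor concrete, here is an added example (not code from the original article) of the time-based one-time password scheme that authenticator apps implement: HOTP per RFC 4226 and TOTP per RFC 6238, plus a verifier that tolerates one step of clock skew and compares in constant time. The 20-byte demo secret is the one used for the RFC test vectors; the base32 helper and the skew of one step are assumptions.

```python
"""HOTP/TOTP generation and verification (added example implementing RFC 4226 / RFC 6238)."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with the counter set to the number of whole time steps since the epoch."""
    return hotp(key, unix_time // step, digits, algo)


def verify_totp(key, submitted, unix_time, step=30, digits=6, skew=1):
    """Accept the code for the current step or any neighbour within +/- skew steps.

    Every candidate is compared with hmac.compare_digest so timing does not leak which
    digits matched. A production verifier must additionally remember the last accepted
    counter per user and refuse anything at or below it, so a code cannot be replayed.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(key, counter + d, digits), submitted)
        for d in range(-skew, skew + 1)
    )


def secret_from_base32(text):
    """Decode the base32 secret shown in provisioning QR codes (padding is often omitted)."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


if __name__ == "__main__":
    demo_key = b"12345678901234567890"  # RFC test-vector secret; never reuse a demo key
    now = int(time.time())
    print("current code:", totp(demo_key, now), "valid:", verify_totp(demo_key, totp(demo_key, now), now))
```

The test vectors from RFC 6238 (for example, 8-digit code 94287082 at time 59 with the demo secret) are a useful regression check when wiring this into a login flow. The block also shows why TOTP is phishable: the verifier cannot tell whether the six digits were typed by the user or relayed by an attacker's proxy within the 30-second window, which is the gap FIDO2/WebAuthn closes by binding the response to the site origin.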
4. Monitor user activity
Monitoring user activity is the primary way to detect suspicious actions or events. Without it, you rely on luck, or on visible harm, to learn that an attack has occurred.
Several monitoring tactics are available, including log analysis, rule-based alerts, and the behavioral analytics described above. Log analysis correlates log data from different systems to establish what actions users are taking and when. Rule-based alerts encode known-bad patterns, such as a bulk export from a source repository followed shortly by a removable-media mount, or a message with a sensitive attachment sent to a personal webmail domain, and notify the security team when they occur.
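An added example (not from the original article) of log correlation with rule-based alerts: key=value audit lines from a source server, endpoint agents and a mail gateway are parsed into events, and two rules are run over them, one modelled on the Waymo pattern (bulk export then removable media within 30 minutes) and one on the LaunchPoint pattern (a PHI-labelled attachment to a personal webmail domain). The log format, the webmail domain list, the 1 GB threshold and the 30-minute window are constructed assumptions.

```python
"""Rule-based alerting over constructed key=value audit lines (added example)."""
import re
from datetime import datetime, timedelta

# Constructed audit lines; not real logs. Format: ISO timestamp followed by key=value pairs.
LOG_LINES = [
    "2024-03-11T23:45:10 host=svn01 user=alice event=repo_export size=9000000000",
    "2024-03-11T23:52:03 host=lt-alice user=alice event=usb_mount device=removable",
    "2024-03-12T08:00:00 host=svn01 user=bob event=repo_export size=40000000",
    "2024-03-12T09:10:00 host=mail01 user=carol event=mail_sent to=carol.home@gmail.com attachment=enrollment.xlsx labels=PHI",
    "2024-03-12T09:12:00 host=mail01 user=dave event=mail_sent to=partner@vendor.example attachment=agenda.docx labels=none",
    "2024-03-12T17:30:00 host=lt-bob user=bob event=usb_mount device=removable",
]

PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}  # assumed list
SENSITIVE_LABELS = {"PHI", "PII", "SECRET"}                                      # assumed DLP labels
BULK_EXPORT_BYTES = 1_000_000_000                                               # assumed: 1 GB
EXPORT_TO_MEDIA_WINDOW = timedelta(minutes=30)                                  # assumed window

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one audit line into a dict of fields plus a parsed 'ts' datetime."""
    ts, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def rule_sensitive_mail_to_webmail(events):
    """Outbound mail carrying a sensitive label to a personal webmail domain."""
    alerts = []
    for e in events:
        if e.get("event") != "mail_sent":
            continue
        domain = e.get("to", "").rpartition("@")[2].lower()
        labels = set(e.get("labels", "").split(","))
        if domain in PERSONAL_WEBMAIL and labels & SENSITIVE_LABELS:
            alerts.append({"rule": "sensitive-mail-to-webmail", "user": e["user"], "ts": e["ts"]})
    return alerts


def rule_bulk_export_then_removable_media(events):
    """A bulk repository export followed, by the same user, by a removable-media mount."""
    alerts = []
    exports = [e for e in events
               if e.get("event") == "repo_export" and int(e.get("size", 0)) >= BULK_EXPORT_BYTES]
    mounts = [e for e in events if e.get("event") == "usb_mount"]
    for x in exports:
        for m in mounts:
            if m["user"] == x["user"] and timedelta(0) <= m["ts"] - x["ts"] <= EXPORT_TO_MEDIA_WINDOW:
                alerts.append({"rule": "bulk-export-then-removable-media", "user": x["user"], "ts": m["ts"]})
    return alerts


RULES = [rule_sensitive_mail_to_webmail, rule_bulk_export_then_removable_media]


def evaluate(lines):
    """Parse every line once, then run each rule over the shared event list."""
    events = [parse_line(line) for line in lines]
    return [alert for rule in RULES for alert in rule(events)]


if __name__ == "__main__":
    for alert in evaluate(LOG_LINES):
        print(alert["ts"], alert["rule"], alert["user"])
```

On the constructed lines, alice and carol each trigger one alert; bob's small export and his unrelated USB mount nine hours later do not. The value of correlation is in the second rule: neither a repository export nor a USB mount is alarming alone, and only a system that sees both sources can join them.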
5. Endpoint security
Endpoint security protects your endpoint devices and the network perimeter. Endpoints are the entry points for external attackers and the exit points for breached data, so monitoring and securing them lets you stop attackers before they gain a foothold and stop sensitive data from leaving.
In addition to basic firewalls and access controls, consider next-generation antivirus (NGAV) and endpoint detection and response (EDR). NGAV tools aim to detect or block malware even when it has not been seen before. EDR tools record endpoint activity (process execution, file access, removable-media use, network connections) so that the security team can monitor, analyze, and respond to it, with automation where appropriate.
Conclusion
Insider threats are hard to catch, but not impossible. Tools and practices exist today that help prevent unauthorized access to company resources and expose misuse of authorized access. UBA is especially valuable here because it distinguishes a user's normal behavior from malicious activity even when the credentials in use are valid. To protect the credentials themselves, enforce strong password policies and require 2FA or MFA, preferring phishing-resistant factors where you can.