3 Tips to Protect Employees From External Exploitation Threats

Not all insider threats are what they appear to be. We are all familiar with the insider who maliciously takes action against their organization, using their access to cause harm. They have their own motivations, usually straight-up financial ones, though factors like revenge, ideology or other grievances can definitely play a part. But increasingly, we are seeing attacks in which an outsider uses an employee's compromised credentials to carry out what is, in effect, an insider attack.

In this post, we want to look at how credentialed insider attacks work, as well as how to avoid situations where negligence on the part of your users can lead to attacks like these being successful.


Credentialed Insider Versus Classic Malicious Insider Threats

Beyond the obvious, there are a couple of differences that are worth considering between the external and internal threat actors.

Insider attacks are on the rise. In 2022, 67% of organizations experienced at least 21 insider threat incidents.

However, there are still far more people on the outside of your organization that want to cause you harm. If your experience differs here, consult your HR team for much-needed introspection and intervention.

The basic point is that, statistically, you are more at risk from outsiders just based on scale.

However, the reason that the classic insider threat is such a concern is that they hold legitimate credentials for your network and resources, so their activity raises little to no suspicion to the untrained human eye unless they make a glaring mistake.

Not only are these people harder to detect, but they also know where all the good stuff is hidden. This means that they can move more efficiently toward their target, avoiding the bumbling that an outsider might experience while figuring out where to navigate once they are inside.

Credentialed insiders, by contrast, are external hackers who have taken over an account with legitimate credentials and can masquerade as one of your employees to move about freely.

Let’s start by seeing how these attacks are usually carried out to better understand how to stop them.

How Credential Attacks Work

There are different types of attacks where the adversary has partial information about your credentials, with password spraying, brute force and credential stuffing all falling somewhere on the spectrum between persistence and dumb luck.

For our purposes, we are going to walk through a more directed attack where the adversary has full credentials and has done their research on you to carry out a specific goal.

First, the attacker obtains credentials: harvested from online forums, bought in a mass list or captured through phishing. Spear phishing is the most effective route, but it is also the most resource intensive.

If multifactor authentication (MFA) is not enabled, then it’s Yahtzee for the attackers. With no additional barrier beyond the basic username and password, they can just waltz in without defenses standing in their way.

If MFA has been enabled, as it should be, then the attacker has to get around it. With a little bit of social engineering and some simple web design, in some cases, it’s not that hard to do. You simply have to ask for it.

There are a couple of ways to do this, depending on how much time, effort and resources the attacker wants to invest.

Just Ask For the Passcode

One common method is to attempt a login with the compromised credentials, which triggers the one-time passcode (OTP), usually five to six digits, to be sent to the victim. The attacker then contacts the victim over SMS or another channel and asks for that code.

This often entails the attacker pretending to be from IT or something similar, telling the target that they need the code to fix something for them.

Attacker in the Middle

Another way is to set up what is called an attacker-in-the-middle (AITM; formerly known as man-in-the-middle). This requires the attacker to build lookalike copies of the login page and of the page where the user enters their MFA confirmation code.

The attacker will then send the target an email telling them that they need to log in for some reason. A classic example would be pretending to be from your bank and telling you that there is suspicious activity, and you really need to log in with the link in the email to confirm that everything is okay.

That link takes the target to the fake login page which collects the credentials. The attacker puts those credentials into the real bank page, triggering the MFA passcode to be sent. The target then inputs the code into the fake MFA page, handing it over to the attacker.

MFA Bombing for Push Authentication

As many organizations have advanced to push notifications, removing the passcode from the equation and taking advantage of the biometric authentication on devices, attackers have evolved, too (by devolving into sophomoric pests).

In this scenario, the attackers try to get the target to approve the MFA prompt sent to their mobile device by harassing them into submission.

In the case of Uber, the attackers sent their target a wave of push notification requests in the middle of the night. The tired engineer eventually just approved in hopes of getting some peace.

Remember the golden rule of hacking: It’s not stupid if it works.

Once the attacker has made it past the authentication stage, they have the same access as the legitimate identity, which is what makes this threat so serious.

Tips for Stopping the Credentialed Insider

While the risks from this threat actor are significant, there are steps to take to improve our odds of defending our organizations.

Avoid Password Reuse

Credentials leak all the time. More often than not, they make their way onto a variety of paste sites and other spots on the dark web that hackers scrape for use in future attacks.

Hackers then throw spaghetti at the wall: in password spraying and credential stuffing attacks, they try these leaked fragments against a whole bunch of sites, hoping that people are not following best practices and have reused the compromised password for other accounts.

Do not do this.

Use unique passwords for every account. Better yet, use a password manager to create 22+ character passwords for each account that will take forever and a day to crack and that users do not have to remember.

Think about this as a risk mitigation strategy. While some credential compromise is likely to happen along the way, this tactic allows you to isolate the potential damage.

Don’t Share MFA or Your Password With Anyone

A lot of attacks happen when someone pretends to be from your IT department. They will say something to the effect of, “Hey, I need you to give me your password or approve my login (in cases of push notifications for MFA) so that I can get in and fix X, Y and Z.”

There are a couple of ways that we can deal with these attacks.

First and foremost, simply do not give anyone these details. The risk is too high, and if they really were your IT team, then they would be able to do the backend work without you.

Next, verify any communication that claims to come from IT through a different channel before acting on it.

Report suspicious SMS to your security team. Even if you didn’t fall for this attack, someone else might.

Monitor for Suspicious Activity Outside of the Norm

Unlike our classic insiders, who use similar escalation and exfiltration tactics to carry out their attacks, the credential thief is likely to have to search around a bit and act differently from your legitimate user.

Simply put, they are different people who will not act the same way.

This works to your advantage if you are using the right user behavior analysis tools to establish a baseline of normal behavior and then alert on activity that falls outside of those parameters.

A couple of red flags that should send your team to investigate:

  • Accessing files or systems that are not normally accessed
  • Logging in from unfamiliar locations or devices
  • Attempting to transfer sensitive files, especially a lot of them

In most cases, you might not need to block a user’s access if these actions are detected, but they are indicators that something may be afoot.
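The three red flags above, together with the MFA-bombing pattern described earlier, expressed as baseline-and-deviation rules over constructed sample events. This is an added example, not code from the original post or from Teramind; the event format, user name, shares, time window and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Each row is (timestamp, user, action, detail):
#   login <location>/<device> | file <share> | transfer <bytes> | mfa_push
BASELINE = [  # ordinary activity used to learn what is "normal" for each user
    ("2024-03-01T09:00", "jdoe", "login", "NYC/laptop-jd"),
    ("2024-03-01T09:05", "jdoe", "file", "/shares/marketing"),
    ("2024-03-01T10:30", "jdoe", "transfer", "2000000"),
    ("2024-03-05T09:02", "jdoe", "login", "NYC/laptop-jd"),
]
REVIEW = [  # later activity: the trail a credentialed insider might leave behind
    ("2024-03-12T03:10", "jdoe", "mfa_push", ""),
    ("2024-03-12T03:11", "jdoe", "mfa_push", ""),
    ("2024-03-12T03:12", "jdoe", "mfa_push", ""),
    ("2024-03-12T03:13", "jdoe", "mfa_push", ""),
    ("2024-03-12T03:15", "jdoe", "login", "Lagos/unknown-host"),
    ("2024-03-12T03:20", "jdoe", "file", "/shares/finance"),
    ("2024-03-12T03:25", "jdoe", "transfer", "900000000"),
    ("2024-03-12T03:26", "jdoe", "transfer", "700000000"),
]

def build_baseline(events):
    """Per user, the locations/devices and shares seen during the learning period."""
    base = defaultdict(lambda: {"login": set(), "file": set()})
    for _, user, action, detail in events:
        if action in ("login", "file"):
            base[user][action].add(detail)
    return base

def detect(events, baseline, window=timedelta(minutes=10), push_limit=4, byte_limit=10**9):
    """Return (timestamp, user, flag, detail) for activity outside each user's norm."""
    alerts, pushes, xfers = [], defaultdict(list), defaultdict(list)
    for ts, user, action, detail in sorted(events):
        t = datetime.fromisoformat(ts)
        # A user with no baseline at all is treated as entirely unfamiliar.
        known = baseline.get(user, {"login": set(), "file": set()})
        if action in ("login", "file") and detail not in known[action]:
            alerts.append((ts, user, f"unfamiliar_{action}", detail))
        elif action == "mfa_push":  # MFA bombing: a burst of prompts in a short window
            pushes[user] = [p for p in pushes[user] if t - p <= window] + [t]
            if len(pushes[user]) == push_limit:  # fire once when the burst size is reached
                alerts.append((ts, user, "mfa_push_burst", f"{push_limit} prompts in {window}"))
        elif action == "transfer":  # bulk movement: total bytes transferred in the window
            xfers[user] = [(p, b) for p, b in xfers[user] if t - p <= window] + [(t, int(detail))]
            total = sum(b for _, b in xfers[user])
            if total > byte_limit:
                alerts.append((ts, user, "bulk_transfer", f"{total} bytes in {window}"))
                xfers[user] = []  # reset so one burst yields one alert
    return alerts
```

Running `detect(REVIEW, build_baseline(BASELINE))` yields one alert per red flag in time order, while the baseline period itself produces none; the alerts are indicators for investigation, not automatic blocks.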

Negligent Insiders Versus Standard Human Error in Credentialed Attacks

Where do phishing and sloppy hygiene fall in the negligent insider spectrum?

Attacks happen and user credentials get compromised. That’s just simple math. We also want to avoid victim blaming because it is usually pointless in the aftermath of an attack or breach; the greater value is in learning from mistakes.

Where can we cut out bad behavior on the part of users that makes it easier for a credential attack to be successful? The truth is that there are factors that are inside our control and factors that are not.

We as organizations cannot always control whether a malicious actor tricks an employee with a well-crafted phishing email or webpage. Regular training on how to spot these risks, along with email filtering, can go a long way, but again, the math is not on our side when it comes to stopping 100% of all attacks.

What we can control is enforcing password and MFA policies, as well as having measures in place to alert us when someone has made it past our gates, enabling us to hopefully block their malicious activity in time to prevent damage.


Isaac Kohen

Isaac Kohen is VP of R&D at Teramind, a leading global provider of employee monitoring, data loss prevention (“DLP”) and workplace productivity solutions.
