Organizations are facing increasingly complex and international threats — from trade-secret exfiltration from countries like China in furtherance of economic espionage and academic advantages, to criminal gangs intent on installing malware on networks to extract hefty ransoms. While the exploits themselves are not new, the pace, the breadth, and the incentives are enhanced, creating heightened concern at the highest corporate and governmental levels. With trade secrets, valuable IP, reputation, and shareholder value on the line, what are best-in-class security teams doing to protect themselves against advanced threat actors?
Know And Protect Your ‘Crown Jewels’
Identifying the ‘crown jewels’ of an organization is often a reasonable first step in understanding how best to protect these treasures, especially for enterprises with mature security teams leveraging threat intelligence, red team, threat hunting, trust and safety, and incident response capabilities. Key customer lists, intellectual property descriptions, business strategy documents, board materials, and network access lists form the basis of corporate value. Understanding where these jewels exist and how they are currently protected is critical to protecting them, according to Nisos co-founder Landon Winkelvoss, who worked within the intelligence community fending off nation-state actors.
A flat network where an adversary has natural access or can move laterally to pick up jewel after jewel creates an absolute windfall for the intruder. Reverse this game of cyber ‘pick-up-sticks’ by segmenting critical areas of the network and using creative, customized, and cost-effective monitoring solutions so that intruders are limited in their ability to gain access to and proceed through the corporate bounty.
Develop An “Open-Door” Security Culture
A culture of security awareness is a healthy ecosystem where employees feel empowered to come to a security team or legal department with concerns that a heist is underway. According to the Federal Bureau of Investigation, organizations that ward off intellectual property theft the best do so through cultural and systematic controls which include the following measures:
- Educate and regularly train employees on security or other protocols.
- Ensure that proprietary information is adequately, if not robustly, protected.
- Use appropriate screening processes to select new employees.
- Provide nonthreatening, convenient ways for employees to report suspicions.
Insider Threat Program Manager for Tesla, Charles Finfrock, believes that the highest return on investment for an organization comes from transforming a workforce into a ‘sensor network’ through rigorous training and building rapport so the workforce is comfortable bringing unusual activity to the security team. This culture of heightened awareness and collaboration yielded extraordinarily high dividends for Tesla this summer in uncovering a Russian crime gang’s plot to infiltrate the company’s network to install ransomware via a USB drive. The hero in this incident was a company employee who turned down the $1 million lure and instead reported the event to the security team resulting in the would-be attacker being arrested by the FBI.
According to Finfrock, an effective insider threat program is not so much about having a complex network monitoring solution to ‘boil the ocean’ and find the needle in the haystack as cultivating an ethos of trust and transparency within the workforce.
Indicators Of Compromise
An employee who appears disgruntled, works odd hours, has unexplained absences, or has unreported foreign travel may be an insider threat, according to the FBI. Any combination of these may point to a spy in your corporate ranks and bears investigation. Additional indicators of insider threats include the following:
- Changes in work hours
- Changes in computer asset usage
- Excessively large downloads
- Usage of log clearing software/methods
- Increase in visits to file share or intranet sites
- Installation of high-risk software
- Spikes in inbound/outbound email traffic volume
- Frequent external/personal recipients on emails
- Attachments sent to suspicious recipients
- Removable media alerts
- Modification to remote file share folders/file accesses
- Bursts in printing on weekends and holidays
- Notice of resignation or termination
- Declining performance reviews
- Disciplinary action
- Increase in visits to job search sites
- Increase in outbound email to competitors
- Social media posts
- Financial duress
- Privileged user activity
- Access levels/permissions
- Changes in remote network connectivity/VPN Endpoint behavior alerts
- Sharing passwords or unauthorized use of credentials
- Attempts to access resources outside of job role
- Noncompliance with training requirements
- Policy violations
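Several of the indicators above (excessively large downloads, log-clearing tools, bursts of printing on weekends and holidays) are observable in ordinary endpoint and print telemetry, and they carry more weight when they co-occur for one user than in isolation. The following added example, which is not code from the article or from any vendor named in it, correlates constructed sample events per user; the event format, field names and thresholds are assumptions to be tuned to an organization's own data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real telemetry: (timestamp, user, kind, detail).
# 2020-09-05 is a Saturday; 2020-09-07 is a Monday.
EVENTS = [
    ("2020-09-05T10:12:00", "alice", "print", {"pages": 340}),
    ("2020-09-05T10:40:00", "alice", "print", {"pages": 410}),
    ("2020-09-05T11:05:00", "alice", "download", {"bytes": 3_200_000_000}),
    ("2020-09-07T09:00:00", "alice", "process", {"name": "wevtutil.exe", "args": "cl Security"}),
    ("2020-09-07T09:30:00", "bob", "download", {"bytes": 12_000_000}),
    ("2020-09-07T13:00:00", "bob", "print", {"pages": 12}),
]

# Assumed thresholds; an organization should derive these from its own baselines.
LARGE_DOWNLOAD_BYTES = 1_000_000_000
WEEKEND_PRINT_PAGES = 200
# Process name -> argument fragment that indicates event-log clearing on Windows.
LOG_CLEARING = {"wevtutil.exe": "cl", "auditpol.exe": "/clear"}


def score_users(events):
    """Correlate indicators per user.

    Returns {user: {"indicators": [...], "escalate": bool}} where "escalate"
    is set when two or more distinct indicators co-occur for the same user.
    Users with no indicators are omitted.
    """
    weekend_pages = defaultdict(int)
    hits = defaultdict(set)
    for ts, user, kind, detail in events:
        when = datetime.fromisoformat(ts)
        if kind == "print" and when.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
            weekend_pages[user] += detail["pages"]
        elif kind == "download" and detail["bytes"] >= LARGE_DOWNLOAD_BYTES:
            hits[user].add("excessively large download")
        elif kind == "process":
            fragment = LOG_CLEARING.get(detail["name"].lower())
            if fragment and fragment in detail["args"]:
                hits[user].add("log clearing tool executed")
    for user, pages in weekend_pages.items():
        if pages >= WEEKEND_PRINT_PAGES:
            hits[user].add("burst of weekend printing")
    return {u: {"indicators": sorted(h), "escalate": len(h) >= 2} for u, h in hits.items()}


if __name__ == "__main__":
    for user, result in score_users(EVENTS).items():
        print(user, result)
```

A single hit is a prompt for a conversation, not a verdict; the escalation flag is what should route a case to the insider threat team for the human follow-up the article describes.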
Like taking apart and rebuilding a plane in flight, organizations cannot simply deconstruct and rebuild their workforces and networks. But rethinking security awareness, and empowering security teams to bring on professionals with high emotional quotients and other characteristics which allow them to gauge the trustworthiness of, and garner the trust of, their teams, can be extremely impactful, not just for organizations and their stakeholders, but for our nation’s technology and its critical infrastructure.
Jennifer DeTrani is General Counsel and EVP of Nisos, a technology-enabled cybersecurity firm. She co-founded a secure messaging platform, Wickr, where she served as General Counsel for five years. You can connect with Jennifer on Wickr (dtrain), LinkedIn or by email at dtrain@nisos.com