There are insiders who are on a mission to cause problems for a company. It could be a disgruntled current or former employee. It could be someone who gets themselves hired (or assigned as a temporary employee) to gain access for the purpose of causing problems. A motivated disrupter with appropriate access can cause tremendous damage. For example, a disrupter who is in an IT position could cause backup files to be replaced with useless files, and could then damage live files that have no usable backup. This is why monitoring software that can detect suspicious or unauthorized activities is so important.
An IP compromiser has a mission of stealing intellectual property (IP). IP can be valued at millions or even billions of dollars. Stealing software source code can jump-start a foreign competitor’s capabilities.
Like an IP compromiser, a data compromiser is up to no good. He or she wants to steal data that can either be turned into money (for example, by selling it to a credit card number distributor) or released, directly or indirectly, to embarrass a target organization.
Insiders can also be responsible for incidents without intending to do so. Such unintentional insiders can be divided into two broad groups: the victim and the error maker.
An insider can be targeted by a perpetrator to take an action to help carry out an attack without realizing that they are doing so.
- Phishing: Phishing emails have become ubiquitous. They have the objective of getting the recipient to either click on a link within an email that leads to the deployment of malware, or to give up log-in credentials, credit card numbers or other valuable data. Even though some organizations offer anti-phishing training to employees, this scheme still works on a small percentage of the targeted population.
- Social engineering: Criminals will use the phone to induce an insider to reveal non-public information. In one method, the caller pretends to be from the company’s IT department and needs to log in remotely to fix a problem, which requires getting the employee’s log-in credentials. Some people fall for it and provide the information.
- Business email compromise: A perpetrator sends an email to a targeted employee, sometimes using an email address very similar to that of the targeted organization, pretending to be a senior executive. The bogus senior executive needs the employee to help with a secret deal by wiring funds (sometimes millions of dollars, or the equivalent) to a specific account. Most people now recognize this for the fraud that it is, but sometimes it works, and the funds are transferred.
- Work-at-home dupe: An individual can be induced to take part in what they believe to be a work-at-home opportunity that turns out to be part of a sophisticated theft scheme. The work-at-home worker may turn out to be supporting money laundering, sanctions evasion or other crimes.
Sometimes, an individual simply makes a mistake that leads to a data compromise. For example, a systems developer may inadvertently misconfigure a cloud-based storage container and leave it open to access through the internet, leading to the data stored in the digital container being compromised. Similarly, something as simple as an email sent to an incorrect address (or a fax message sent to the wrong fax number) can cause the compromise of highly sensitive information. This can happen by accidentally entering the wrong email address, or by knowingly sending an email to an address that, unbeknown to the sender, was set up by an adversary under a domain very similar to that of the real organization.
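The lookalike-domain problem raised in the business email compromise bullet and in the misdirected-email paragraph above is one that a mail gateway or data-loss-prevention filter can check mechanically. The following is an added example, not code from the guide or from Global Investigations Review: it compares each sender and recipient domain against the organization's own domain using edit distance and a small table of common character substitutions, and separately flags a message whose sender display name matches a known executive while the address is not internal. The organization domain `example.com`, the executive name, the substitution table and the sample messages are all constructed for the example.

```python
"""Flag email addresses whose domain is a near miss of the organization's
own domain, and senders who use an executive's name from outside it.
Added example; not part of the original guide. All names and sample
messages below are constructed."""

from typing import Dict, List, Optional, Tuple

# Constructed organization domain and executive list (assumptions for the example).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}

# Character substitutions commonly seen in lookalike registrations (constructed table).
# Multi-character entries come first so they are collapsed before single characters.
HOMOGLYPHS = {"vv": "w", "rn": "m", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> Optional[str]:
    """Return the lowercase domain part of an email address, or None if malformed."""
    address = address.strip().lower()
    if address.count("@") != 1:
        return None
    local, domain = address.rsplit("@", 1)
    if not local or not domain or "." not in domain:
        return None
    return domain


def normalise(domain: str) -> str:
    """Collapse common substitutions so 'examp1e.com' compares as 'example.com'."""
    for src, dst in HOMOGLYPHS.items():
        domain = domain.replace(src, dst)
    return domain


def classify(address: str, org_domain: str = ORG_DOMAIN, max_distance: int = 2) -> str:
    """'internal' for the real domain, 'lookalike' for a near miss,
    'external' for anything else, 'invalid' for a malformed address."""
    dom = domain_of(address)
    if dom is None:
        return "invalid"
    org = org_domain.lower()
    if dom == org:
        return "internal"
    # Whole-domain comparison catches typos and homoglyphs (example.co, examp1e.com).
    if levenshtein(normalise(dom), normalise(org)) <= max_distance:
        return "lookalike"
    # Brand-label comparison catches the same name under another TLD (example.net).
    if levenshtein(normalise(dom.split(".")[0]), normalise(org.split(".")[0])) <= 1:
        return "lookalike"
    return "external"


def flag_messages(messages: List[Dict], org_domain: str = ORG_DOMAIN) -> List[Tuple[str, str, str]]:
    """Return (message id, address, reason) for each message that needs review."""
    findings = []
    for msg in messages:
        verdict = classify(msg["sender"], org_domain)
        if verdict == "lookalike":
            findings.append((msg["id"], msg["sender"], "sender-lookalike-domain"))
        elif verdict != "internal" and msg.get("sender_name", "").lower() in EXECUTIVES:
            findings.append((msg["id"], msg["sender"], "executive-name-external-sender"))
        for rcpt in msg["recipients"]:
            if classify(rcpt, org_domain) == "lookalike":
                findings.append((msg["id"], rcpt, "recipient-lookalike-domain"))
    return findings


# Constructed sample traffic: one clean internal mail, one misdirected outbound mail,
# one inbound mail from a lookalike domain, one clean external mail, and one inbound
# mail using an executive's display name from a webmail address.
SAMPLE_MESSAGES = [
    {"id": "m1", "sender": "alice@example.com", "sender_name": "Alice", "recipients": ["bob@example.com"]},
    {"id": "m2", "sender": "alice@example.com", "sender_name": "Alice", "recipients": ["cfo@examp1e.com"]},
    {"id": "m3", "sender": "ceo@example.co", "sender_name": "Jane Doe", "recipients": ["alice@example.com"]},
    {"id": "m4", "sender": "alice@example.com", "sender_name": "Alice", "recipients": ["vendor@supplier.net"]},
    {"id": "m5", "sender": "jane.doe@gmail.com", "sender_name": "Jane Doe", "recipients": ["alice@example.com"]},
]

if __name__ == "__main__":
    for msg_id, addr, reason in flag_messages(SAMPLE_MESSAGES):
        print(f"{msg_id}: {addr} ({reason})")
```

The two distance thresholds are deliberately small; a large organization would tune them against its own mail logs, since very short domain names produce more false positives, and would add its known vendors' domains to an allow list before acting on a flag.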
It is important to point out that cyber perpetrators may also use automated tools to look for companies whose systems exhibit vulnerabilities that leave them open to attack. Thus, a company may be targeted simply because the attacker has the capability to successfully carry out an attack. These attacks use tools called scanners that, in effect, test sites for the presence of specific weaknesses that render the site vulnerable to penetration.
An extract from the first edition of The Guide to Cyber Investigations. The whole publication is available at Global Investigations Review.