Insider Threat Indicators and Detection: When Employees Turn Ransomware Accomplices

Late December 2021: A company coming off a record year for revenue growth was preparing to ramp down for a week to celebrate the December holidays. However, unbeknownst to the company, just a few days prior, one of its longest-serving employees had been recruited by a ransomware group. The employee had responded to a posting on a computer hacking forum asking for access to corporate networks in return for cash payouts.

Far from rare, this scenario is playing out more often as threat actors expand from tried-and-tested infiltration vectors (think phishing email messages) to directly buying corporate access from disgruntled insiders. For example, according to a recent survey, 65% of respondents had employees contacted by threat actors for access between December 7, 2021 and January 4, 2022; bribes ranged from less than half a million to more than a million dollars.

Kroll’s research has uncovered cash offers for credentials from insiders that will give threat actors access through corporate email addresses, virtual private networks (VPNs) or remote desktop protocol (RDP), a standard used by countless organizations to enable remote access to virtual desktops, applications and servers.
For example, in August 2021, a company’s employees reportedly received emails alleged to have come from the DemonWare ransomware group, soliciting them to become accomplices in a ransomware attack. The threat actor stated that the employees would be paid 40% of a $2.5 million ransom to deploy ransomware on their company’s computers.

Any information at a high level may appear to be nonsensitive or nonsecure until you determine what you’re ultimately providing access to. Organizations shouldn’t take any part of their workforce, or their level of access, for granted.

Insider Threat Detection Tools and Recommendations

Based on Kroll’s experience investigating matters involving insider and ransomware threats, both separately and in combination, the following best practices and controls can help mitigate these risks.

Recommendation: Deploy EDR Sensors to All Endpoints Within the Network

Key Reason
EDR tools are developed and tuned to help ensure malicious/suspicious activity is logged and proper individuals are alerted.

Consideration
Ensure that the email notification for the generated alert is sent to the entire SOC/CSIRT team, including the manager. Do not have it sent to a group mailbox, where alerts are typically overlooked or ignored. A DL notification also creates the risk of a malicious insider within cyber security deleting the email prior to any other individuals reading it and taking action. 

Recommendation: Liaise With Physical Security Operations Centers and/or Investigation Teams to Collaborate and Share Data

Key Reason
Most companies effectively silo their operational investigation teams to provide space and independence between investigation branches. However, when dealing with ransomware-related insider threats, key data may reside with one team and not with the other. By having the information security team work collaboratively with other security teams, more agile decision-making can occur if one side sees something the other has not.

Consideration
An organization’s physical security system should, at a minimum, have the ability to audit entries into any company facility. This type of auditing can be used in conjunction with information security logging or digital forensics from devices to prove intent. In addition, CCTV in common areas and parking lots can aid the investigation team with identifying the person behind the keyboard.

Recommendation: Conduct Robust Logging and Random Auditing of Active Directory or Other Privileged Access Credentials

Key Reason 
Insider threats come from an array of different business roles within a company. This includes, unfortunately, those with privileged access to a company’s network. If these individuals work in any capacity related to information security, or have an inherent knowledge of policies, they may know when—or if—auditing of abuse of these credentials takes place. Randomly timed auditing prevents employees from determining the best time to abuse privileged access.

Consideration
A refined and nuanced anomaly detection program can leverage security information and event management systems, or other log aggregation tools, to perform these searches. Another advantage is that, once tuned, automation and machine-learning implementations can be more effective with alerting.

Recommendation: Disable USBs and Other External Peripheral Devices From Company-owned Devices

Key Reason
Most data exfiltration by an insider is carried out via the use of personal external storage media. From a proactive perspective, the use of these devices cannot be detected without implementing technology such as data loss prevention software. Additionally, after the fact, forensic examination of these devices can be expensive and time-consuming.

Consideration
While controversial in many companies, cloud storage can provide much more secure means of storing data than traditional methods. Employees should be strongly advised to keep all business-related data on company servers or a cloud storage provider. These cloud providers can also offer highly robust security logging. Even after disabling USBs, other peripheral devices such as keyboards and a wireless mouse can still be used.

Recommendation: Use Canary or Honey Tokens Throughout Corporate Infrastructure

Key Reason 
These files work like a typical honey pot within a network environment. If they are tampered with in any capacity, they will create an alert, as determined by the information security team. These files may also assist with the detection of other types of unauthorized access by malicious actors who may be unknown to the company.

Consideration
Name these files and folders after assets or data that would be potentially attractive to an insider threat. Key file names to consider would be financial statements, billing information, bank accounts, taxes or names related to proprietary data, products or projects.

The Insider Attacks That Increase Risk

Two types of insider attacks demand an even more sophisticated response:

Nontechnical Employees Seeking a Quick Payout

These employees lack any type of knowledge of the network, so they will have to do exactly what a threat actor is telling them. Because these employees usually act spontaneously, it is challenging to anticipate or predict their behavior and understand their motives.

Defense strategy
Regularly conduct social media/surface web reviews, along with deep and dark web searches, for any potential indications of future compromise to the company. Proactively scanning for references to proprietary data key terms can help to narrow down insiders who could potentially be co-opted to access and/or leverage trade secrets for their own purposes.

A System Administrator or Cyber Security Employee

This type of employee may know where the blind spots are or could provide direct access through account creation or overtaking dormant accounts.

Defense strategy
Special access must invoke new policies and standards to address the nature of what these accounts may and may not be used for. Human resources and leadership teams should first establish an agreement about the types of screening mechanisms in place for individuals who will be given elevated access to their network infrastructure and a predetermined schedule for regular rescreening. For example, the use of certain keywords or hashtags may indicate the need for intervention.

Similarly, anomaly detection team members should be vetted at significant levels. Additionally, alerts created by anomaly detection teams should not be shared with the larger cyber security team via automated means that potentially could be intercepted and fraudulently resolved by compromised insiders.

Next Steps

Much like physical security, information security requires a checks-and-balances approach to the activity of its staff members, from the most junior employees within IT to the most tenured leaders. Insider threat awareness training for all employees is still considered a best practice. Employees should be encouraged to notice signs of insider threat activities (working outside usual hours, accessing unauthorized projects, etc.) and be provided guidance on how and to whom these incidents should be reported. Empowering employees to escalate a concern through approved channels may assist in stopping a potential insider threat before the attack can even commence.

In the event of networks being exploited, no matter the source, effective logging of valuable data lakes will enable the investigative team to quickly identify which accounts were used for the compromise and if an employee was behind the attack.

As threat actors become more sophisticated in their attacks and continue to target employees, the human and technology defenses of every organization must keep up. The best practices of least privilege policies, data segregation and authentication controls that alert on unauthorized/failed access attempts can help prevent threat actors from gaining unnoticed access to the larger network environment before a response can be mounted. Additionally, leadership and risk assessment teams should determine activities that reflect likely unauthorized or anomalous activities and then build robust investigation and audit programs to respond in a timely way to alerts triggered by the prescribed activity. By understanding where and how insiders can facilitate a ransomware attack, companies can work to preempt, stall or mitigate attacks when employees cross the line from friend to foe.