Our previous articles provided a deep dive into remote nation-state threat actors and methods to better detect and counter their operations. In this post, we dive into more alternative approaches that may be required when detection alone is not enough.
Companies like Google and Microsoft are learning that they need to take offensive measures in cybersecurity: proactive actions to disrupt threats before they mature. This approach is a response to the basic economics of insider threats and the fraud ecosystem around them. Placing a specific actor in a job is expensive in human capital and takes a long time, so the way to manage the threat is to periodically cut off the operation's sources of income and cause general disruption to its setup, raising its cost until it stops paying off.
Now, this doesn't mean companies will start randomly DDoS-ing and zero-daying any suspected threat; instead, meticulous surgery should be applied with tailored solutions. This minimizes collateral damage from offensive actions, and it should be done in a waterfall approach where evidence compounds at each step, creating a verifiable chain of events. In the end, governments are the ones who can make the most impactful changes, and provoking a nation-state actor is risky business.
First, companies need to accept that they either have an insider threat or will eventually have one. No large organization can maintain an impenetrable defense, and practically every one has been compromised at some point. The people and companies that stave off insider threats do it by creating trust levels that take a lifetime to build up and by keeping everything compartmentalized, which is not feasible for many.
However, the critical factor is how you react to a threat, which determines how well you fare in the aftermath. For example, a common reaction to an insider threat is to fire them immediately or raise many alarms. Instead, one might leave them in place to observe and "reverse-recon" their entire infrastructure, allowing for seemingly random future disruptions. 'Reverse-recon' here refers to the process of understanding the insider's plans and operations so that they can be disrupted.
One example of this action that can be built upon: if you hire a suspected North Korean threat actor for a remote job, you can further disrupt them by reporting the financial accounts they use to get paid. Freelancer platforms are rife with insider threat actors, and even essential positions, such as virtual CISOs, can be filled by bad actors.
AI has become a crutch for some of these actors, and the ones that lean on it fall for simple tricks. For example, an insider might be attempting to complete multiple jobs at once using AI, which sets them up for failure during time crunches. Adding a sense of urgency or modifying requirements at the last minute can expose insiders who use AI to mask their language skills. Another tip is not to tell them they have been identified; with some social engineering, they might expose which financial accounts they used to set up their fake profiles. Unfortunately, financial platforms, contracting firms, freelancer sites, and others have little incentive to identify these threat actors, and they will not share information because of privacy concerns, so handing these cases off to the proper authorities is critical.
Setting up a reconnaissance operation is also tricky. If you are Google, you can't purposefully hire insiders under your own name. You need to take an approach similar to the threat actors' and use seemingly benign companies or people that require services, then work up the ladder. A startup has a much easier time catching an insider because startups are what threat actors target while they are still less skilled. Targeting lower-level insider threats and using them as a backdoor to map out an entire operation is much easier.
The threat actor also needs to feel in control and believe they are orchestrating the situation. In the freelancer case, allowing them to withdraw the funds and approving the order opened up the opportunity for them to expose their financial accounts. Sometimes they won't link their finances until they are very close to getting the funds, so you must put the cake in front of them and take it away at the last second. Even if the work was poor, the real value is seeing how they move money and communicate with their broader team.
Maintaining backdoor access and reconnaissance is even harder with these insider threats because they constantly obfuscate their identities, and most companies don't have access to tools for persistent monitoring. Hidden PDF exploits and keyloggers would be prohibited for corporate use, but many such options are available to governments monitoring threats.
Ephemerality is another crucial concept when taking offensive actions. Nation-state actors run their own counter-insider-threat programs and react to anything they detect. If they suspect they are being monitored, they might cut off the entire operation to avoid it being linked back to higher-level sources. If you deploy a zero-day or other monitoring tools, you wouldn't want them to be discovered. Tooling that self-deletes or leaves no trace of exploitation allows for longer-term infiltration campaigns.
Another technique to detect insider threats is baiting them with information: exposing non-material or AI-generated data and watching who touches it. Once you catch one insider, it is better to hold off casting your net until a swarm is detected. You can learn their motives and interests by leaving breadcrumbs to supposedly vital information and seeing what they follow. It also might prompt them to bring in a more skilled threat actor, who will provide more value because of their higher access level. Setting up different mazes and dead-end traps allows for careful management of any insiders.
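The breadcrumbs above only work if you can tell which insider followed which one. The usual way is to make every decoy link unique to the person it was shown to, so that a later fetch attributes both the interest and the topic to one individual. The following is an added example, not tooling from the original post: it derives per-recipient tokens with an HMAC (so a token cannot be guessed from another one, and no token database is needed), and attributes fetches found in web-server access logs back to their recipient. The intranet host, path layout, key and log lines are all constructed for the example.

```python
"""Per-recipient canary documents: each decoy link is unique to the person it was
shown to, so a later fetch attributes interest (and the topic that drew it) to one
insider without a central token database.  Added illustration; host name, paths,
key and log lines are constructed for the example, not from any real system."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Hypothetical intranet host and path layout for the decoy documents.
DECOY_HOST = "https://intranet.example.internal"
TOKEN_LEN = 16  # hex chars: 64 bits keeps the URL plausible and collision-free here


def mint_token(key: bytes, recipient: str, topic: str) -> str:
    """Derive a recipient/topic-bound token with an HMAC, so tokens cannot be
    forged or enumerated by someone who only sees one of them."""
    mac = hmac.new(key, f"{recipient}\x00{topic}".encode(), hashlib.sha256)
    return mac.hexdigest()[:TOKEN_LEN]


def plant_decoy(key: bytes, recipient: str, topic: str) -> str:
    """URL to show to exactly one recipient, e.g. in a wiki page or shared drive."""
    return f"{DECOY_HOST}/docs/{topic}/{mint_token(key, recipient, topic)}.pdf"


@dataclass(frozen=True)
class Hit:
    recipient: str
    topic: str
    timestamp: str
    src_ip: str


# Matches a constructed nginx-style combined log line for a decoy fetch.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /docs/(?P<topic>[^/]+)/'
    r'(?P<token>[0-9a-f]{16})\.pdf HTTP/\d\.\d" (?P<status>\d{3})'
)


def attribute_accesses(key: bytes, log_lines, recipients, topics):
    """Map decoy fetches back to the recipient each token was minted for.
    Because tokens are derived, the small recipient x topic table is recomputed
    instead of storing every token ever handed out.  Attribution is by token
    only: the topic recorded is the one the token was minted for, so a link that
    was copied under a different path still points back at its recipient."""
    lookup = {mint_token(key, r, t): (r, t) for r in recipients for t in topics}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        owner = lookup.get(m["token"])
        if owner is None:
            continue  # token never minted: a guess or a scanner, not a breadcrumb
        hits.append(Hit(owner[0], owner[1], m["ts"], m["ip"]))
    return hits


# Constructed key, population and log lines for the example.
EXAMPLE_KEY = b"rotate-me-example-only"
RECIPIENTS = ["alice", "bob", "mallory"]
TOPICS = ["payroll-migration", "m-and-a-shortlist"]


def _tok(recipient: str, topic: str) -> str:
    return mint_token(EXAMPLE_KEY, recipient, topic)


SAMPLE_LOG = [
    # mallory fetches the decoy minted for her, from an unexpected address
    f'203.0.113.9 - - [12/Mar/2024:02:14:07 +0000] "GET /docs/payroll-migration/{_tok("mallory", "payroll-migration")}.pdf HTTP/1.1" 200 8123',
    # ordinary traffic, no token
    '198.51.100.4 - - [12/Mar/2024:02:15:11 +0000] "GET /docs/index.html HTTP/1.1" 200 512',
    # a token that was never minted: ignored
    '203.0.113.9 - - [12/Mar/2024:02:16:42 +0000] "GET /docs/payroll-migration/0000000000000000.pdf HTTP/1.1" 404 153',
    # bob's token requested under a different topic path: still attributed to bob
    f'203.0.113.9 - - [12/Mar/2024:02:18:00 +0000] "GET /docs/m-and-a-shortlist/{_tok("bob", "payroll-migration")}.pdf HTTP/1.1" 404 153',
    # mallory also pulls the M&A decoy later that night
    f'203.0.113.9 - - [12/Mar/2024:03:01:55 +0000] "GET /docs/m-and-a-shortlist/{_tok("mallory", "m-and-a-shortlist")}.pdf HTTP/1.1" 200 9001',
]


def demo():
    return attribute_accesses(EXAMPLE_KEY, SAMPLE_LOG, RECIPIENTS, TOPICS)


if __name__ == "__main__":
    for h in demo():
        print(f"{h.timestamp} {h.src_ip} -> {h.recipient} pulled decoy '{h.topic}'")
```

Keep the HMAC key out of the wiki or share where the decoys live, and keep the log matching on a host the insider cannot reach; the value of the trap is that the token itself says nothing until it is joined with the recipient table.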
Many insider threats are very patient, so you need to counter them with the same patience over a long period. One method is identity proofing, which requires a comprehensive identity analysis that is nearly impossible to change. Very few insider threats will change their face, fingerprint, or other biometrics; instead, most use proxy people to fulfill biometric requests. Using this information allows for easy identification of insiders who repeatedly attempt to be hired at a company over long periods. It also builds up key identifiers that shorten detection times in the future, enabling recognition of a returning applicant during any hiring process before the hire is made.
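The key identifiers worth keeping are the ones that are expensive for the operator to change: the payout account, the phone number and the device they apply from, and the address they use once the cosmetic variations (capitalization, plus-tags, dots in a Gmail local part, phone formatting) are stripped. The following added example, which is not the post's own tooling, normalizes those signals into a peppered blind index so the raw identifiers are never stored, then scores each new applicant against previously flagged ones and requires two independent signal kinds before it reports a match. The pepper, field names and applicant records are constructed for the example.

```python
"""Re-identifying a previously flagged applicant from the identifiers that are hard
to change.  Normalized contact details, payout accounts and device fingerprints
are reduced to a blind index of peppered hashes, and every new applicant is
scored against it.  Added illustration, not the post's own tooling; the pepper,
field names and records below are constructed for the example."""
import hashlib
import re
from dataclasses import dataclass

# Assumption: a server-side secret so the stored hashes cannot be brute-forced
# from public email/phone lists.  Rotate it and re-index if it leaks.
PEPPER = b"example-pepper-replace-in-production"

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize_email(addr: str) -> str:
    """Lowercase, drop +tags, and collapse dots for Gmail-style addresses so that
    John.Smith+dev@gmail.com and johnsmith@googlemail.com index to one value."""
    local, _, domain = addr.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def normalize_phone(num: str, default_cc: str = "1") -> str:
    """Keep digits only and prepend a country code when none was given
    (assumes North American numbering for bare 10-digit input)."""
    digits = re.sub(r"\D", "", num)
    if num.strip().startswith("+") or len(digits) > 10:
        return "+" + digits
    return "+" + default_cc + digits


def blind(kind: str, value: str) -> str:
    """Peppered, kind-bound hash so the index never stores the raw identifier."""
    return hashlib.sha256(PEPPER + kind.encode() + b"\x00" + value.encode()).hexdigest()


@dataclass
class Applicant:
    applicant_id: str
    email: str
    phone: str
    payout_account: str   # e.g. routing:account, IBAN, or wallet address
    device_fp: str        # browser/device fingerprint captured by the application form

    def signals(self):
        """Stable, hard-to-change identifiers as (kind, blind hash) pairs."""
        return {
            ("email", blind("email", normalize_email(self.email))),
            ("phone", blind("phone", normalize_phone(self.phone))),
            ("payout", blind("payout", self.payout_account.replace(" ", "").upper())),
            ("device", blind("device", self.device_fp)),
        }


class IdentityIndex:
    """Blind index from signal -> ids of applicants previously flagged."""

    def __init__(self):
        self._index = {}

    def add(self, a: Applicant):
        for sig in a.signals():
            self._index.setdefault(sig, set()).add(a.applicant_id)

    def match(self, a: Applicant, min_signals: int = 2):
        """Return prior applicants sharing at least min_signals distinct kinds,
        strongest overlap first.  Two independent kinds are required so that a
        single shared device (a shared office, say) does not trigger on its own."""
        overlap = {}
        for kind, digest in a.signals():
            for prior in self._index.get((kind, digest), ()):
                overlap.setdefault(prior, set()).add(kind)
        return sorted(
            ((prior, sorted(kinds)) for prior, kinds in overlap.items() if len(kinds) >= min_signals),
            key=lambda item: (-len(item[1]), item[0]),
        )


# Constructed records for the example.
FLAGGED = Applicant("APP-0412", "John.Smith+dev@gmail.com", "+1 (415) 555-0134",
                    "021000021:123456789", "fp-7c1d")
RETURNING = Applicant("APP-0977", "johnsmith@googlemail.com", "415-555-0134",
                      "021000021:123456789", "fp-91aa")   # new device, same everything else
UNRELATED = Applicant("APP-0978", "maria.lopez@example.org", "+44 20 7946 0958",
                      "GB82WEST12345698765432", "fp-7c1d")  # only shares a device


def demo():
    idx = IdentityIndex()
    idx.add(FLAGGED)
    return idx.match(RETURNING), idx.match(UNRELATED)


if __name__ == "__main__":
    hit, miss = demo()
    print("returning applicant ->", hit)
    print("unrelated applicant ->", miss)
```

The index only ever holds hashes, so it can be shared between hiring systems or with a vetting partner without handing over the identifiers themselves; anyone who wants to test an applicant against it needs the pepper, which stays with the owner.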
Again, this could be where you allow them to slip through and put them in a safe sandbox to observe. The one caveat is that they know there is an observation period, so they might not act until it is over, which makes this a risky strategy.
As shown, there are more options for handling insider threats than the usual ones. The solution for effective insider threat management is not always more tools and technology. While those are critical in your stack, the simplest way to counter these threats is to exploit the human element in the operation. A person's identity is the foundation of identity and access management, a core strategy for securing an organization, and supervised remote identity proofing is one component that allows for further identification of insiders. Even if they use a real identity and pass biometric checks, many passive technical signals and checks are available during the verification process that help validate or refute an insider's case.
In review, organizations will have a greater role and responsibility in actively hunting for insider threats instead of waiting for them to come. Passive scans and alerts are no longer enough to defend against the next generation of insiders. It is also essential not to unleash powerful offensive capabilities that insiders could eventually capture and reuse for their own purposes. Some threat actors feign limited capabilities and only use their real ones when necessary, so sizing anyone up is not easy. Offensive attacks remain reserved for governments, but if companies start down that path, the first steps begin with reconnaissance and with following the legal avenues set up in their respective countries. The safer path forward is to continue disruptions that strain the operators in every facet possible: financial, time, human, and more, to make insider threats an endeavor not worth pursuing in the long term.