Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:47 PM

Inside Verizon's Insider Threat Data

Verizon Business' latest Data Breach Investigations Report shows insiders as a growing threat -- but increase comes from a selective data set

For security firms that argue malicious insiders are a greater threat than outside attackers, the latest Verizon Data Breach Investigations Report seems like vindication: The proportion of incidents with an insider agent doubled to 48 percent, while attacks with an external hacker dropped to 70 percent. Incidents involving data theft from the outside still account for the majority of attacks -- with insiders catching up.

The driving factor behind the increase in insider attacks was not the economic downturn -- an oft-argued opinion -- but rather the inclusion of a new data set in Verizon's database, says Alex Hutton, principal of research and intelligence for Verizon Business. The U.S. Secret Service joined much of its caseload data to Verizon's database, adding a large number of incidents where the victim had a better idea of the identity of the attacker and believed the person could be prosecuted. Both factors tend to favor incidents with an insider component. "With the Secret Service [cases], we got exposed to a whole new set of data," Hutton says of the report.

Overall, Verizon still sees external attackers as the major threat, however. When an outsider steals data, he absconds with a massive number of records. In 2009, breaches caused by outside criminals accounted for about 139 million stolen records, while insiders accounted for only 2.6 million records. "A record that has been exposed is 70 times more likely to have been exposed by an external source than in internal source," Hutton says.

Verizon doesn't refute the threat of insiders -- just the assertion that insiders pose the greatest risk. Companies should have defenses that work against insiders, outsiders, and partners, Hutton says. Identity and access management are essential controls that companies need to block -- or at least, slow down -- attackers.

"We are not dismissing the insider threat at all," he says. "We are asking people to prioritize their records. If you are the CIO and in charge of security, you should certainly have controls."

Typically, executives, network administrators, and finance staff are the most problematic insiders: They tend to have higher privileges within the company and are less likely to be subject to oversight. While Verizon's report found that half of all IT security incidents were caused by regular workers, privileged employees usually are the ones to target the company's most sensitive data. In many cases, those breaches are not considered IT security issues.

Software developers are another class of privileged employee who companies have not typically scrutinized. At the recent Defcon hacking convention, security firm Fortify Software touted a specialized ruleset for its code-analysis product that aims to catch malicious code inserted into programs by developers. "Developers have access to a lot of sensitive information in the company," says Matias Madou, principal security researcher for Fortify.

In 2008, a financial firm readying a round of layoff for its internal developers approached Fortify for a way to make sure unwelcome surprises were not left behind, Madou says. So Fortify started working on an add-on ruleset that catches time-sensitive destructive code as well as backdoors. "There is a lot of malicious code put in by insiders," he says. "Some of these pieces of code can be dormant for a long time."

Verizon's report ranks software developers as the sixth biggest insider threat (lower than the help-desk staff), with only 3 percent of incidents involving a developer.

One lesson learned from the Verizon report: Check your logs. According to the report, 90 percent of the time, companies had logs available from the time of the incident, but only managed to discover breaches in five percent of cases. "We have little doubt ... that if the organizations we've studied had tuned their systems to alert on abnormalities like this and actually looked into them when alarms went off, that five percent [of discovered breaches] would be a lot higher," Verizon stated in the report.

Finding evidence of an attack is easier when you know there has been a breach, but Verizon points to three flags in log files that indicate an attack has happened: a large increase in logged data, entries in the log that are abnormally long, or an abrupt decrease in log data. Rather than searching for exact signatures in the logs -- the proverbial needle in a haystack -- look for the major characteristics, the company advises.

"It cannot be a pleasant experience to learn that the six months of log data you've been collecting contained all the necessary indicators of a breach," Verizon says in the report, adding, "the value of monitoring -- perhaps we should say 'mining' -- logs cannot be overstated. The signs are there. We just need to get better at recognizing them."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-13
A UXSS was discovered in the Thanos-Soft Cheetah Browser in Android 1.2.0 due to the inadequate filter of the intent scheme. This resulted in Cross-site scripting on the cheetah browser in any website.
PUBLISHED: 2021-04-13
The Motorola MH702x devices, prior to version, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker.
PUBLISHED: 2021-04-13
A privilege escalation vulnerability in Lenovo Power Management Driver for Windows 10, prior to version, that could allow unauthorized access to the driver's device object.
PUBLISHED: 2021-04-13
A null pointer dereference vulnerability in Lenovo Power Management Driver for Windows 10, prior to version, that could cause systems to experience a blue screen error.
PUBLISHED: 2021-04-13
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.