Should Security Controls Be Focused on Internal or External Threats?
What really matters is that your controls work no matter where the threat actors originate.
Most security teams struggle with where to focus their limited resources. The reality is they can only spread their security "peanut butter" so thin. Should they focus on compliance or security, user training or automated security controls, network or endpoint security, prevention or detection, or - the focus of this article - external or internal threats? Prioritization decisions are hard to make when the macro data seems to conflict.
For example, the 2017 Verizon Data Breach Report reported that 75% of breaches were perpetrated by outsiders, leaving just 25% involving internal actors. So, are outsiders the primary problem? On the other hand, Forrester reported in a recent global survey that only 1% of organizations had no incidents involving insiders, even though nearly two-thirds of firms had experienced a security incident in the past two years. So, insiders are the primary problem?
What should security professionals focus on: external or internal threats?
My takeaway is that it no longer matters from a security controls perspective whether the threat actor comes from outside or inside your organization. Whether she or he is one of your people or not is ultimately more a matter for the police or your human resources department. Defenders need to defend against all threat actors. Given this reality, security controls, whenever possible, should be independent of the source of the threat. Just as organizational perimeters have been blurred to the point of near irrelevancy by the Internet, the Web, and the cloud, a strategy that builds its core security controls around the source of the threat makes little sense these days.
The reality is that external bad actors get inside primarily by compromising the credentials or systems of unaware insiders. Careless insiders do things that they shouldn't, like sharing sensitive digital content with the wrong people, and, yes, some insiders go rogue for many reasons. But how do you know the difference between a malicious insider and an outsider at the outset? You don't. The focus of your security controls should be on preventing or detecting the behavior, not on knowing the ultimate source of the attack at the outset.
Let me give you an example of an attack that we are seeing regularly to prove my point. There are many ways to leverage email as an attack vector. In this example an external attacker starts by sending a spear phish to a few people at an organization. The spear phish is socially engineered convincingly enough that at least one of the targets clicks on the included link and "resets" his Active Directory password via a site controlled by the attacker. Next the attacker logs into the company’s Outlook Web Access site as that user and sends more spear-phishes to other users at the company, with the immediate goal of collecting more credentials. An email which comes from the inside is pretty convincing!
After getting enough log-in credentials for the organization, the attacker switches focus to spear phishing more people to get them to hit a link which causes a drive-by download of remote access Trojan (RAT) malware. With the RAT up and running in a few places he can remotely access the organization’s internal network to further execute his attack.
From the defender's point of view there are a number of points in the chain where the above attack can be prevented or detected: the inbound emails, the internal emails, the dropping of the RAT, the outbound connection of the RAT to its command-and-control site, not to mention help desk reports from suspicious users. In this case it will take a forensic investigation by the organization to ultimately sort out that the threat actor was a malicious outsider and not an internal one. But from the point of view of the controls necessary to prevent or detect this attack, it doesn't really matter which it is.
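As an added illustration, not code from the original article, here is one source-agnostic control for the internal spear-phishing step of that chain: a rule run over constructed sent-mail log records that flags any mailbox which suddenly sends link-bearing mail to many internal colleagues, whether the sender is a rogue insider or an outsider holding that insider's freshly "reset" credentials. The mail domain, log layout, thresholds and the attacker URL are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed internal mail domain for the constructed sample below.
INTERNAL_DOMAIN = "example.com"
URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed sent-mail log: (timestamp, sender, recipient, subject). "dave" is the
# mailbox whose password was "reset" on the attacker's page; the rule never needs
# to know whether dave or an outsider holding his credentials sent the mail.
PHISH = "IT notice: confirm your password at http://reset.attacker.invalid/ad"
SAMPLE_LOG = [
    ("2017-06-01T09:00:00", "alice@example.com", "bob@example.com", "Q2 numbers http://intranet.example.com/q2"),
    ("2017-06-01T09:05:00", "dave@example.com", "erin@example.com", PHISH),
    ("2017-06-01T09:05:20", "dave@example.com", "frank@example.com", PHISH),
    ("2017-06-01T09:05:40", "dave@example.com", "grace@example.com", PHISH),
    ("2017-06-01T09:06:00", "dave@example.com", "heidi@example.com", PHISH),
    ("2017-06-01T09:06:30", "dave@example.com", "erin@example.com", PHISH),  # repeat, counted once
    ("2017-06-01T09:07:00", "dave@example.com", "ivan@example.com", PHISH),
    ("2017-06-01T09:30:00", "carol@example.com", "vendor@partner.example.org", "Draft http://intranet.example.com/c17"),
]

def is_internal(addr):
    return addr.lower().endswith("@" + INTERNAL_DOMAIN)

def find_internal_link_bursts(records, window_minutes=10, min_recipients=5):
    """Return {sender: n} for internal senders that mailed a link to at least
    min_recipients distinct internal colleagues inside one sliding time window."""
    window = timedelta(minutes=window_minutes)
    per_sender = defaultdict(list)
    for ts, sender, rcpt, subject in records:
        if is_internal(sender) and is_internal(rcpt) and URL_RE.search(subject):
            per_sender[sender].append((datetime.fromisoformat(ts), rcpt.lower()))
    findings = {}
    for sender, sends in per_sender.items():
        sends.sort()
        peak = 0
        for i, (start, _) in enumerate(sends):  # slide the window over each send
            in_window = {r for t, r in sends[i:] if t - start <= window}
            peak = max(peak, len(in_window))
        if peak >= min_recipients:
            findings[sender] = peak
    return findings

if __name__ == "__main__":
    for sender, n in find_internal_link_bursts(SAMPLE_LOG).items():
        print(f"review mailbox {sender}: links sent to {n} internal recipients")
```

Alice's single link and Carol's mail to an external partner are ignored; Dave's burst is flagged on behavior alone, and the help desk or forensics can later decide who was actually at the keyboard.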
How important is it to have security controls that are specific to the origin of the threat? Not that much for most organizations. It is more important to have security controls that work regardless of the direction from which the threat actors originate.