Line blurs between insider, outsider attacks

Underground forums provide insider access to enterprises

The insiders strike again. But this time it's not the malicious insider, but insiders' access to corporate data, and it is for sale in the cybercrime underground.

Security experts have been saying for years that while technology is a key element in protecting enterprises from online attacks, human insider carelessness, vulnerability or hostility can always trump it.

One of the most destructive examples of that in recent months was the cyberattack in August on the state-owned oil company Saudi Aramco, which erased the data on about 30,000, or three quarters, of the company's corporate PCs using a virus named Shamoon, and replaced it with an image of a burning American flag.

U.S. Defense Secretary Leon Panetta, in a recent speech warning of a possible "cyber Pearl Harbor," called the attack "probably the most destructive attack that the private sector has seen to date."

Nicole Perlroth at The New York Times wrote this week that the attack was made possible through the privileged access of insiders.

"After analyzing the software code from the Aramco attack, security experts say that the event involved a company insider, or insiders, with privileged access to Aramco's network. The virus could have been carried on a USB memory stick that was inserted into a PC," she wrote.

Insider access, involuntary or not, is now becoming commoditized -- a service offered in the marketplace of the cybercrime underground. CSO Online reported this week on security blogger Brian Krebs' findings that "for just a few dollars, these services offer the ability to buy your way inside of Fortune 500 company networks."

[See also: Tough economy heightens insider threat]

Krebs wrote that he had analyzed one service that was "renting access to nearly 17,000 computers worldwide, although almost 300,000 compromised systems have passed through this service since its inception in early 2010."

Some studies, including one released this past June by Cyber-Ark Software, have said the malicious insider threat is large and growing, but others pointed out at the time that this ran counter to the results of Verizon's 2012 Data Breach Investigations Report, which found that only 4% of data breaches in 2011 involved insiders.

Krebs and others say that low number was based on the definition of insider. Some are on the inside to start, while those he was writing about hacked their way in. He told CSO Online that he was writing about services that "allow outsiders to become insiders by gaining instant access to behind-the-firewall and perimeter security defenses."

"If the victim organization has architected its network in such a way that lets that insecure system communicate with other portions of the targeted network, then I suppose you could say a service like this could increase the insider threat," he said.

Mark Baldwin, CISSP and principal researcher and consultant for InfosecStuff, agrees. "This is not a case of insider threat," he said. "These systems have been compromised by external actors."

Matt Johansen, manager of threat research at WhiteHat, said traditonal insider threats are not the issue here. "A computer is much more likely to be compromised via the Web, phishing attacks, and malware before an insider," he said. But he added: "Techniques needed to exploit a computer and become an insider to a network yourself are becoming more freely available, easier to master, and therefore lowering the bar to be a black hat hacker."

Adam Bosnian, an executive vice president at Cyber-Ark, said he believes the difference is becoming irrelevant. "We're starting to grapple with the fact that it is a blurry line. The traditional sense of insider attack is somebody who is already an employee who is disgruntled and goes rogue for some reason," he said.

"But it really doesn't matter whether an attack starts on the inside or the outside. It doesn't matter if an insider is malicious or inadvertently compromised [by an outside attack], because the result is the same," he said.

"I think the concept of inside vs. outside will dissolve on its own," Bosnian said, adding that the more relevant key for enterprises is not where the attack originates, but the protection of user credentials.

Copyright © 2012 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)