The Threat Is Coming From Inside the Network: Insider Threats Outrank External Attacks
There are plenty of reasons to assume that most cyberattacks are the work of far-off bad guys with a political ax to grind or searching for fame and fortune. After all, we hear about them in news reports just about every day, leaving businesses and consumers wondering whether their data can ever be considered safe again. What’s not discussed, however, is that 55 percent of all attacks are carried out by malicious insiders or inadvertent actors, also known as insider threats. In other words, they were instigated by people you’d be likely to trust. IBM Security is releasing two reports to educate the public on these threats: the “IBM 2015 Cyber Security Intelligence Index” and the “IBM X-Force Threat Intelligence Quarterly – 2Q 2015.”
In the Cyber Security Intelligence Index, IBM Security Services reveals insights based on the continuous monitoring of billions of events per year. In 2014, organizations monitored by IBM Security Services experienced approximately 81 million security events, amounting to over 12,000 attacks and 109 incidents for each client. The Index proves statistically that every company is being compromised.
“Unauthorized Access” led all security incidents in 2014. For the two previous years, malicious code and sustained probes or scans dominated the security incident landscape. However, Shellshock and Heartbleed were game changers in 2014, which allowed Unauthorized Access incidents to rise to the top and account for 37 percent of all events in 2014, up 19 percent from 2013.
An Inside Job
The rise of social media, cloud, mobility and big data is making insider threats harder to identify while also providing more ways to pass protected information. If we break out the malicious insiders from the inadvertent actors, we see several profiles: disgruntled employees who exit the company but still have access to old privileges or create back doors before leaving; malicious insiders taking advantage of lax deprovisioning of expired or orphan accounts to attack valuable resources or with privileged access who sell information for financial gain; and the inadvertent insiders who do not mean harm but fall prey to social engineering schemes that grant access to outside attackers. There are even “quasi-insiders” who could be considered trusted third-party contract workers.
In the IBM X-Force Threat Intelligence Quarterly, we investigate how social engineering has turned an annoyance like spam into a legitimate attack vector, with for-profit operators creating and selling spam campaigns to trick inadvertent insiders to open an attachment or click on a link. Although the current volume of spam is comparable to that of 2013, the percentage of spam carrying malware jumped from 1 percent in early 2013 to around 4 percent in 2015, making this a high-growth channel for spreading malware.
The Bottom Line on Insider Threats
As the Index expressed, every organization is under attack. The 81 million security events experienced by IBM MSS clients — a subset of the billions of events IBM Security monitors daily — were filtered down with continual policy tuning by 11 percent to reduce the noise, allowing analysts to focus on true threats. But despite the resulting reduction of noise, the average number of serious incidents held fast to 2013 levels at 2.1 a week.
Through rigorous practices, enterprises can better manage and scrutinize users and networks for both security and compliance. Network forensics can help companies better understand activity coming into and going out of the network, and the ability to reconstruct the activities that took place during a network compromise is essential to securing data and preventing further harm. Furthermore, monitoring privileged access is essential to managing the risk associated with user entitlements to sensitive data.
I encourage you to download and take advantage of the information in both the Index and the Threat Intelligence Quarterly. We’ll have additional information here on Security Intelligence in the coming weeks to continue the discussion. You can also watch our on-demand webinar, “Why Insider Threats Challenge Critical Business Processes.”