Page 100 - Cyber Defense eMagazine September 2023
Companies need to assess if they have given their people too many permissions and not enough safeguards when it comes to cybersecurity policy. This is especially true for industrial and critical infrastructure targets, as well as utilities and energy infrastructures, which have vast networks of connected devices, both new and legacy, and numerous personnel to manage them who need credentials. Here, we’ll answer a few questions about how insider attacks threaten our infrastructures.
What makes insiders so dangerous to industrial and manufacturing targets?
All it takes is a single unsecured device, or a single worker making an error or being manipulated. Insider attackers often already know where valuable information is kept, understand how it can be used, and know what is normal (or not normal) to do so that alarms aren’t triggered. They also have legitimate credentials, which means they may not need to do much “attacking” at all. This makes them difficult to detect until it is too late, at which point many industrial and manufacturing targets are tempted to concede to certain demands in order to keep operations moving. Stopping operations is a last resort, because of both the financial and the reputational ramifications. Insiders understand this and exploit it for leverage.
With the new and growing ability of AI to mass-produce content, including text and deepfake voice clones, human manipulation is becoming significantly harder to identify, raising the risk of cyber events to a new level.
Why haven’t we heard more about insider attacks?
Though recent research and reporting have shed light on the rising tide of insider attacks, we historically have not heard much about these sorts of incidents. This is because, for the companies that are victimized, these incidents can represent “dirty laundry” that they would rather not air in public. There is also often a threat, explicit or implied, that the hack will get worse if authorities are involved, which affects negotiations and decisions on whether or not to pay a ransom and may require disclosure of sensitive information to the authorities.
Insider attacks can also be easier for people to tune out because these incidents frequently stem from mundane mistakes. Simple human error is a huge source of insider attacks, but news and entertainment typically prefer to show a master hacker in a remote van rather than a technician simply forgetting to log out.
For a high-profile example of an insider manipulation attack using a compromised credential, look no further than the Colonial Pipeline incident. In response to a ransomware attack that originated from an insider breach of its IT network, the company shut down operations for its entire pipeline system.
How can we improve reporting?
Organizations are often lax in the implicit trust they extend to employees and partners, and they are also reluctant to report incidents when they occur. A lack of transparency from targets of insider attacks
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.