Page 100 - Cyber Defense eMagazine September 2023

Companies need to assess if they have given their people too many permissions and not enough safeguards when it comes to cybersecurity policy. This is especially true for industrial and critical infrastructure targets, as well as utilities and energy infrastructures, which have vast networks of connected devices, both new and legacy, and numerous personnel to manage them who need credentials. Here, we’ll answer a few questions about how insider attacks threaten our infrastructures.



What makes insiders so dangerous to industrial and manufacturing targets?


All it takes is a single unsecured device or a single worker to make an error or be manipulated. Insider attackers often already know where valuable information is kept, understand how it can be used, and know what’s normal (or not normal) to do so that alarms aren’t triggered. They also have legitimate credentials, which means they may not need to do much “attacking” at all. This makes them difficult to detect until it is too late, at which point many industrial and manufacturing targets are tempted to concede to certain demands in order to keep operations moving. Stopping operations is a last resort because of both the financial and the reputational ramifications. Insiders understand this and exploit it for leverage.


With the new and increasing abilities of AI in mass content production, including text and deepfake voice clones, human manipulation is becoming significantly harder to identify, raising the risks of cyber events to a new level.




Why haven’t we heard more about insider attacks?

Though recent research and reporting have shed light on the rising tide of insider attacks, we historically have not heard much about these sorts of incidents. This is because, for the companies that are victimized, these incidents can represent “dirty laundry” that they’d rather not air to the public. There’s also often a threat, implicit or implied, that the hack will get worse if authorities are involved, impacting negotiations and decisions on whether to pay a ransom or not and potentially requiring disclosure of sensitive information to the authorities.

Insider attacks can also be easier for people to tune out because these incidents frequently stem from mundane mistakes. Simple human error is a huge source of insider attacks, but news and entertainment typically prefer to show a master hacker in a remote van rather than a technician simply forgetting to log out.

For a high-profile example of an insider manipulation attack using a compromised credential, look no further than the Colonial Pipeline incident. In response to a ransomware attack sourced from an insider breach of their IT network, they shut down operations for their entire pipeline system.



How can we improve reporting?

Organizations are often lax in their implicit trust of employees and partners, and they are reluctant to report incidents when they occur. A lack of transparency from targets of insider attacks




Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.