The Internet is evolving at an ever-increasing velocity. With more internet-connected devices being brought online, and always-on services being delivered by Wi-Fi hotspots and 4G, the average person is typically connected 24/7.
The boundaries between what is public and what is private are blurring. Historically, corporates built internal networks to house sensitive data and published a limited number of services out to the Internet. However, as more data is generated by people and processes, these boundaries are now less well defined. Employees access data from their smartphones whilst in the office, consume services from the cloud, and interact with resources that straddle internal and external networks interchangeably and without thought. At the same time, smart devices and an array of mobile apps collect user data from people throughout the day, whether they are at work, on the road or at home.
Historically, organisations thought of cyber threats as either internal or external. External threats came from hackers and people out on the Internet who, in theory, had limited knowledge of the organisation itself. Internal threats were often assumed to be employees, contractors or other people with physical access to internal resources. Frequently we hear of the ‘cleaner’ being suggested as the likely internal threat! Although these threats are undoubtedly still prevalent, the distinction between internal and external has blurred as the way in which we consume, create and interact with data has evolved.
People, Processes and Technology
We often talk about cyber security as something that is based around people, process and technology. Despite this widely accepted truism, it is very common for organisations to allocate disproportionately more focus to technology, with people and process getting much less consideration. As a consequence, external threat actors that previously focused on technical vulnerabilities have for a while been turning their attention to people and process. They recognise that humans are frequently the weakest link in an organisation’s defences, and they know that if they can compromise a user, they can then abuse that user’s processes to gain access to sensitive data. The approach often results in a user being targeted and having their local machine compromised by an external attacker. Once the user’s machine is compromised, the attacker leverages the user’s internally provisioned access rights, effectively abusing the organisation’s internal trust model. The attacker will scour the local machine for titbits of sensitive information that hold credentials, process manuals, or how-to guides that provide details on the types of services the user is able to consume. The attacker will then widen their net and conduct reconnaissance across the user’s e-mail, centralised file shares and corporate intranet services, all in the hope of finding sensitive data, or process documents that describe how sensitive data or resources can be accessed.
The challenge is that this doesn’t look like the external threat we faced five years ago. Five years ago, the threat looked external and it smelt external. Today, by compromising users and leveraging their trust networks, the threat looks like an internal user. And that means one thing: organisations have to start building layered security controls, and they have to be able to distinguish normal user behaviour from what could be abnormal or malicious.
As the boundaries between internal and external threats begin to blur, organisations need to adjust their assurance practices. Instead of simply conducting penetration testing against external infrastructure and applications, it is imperative that they start understanding the security posture of their internal systems and datasets. Instead of focusing on defence alone, organisations have to assume that their users will inevitably be compromised. As a consequence, containment, together with a focus on detection and response, will become a key area towards which security programmes and strategies must readjust their focus.
As GDPR and wider industry regulation beckon, organisations will be forced to do more to protect users’ data. As the threat landscape evolves, it is likely that an external threat will essentially appear as an insider, leveraging process failures and presenting as a legitimate corporate user. There really are very few network borders that separate inside from outside. Organisations need to step up and take note. The internal threat has become sophisticated, it has become self-aware and it has become persistent in its approach and nature!
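The detection point made above, that a compromised account behaves like an insider and must be told apart from that user’s normal pattern, can be illustrated with a small baseline-versus-observed comparison. This is an added example, not code from the original article: it assumes a hypothetical file-share access log of the form `<day> <user> <share>`, with both the baseline window and the observed day constructed here. Each user is compared only with their own history, so a user who suddenly touches several shares they have never used before, or whose daily access volume jumps well above their average, is flagged for review while a user behaving as usual is not.

```python
from collections import Counter, defaultdict

# Constructed baseline window (hypothetical log format: "<day> <user> <share>").
# This represents several days of each user's ordinary file-share access.
BASELINE_LOG = """\
2019-03-04 alice finance
2019-03-04 alice finance
2019-03-05 alice finance
2019-03-05 alice hr-policy
2019-03-06 alice finance
2019-03-04 bob engineering
2019-03-05 bob engineering
2019-03-06 bob engineering
2019-03-06 bob wiki
"""

# Constructed observed day: alice's account starts browsing shares she has
# never used, consistent with the reconnaissance pattern described in the text.
OBSERVED_LOG = """\
2019-03-07 alice finance
2019-03-07 alice it-runbooks
2019-03-07 alice backups
2019-03-07 alice onboarding-guides
2019-03-07 alice engineering
2019-03-07 alice payroll
2019-03-07 alice finance
2019-03-07 alice hr-policy
2019-03-07 bob engineering
2019-03-07 bob wiki
"""


def parse(log):
    """Turn the hypothetical log text into (day, user, share) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        day, user, share = line.split()
        events.append((day, user, share))
    return events


def build_baseline(events):
    """Per user: the set of shares normally used and the average accesses per active day."""
    shares = defaultdict(set)
    per_day = defaultdict(Counter)
    for day, user, share in events:
        shares[user].add(share)
        per_day[user][day] += 1
    baseline = {}
    for user in shares:
        days = per_day[user]
        baseline[user] = {
            "shares": shares[user],
            "avg_per_day": sum(days.values()) / len(days),
        }
    return baseline


def flag_anomalies(baseline, events, new_share_limit=2, volume_factor=3.0):
    """Return {user: [reasons]} for users whose observed behaviour departs from their own baseline.

    new_share_limit: more than this many never-before-seen shares is suspicious.
    volume_factor:   a day with more than volume_factor * avg_per_day accesses is suspicious.
    """
    new_shares = defaultdict(set)
    per_day = defaultdict(Counter)
    for day, user, share in events:
        per_day[user][day] += 1
        known = baseline.get(user, {}).get("shares", set())
        if share not in known:
            new_shares[user].add(share)

    findings = {}
    for user, days in per_day.items():
        reasons = []
        if user not in baseline:
            # An account with no history cannot be compared; surface it rather than ignore it.
            reasons.append("no baseline for user")
        else:
            if len(new_shares[user]) > new_share_limit:
                reasons.append(
                    f"{len(new_shares[user])} never-before-seen shares: {sorted(new_shares[user])}"
                )
            peak = max(days.values())
            avg = baseline[user]["avg_per_day"]
            if peak > volume_factor * avg:
                reasons.append(f"peak {peak} accesses/day vs baseline {avg:.1f}")
        if reasons:
            findings[user] = reasons
    return findings


def run():
    """Build the baseline from the constructed history and score the observed day."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return flag_anomalies(baseline, parse(OBSERVED_LOG))


if __name__ == "__main__":
    for user, reasons in run().items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

With the constructed data, alice is flagged on both counts (five new shares, and eight accesses against an average of under two per day) while bob, whose day matches his history, is not. The thresholds are deliberately simple; in practice they would be tuned per role, and the baseline would be rebuilt on a rolling window so that legitimate changes in a user’s job do not generate alerts forever.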