The “new” trend in cybercrime: extortion of employees

Attacks on company information systems have evolved to become extremely sophisticated. Cybercriminals currently exploit vulnerabilities in applications, equipment configurations or communication network protocols to seize the data or systems of any organization, but they also extort employees.

In this context, we often read news about the complex mechanisms they use to subvert the behavior of teams and gain control of them. When that happens, we are sure that many people will think about the deep knowledge that these cybercriminals must havecapable of analyzing systems, evaluating their vulnerable points and developing programs and attack models that require sophisticated computer tools.

For that very reason, when we discover that bribery or extortion of employees are a common part of the mechanisms used to access the accounts of privileged users and with them the protected data of an organization, that fascination collapses.. And it is that social engineering techniques are probably the best tool to violate the security of a company.

Some emblematic cases

The ones known as internal attacks they are probably the most serious threat present in today’s organizations. Via unintentional mistakes or intentional actions, the employees of a company represent the access point that can put the entire security of a company at risk. techniques like the phishing, vishing or smshing are currently complemented by actions focused on recruiting employees to help infiltrate corporate networks. Some cybercrime groups even offer exorbitant amounts to those employees who are willing to betray their companies.

Cybercriminals currently exploit vulnerabilities in applications, equipment configurations or network protocols, but they also extort employees

The examples have been, and are, historically very representative. Just a few years ago, it was discovered that a Tesla employee had been lured into exfiltrating secret company information with the promise of $1 million. Ultimately, the bribe was unsuccessful because the employee himself reported it, and the offender, a friend and former colleague, was arrested.

Similarly, last year an employee of Ubiquiti was accused of extorting his company with the information he had stolen months before. Interestingly, before that, the employee himself had been part of the internal team that investigated the aforementioned incident.

In 2019, LockBit, one of the ransomware most active in the market dark weboffered “business relationships” to employees of various companies to share “profits” if they installed their malware within their organizations.

More recently, the cybercrime group LAPSUS$ disclosed, through its social network accounts, economic offers to employees and former employees of some companies to provide them with access credentials to privileged accounts. In fact, it is believed that many of the “successes” of this group lies precisely in the collaboration of internal employees with their victims.

the internal threat

It is very likely that companies have focused their attention on the risks that come from the outside, tiptoeing past those threats that arise within the same organization.

Currently, Almost half of the cybersecurity incidents that occur in a company involve an internal actor. According to analyzes provided by Forrester, the number of cyberattacks through internal actors have grown by more than 8% in 2021. De facto, it is known that large corporations often feel threatened, for example by disgruntled employees who create false identities on the dark web to offer their services to the highest bidder.

Insider threats are a serious problem for any organization: they are difficult to detect, employees have more and more technological knowledge to act without being detected, they have legitimate access to systems and data, they make use of teleworking tools and, above all, they base much of their security on the assumption of regulatory compliance dictated by the company.

For example, according to a study carried out by MITER and the company DTEX, 56% of data theft stems from employees leaving the company to join the competition; each year the number of incidents related to the leakage of confidential data through screenshots of information shared in videoconferencing systems during teleworking triples; and the number of employees who use corporate computers, with confidential data, for personal matters have multiplied by four.

mitigation plan

Combating this type of threat must therefore become a priority for companies. An effective insider threat mitigation program It will be essential and will serve to protect your critical assets and services.

Monitor the behavior of employees to detect those who make illegal use of the resources available to them, assess the level of risk that each employee represents for the company, implement strategies focused on reinforcing the safety of possible victims according to their possible vulnerabilities or involving the employees themselves in the process of detecting, communicating, stopping or mitigating the inappropriate behavior of another employee, are some of the aspects that a Internal Threat Mitigation Plan must cover.

The truth is that there are numerous factors that influence the materialization of an internal threat, including the personal predisposition of the employee, the pressures to which he is subjected (professional, financial, social…), his habitual behavior inside and outside the company or the guidelines for action in the professional tasks entrusted to him. The concept of “burnout” or employee “burnt out” is a good example of a situation conducive to the successful completion of any of these risks. There is no cybersecurity budget to protect against its possible consequences.

recommendations

The development of a Mitigation Plan for internal threats is a complex task in time and form. Even so, we do not want to miss a set of basic recommendations that can serve as a reference when planning the first steps in the right direction:

• Principle of the least possible privilege. This is a very simple, yet important step that a company can take to protect itself from these threats: implement an access management model that only assigns privileges to employees for those services and information that are necessary for their assigned function.
• Monitoring and detection of internal anomalies. Companies often tend to protect their infrastructures with firewall systems, workstation antivirus, operating system version updates, etc. However, they often forget to monitor the traffic within the network. Anomalous behavior on the network is, on many occasions, evidence that shows that something unusual is happening and requires special attention. Sometimes, they are simple accesses to unusual resources, execution of processes after hours, connections of external devices, sending emails to unknown addresses, etc. Any event that breaks with the usual routine of an employee can be analyzed.
• Network segmentation. The attacks of ransomware, for example, tend to spread through the network through lateral movements, so segmenting access to networks will reduce the risk of spreading to other environments within the company’s infrastructure. Well, the same thing happens with employee access: the possibility of accessing departmental subnets by employees who are not related to them can pose a high risk for any company; hence, establishing duly protected segmentations can be a fundamental element to reduce risks.

• Traceability of actions. The correct identification of users, as well as the recording of their activities, can ultimately allow the origin of a security incident to be identified. The data collected can be analyzed both in real time and for future forensic analysis to determine the possible involvement of an employee in an insider attack.
• Code of conduct. Every company must define a code of conduct for all employees in the performance of their duties. Establishing protocols for the use of the resources available to employees can mean the difference when it comes to being able to resort, or not, to data collected to be presented in administrative or criminal complaints. The internal communication processes themselves must be confidential and strict disciplinary rules must be defined against those who violate the code of conduct.

Finally, there is a last recommendation that is not always included in a document but that is perhaps more essential and critical: promote an honest and transparent company culture; Get to know your employees and make them aware of their importance for the future of the company. Perhaps this way you will end up knowing your likes and dislikes a little more, and perhaps this way you can help prevent a malicious third party from taking advantage of them.

By Juanjo Galán, Business Strategy at All4Sec