

2017 SANS Insider Threat Survey

Posted by agaran at 2020-03-08

(1) Summary

Main findings

45% of respondents did not know the potential financial losses associated with insider threats, and another 33% were unable to put a value on those losses.

18% have a formal incident response plan that covers insider attacks, and 49% are in the process of developing one.

62% of respondents believe they have never experienced an insider attack, yet 38% admit that their detection and prevention capabilities are not very effective.

40% consider malicious insiders the most damaging threat they face, and 36% consider accidental or negligent insiders the most damaging.

When evaluating attack vectors, studying competitors, and weighing the threat from organized crime or foreign adversaries, it is easy to conclude that external attacks should be the main focus of defense. That conclusion is wrong. The key factor is not the source of the threat but its potential damage. From that perspective it is clear that, although most attacks may originate outside the organization, the most serious damage is usually done by insiders. The survey stresses that managing insider threats is the way to win at cybersecurity.

Even advanced external adversaries take the simplest way in. As organizations harden their perimeters and lock down their systems, attacking their servers directly becomes harder, and insiders become the simplest attack vector: an organization usually has far more people than servers, and a person only has to click the wrong link or attachment. To compromise an organization, adversaries increasingly make insiders their primary target. The purpose of this survey is to better understand the current state of insider attacks and what organizations can do to address a serious threat that exists in most of them.

Here are some key elements of this survey:

• organizations recognize the importance of insider threats. This is a positive result: organizations now regard insiders as the most potent component of the threat. Interestingly, most organizations have not readjusted their budgets and staffing to keep up with this view.

• losses due to insider threats are largely unknown. Relatively few respondents were able to quantify actual or potential losses from insider threats. When an organization cannot quantify a loss, it usually does not spend money on it. This explains why insider threats are a concern but not a major focus.

• incident response does not cover insiders. While recognizing that insiders are a common and vulnerable point of attack, fewer than 20% of respondents said they have a formal response plan for incidents involving insider threats. The main focus of incident response remains recovering from an attack.

• detection of insider threats remains ineffective. More than 60% of respondents said they had never experienced an insider attack. This result is misleading: 38% of respondents said they have no effective way to detect insider attacks, so the real problem may be that organizations are failing to detect insider threats, not that they are not being attacked.

• organizations must deal with both malicious and unintentional insiders. When most people hear "insider threat", they think of a malicious insider who deliberately harms the organization. While that type of insider will always be a problem, the greater threat to most organizations is the unintentional insider: a legitimate user whose credentials have been stolen, or who has been tricked into letting an attacker in. Respondents may not see these insiders as part of the insider threat at all. The survey found that malicious employees were the top concern (43%). Interestingly, however, accidental or negligent insiders came second (39%), which suggests organizations are starting to focus resources on the right areas.

(2) Status of insider threats

The respondents come from a wide range of organizations, from fewer than 100 people to more than 100,000. The largest group consists of organizations with more than 100 and fewer than 10,000 employees. Most responses came from companies in the United States. Figure 1 shows the industries represented.

It is not hard to see that industries with more critical intellectual property (such as banking, government and high tech) are more aware of the risk of data loss through insiders, and so more likely to take part in a survey on this topic. An important point to remember is that any organization, regardless of its business, head count or intellectual property, can be attacked. Experience shows that organizations that invest less in cybersecurity tend to be more vulnerable, because they assume their data has low value. If something is considered low value and left unprotected, it is easier for the adversary to attack and harder to detect when an attack occurs.

Capability maturity

From the perspective of capability maturity, the survey shows that organizations are beginning to recognize the importance of insider threats and to invest resources in establishing appropriate incident response processes. 49% of respondents said they were developing plans, but 31% still had no plan and no focus on insider threats, as shown in Figure 2.

Developing an incident response plan that addresses insider threats is very important. It is equally important to establish defenses that prevent and detect attacks in a timely manner. Ensuring that the plan is effective requires measuring and tracking the security controls, determining their effectiveness, and focusing on the right threats.

It would be interesting to correlate the number of organizations that lack an insider threat program with the number of attacks and data breaches. Unfortunately, because organizations without an effective insider threat program are also the ones unable to detect attacks in a timely manner, that correlation is hard to quantify. In the author's experience, however, there is a direct relationship between the entities that ignore the problem and the entities that suffer major incidents.

Maximum threat vector

The results show that organizations have begun to realize that insiders can do more damage than external threats. Unintentional and malicious insider threats were both rated above external threats (36% and 40% of respondents respectively rated them the most damaging), while only 23% rated external threats as the most damaging attack type (severity 1), as shown in Figure 3.

Sources of insider threats

• malicious / intentional insiders - people who knowingly steal, damage or disclose information, causing harm to the organization

• accidental / unintentional insiders - users who have been tricked or manipulated into causing harm, or whose credentials have been stolen through phishing or another user-centric weakness, so that the attacker effectively becomes a legitimate user

However, many organizations rank malicious insiders ahead of unintentional insiders, which indicates a lack of cybersecurity maturity: in reality, for most organizations the most damaging threat is the unintentional insider. Malicious insider behavior is a concern, but with proper access control, segmentation and monitoring its risk can be minimized.

If an adversary infiltrates the network undetected, unintentional insiders pose the greater risk and can do more harm.

Losses caused by insider threats

As we expected, the largest categories of financial loss are "unknown" (the organization does not know how much loss was caused) and "not valued" (the organization has not assigned any potential loss). This is because most organizations lack adequate monitoring and reporting to determine the real impact of attacks that use insiders. Figure 4 shows the potential losses.

For example, a sufficiently subtle insider attack could leak product plans to a competitor without ever being detected. The product's subsequent failure would then be attributed to market conditions or other factors rather than to someone "stealing" the plans. In my experience, many organizations blame external factors, and only a detailed investigation reveals that the real cause was an insider.

(3) Focus

Organizations invest where they believe the return on investment is high. Most do not put money into issues that have not been identified as a threat or shown to have negative consequences. How an organization views insider threats therefore has a direct bearing on what it spends on them.

General concerns

The top concern respondents expressed about insider threats was attacks on customer information (63%). Customers are often an organization's most important asset; losing their trust can mean losing them, and eventually losing the business. Compromise of privileged account information and leakage of trade secrets followed at 49% and 41% respectively. See Figure 5.

It is worth pointing out that every organization has "customers": even government agencies receive funding, and the parties that provide it should be considered customers. The consequences are easy to see after a government agency is attacked: projects are cancelled and funding is cut, and this has happened many times.

All of these concerns relate to data and intellectual property. Ultimately, anything that could affect a company's short-term or long-term success is a concern.

Focus: staff time invested

While organizations spend some time on insider threats, the investment is still low. The largest share of respondents (27%) estimated that they spend one to four hours a month on insider threats. In the author's experience, investigating and following up on insider threats can take 30 to 40 hours.

Focus: reactive, not proactive

Only 29% of respondents have a dedicated team focused on insider threats. 60% use existing staff and, surprisingly, 7% do not know how insider threats are handled in their organization, as shown in Figure 7.

Focus: budget support

The budget results are probably the most interesting and the most frightening. They fit the old pattern: the rich get richer and the poor get poorer. It is disturbing that 28% of organizations have no budget for insider threats, versus 16% for the next 12 months. Organizations that do not treat insider threats as a high priority currently spend 5% or less of their IT budget on prevention and plan to spend less next year, as shown in Figure 8.

If you detect or prevent only a handful of insider threats, you may not see the value of protecting against them; and if you do not see the value, you will not keep spending. Organizations that devote substantial resources to insider threats are able to identify threat behavior and defend against it, so they see the value and continue to invest, getting more and more value in return. If you cannot see the threat, you cannot deal with it; if you cannot defend against it, you will never get a positive ROI.

Malicious and unintentional insiders

When asked how their insider threat budget is split between malicious and unintentional threats, most respondents (56%) said they did not know. This is not surprising: organizations without formal processes and a dedicated team for insider threats generally do not track the resources they spend on malicious versus unintentional insiders. See Figure 9.

(4) Insider threat visibility

Visibility of insider threats

Many organizations have experienced attacks carried out through insiders but struggle to detect them because they lack the appropriate visibility. As a result, many organizations are not merely facing insider threats but have actually been attacked and simply do not know it.

End users have become the entry point for external attackers. According to the SANS Threat Landscape Survey from September 2016, 80% of respondents had experienced phishing attacks, 75% had experienced significant, impactful attacks delivered through email attachments, and 46% of attacks were triggered by users clicking a web link in an email.

Attacks are becoming more sophisticated, but end users are increasingly the weak point: 48% of attacks bypassed endpoint defenses through user error, and 38% through social engineering.

In the author's experience, if your organization has existed for several years, the probability that an insider has caused an attack is close to 100%.

It is not surprising that most organizations are overconfident about their security. Only when they discover an attack do they realize that their security is not as effective as they thought. Appropriate tools and techniques are therefore essential to gain visibility of the problem.

(5) Tools, techniques and methods

When evaluating tools and technologies, it is important to understand the problems the organization wants to solve. Respondents believe that malicious insiders are more harmful than unintentional insiders, as shown in Figure 11.

The focus area for preventing insider threats should be ensuring that critical data is protected. Organizations that do spend money on insider threats tend to focus on the wrong areas, not aligned with what matters most. In Figure 12, 65% or more of respondents chose policies, procedures and audits, which sit at the top of the list of tools and technologies for preventing insider attacks.

(6) Damage and exposure

The good news is that more and more organizations recognize the importance of insider threats. The bad news is that detection and response are still in their infancy across the board. As Figure 14 shows, the time to detect and mitigate reported by respondents spans a wide range.

Adversaries need access to systems before they can attack critical information and cause harm, so it is no surprise that account credentials, chosen by 36% of respondents, top the list of assets affected by insider threats (see Figure 15). The next entries all concern critical data and information.

There is a reason most countries have data protection laws: stolen data harms customers. The more actively an organization controls and manages its critical data, the more effectively it reduces the impact of insider threats. The better an organization understands its employees' normal behavior and legitimate data usage patterns, the more abnormal behavior it can detect.

Impacts such as reputational damage and customer loss are hard to measure and even harder to attribute to a specific cause. In the author's experience, most organizations overestimate their defenses and underestimate the impact of attacks when insiders are involved.

(7) Conclusion

In the pursuit of security it is important to look at objectives and focus on the areas that matter most. To decide where to focus, ask yourself: what separates a major security incident from a minor one? The answer is simple: data that is leaked or corrupted. The data that is destroyed or accessed ultimately determines the impact of an attack on the organization. Because insiders have direct access to critical data, attacking and/or using insiders to gain access is far easier than a purely external attack.

The following is a checklist for addressing insider threats:

Identify the data that matters most to your organization. Think from the attacker's point of view and consider what data an attacker would go after.

Determine who currently has access to that data. Identify the insiders with direct or indirect access to sensitive data.

Restrict access to those who need it. Verify who really needs access to the data and remove any unnecessary access to reduce the attack surface.

Monitor user behavior. Understand how users work with sensitive data and make sure they have not been compromised.

Understand the threat. Map the threats, identifying unintentional and malicious insiders and which are most likely to cause damage.

Understand the vulnerabilities. Determine which vulnerabilities would have the greatest impact if exploited.

Identify countermeasures that eliminate or reduce the threats. Common protections against insider threats include data segmentation, application whitelisting, data protection and data classification.
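The first four steps of this checklist (inventory the sensitive data, record who is entitled to it, prune entitlements nobody uses, and watch how users actually handle the data) can be turned into a small, repeatable check. The script below is an added example and is not part of the SANS survey or this post; the `key=value` access-log format, the entitlement table, every log line and the `factor=10` volume threshold are constructed for illustration and would be replaced by real inventories and tuned thresholds in practice. It flags sensitive resources touched by users who are not entitled to them, users pulling far more records than their own historical baseline (the kind of behavior a compromised or negligent account shows), and entitlements that no one exercised during the baseline window, which are candidates for removal.

```python
"""Insider-threat checklist as code: inventory sensitive data, compare who
touches it with who is entitled to it, flag unusual volumes, and list
entitlements that nothing in the baseline ever used.

Added example, not part of the SANS survey or the blog post. The log
format, the entitlement table and all log lines are constructed, and the
volume threshold is an assumption a real deployment would tune.
"""
import re
import statistics
from collections import defaultdict

# Steps 1-2: the data that matters and who is allowed to touch it (constructed).
ENTITLEMENTS = {
    "hr_payroll": {"alice", "bob"},
    "cust_db": {"carol", "dave", "erin"},
    "product_plans": {"frank"},
}

# Constructed log lines in a hypothetical "key=value" access-log format.
BASELINE_LOG = """
2017-02-01T09:12:44Z user=alice resource=hr_payroll action=read rows=40
2017-02-01T10:03:10Z user=alice resource=hr_payroll action=read rows=35
2017-02-02T09:30:01Z user=alice resource=hr_payroll action=read rows=42
2017-02-02T11:15:27Z user=carol resource=cust_db action=read rows=120
2017-02-03T14:20:00Z user=carol resource=cust_db action=read rows=110
2017-02-03T15:42:13Z user=dave resource=cust_db action=read rows=95
2017-02-04T09:01:55Z user=frank resource=product_plans action=read rows=3
""".strip().splitlines()

TODAY_LOG = """
2017-03-01T09:05:12Z user=alice resource=hr_payroll action=read rows=38
2017-03-01T02:17:40Z user=carol resource=cust_db action=export rows=48000
2017-03-01T13:44:09Z user=grace resource=product_plans action=read rows=3
2017-03-01T16:10:30Z user=dave resource=cust_db action=read rows=100
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) resource=(?P<resource>\S+) "
    r"action=(?P<action>\S+) rows=(?P<rows>\d+)$"
)


def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["rows"] = int(ev["rows"])
            events.append(ev)
    return events


def unauthorised_access(events, entitlements):
    """Step 4 (a): sensitive data touched by a user who is not on its entitlement list."""
    return [ev for ev in events
            if ev["resource"] in entitlements
            and ev["user"] not in entitlements[ev["resource"]]]


def volume_anomalies(baseline_events, events, factor=10):
    """Step 4 (b): a user pulling far more rows from a resource than they usually do.
    The baseline is the per-(user, resource) median of historical row counts;
    anything above factor x median is flagged. factor=10 is an assumed threshold."""
    history = defaultdict(list)
    for ev in baseline_events:
        history[(ev["user"], ev["resource"])].append(ev["rows"])
    flagged = []
    for ev in events:
        past = history.get((ev["user"], ev["resource"]))
        if past and ev["rows"] > factor * statistics.median(past):
            flagged.append(ev)
    return flagged


def unused_entitlements(baseline_events, entitlements):
    """Step 3: entitled users who never touched the resource in the baseline window
    are candidates for access removal (reducing the attack surface)."""
    seen = {(ev["user"], ev["resource"]) for ev in baseline_events}
    return sorted((user, res) for res, users in entitlements.items()
                  for user in users if (user, res) not in seen)


if __name__ == "__main__":
    base, today = parse(BASELINE_LOG), parse(TODAY_LOG)
    for ev in unauthorised_access(today, ENTITLEMENTS):
        print("UNAUTHORISED", ev["ts"], ev["user"], ev["resource"])
    for ev in volume_anomalies(base, today):
        print("VOLUME", ev["ts"], ev["user"], ev["resource"], ev["rows"])
    for user, res in unused_entitlements(base, ENTITLEMENTS):
        print("REVIEW-ACCESS", user, res)
```

On the constructed data this reports grace reading product_plans without an entitlement, carol exporting 48,000 customer rows against a baseline of about 115, and bob and erin holding access they never used. Two points matter more than the specific checks: the entitlement table has to exist before any of this can run (steps 1 and 2 of the checklist are the prerequisite, not an afterthought), and the volume check only works because a per-user baseline was collected first, which is exactly the "understand normal behavior" investment the survey found most organizations are not making.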

As attacks continue to grow in power, it is important to focus on the source of the damage: insider threats. To win, focus on insiders.