
Gartner: ‘Insider threat is alive and well on the dark Web’

Tim Greene | June 15, 2016
Gartner says that to spot low-level insiders who have gone bad, security pros should look for the keywords they search for and the IP addresses and URLs they seek out on the Dark Web.

Corporate employees who help carry out cyberattacks are increasingly being sought out, and are themselves seeking criminals to hire them, a Gartner analyst told a group at the consulting firm’s Security and Risk Management Summit.

A group of 60 CIOs and CISOs that Gartner analyst Avivah Litan worked with say this recruitment is more active and becoming a larger concern because these employees use the Dark Web to sell their services, Litan says.

She showed a screenshot of a Dark Web chat room in which a bank employee was seeking help to acquire and distribute a banking Trojan. An established criminal was trying to recruit the employee into a larger scheme.

“There’s lots of disgruntled employees out there,” she says. “They log onto TOR and make their service available.”

She introduced Rich Malewicz, the CIO of Livingston County, Mich., who uncovered a ring of county employees, including his own IT manager, that was pirating movies and stealing county data. The manager, who was actually leading the investigation into the piracy, and three others were caught and fired.

He caught on to the criminal activity because an employee notified him that when she came in one morning her computer was on, even though she had turned it off when she left. It had also been moved.

He discovered via logs that an IT tech, who had been coming in late, leaving early and playing video games on county time, had come in at 3:30 to use the machine.

He used a tool from ObserveIT to track and record the activity of the criminals, leading to their firing and criminal charges.

But catching insiders requires a range of tools and methods, starting with scrutinizing personal interactions. Litan says she knows of a nuclear power entity that does quarterly three-hour interviews with key employees to monitor their personal situations. Have they been arrested for drunk driving? Are they getting divorced? Has the quality of their work slipped? These can indicate someone ripe for insider abuse.

Beyond that, businesses have to use detection and analysis tools to track these threat actors, she says. The approach is data-driven, relying on monitoring structured and unstructured data, email, and chats on the Dark Web.

Analysis falls into four categories: descriptive, diagnostic, predictive and prescriptive. The first two try to answer what is happening and why. The third tries to project what will be stolen or tampered with and how that will happen. The final analysis tells what to do about the problem to prevent actual attacks.

About 80% of these insiders can be caught using rules and monitoring employees’ behaviors and the pressures they face in their personal lives, she says. The other 20% can be uncovered using anomaly detection tools that reveal how they stray from their routine, authorized use of the network.

 
