An Unaddressed Threat To Critical Infrastructure And National Security: Insider Cyber Sabotage
By Dawn Cappelli, VP of Global Security & Chief Information Security Officer, Rockwell Automation [NYSE:ROK]
In the cybersecurity industry we are somewhat fickle: we shift our attention back and forth between insider and external threats based on recent events. In the '90s and early 2000s we focused on computer viruses, as that was the predominant threat. From 2010 to 2014, our attention shifted to insider threats when Bradley Manning and Edward Snowden grabbed the headlines. In 2015 we pivoted back to external threats when ransomware became prevalent. In 2017, following WannaCry and NotPetya, we are understandably focusing largely on external cyber threats. However, beware that the pendulum is likely to swing back to insider threats. In addition, with recent external cyber-attacks shifting from theft to sabotage, we should be prepared for the same shift in insider threats.
Here are a few recent insider cyber sabotage cases in critical infrastructure companies or with potential impact to national security:
In 2017, a former employee of a large aerospace company was arrested for trying to sell rogue credentials he had created for his company’s satellite tracking system to a Mexican drug cartel for $2 million. The system is used by several U.S. government and military agencies for tracking their aircraft, including the Drug Enforcement Agency.
In 2016, an employee of a large financial institution was sentenced to 21 months in prison after sabotaging the company’s network, causing an outage in network and phone access to over 100 branches—90 percent of their branches across the U.S.
In 2016, a large semiconductor manufacturer filed a lawsuit against a former employee who planted a time bomb in one of their systems that disrupted operations after he left the company.
These are three recent insider cyber sabotage attacks targeted at critical infrastructure companies or national security. I spent 13 years researching insider threats at the CERT Insider Threat Center at Carnegie Mellon University. I reviewed hundreds of similar cases. These attacks occurred in every sector, many causing significant damage to organizations and their customers. Yet few companies are actively addressing the insider cyber sabotage threat. Why? Because it’s a tough problem—not easily solved using technology alone. Insider cyber saboteurs are technical employees who use authorized access to set up an attack before they leave the company, and carry it out after they’re gone. Here’s the good news: this is no longer an insurmountable problem.
Who Does This and Why?
The first step in mitigating this threat is to understand it. Who commits these crimes? Happy, satisfied employees? Certainly not! Fortunately, our research found distinct patterns in insider cyber sabotage:
• Who does it? Technical employees.
• Why? They are very upset or angry about something that happened at work, for example no raise, no bonus, or a new boss they don’t like.
• What do they do? They exhibit a pattern of concerning behavior that gets worse over time until it gets bad enough that management approaches Human Resources (HR) for action.
• How do they do it? The employee decides they want revenge and sets up their attack, but usually carries it out after leaving the company.
A Socio-technical Solution
Employees who commit cyber sabotage usually carry out their attack without operating outside their daily scope of work. Software developers have planted malicious code in their company’s products and systems using authorized access to source code. System administrators have created rogue accounts using privileged access just like when creating legitimate accounts. Technical controls alone cannot prevent these actions.
On the other hand, a socio-technical solution based on human detection of significant concerning behavior patterns can trigger an investigation of potential insider cyber sabotage before it’s too late. In most of the cases we analyzed at CERT, management contacted human resources for assistance. At Rockwell Automation we enlisted Human Resources as members of our global Insider Risk team. We trained our entire global human resources team in insider risk, and worked with our legal and IT departments to define a formal process for handling potential insider cyber sabotage cases. Employee privacy can be addressed and appropriately protected throughout the process.
Employees usually set up their attack before they leave the company, and carry it out after. If human resources is trained to recognize behavioral patterns associated with potential insider cyber sabotage, an investigation can be triggered before the employee leaves the company. Malicious activity can be discovered and mitigated before sabotage is carried out.
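As an added illustration of the "technical controls to support investigations" idea (example code, not tooling from this article, Rockwell Automation or CERT), the script below takes a constructed audit log and, once HR has triggered an investigation, lists the privileged accounts and scheduled jobs the subject created in a look-back window, flagging any that have no change ticket. The log schema, user names, ticket IDs and dates are all assumptions.

```python
"""List privileged artefacts a departing technical employee created before leaving.

Added example (hypothetical audit schema, not any vendor's product): rogue
accounts and time bombs are usually set up through authorised access before
the person leaves, so an HR-triggered investigation starts by pulling every
account and scheduled job the subject created recently and checking each
against the change-ticket record.
"""
from datetime import datetime, timedelta

# Constructed sample audit records: (timestamp, actor, event, target, change ticket)
AUDIT_LOG = [
    ("2017-05-02T09:14:00", "jdoe", "account.create", "svc-backup-02", "CHG-1187"),
    ("2017-05-20T23:41:00", "jdoe", "account.create", "sys-maint-x", ""),
    ("2017-05-21T00:05:00", "jdoe", "schedtask.create", "cleanup_nightly", ""),
    ("2017-05-22T10:30:00", "asmith", "account.create", "svc-report", "CHG-1201"),
    ("2017-03-01T08:00:00", "jdoe", "schedtask.create", "log_rotate", "CHG-1002"),
]

# Event types an insider-risk investigation reviews first (assumed names).
WATCHED_EVENTS = {"account.create", "schedtask.create"}


def artefacts_for_review(log, subject, triggered_at, lookback_days=60):
    """Return (target, event, timestamp, reason) for the subject's watched
    changes inside the look-back window, oldest first. Unticketed changes are
    marked 'no ticket'; ticketed ones are still listed so the ticket can be
    verified rather than trusted."""
    end = datetime.fromisoformat(triggered_at)
    start = end - timedelta(days=lookback_days)
    findings = []
    for ts, actor, event, target, ticket in log:
        when = datetime.fromisoformat(ts)
        if actor != subject or event not in WATCHED_EVENTS:
            continue
        if not (start <= when <= end):
            continue
        reason = "no ticket" if not ticket else f"verify {ticket}"
        findings.append((target, event, when, reason))
    return sorted(findings, key=lambda f: f[2])


def unticketed_targets(log, subject, triggered_at, lookback_days=60):
    """Shortlist for immediate containment review: artefacts with no ticket."""
    return [f[0] for f in artefacts_for_review(log, subject, triggered_at, lookback_days)
            if f[3] == "no ticket"]


if __name__ == "__main__":
    trigger = "2017-05-25T09:00:00"  # constructed: when HR escalated the case
    for target, event, when, reason in artefacts_for_review(AUDIT_LOG, "jdoe", trigger):
        print(f"{when:%Y-%m-%d %H:%M}  {event:17} {target:16} {reason}")
```

Unticketed findings are the containment candidates; ticketed ones still go to the investigator, since a saboteur with change-ticket access can file a cover ticket.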
Requirements for success:
• Executive sponsorship in Human Resources and global training of HR staff
• Partnership with legal to ensure privacy laws are followed
• Technical controls for prevention and to support investigations
• Investigative and forensic support capabilities
At a time when multiple nation states are actively conducting cyber sabotage attacks, it is imperative that critical infrastructure companies do not overlook this potential threat. We cannot eliminate the threat, but this article describes a strategy that can be used to mitigate the risk of insider cyber sabotage.