They’re Calling from Inside the House: Surviving Insider Threats
In the spirit of Halloween, this blog series examines CSO survival techniques and relates them to horror movies. Why? Because if cyber security isn't done correctly, it can be quite scary.
One of my favorite opening scenes to a horror movie is from the 1996 smash Scream.
Since Scream came out 20 years ago, here’s a refresher: the beautiful Casey (portrayed perfectly by Drew Barrymore) is home alone and making popcorn on the stove, prepping to watch a scary movie. The phone rings. The innocent Casey has a playful back and forth with a raspy-voiced caller who asks her a stream of seemingly normal questions.
At first, she thinks it’s a prank. But the tone of the conversation shifts and things quickly turn bad. It becomes threatening. Terrifying. Casey breaks down. And less than 90 seconds later we see Casey dead on the front lawn, as her potential saviors, in this case her parents, literally walk right by -- she was mere seconds from safety from the masked killer. And the popcorn continues to pop atop the stove.
I’ve left out a few gory details for the sake of brevity, but that’s the main gist. It’s disturbing, even for a slasher flick fan like me.
The 13-minute scene is heralded as one of the best openers in horror history. And for good reason. It’s chilling and unexpected. It was a bold move to kill off the film’s biggest star before the opening credits roll. What’s even more frightening is the revelation that the murderer was calling from inside the house (in an excellent homage to When a Stranger Calls). He had gained access, and young Casey was powerless. The killer had already breached the walls.
It’s a gory scene that makes me think of cyber security stuff. (Yes, I am that type of geek.)
Consider how a malicious insider scenario plays out for a CISO or CSO.
There are often signs that something has been amiss for months, if not years (see the most recent government contractor insider threat case). More often than not, when the bad guy -- in this case an insider, not a homicidal dude in a $10 cloak and mask like in Scream -- reaches the “breaking point” in their employment, there are clear indicators that things are going to go bad fast. It’s kind of like the breaking point where the ghost-faced killer goes from funny to threatening in the movie. A bad performance review, access to information that suddenly appears or is suddenly requested, data being stored on USBs or cloud resources outside of the company’s network perimeter, or even the bad guy Googling things like “malware” or “RAT” could all be indicators that something nefarious is afoot.
Then the attack reaches the violent part. In this scenario that’s where the bad guy steals everything that they can, basically bashing through the glass to get what they want and running away into the night (in reality they are usually buying a plane ticket to a non-extradition country as they pack their bags with little more than cheap clothes and stacks of hundreds).
And finally, just like in the movie, the “good guy,” or in this case the CISO/CIO, is left dead, but instead of a knife the murder weapon is the data that shines a light on how these events transpired. Each log entry and data analytic is just another deathblow from the bad guys into the perceived effectiveness of the good guys. The good guy, our CISO/CIO, is defenseless thanks to the oversights, and only now realizes how the technical confusion aided the bad guy. The last thing our good guy sees is his replacement coming in the front door.
Plan for Survival
The sad truth is that if the good guys had a real plan, and carefully thought about integration, correlation, optimization and telemetry across their environment, they probably would have had a good chance of not ending up gutted.
Something as simple as inspecting all, and I mean ALL, traffic in the network for indications of anomalous behavior can be the difference between survival and death. Two-factor authentication and the use of biometrics, as well as privileged access management, can shrink the threat space dramatically. Lastly, enforcing security policies that are visible to all employees can help avoid catastrophe. For example, posting a policy on all assets that says the company can inspect and review anyone’s traffic as needed could have helped reveal that the ghost-faced killer was already inside the house and was calling from upstairs.
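The indicators listed above (a bad review, new access appearing or being requested, data landing on USB or outside-the-perimeter cloud storage, searches for tooling) only become useful when they are correlated per person over a window of time, which is what the "integration and correlation" the post calls for amounts to in practice. The following is an added illustration, not code from the original post or from any product: a small scoring rule that walks a constructed set of audit events, assigns weight to each indicator and flags users whose recent score crosses a threshold. Event names, field names, the off-hours definition, the weights and the corporate-host allow-list are all assumptions chosen for the example; a real deployment would tune them against its own log sources and baselines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not real data). Each record is
# (ISO timestamp, user, event type, "key=value" details).
SAMPLE_EVENTS = [
    ("2016-06-15T10:00:00", "casey", "usb_write", "bytes=3000000000"),   # old, outside window
    ("2016-10-01T09:00:00", "casey", "hr_review", "rating=below_expectations"),
    ("2016-10-03T14:12:00", "casey", "access_granted", "share=\\\\fs01\\finance"),
    ("2016-10-03T14:40:00", "casey", "access_request", "share=\\\\fs01\\legal"),
    ("2016-10-04T22:05:00", "casey", "usb_write", "bytes=2400000000"),
    ("2016-10-05T23:30:00", "casey", "web_upload", "host=drop.example.net bytes=1200000000"),
    ("2016-10-05T23:35:00", "casey", "web_search", "q=remote access trojan"),
    ("2016-10-02T10:00:00", "sidney", "access_granted", "share=\\\\fs01\\marketing"),
    ("2016-10-06T11:00:00", "sidney", "web_search", "q=quarterly report template"),
    ("2016-10-06T12:00:00", "sidney", "usb_write", "bytes=5000000"),
]

# Assumed tuning values for the example.
SUSPECT_WORDS = {"malware", "rat", "keylogger", "exfiltrate", "exfiltration"}
SUSPECT_PHRASES = ("remote access trojan",)
CORPORATE_HOSTS = {"files.corp.example", "mail.corp.example"}  # uploads here are expected
LARGE_USB = 1_000_000_000        # 1 GB written to removable media
LARGE_UPLOAD = 100_000_000       # 100 MB sent to a non-corporate host


def parse_details(detail):
    """Parse 'k=v k2=v2' into a dict; values may contain spaces (search queries)."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", detail))


def is_off_hours(ts):
    """Assumed business hours are 07:00-19:00 local time."""
    return ts.hour < 7 or ts.hour >= 19


def score_event(ts, etype, fields):
    """Weight one indicator. Returns (points, human-readable reason)."""
    if etype == "hr_review" and fields.get("rating") == "below_expectations":
        return 2, "negative performance review"
    if etype in ("access_request", "access_granted"):
        return 1, f"{etype} for {fields.get('share')}"
    if etype == "usb_write":
        pts = 3 if int(fields.get("bytes", 0)) >= LARGE_USB else 1
        pts += 1 if is_off_hours(ts) else 0
        return pts, f"removable media write of {fields.get('bytes')} bytes"
    if etype == "web_upload":
        host = fields.get("host", "")
        if host in CORPORATE_HOSTS:
            return 0, None
        pts = 3 if int(fields.get("bytes", 0)) >= LARGE_UPLOAD else 1
        pts += 1 if is_off_hours(ts) else 0
        return pts, f"upload of {fields.get('bytes')} bytes to external host {host}"
    if etype == "web_search":
        q = fields.get("q", "").lower()
        words = set(re.findall(r"[a-z]+", q))
        if words & SUSPECT_WORDS or any(p in q for p in SUSPECT_PHRASES):
            return 2, f"search for tooling: {q!r}"
    return 0, None


def score_users(events, window_days=14):
    """Sum indicator weights per user over the window ending at that user's latest event."""
    by_user = defaultdict(list)
    for ts, user, etype, detail in events:
        by_user[user].append((datetime.fromisoformat(ts), etype, parse_details(detail)))

    result = {}
    for user, recs in by_user.items():
        latest = max(ts for ts, _, _ in recs)
        start = latest - timedelta(days=window_days)
        total, reasons = 0, []
        for ts, etype, fields in sorted(recs):
            if ts < start:
                continue  # stale indicator; correlation is about clustering in time
            pts, why = score_event(ts, etype, fields)
            if pts:
                total += pts
                reasons.append(f"{ts.isoformat()} +{pts} {why}")
        result[user] = {"score": total, "reasons": reasons}
    return result


def flag_users(events, threshold=6, window_days=14):
    """Users whose windowed score meets the threshold, highest first."""
    scored = score_users(events, window_days)
    hits = [(u, r["score"]) for u, r in scored.items() if r["score"] >= threshold]
    return sorted(hits, key=lambda x: -x[1])


if __name__ == "__main__":
    for user, score in flag_users(SAMPLE_EVENTS):
        print(f"{user}: score {score}")
        for line in score_users(SAMPLE_EVENTS)[user]["reasons"]:
            print("   ", line)
```

The window matters as much as the weights: the June USB write on its own is just a large copy, but the same behaviour clustered with a bad review, new share access and after-hours uploads in the same two weeks is the "breaking point" pattern the post describes. Each flagged user carries the list of reasons, so an analyst can see which log sources contributed rather than just a number.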
Doing cyber security and operational security is often more common sense than rocket science. It’s all about making your company or organization a harder target. Most simply put: don’t make it easy to get ripped off, and you’re less likely to get ripped off. Use what you have, but use it wisely and make EVERYTHING work together as it should. Being safe from a malicious insider is a bit tricky, but it’s certainly doable with the right planning.
Poor Casey never stood a chance. She sealed her fate once she answered the phone. There is no such inevitability with cyber threats. We control our fate. And we can change our fate if we act and move on the data and indicators we have available to us. But we have to actually do it. Failure to act is about the surest way to wind up on the front lawn, a victim of the threat that originated from inside the house.