22 Jun 16

Rise of Darknet Stokes Fear of The Insider

With the proliferation of shadowy black markets on the so-called “darknet” — hidden crime bazaars that can only be accessed through special software that obscures one’s true location online — it has never been easier for disgruntled employees to harm their current or former employer. At least, this is the fear driving a growing stable of companies seeking technical solutions to detect would-be insiders.

Avivah Litan, a fraud analyst with Gartner Inc., says she’s been inundated recently with calls from organizations asking what they can do to counter the following scenario: A disaffected or disgruntled employee creates a persona on a darknet market and offers to sell his company’s intellectual property or access to his employer’s network.

A darknet forum discussion generated by a claimed insider at music retailer Guitar Center.

Litan said a year ago she might have received one such inquiry a month; now Litan says she’s getting multiple calls a week, often from companies that are in a panic.

“I’m getting calls from lots of big companies, including manufacturers, banks, pharmaceutical firms and retailers,” she said. “A year ago, no one wanted to say whether they had or were seriously worried about insiders, but that’s changing.”

Insiders don’t have to be smart or sophisticated to be dangerous, as this darknet forum discussion thread illustrates.

Some companies with tremendous investments in intellectual property — particularly pharmaceutical and healthcare firms — are working with law enforcement or paying security firms to monitor and track actors on the darknet that promise access to specific data or organizations, Litan said.

“One pharma guy I talked to recently said he meets with [federal agents] once a week to see if his employees are active on the darknet,” she said. “Turns out there are a lot of disgruntled employees who want to harm their employers. Before, it wasn’t always clear how to go about doing that, but now they just need to create a free account on some darknet site.”

Statistics and figures only go so far in illustrating the size of the problem. A Sept. 2015 report from Intel found that internal actors were responsible for 43 percent of data loss — but only about half of that was intended to harm the employer.

Likewise, the 2016 Data Breach Investigation Report (DBIR), an annual survey of data breaches from Verizon Enterprise, found insiders and/or the misuse of employee privileges were present in a majority of incidents. Yet it also concluded that much of this was not malicious but instead appeared related to employees mailing sensitive information or loading it to a file-sharing service online.

Perhaps one reason insiders are so feared is that the malicious ones very often can operate for years undetected, doing major damage to employers in the process. Indeed, Verizon’s DBIR found that insider breaches usually take months or years to discover.

Noam Jolles, a senior intelligence expert at Diskin Advanced Technologies, studies darknet communities. I interviewed her last year in “Bidding for Breaches,” a story about a secretive darknet forum called Enigma where members could be hired to launch targeted phishing attacks at companies. Some Enigma members routinely solicited bids regarding names of people at targeted corporations that could serve as insiders, as well as lists of people who might be susceptible to being recruited or extorted.

Jolles said the proliferation of darkweb communities like Enigma has lowered the barriers to entry for insiders, and provided even the least sophisticated would-be insiders with ample opportunities to betray their employer’s trust.

“I’m not sure everyone is aware of how simple and practical this phenomenon looks from adversary eyes and how far it is from the notion of an insider as a sophisticated disgruntled employee,” Jolles said. “The damage from the insider is not necessarily due to his position, but rather to the sophistication of the threat actors that put their hands on him.”

Who is the typical insider? According to Verizon’s DBIR, almost one third of insiders at breaches in 2015 were found to be end users who had access to sensitive data as a requirement to do their jobs.

“Only a small percentage (14%) are in leadership roles (executive or other management), or in roles with elevated access privilege jobs such as system administrators or developers (14%),” Verizon wrote, noting that insiders were most commonly found in administrative, healthcare and public sector jobs. “The moral of this story is to worry less about job titles and more about the level of access that every Joe or Jane has (and your ability to monitor them). At the end of the day, keep up a healthy level of suspicion toward all employees.”

If tech industry analysts like Litan are getting pinged left and right about the insider threat these days, it might have something to do with how easy it is to find company proprietary information or access on offer in darknet forums — many of which allow virtually anyone to register and join.

A darknet forum discussion about possible insiders at Vodafone.

The other reason may be that there are a lot more companies looking for this information and actively notifying affected organizations. These notifications invariably become sales pitches for “dark web monitoring” or “threat intelligence services,” and a lot of companies probably aren’t sure what to make of this still-nascent industry.

How can organizations better detect insiders before the damage is done? Gartner’s Litan emphasized continuous monitoring and screening for trusted insiders with high privileges. Beyond that, Litan says there are a wide range of data-driven insider threat technology solutions. On the one end of the spectrum are companies that conduct targeted keyword searches on behalf of clients on social media networks and darknet destinations. More serious and expensive offerings apply machine learning to internal human resources (HR) records, and work to discover and infiltrate online crime rings.

What’s Verizon’s answer to the insider threat? “Love your employees, bond at the company retreat, bring in bagels on Friday, but monitor the heck out of their authorized daily activity, especially ones with access to monetizable data (financial account information, personally identifiable information (PII), payment cards, medical records).”
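As an added illustration of the "monitor the heck out of their authorized daily activity" advice above (example code written for this page, not from the article, Gartner or Verizon; the audit-log format, the record classes and the thresholds are assumptions), this Python script sums each account's daily volume of sensitive-record accesses and flags a day that departs sharply from that account's own earlier days:

```python
"""
Baseline-deviation check over constructed access-audit lines.
Added example; the log format and thresholds below are assumptions,
not anything the article or Verizon's DBIR specifies.
"""
from collections import defaultdict
from datetime import date
import statistics

# Constructed sample audit lines: ISO date, account, record class, records touched.
SAMPLE_LOG = """\
2016-06-01 jdoe PII 40
2016-06-02 jdoe PII 35
2016-06-03 jdoe PII 45
2016-06-04 jdoe PII 38
2016-06-05 jdoe PII 900
2016-06-01 asmith PII 12
2016-06-02 asmith PII 15
2016-06-03 asmith PII 11
2016-06-04 asmith PII 14
2016-06-05 asmith PII 13
2016-06-01 rlee MEDICAL 5
2016-06-02 rlee MEDICAL 6
2016-06-03 rlee MEDICAL 5
2016-06-04 rlee MEDICAL 4
2016-06-05 rlee MEDICAL 60
"""

# Record classes treated as "monetizable" for this example (assumed labels).
SENSITIVE = {"PII", "MEDICAL", "PAYMENT_CARD", "FINANCIAL"}


def parse_log(text):
    """Return {(account, day): records touched}, counting sensitive classes only."""
    totals = defaultdict(int)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        day, account, rclass, count = line.split()
        if rclass in SENSITIVE:
            totals[(account, date.fromisoformat(day))] += int(count)
    return totals


def flag_spikes(totals, min_history=3, factor=4.0):
    """
    Walk each account's days in date order and compare a day's sensitive-record
    volume with the median of that account's earlier days. A day is flagged when
    it exceeds factor * median and at least min_history prior days exist, so an
    account's first days never trip the check on their own.
    Returns a list of (account, day, observed, baseline_median).
    """
    by_account = defaultdict(list)
    for (account, day), n in sorted(totals.items(), key=lambda kv: kv[0][1]):
        by_account[account].append((day, n))

    alerts = []
    for account, series in by_account.items():
        history = []
        for day, n in series:
            if len(history) >= min_history:
                baseline = statistics.median(history)
                if n > factor * baseline:
                    alerts.append((account, day.isoformat(), n, baseline))
            history.append(n)
    return alerts


if __name__ == "__main__":
    for account, day, observed, baseline in flag_spikes(parse_log(SAMPLE_LOG)):
        print(f"{day} {account}: {observed} sensitive records "
              f"(own baseline median {baseline})")
```

The check deliberately compares each account only with itself, which is the point of the article's "worry less about job titles" advice: a clerk whose normal day is forty records stands out at nine hundred even though an administrator might touch that many routinely. A production version would add per-role baselines, feed from the actual audit source (database, EHR or DLP logs) and route alerts to a reviewer rather than print them.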

Additional reading: Insider Threats Escalate and Thrive in the Dark Web.

55 comments

  1. This is rich. Who is the typical insider? According to Verizon’s DBIR 28%. Says a lot about Verizon’s mindset & that of their insiders, not a good sign from the top on down! Gosh what a shock, malcontents & avarice everywhere?

    • There is no such thing as “a typical insider”. That’s like saying, “We sell 1 size fits all [whatever].”

      Look at the moles that have been caught in national security agencies over the years. All of them seem “pretty blah” to me, but they all had a reason or two for doing what they did.

      As Lord Croker said in the movie “The Italian Job”, “Everyone’s bent.”

    • I have a Telecommunication past and I can tell you from experience that Verizon is a miserable SOB to work for. If there ever was a company ripe for payback from their employees, Verizon is it!

  2. Great article,

    Makes me think another level of security defence is to keep your employees happy!

    • Elliot Alderson

      actually it’s not the employers responsibility to keep employees happy, it’s the employees responsibility. and mature people can do this standing on their heads. And maybe the employees should just shut up and work at what they’re paid to do, instead of being in a constant high school, that’s assuming they did graduate or acquire their GED, mindset 24×7. or they can always crawl back into their safe space in their parents basement and continue wasting their lives away on this stupid vapid social media crap playing their XBOX games.

      • This doesn’t sound very actionable.

      • HappyEmployee

        Seems like you are fortunate enough to never have been taken advantage of by your employers. Most of us work our tails off to make someone else rich while .

        I am fortunate enough to have a great employer that actually cares about my success as well as their own. I have no doubt that a great deal of employees are not so lucky. We live in a business climate where investing is valued above labor. Working people get sick of being taken advantage of, and I have to agree with UrdD. If you don’t want to have disgruntled employees harm your business, do what has worked for years, be loyal to your workers and they will be loyal to you. Paying fair wages and benefits as well as giving employees flexibility when life events happen is smart long term strategy. So many companies right now do not even care about their customers or employees beyond the profits they can make. Where I live, it is hard to get good service at a doctor’s office. You have to leave a message to become a new patient after navigating an automated phone system.

        Your statement that it is the employees responsibility to be happy is ridiculous. I agree that some people will never be happy unless you give them everything you have (and then some), but the majority of us are working too hard for too little appreciation. So Elliot, I would like to see how happy you can make yourself if all your savings was gone and you had to support a family on $12 an hour (or in CT, just try to support yourself on that). It would take over 62 hours to just pay rent for a one bedroom, and that’s if you don’t pay any taxes in CT. Then utilities, health insurance, food… good luck!

        And BTW, higher education is not always available to people that have middle class parents who can not afford to pay for (or towards) their child’s education. If your parents are broke but earn enough money to disqualify you for grants, just try to pay for college on your own. I couldn’t even pay for a community college education while I was working a full time job! I worked hard to get where I am now, and I did it without college. I am highly intelligent though, and I know that many other people do not have that advantage, but they are no less hard working that I am. They are important too!

        • Actually the guy you are talking about IS the problem. Millennials aside, it is that kind of master slave mentality of management that begets unhappy employees. A “thank you for the hard work” now and then will go a long way towards a happy employee. Companies would be way ahead weeding out the arrogant dictatorial jerk supervisors instead of bringing in bagels on Friday.

      • Any reasonable adult will tell you that a job is a two way street. Any employer who seeks to wholly divest themselves of having a stake in the general morale of their employees is asking for trouble.

      • Thoughtful. Thanks for sharing your thoughts. I somewhat agree.

  3. Since so few people actually take security all that seriously, none of this is any real big surprise to me.

    For one thing, social media is (for most companies) a complete waste of time and is unneeded. Therefore it should be filtered out from access through all machines of the network.

    Ultimately though, I agree with UrdD. The best thing to do is keep your employees happy. That really should be standard company policy anyway.

    • Unfortunately it only takes one … and there’s always someone who’s disgruntled.

      • I agree, it does only take one.

        It might be interesting to look at really. “That one” might not be mature enough to handle the job requirements. “That one” might actually have a great idea for making the process more efficient but gets blown-off by management for some reason. “That one” might just be getting frustrated by some pointless directive set in place by management. “That one” might have access rights to files on the server that they should not have with respect to their position in the office.

        With all the ‘reports’, spreadsheets, and meetings that are part of daily life……how does someone fall through the cracks when they consistently maintain low levels of quality work? Given how precise computers can be with numbers. Quite often “that one” is just simply being ignored (Office Space).

    • The Tech Bear

      To what end should employers keep employees “happy”? Ever heard the phrase you can’t please all the people all the time? There’s always someone that’s a curmudgeon at the office. You know, the one guy that’s all “Get Off My Lawn!” and such. With large companies, it’s difficult for management to engage line employees since they don’t have common experiences – most (not all) executives have no idea what their employees do or how they do it because they were hired into their position and didn’t get promoted through the ranks. Good leaders are ones that can interact with line employees and accept feedback without seeing it as a personal attack, great leaders are ones that act on that feedback and remember their names years later.

      • It is not necessary to go out of your way to purposely make people happy (within a business environment or in general). Most of the time it’s more about not creating problems and not making life harder. It’s usually more about policies, standards, practices, methods, and attitudes that make everyone jump through hoops that are irrelevant, meaningless, and are in general considered “the long way around”. You can make more people happy just by getting rid of some of the BS.

      • I think most employee dissatisfaction comes down to money. They see the C suite getting millions while the wages at the lower levels have remained stagnant for the last 40 years. Some disgruntled employees want to hurt the company but most just want money.

    • taking away access to social media is guaranteed to make a lot of employees unhappy.

      • You are there to work, and not there to waste hours on Facebook playing Farmville or Candy Crush Saga. If you go to work expecting to have unrestricted access to the internet, then maybe you are not fit enough to be a mature adult in a functioning society. Restricting access to Social Media is a security oriented approach. I would read up on malware campaigns use of Social Media to spread their malware if I were you.

        • Do you also forbid standing around the water cooler?
          People need breaks. Nowadays that may include going to social media websites. And they do it on their smartphones if you restrict access through the corporate Internet connection.
          The mindset of “let’s forbid x” is what creates disgruntled employees.

          • No one is going to deny you a drink from the water cooler. No one is going to deny you a break. No one is going to deny you access to Facebook (except maybe Facebook). I have no idea where you’re getting all that from.

            What I’m talking about is the use of company equipment for social media on company time on the company network.

            Have you been paying any attention at all?

            • First, my answer was to Dan’s post.
              Second, yes, people are going to use Facebook in a browser on their work computer, using the corporate network.
              And standing around the water cooler is also on company time, on company premises (or do you require people to clock out before they go to the water cooler?)
              Security is not about preventing access to social media sites. Such stuff only creates disgruntled employees.

              • Forgive me, I didn’t realize I am conversing with royalty here. I didn’t know you have a God given right to Facebook. I can see for myself how little the network, the servers, and other people’s things mean to some people. Not to mention other people’s data.

                Again, no one is going to stop you from getting a drink from the water cooler. It is beyond me how you’re getting that. You can have water cooler breaks. Have as much as you like. I don’t care. The water cooler is a non-issue to me. Get over it and move on.

                I’m moving on.

          • Joe,

            Then those employees should be immediately fired if they expect to have access to Facebook on company time, company provisioned devices, company networks, and what have you. They are not mature enough to be in an adult world. You obviously need a course in Computer Security 101 where they teach you the dangers of Facebook and Social Media, and the ramifications of having such accesses at work. I have been in the Professional IT Field since 2000, and was fired from one job for using Yahoo Instant Messenger to talk to my girlfriend during work hours. Waste of Company time and Abuse of Computer Policy. Since then I haven’t cared much for using social media at work. If I want to use Facebook or other social media sites, I then do so on my bathroom breaks or when I need to walk around the building to keep blood flowing. I do not feel entitled like you do to have access to my Facebook at my desk.

            One such use of social media to spread information stealing malware was by the Russian Business Network using stolen Facebook Credentials to further propagate fake news sites and click bait.

  4. I see these darknet forums pop up all the time. All the listings seem fake or are part of some intelligence gathering by operation by some paranoid company.

    • I agree, one of darknet’s principles is anonymity (at least to a certain degree, if you follow the topic more closely).

      So once you post on an onion forum, you never know who is at the other end, a fraudster, an intelligence agency, a clown, the company’s security intelligence team (yes, big companies have that) or an actual employee (disgruntled, greedy, stupid or all of the above)

  5. good security ideas

  6. It’s nice to have the big ones tremble for a change…

  7. “What’s Verizon’s answer to the insider threat? “Love your employees” what? Most Verizon employees are disgruntled and many were on strike for employee abuse for nearly 2 months. It just ended. By love maybe they mean f…

    • That’s not at all what the article said:

      “Love your employees, … , but monitor the heck out of their authorized daily activity”

      It says to keep an eye on them.

      My previous employer, a large (ok, huge) pharmacy benefits manager, prevented us from mailing excel files (or any kind of documents) with anything remotely resembling financial or health data. (They didn’t love us either, but that’s a different story).

  8. Embezzlement as a service? Does he really think he will avoid undercover FBI, or even worse just truly bad people who will take advantage of him and then just kill him when they are done? Its hilarious that the guy can’t just do it the old fashioned way, with some cronies, but he will learn his lesson.

  9. Sorry, folks, you also have the wrong ones on your target list. What level of the company is supposed to have access to your sales data? The secretary? The IT worker? The lead salesman? Or the janitor? And how much are they supposed to know about your company’s processes? So how come the janitor has access to the company’s secrets? So? Blacklist all dark web? But, the so of the broom pushers needs access to MetLife’s website to process a claim, only done thru email, and secure link. Darkweb. Check with your security, dark web, and reported to the government.

  10. As all the “lucrative” ways are disappearing, especially the tax fraud and tightening down of credit card fraud ( though that’s a slow and tedious process) several may revert to simply becoming an insider. Lets not get into the specifics but I believe its a lot more dangerous. It may or may not be harder to detect these individuals and prosecute them for the actions they assisted in or did entirely on their own.

    People scream bloody murder about the profiling of people on social media networks, but that gives the law enforcement agencies the ability to discern whether an individual has changed in some way to go down the evil road to hell.

  11. To me this boils down to fraud and the hard thing is that anyone is susceptible to performing fraud. I’ll reference the trusty Fraud Triangle – all someone needs is Opportunity, Pressure, and Rationalization. The employee doesn’t have to be disgruntled, their poor company could just be collateral damage in an otherwise unrelated situation. That being said, it is an interesting problem, I’m looking forward to what comes out of the woodwork as a solution. Monitoring your employees is important but hopefully most would have the sense to do these deeds on non-company infrastructure. I wonder if we’ll eventually see job postings for darknet experts.

    • You can’t steal sensitive company information from non-company infrastructure.

      The monitoring is for employee access to company sensitive data, not trying to track websites they visit when not at work.

      • You don’t say…

      • And, should those websites be related to the potential demise of your network? If they know no one is watching them surf, all bets are off that they are going to act as good folk, and stay within the boundaries. Give them a long leash and they will push it to the limit. If you’re not occasionally watching what they are doing, you as a security professional have failed.

  12. Dennis Kavanaugh

    That last paragraph is a bit too soupy for me. It has been some time since a company valued its employees for anything more than what they can extract from them over a relatively short period of time. All of the ‘we love you’ stuff, along with unlimited vacation, pre-IPO stock, bagels and snacks 24×7 is all intended to enable the companies to suck more out of the employee while not really caring about their well being at all. At the end of the day it is the rare company that realizes that a two-way relationship creates loyalty and commitment that can’t be bought. Trade a few of those MBA bean counters for someone with a heart, then treat security like the risk management strategy it is supposed to be, and the problem will mostly disappear or become manageable.

  13. Townsend Harris

    I consult for three large US hospital conglomerates, and have remote VPN access to parts of their networks. But not HIPAA-protected healthcare information.
    One hospital suffered a ransomware attack but was able to recover nicely without paying.
    The hospitals employ thousands of people, with quite a few firings since I began consulting in 1992: will any of the ex-employees leak access to their patients’ records? That data might be worth a small fortune in the criminal underground.

  14. My fraud training back in the day we used the 20-60-20 logic. 20% of your employees will never steal even if they know they would not get caught. 60% of your employees would steal but only if they are completely convinced they will not get caught. The last 20% is actively searching to rip you off right now.
    I guess with electronic data, cell phones with cameras, and people who work from the numbers have changed.

  15. Companies need to implement data masking.

  16. “Only a small percentage (14%) are in leadership roles (executive or other management), or in roles with elevated access privilege jobs such as system administrators or developers (14%),” Verizon wrote, noting that insiders were most commonly found in administrative, healthcare and public sector jobs. “The moral of this story is to worry less about job titles and more about the level of access that every Joe or Jane has (and your ability to monitor them). At the end of the day, keep up a healthy level of suspicion toward all employees.”

    sorry, but citation above is IMHO misleading: as a statistician, what is distribution of employees within company?? I would say there’s less than 14% in leadership roles (and guess also less than 14% with elevated access privilege jobs), so I would not believe the conclusion…

  17. I agree, it does only take one.

  18. Having had to monitor employee Internet traffic since the 90’s I can only say that the higher up the person is in the food chain the more abuse of company resources there are. Having worked a few “lost information” cases I can say that the majority of them were people who really hated the company and wanted to cause as much trouble as possible because they felt cheated or slighted by a Manager Officer, or especially an HR professional. Once they think HR is out for them all bets are off. They have already quit working and just show up to cause ruin for everyone who stills works. If you have elevated rights you should expect that someone will be watching everything you do. If you are the person who watches the people with elevated rights you should expect to be audited and watched all the time. What a world we live in!

  19. Has anyone seen any fraud or a possible data breach after an individual used their card at a Mandee’s store.

  20. I am stunned by the number of commenters to this article who act as if the concept of company concern for employee happiness is the most idiotic thing ever suggested. There are massive ongoing Workplace Happiness studies (Gallup, Harvard Business School, UC Riverside) that all conclude the same thing — employee happiness has direct and enormous effects on the bottom line. Gallup’s latest State of the American Workforce report puts the costs of unhappy employees at $450 Billion per year, in America alone (yes, billion, and isolating for all other factors).

    Unhappy employees call in sick more, quit without notice (the average cost to replace a skilled/trained worker is 40% of their salary), have higher workers comp claims, give bad service, engage in workplace bullying and violence, subject companies to liability, and that’s on top of the fact that they clearly aren’t giving their full attention or effort to their jobs.

    It SO EASY for most companies to fix this:
    1. Stop promoting people into management roles without giving them any training in how to effectively manage other human beings. A management role is any job that requires someone else to report to you. I work with law firms all the time and ask, “how many managers do you have?” and they’ll give a number around 15 or 20, but they have 300 attorneys — all of whom have teams of assistants and paralegals and junior associates who answer to them and these lawyers have NO CLUE how to motivate and engage workers. In fact, many of them are just straight-up monsters (with a big book of business) and the firms refuse to see how much that’s costing them in turnover and other expenses. This is equally bad in the sciences, medicine, tech — anywhere that people are put in charge of others by virtue of their education or job title. Seriously — a one hour session with HR just training salaried workers how not to talk to their assistants can save hundreds of thousands of dollars.

    2. Fire all of the toxic people. You know who they are. You can’t fix toxic. You think you need them, but if they got hit by a bus tomorrow, your company would survive and they are costing far more than you’re willing to admit. Look at the absenteeism and turnover in every department and if one is a standard deviation above the rest, go find out who there is toxic and show them the door.

    3. Give employees clear directions, then get out of their way. The #1 factor in workplace happiness is a person’s sense of accomplishment. That’s all any of us wants from a job — the feeling that we can do it and do it well. The #2 factor is autonomy — being able to do our jobs without interference. If you give people that, it’s worth more than all the bagels and foosball tables in the world.

    These changes cost virtually nothing.
    They save millions.
    Leaders who blow this off are idiots who deserve to lose all the money they’re losing.
    But go ahead and pay ten times what implementing the above would cost on data monitoring and security consultants so that no one will make fun of you for caring about your workers’ happiness.

    • @Valerie Alexander, your contribution is the most sensible and pertinent one I have read so far.

      • Thanks, Hayton! This is what I do for a living. I go into companies and show them how to lower costs, increase productivity and maximize profits by making happiness a priority in the workplace. It saves the companies I work with hundreds of thousands of dollars, and yet, it’s still an almost impossible sell to the Board, the C-suites and — oddly enough — HR. They all think there are better things to spend money on. There aren’t. If employers had to include the cost of unhappiness among their workforce in the P&L statement, they’d pay a lot more attention to it.

  21. Too few Companies understand that, an Employee is not only paid for the physical work they do. Employees are also paid for the Honesty, Integrity and Knowledge they have.

    Employees also need to understand….that CEO making 7 figures a year……..more than likely……worked his/her way to the top. This includes countless hours worked, time away from family and unbelievable amounts of stress, worry and anxiety. He/She has walked in the Employee’s shoes. Been there, done that and got the T-Shirt.

    If both sides could understand this….it would make for a happier workplace.

    • I’m not sure which company you worked for, but in the Fortune 100s that is almost a pipe dream. Most are business majors that back stabbed their way to the top and put in 60 hours a week. They all attended the social events and golf with everyone above them till they make it to the top. Many are secretly married to the daughter of another Corp and the parents traded kids to promote them up to VP. A lot of back scratching/nepotism going on.

      My brother in-law puts in 60 hours a week driving dump trucks. But I’m not seeing him make 5000x his average employees wage.

      My previous company the CEO made more in a day than I made in a year, 30mil+ a year after options.

      If you treat your folks like they are just replaceable parts and show 0 loyalty to them, you get what you created. Not everyone has a career or pride enough to keep them from doing this stuff in the article. Last place I worked had 4,000 Indian IT in house in America. Yea that was a show, the bathrooms were awful. How would that affect you working there?

      The other part is: many IT folks are trapped, they can’t leave because they didn’t keep refreshing to newer skills once they got a job. 10 years doing one thing over and over is not 10 years of experience, that is 1 year over and over, and it’s 9 years old. I’ve seen this type of behavior, it’s not hard to understand how they got there.

      Proper management training from the top down and an honesty policy starting at the top helps quite a bit. But when did you see an honesty policy get enforced above lower management? People are not stupid, some might take a while to get to the conclusion, but they will get there.

  23. A link to the recorded session that Avivah Litan presented at the Gartner Risk and Security event can be found here:
    https://www.linkedin.com/pulse/insider-threat-2016-gartner-security-risk-management-friedlander

  24. I just got hit with a bunch of fraudulent charges at Guitar Center, remembered seeing the screenshot at the beginning of this story. I guess that person found an interested buyer after all.