The fashion of cybercriminals: bribery and extortion

Attacks on company information systems have evolved to become extremely sophisticated. Cybercriminals currently exploit vulnerabilities in applications, equipment configurations or communication network protocols to seize the data or systems of any organization.

In this context, we often read news about the complex mechanisms they use to subvert the behavior of teams and gain control of them. When that happens, we are sure that many people will think about the deep knowledge that these cybercriminals must have, capable of analyzing systems, evaluating their vulnerable points and developing programs and attack models that require sophisticated computer tools.

For this reason, when we discover that bribery or extortion are a common part of the mechanisms used to access the accounts of privileged users and with them the protected data of an organization, that fascination collapses. And it is that social engineering techniques are probably the best tool to violate the security of a company.

cybercriminals, emblematic cases

Those known as internal attacks are probably the most serious threat that is presented in today’s organizations. Through inadvertent errors or intentional actions, a company’s employees represent the access point that can put the entire security of a company at risk.

Techniques such as phishing, vishing or smshing are currently complemented by actions focused on recruiting employees to help infiltrate corporate networks. Some cybercrime groups even offer exorbitant amounts to those employees who are willing to betray their companies.

The examples have been, and are, historically very representative. Just a few years ago, it was discovered that a Tesla employee had been lured into exfiltrating secret company information with the promise of $1 million.

Ultimately, the bribe was unsuccessful because the employee himself reported it, and the offender, a friend and former colleague, was arrested. Similarly, last year, a Ubiquiti employee was accused of extorting the company from him with information he had stolen months earlier. Interestingly, before that, the employee himself had been part of the internal team that investigated the aforementioned incident.

In 2019, LockBit, one of the most active ransomware on the DarkWeb market, offered “business relationships” to employees of various companies to share “profits” if they installed their malware within their organizations.

More recently, the LAPSUS$ cybercrime group disclosed, through its social network accounts, economic offers to employees and former employees of some companies to provide them with access credentials to privileged accounts. In fact, it is believed that many of the “successes” of this group lies precisely in the collaboration of internal employees with their victims.

The “new” trend of cybercriminals: bribery and extortion of employees

the internal threat

It is very likely that companies have focused their attention on the risks that come from the outside, tiptoeing past those threats that arise within the same organization.

Currently, almost half of the cybersecurity incidents that occur in a company involve an internal actor. According to analysis provided by Forrester, the number of cyberattacks through internal actors has grown by more than 8% in 2021. In fact, it is known that large corporations often feel threatened, for example by disgruntled employees. who create false identities on the DarkWeb to offer their services to the highest bidder.

Insider threats are a serious problem for any organization: they are difficult to detect, employees are increasingly technologically savvy to act undetected, they have legitimate access to systems and data, they use remote working tools and, above all, they base much of their security on the assumption of regulatory compliance dictated by the company.

For example, according to a study carried out by MITER and the company DTEX, 56% of data theft arises from employees who leave the company to join the competition; each year the number of incidents related to the leakage of confidential data through screenshots of information shared in videoconferencing systems during teleworking triples; and the number of employees who use corporate computers, with confidential data, for personal matters have multiplied by four.

mitigation plan

Combating this type of threat must therefore become a priority for companies. An effective insider threat mitigation program will be critical to protecting your critical assets and services.

Monitor the behavior of employees to detect those who make illegal use of the resources available to them, assess the level of risk that each employee represents for the company, implement strategies focused on reinforcing the safety of possible victims according to their possible vulnerabilities or involving the employees themselves in the process of detecting, communicating, stopping or mitigating the inappropriate behavior of another employee, are some of the aspects that an Internal Threat Mitigation Plan must cover.

The truth is that there are numerous factors that influence the materialization of an internal threat, including the personal predisposition of the employee, the pressures to which he is subjected (professional, financial, social…), his habitual behavior inside and outside the company or the guidelines for action in the professional tasks entrusted to him. The concept of “burnout” or employee “burned” is a good example of a situation conducive to the successful completion of any of these risks. There is no cybersecurity budget to protect against its possible consequences.

recommendations

The development of a Mitigation Plan for internal threats is a complex task in time and form. Even so, we do not want to miss a set of basic recommendations that can serve as a reference when considering the first steps in the right direction:

• Principle of the least possible privilege. This is a very simple, yet important step that a company can take to protect itself from these threats: implement an access management model that only assigns privileges to employees for those services and information that are necessary for their assigned function.
• Monitoring and detection of internal anomalies. Companies often tend to protect their infrastructures with firewall systems, workstation antivirus, operating system version updates, etc. However, they often forget to monitor the traffic within the network. Anomalous behavior on the network is, on many occasions, evidence that shows that something unusual is happening and requires special attention. Sometimes, they are simple accesses to unusual resources, execution of processes after hours, connections of external devices, sending emails to unknown addresses, etc. Any event that breaks with the usual routine of an employee can be analyzed.
• Network segmentation. Ransomware attacks, for example, tend to spread across the network through lateral movements, so segmenting network access will reduce the risk of spread to other environments within the company’s infrastructure. Well, the same thing happens with employee access: the possibility of accessing departmental subnets by employees who are not related to them can pose a high risk for any company; hence, establishing duly protected segmentations can be a fundamental element to reduce risks.
• Traceability of actions. The correct identification of users, as well as the recording of their activities, can ultimately allow the origin of a security incident to be identified. The data collected can be analyzed both in real time and for future forensic analysis to determine the possible involvement of an employee in an insider attack.
• Code of conduct. Every company must define a code of conduct for all employees in the performance of their duties. Establishing protocols for the use of the resources available to employees can mean the difference when it comes to being able to resort, or not, to data collected to be presented in administrative or criminal complaints. The internal communication processes themselves must be confidential and strict disciplinary rules must be defined against those who violate the code of conduct.

Finally, there is a last recommendation that is not always included in a document but that is perhaps more essential and critical: promote an honest and transparent company culture; Get to know your employees and make them aware of their importance for the future of the company. Perhaps this way you will end up knowing your likes and dislikes a little more, and perhaps this way you can help prevent a malicious third party from taking advantage of them.

Author: Juanjo Galán, Business Strategy at All4Sec