In July 2010, a sophisticated piece of malware attacked the SCADA systems of Iran’s nuclear reactor programme. This malware infected a Windows PC that was used to send commands to the PLCs, disrupting their operation.
However, two important points make it more than just a typical malware attack:
- The malware exploited a vulnerability in Windows shortcut (.lnk) files and could be executed without the user having to trigger it.
- The infected computer was air-gapped, i.e. there was no way to “hack” it remotely; the only way in was to physically access it and plug in an infected USB drive.
When I read about the incident I realized that this was the work of an insider threat.
What is an Insider Threat?
Insider threats are not your regular “hacker” threats. They are people within your organization who carry out activities that would damage the organization in some way.
Here is a definition from CERT:
Insider Threat – the potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.
Why insider threats are a problem
- Insider threats are real people inside your organization, so they have access to more information than an outsider.
- It is easy for the insider threat to gather intelligence about the infrastructure i.e. network architecture, surveillance systems, backup technology, etc.
- Traditional firewalls, IPS and IDS do a great job of detecting external threats, but they can’t detect insider threats.
- Employees often exchange critical information on the basis of personal trust, and an insider threat can take advantage of that.
Why do insider threats exist?
Insider threats are normal people before they turn into a threat – that is, if they haven’t joined your company with the intention of bringing it down. Only under certain circumstances might they turn into a threat. It can be greed, jealousy or anger towards an individual in the organization, or towards the organization itself, that drives the threatening behaviour.
Can insider threats be caught?
As I mentioned, insider threats are individuals with normal behaviour who turn to the dark side. However, they exhibit changes in their behaviour – technical as well as psychological. These changes can be tracked in order to identify suspicious activity and prevent the attack.
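As an added example (not from the original post), here is a small Python baseline-versus-recent comparison over constructed activity logs: it builds a per-user profile of hosts and working hours from a baseline window, then flags recent events that deviate, including the case the post describes, removable media plugged into an air-gapped engineering machine. Users, host names, event names and the air-gapped host list are all invented for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): "<ISO time> <user> <host> <event>".
BASELINE_LOG = """\
2010-06-01T09:12:00 alice eng-ws01 login
2010-06-01T14:30:00 alice fileshare file_read
2010-06-02T09:05:00 alice eng-ws01 login
2010-06-03T10:30:00 alice eng-ws01 file_read
"""
RECENT_LOG = """\
2010-06-10T09:10:00 alice eng-ws01 login
2010-06-10T23:40:00 alice plc-eng-pc login
2010-06-10T23:42:00 alice plc-eng-pc usb_insert
"""
# Hypothetical air-gapped hosts: any removable-media event there is a finding on its own.
AIR_GAPPED_HOSTS = {"plc-eng-pc"}

def parse(log):
    # Turn each log line into (datetime, user, host, event).
    events = []
    for line in log.splitlines():
        ts, user, host, event = line.split()
        events.append((datetime.fromisoformat(ts), user, host, event))
    return events

def build_baseline(events):
    # Per user: the hosts used and the hours of day seen during the baseline window.
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host, _ in events:
        profile[user]["hosts"].add(host)
        profile[user]["hours"].add(ts.hour)
    return profile

def score(profile, events):
    # Return (user, reason) findings where recent activity deviates from the baseline.
    findings = []
    for ts, user, host, event in events:
        base = profile.get(user, {"hosts": set(), "hours": set()})  # unknown user: everything is new
        if host not in base["hosts"]:
            findings.append((user, f"new host {host} at {ts}"))
        if ts.hour not in base["hours"]:
            findings.append((user, f"unusual hour {ts.hour:02d}:00 on {host}"))
        if event == "usb_insert" and host in AIR_GAPPED_HOSTS:
            findings.append((user, f"removable media on air-gapped host {host}"))
    return findings

def run():
    return score(build_baseline(parse(BASELINE_LOG)), parse(RECENT_LOG))
```

The baseline-hour check is deliberately simple (exact hours seen); a production version would use a tolerance window and far more than three days of history.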
Dealing with insider threats is not a security issue, it is a defense issue. In the next article I will show you ways to detect and prevent insider threats.