Back to basics
Insider threats are a broad topic; their depiction in movies and TV shows, from Jurassic Park to Designated Survivor, illustrates the many forms defectors can take. In the cyber world, however, an insider threat is an insider using their authorized access to harm the organization through cyber means – a significant threat to which nearly 100% of enterprises feel vulnerable.
It is important to note that an insider is anyone with authorized access to, or knowledge of, an organization’s resources. Hence, not all insiders are on the payroll (but we’ll get into this later).
Amateurs hack systems, professionals hack people
There are generally two umbrellas under which several types of insider threats will fall: intentional and unintentional. Starting with the latter, unintentional insider threats in the hardware domain are, typically, acts of negligence; the insider will handle hardware assets carelessly, inadvertently putting the organization at risk. According to a report by the Ponemon Institute, more than 50% of insider incidents are caused by negligent employees.
When it comes to hardware-based attacks, the perpetrator uses social engineering to provoke negligent actions, undermining whatever caution the insider would normally show towards an unfamiliar device. For example, malicious actors can exploit human greed by offering free iPhone chargers as part of a promotional deal. By positioning themselves near the target enterprise, attackers can entice employees on their way into the office, who will likely accept the familiar-looking device without second-guessing its integrity. Once plugged in, however, the device – actually an attack tool in disguise, known as the NinjaCable – will carry out a harmful cyberattack.
Continuing with the theme of chargers, airport charging kiosks offer travelers in need ease and convenience. Rather than rummaging through their bag, the traveler finds an open docking station with a charging cable a mere few steps away, more accessible than the charger buried deep in their hand luggage. Yet this is not just any charger. Once connected, it not only charges the device but also gains access to its contents – some of which are probably work-related, even if only an email account.
Other insider threats are carried out intentionally. Despite being less common – accounting for only 26% of insider attacks – these premeditated acts are usually more harmful because the attacker knows the organization and its systems: they know where the weak spots are.
Malicious insiders tend to be financially motivated and can bring a rogue device, such as a compromised USB thumb drive like the Rubber Ducky, into the organization with relative ease. Disgruntled employees, too, have the necessary physical access but are not necessarily incentivized by money; instead, these perpetrators seek vengeance against an organization that, in their eyes, has wronged them.
Intentional insiders, however, can act unwillingly. Blackmail is another social engineering technique attackers deploy to get insiders to use a manipulated device – this time, wittingly. So, while the employee intends to harm the organization, they do so under coercion. The attacker is simply using the employee as a vessel to get the device into the physically secured enterprise.
Third parties are another significant threat to enterprises. These are individuals who, despite not being directly employed by the company, still have some form of access to the organization. Hardware-based attacks involving third-party insiders, such as an evil maid attack, typically exploit outsourced cleaning personnel. These workers have access to the building yet lack loyalty to the organization and are, thus, more likely to give in to a bribe. Alternatively, the attacker can disguise themselves as a cleaner and gain access to the building; they are unlikely to raise any suspicion, especially in a large enterprise where temporary workers are commonplace. Once inside, the “cleaner” (be it an actual cleaner bribed to carry out the task or the attacker in disguise) can implant a rogue device.
Throughout this blog, I have related the various types of insider threats to hardware-based attacks. Why, you might be wondering, do bad actors opt for this attack method? Well, not only are there numerous tools on the market, with varying functionalities to carry out a range of different attacks, but rogue devices also act completely covertly and thus raise no security alarms, allowing for deep infiltration and perilous attacks. In fact, for 28% of enterprises, difficulty in detecting rogue devices is making it increasingly challenging to identify and prevent insider attacks, according to research by Cybersecurity Insiders.
Spoofed devices (such as the compromised iPhone charger or USB thumb drive mentioned earlier) have been manipulated on Layer 1 to impersonate legitimate Human Interface Devices (HIDs). Existing security solutions, such as NAC, EPS, IDS, or IoT Network Security, do not cover Layer 1 of the OSI model, so the spoofed device gets recognized as the legitimate device it is impersonating rather than as what it actually is. Network implants, for their part, also operate on Layer 1 and thus go entirely under the radar of security tools.
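As an added illustration of what a host can and cannot see of the devices described above (this is example code written for this page, not Sepio's product or code), the following Python script parses constructed Linux kernel USB enumeration log lines, in the format `dmesg` prints them, and flags two things a defender can catch from the host side: a device that registers an HID input interface but whose vendor/product ID pair is not on an approved-keyboard allowlist, and a composite device that exposes both USB mass storage and an HID input interface. The allowlist, the VID/PID values and every log line are constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical allowlist of keyboard (idVendor, idProduct) pairs approved for the
# fleet. The values are constructed for this example.
APPROVED_KEYBOARDS = {("046d", "c31c")}

# Constructed sample of Linux kernel USB enumeration lines (dmesg format).
# Port 1-1: an approved keyboard. Port 1-2: a "charging cable" that registers
# an HID input device. Port 1-3: a flash drive that also registers HID input.
SAMPLE_LOG = """\
[  100.10] usb 1-1: new full-speed USB device number 3 using xhci_hcd
[  100.11] usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 1.10
[  100.12] usb 1-1: Product: USB Keyboard
[  100.13] input: USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:046D:C31C.0001/input/input5
[  200.20] usb 1-2: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
[  200.21] usb 1-2: Product: Charging Cable
[  200.22] input: Charging Cable as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:1234:ABCD.0002/input/input6
[  300.30] usb 1-3: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  300.31] usb 1-3: Product: Flash Drive
[  300.32] usb-storage 1-3:1.0: USB Mass Storage device detected
[  300.33] input: Flash Drive as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.1/0003:0781:5583.0003/input/input7
""".splitlines()

RE_TIMESTAMP = re.compile(r"^\[\s*[\d.]+\]\s*")
RE_NEW = re.compile(r"usb (?P<port>\d+-[\d.]+): New USB device found, "
                    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
RE_PRODUCT = re.compile(r"usb (?P<port>\d+-[\d.]+): Product: (?P<name>.+)$")
# HID devices appear under the sysfs path as 0003:<VID>:<PID> (0003 = USB bus).
RE_INPUT = re.compile(r"^input: .* as /devices/.*/usb\d+/(?P<port>\d+-[\d.]+)/"
                      r"[\d.:-]+/0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.")
RE_STORAGE = re.compile(r"usb-storage (?P<port>\d+-[\d.]+):\d+\.\d+: "
                        r"USB Mass Storage device detected")


@dataclass
class UsbDevice:
    port: str
    vid: str = "?"
    pid: str = "?"
    product: str = ""
    has_hid_input: bool = False
    has_storage: bool = False


def parse_kernel_log(lines):
    """Group enumeration events by USB port and return {port: UsbDevice}."""
    devices = {}
    for raw in lines:
        line = RE_TIMESTAMP.sub("", raw.strip())
        if m := RE_NEW.search(line):
            # A fresh enumeration on a port starts a new record for it.
            devices[m["port"]] = UsbDevice(m["port"], m["vid"], m["pid"])
        elif m := RE_PRODUCT.search(line):
            devices.setdefault(m["port"], UsbDevice(m["port"])).product = m["name"]
        elif m := RE_INPUT.search(line):
            dev = devices.setdefault(
                m["port"], UsbDevice(m["port"], m["vid"].lower(), m["pid"].lower()))
            dev.has_hid_input = True
        elif m := RE_STORAGE.search(line):
            devices.setdefault(m["port"], UsbDevice(m["port"])).has_storage = True
    return devices


def find_suspicious(devices):
    """Apply the two host-side rules and return a list of alert dicts."""
    alerts = []
    for dev in devices.values():
        ident = f"{dev.vid}:{dev.pid} {dev.product!r}"
        if dev.has_hid_input and (dev.vid, dev.pid) not in APPROVED_KEYBOARDS:
            alerts.append({"port": dev.port, "device": ident,
                           "reason": "hid_input_from_unapproved_device"})
        if dev.has_hid_input and dev.has_storage:
            alerts.append({"port": dev.port, "device": ident,
                           "reason": "composite_hid_and_storage"})
    return alerts


def scan(lines):
    return find_suspicious(parse_kernel_log(lines))


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"ALERT port {alert['port']}: {alert['reason']} ({alert['device']})")
```

Run it as a script, or replace `SAMPLE_LOG` with the output of `dmesg`. The caveat is the page's own point: a device spoofed at Layer 1 can present the vendor ID, product ID and product string of an approved keyboard and pass the allowlist rule, so descriptor-based checks like this are a detection aid on the host, not a substitute for physical-layer visibility.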
On the outs
Sepio’s Hardware Access Control (HAC-1) solution closes the gap in device visibility, preventing insiders from harming the enterprise through the use of rogue devices. By going deeper than any other solution, HAC-1’s Layer 1 visibility means no device goes unmanaged: the solution identifies, detects, and handles all IT, IoT and OT device security through L1 visibility. Using this visibility to support the solution’s policy enforcement mechanism and Rogue Device Mitigation feature, HAC-1 instantly detects any unapproved or rogue hardware, blocking such devices through an automated mitigation process carried out by third-party tools. The Zero Trust Hardware Access approach offered by HAC-1 provides protection at the first line of defense and prevents the abuse of insider access privileges.
HAC-1 requires no hardware resources and does not monitor any traffic; within 24 hours, we can provide you with complete asset visibility and identify previously undetected rogue or vulnerable devices. They might be insiders, but with HAC-1, their physical access isn’t getting a rogue device much further than the door.