Chief information security officers, or CISOs, around the world have learned from the SolarWinds supply chain attack that insider threats are a real issue, one that must be prioritized in 2021. The breach also brings to light an underdiscussed application security challenge: developers writing malicious code that can later be exploited.
The frequency and financial impacts of insider threats have grown dramatically in the past two years. In a recent Ponemon Institute report, the overall average cost of insider threats per incident increased by 31% from $8.76 million in 2018 to $11.45 million in 2020. In addition, the number of incidents has increased by a staggering 47% in just two years, from 3,200 in 2018 to 4,716 in 2020.
Building off the lessons learned from the SolarWinds breach, here are six steps CISOs can take to prevent insider threats.
1. Change your mindset around your threat landscape
Most companies focus exclusively on external threats and view their own people as trustworthy. As a result, insider threats are often underaddressed cybersecurity threats within organizations. Now, in large part because of SolarWinds, it is apparent that organizations have to change this mindset. CISOs must take leadership roles within their companies to prevent both external and internal cybersecurity threats.
2. Employ threat modeling
Adopt threat modeling at a greater scale to determine your organization’s threat landscape. It is essential to identify who would want to attack your systems and where the assets are in order to understand the potential attack vectors and enable appropriate security controls. Threat modeling should study potential threats from both vulnerabilities and malicious code, as the harm from either could cost an organization millions. Conducting one type of threat modeling without the other can set your organization up with a false sense of security.
3. Map out potential insider threat exposure
Detecting a threat such as the SolarWinds supply chain attack is vastly different from traditional pen testing, code review or other vulnerability detection techniques. Identifying similar potential issues requires CISOs to look at software in a different way. CISOs should also conduct an analysis of their organization’s internal team and map each individual’s exposure to areas that could succumb to malicious code activity. Dealing with an identified insider threat issue is not as simple as going back to the developers and asking them for a fix, because those very employees or vendors could be the adversary.
4. Enact a proactive and ongoing insider threat detection governance program
To put in place a proactive and ongoing threat detection governance program, you’ll first have to get buy-in from your leadership team. Make sure to consistently inform executives of the scope of your malicious code review engagements. After all, malicious code review dictates that you theoretically view those within your operations — who have privileged access — as threats. While finding malicious code is difficult and the probability is small, the risk of insider threat is on the rise. In fact, Forrester Research predicted that 33% of data breaches will be caused by insider incidents in 2021.
Importantly, all malicious code review efforts should be done in secrecy and only involve small teams of people whom you trust completely. It has to be a covert operation where you don’t notify or give knowledge to stakeholders in the software supply chain. They should never be aware that you are implementing a process to look through their work with the intent to identify code that looks suspicious and possibly malicious.
5. Define risk scenarios and escalation steps
Once your malicious code review regimen is in process and suspicious activity is detected, consider the following escalation steps to mitigate risk.
Suspicious, but not malicious
If you find something that looks suspicious or malicious but that cannot be exploited — it might have even been left by mistake — you could choose to do nothing.
Circle of trust invitation
If you find something that looks suspicious but can’t get confirmation on whether it is malicious, you may need to call in reinforcements to verify or negate your suspicion. In this escalation step, the CISO would form a relationship with an internal or external developer and bring that person into the circle of trust.
Monitoring stance
Choosing a monitoring stance could be another escalation step when you find something suspicious. This stance enables additional logging in production or additional data layer protection that alerts you when someone tries to exploit a suspicious line of code.
Active suppression
The next level of escalation is when you find suspicious or malicious code and work to suppress it. During this step, you actively write a rule within your firewall. Then, you build a compensating function or do some type of dependency injection or weaving to actively stop the suspicious code from being executed.
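The monitoring stance and the suppression step above both come down to the same mechanism: a compensating control woven around the code path under review, so the review team can observe or block it without handing the fix back to the developers who wrote it. The following is an added example, not code from the article or from NetSPI. It assumes a hypothetical internal function `export_report` with a constructed suspicious branch; the trigger condition, the alert sink and the call samples are all constructed for illustration.

```python
"""Compensating control for a code path flagged by malicious code review.

Added example (not from the original article). `export_report` stands in
for a hypothetical internal function whose review turned up a hidden branch
that diverts output when a particular input shape is seen. Rather than ask
the original developers for a fix, a trusted reviewer wraps the function:
"monitor" logs every call and raises an alert on the trigger condition but
lets the call proceed; "suppress" additionally blocks the call.
"""
import functools
import logging
from typing import Any, Callable, Dict, List, Tuple

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("malicious_code_review.compensating_control")


# --- constructed stand-in for the code under review -----------------------
def export_report(customer_id: str, destination: str) -> str:
    """Simulates the reviewed function; the `dbg-` branch is the suspicious part."""
    if customer_id.startswith("dbg-"):            # hidden branch found in review
        destination = "ftp://external.example"    # constructed, not a real host
    return f"exported {customer_id} -> {destination}"


def trigger_dbg_prefix(customer_id: str, destination: str) -> bool:
    """Trigger condition the reviewer derived from the suspicious branch."""
    return customer_id.startswith("dbg-")


# --- compensating control ---------------------------------------------------
def guard_suspicious(fn: Callable[..., Any],
                     trigger: Callable[..., bool],
                     mode: str,
                     alerts: List[Dict[str, Any]]) -> Callable[..., Any]:
    """Return a wrapper around `fn` that logs, alerts and optionally blocks.

    `alerts` is the sink the wrapper appends to; in production this would be
    a SIEM or ticketing feed visible only to the review team.
    """
    if mode not in ("monitor", "suppress"):
        raise ValueError(f"unknown mode {mode!r}")

    @functools.wraps(fn)
    def wrapper(*args: Any, **kwargs: Any) -> Any:
        matched = trigger(*args, **kwargs)
        log.info("call %s args=%r matched=%s", fn.__name__, args, matched)
        if matched:
            alerts.append({"function": fn.__name__, "args": args, "mode": mode})
            if mode == "suppress":
                raise PermissionError(f"{fn.__name__}: suspicious call path blocked")
        return fn(*args, **kwargs)

    return wrapper


def run_scenario(mode: str, calls: List[Tuple[str, str]]) -> Tuple[List[str], List[Dict[str, Any]]]:
    """Weave the guard onto `export_report`, replay `calls`, return outcomes and alerts."""
    alerts: List[Dict[str, Any]] = []
    guarded = guard_suspicious(export_report, trigger_dbg_prefix, mode, alerts)
    outcomes: List[str] = []
    for customer_id, destination in calls:
        try:
            outcomes.append(guarded(customer_id, destination))
        except PermissionError as exc:
            outcomes.append(f"blocked: {exc}")
    return outcomes, alerts


if __name__ == "__main__":
    # Constructed sample traffic: one ordinary call, one hitting the trigger.
    sample_calls = [("cust-1", "s3://reports"), ("dbg-7", "s3://reports")]
    for stance in ("monitor", "suppress"):
        results, raised = run_scenario(stance, sample_calls)
        print(stance, results, f"alerts={len(raised)}")
    # In a real deployment the guarded callable replaces the original at
    # start-up, e.g. reports_module.export_report = guarded (hypothetical name).
```

The monitor stance keeps production behaviour unchanged while producing the evidence needed for the next escalation decision; flipping the mode to suppress is a one-line change that the small circle of trust can make without touching the reviewed code itself.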
Commencement of an executive event
When you find malicious code and have identified its source — whether it be a sole insider, team, department, line of business or even country — your escalation step has nothing to do with software development. Rather, it has everything to do with safeguarding your organization by involving your leadership and executing a severe executive-level event. This could include terminations of implicated employee(s) or contractors. It could even involve law enforcement.
6. Push for holistic solutions for long-term protection
The security industry does not yet have a complete solution for looking holistically at supply chain attacks. In the long term, we need to examine how to approach the evaluation and risk acceptance of third-party services. This could come in the form of changes to compliance requirements around least privilege, auditing and integrity checks. However, with the continuing rise in insider threats and the increasing toll they are taking in terms of financial and reputational loss — as well as possible safety threats to people — it’s essential for organizations to take immediate action. And it’s imperative that CISOs assume a leadership role in this battle.
About the author
Nabil Hannan is a managing director at NetSPI. He leads the company’s consulting practice, focusing on helping clients solve their cybersecurity assessment and threat and vulnerability management needs. Hannan has over 13 years of experience in cybersecurity consulting from his tenure at Cigital/Synopsys Software Integrity Group, where he built and improved effective software security projects, such as risk analysis, pen testing, secure code review and vulnerability remediation, among others.