When insider data breaches hit, they hit hard.
Just recently, a former senior database administrator for
GEXA Energy was sentenced to a year in prison for illegally accessing,
copying and damaging a customer database two months after he was fired.
The act cost the company $100,000 in damages and former DBA Steven
Jinwoo Kim his freedom.
“The biggest driver we've seen for malicious insiders in the past 18
months has been the economic downturn,” said Jacob West, who is
security research director at Fortify Software. “During a recession,
engineers see layoffs left and right and begin to fear for their own
job stability. This pressure can cause unethical insiders to plant
backdoors, logic bombs or other nefarious code that they believe will
allow them to steal funds, information or do other damage to the
company from the outside in the event that they are laid off.”
All this makes understanding the techniques malicious
insiders use more important, and at the upcoming DEFCON 18 conference,
West and fellow Fortify researcher Matias Madou plan to address the how
and the why behind insider threats uncovered in actual software systems.
“We studied 18 categories (of attacks) in total, ranging from
leaking sensitive information outside of the company to disrupting the
execution of the code designed to support business processes,” West
said. “In general, we found short, dense code fragments that could be
written in a couple of hours. However, our anecdotal conclusion is that
many of these attacks took months of planning the strategy implemented
by these relatively compact segments of code.”
Most development organizations today make no effort to identify explicitly malicious code written by insiders, Madou added.
“If the attack is not so obviously destructive that it is identified
through typical quality and security assurance practices, then insiders
may plant attacks that lie dormant in a codebase for some time,” he
said. “You might find that piece of code by accident or when the
exploit is carried out, but that's a poor time to start the
investigation.”
“By intelligently abstracting malicious behavior into key
indicators, we have been able to find multiple confirmed problems in
real code bases,” West explained. “The key to an effective approach is
still a process for reviewing and safeguarding against malicious
insiders, but static analysis can and should be an integral part of
that process.”
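One way to turn such key indicators into a static-analysis check, as an added illustration that is not Fortify's tooling or the DEFCON research: a small Python AST pass that flags two of the patterns named above, a logic bomb (a clock-dependent condition guarding a destructive call) and a hard-coded credential backdoor. The sample source, the indicator names and the call-name sets are all constructed assumptions.

```python
"""Toy static-analysis pass for two malicious-insider indicators (a constructed
example, not Fortify's tooling): a logic bomb, i.e. an `if` whose test reads the
clock and whose body calls something destructive, and a hard-coded credential backdoor."""
import ast

CLOCK_CALLS = {"now", "today", "utcnow", "time"}                 # assumed indicator sets
DESTRUCTIVE = {"remove", "rmtree", "unlink", "system", "run", "execute"}

def _calls(node):
    """Yield the attribute or function name of every Call beneath node."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            f = sub.func
            yield f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")

def _is_credential_check(test):
    """True for `<name> == "literal"` where the name looks like a credential."""
    if not (isinstance(test, ast.Compare) and len(test.ops) == 1
            and isinstance(test.ops[0], ast.Eq)):
        return False
    left, right = test.left, test.comparators[0]
    return (isinstance(left, ast.Name) and isinstance(right, ast.Constant)
            and isinstance(right.value, str)
            and any(k in left.id.lower() for k in ("pass", "secret", "token")))

def find_indicators(source):
    """Return [(line, indicator)] for every flagged `if` statement in source."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.If):
            continue
        body_calls = {c for stmt in node.body for c in _calls(stmt)}
        if set(_calls(node.test)) & CLOCK_CALLS and body_calls & DESTRUCTIVE:
            hits.append((node.lineno, "logic-bomb"))
        if _is_credential_check(node.test):
            hits.append((node.lineno, "hardcoded-credential"))
    return hits

# Constructed sample under review: lines 6 and 8 of it carry the indicators.
SAMPLE = '''
import datetime, shutil
def nightly_cleanup(tmp):
    shutil.rmtree(tmp)                    # routine: not guarded by a clock test
def login(user, password):
    if password == "letmein-override":    # backdoor indicator
        return True
    if datetime.date.today() > datetime.date(2010, 9, 1):   # logic-bomb indicator
        shutil.rmtree("/var/lib/app/data")
    return check_db(user, password)
'''
```

Indicators this coarse are deliberately noisy; each hit is a lead for the review process West describes, not a verdict, and the routine `rmtree` in `nightly_cleanup` shows why the clock test is part of the pattern.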
Still, detecting insider threats through technology alone can be
problematic. Administrators, after all, can often use their access
privileges to hide their behavior. As a result, a mix of technical and
non-technical solutions is needed.
“From a technical perspective, we can deter malicious insiders by
regularly informing developers that the company is actively looking for
insider threats,” Madou said. “Non-technical prevention techniques
should be tackled by HR and management. From a detection standpoint,
the biggest advantage development organizations could give the
[vendors] is sharing anonymized examples of the malicious code they do
find so that we can continue improving detection capabilities to combat
the insider threat problem.”
DEFCON will run from July 30 to Aug. 1 in Las Vegas.