How to Determine If You Are a Victim of an Insider Attack


Organizations can’t afford to sit blind for months after an attack has taken place—waiting for law enforcement to show up at their door to let them know their networks have been breached. Actions need to be taken sooner to find the presence of a malicious insider.

However, most organizations rely only on two types of protection that generally give them some coverage, but not complete coverage:

  1. Perimeter Security: Pretty much every organization invests in perimeter protection in the form of firewalls, intrusion protection systems, sandbox secure email gateways and others. All of these approaches work well to keep out most malicious activity, but they are not without their limitations.
  2. Endpoint Security: Other types of defenses used by most organizations are anti-virus, mobile device management or some other form of endpoint agent protection. These technologies definitely have a place in the security stack, providing prevention and detection of infections and other problems for machines in addition to protecting corporate assets and preventing data loss. But when such tools rely on signatures, they may be out-of-date, and unprotected devices may enter the network anyway if no network access control is in place.

Unfortunately, once malicious actors are either physically inside the network behind the firewall—or once they gain access from the outside to the inside of a network via a Remote Access Trojan—it can be extremely difficult to find the activity in which the malicious actors engage. In most cases, these remotely-orchestrated, now-insider attacks are successful as they target and compromise the most vulnerable devices as a means to explore the network.

Once the network reconnaissance process has started, there will be callbacks to the Command & Control server while the actors hop around the network laterally, looking for valuable data to exfiltrate. It’s hard for an inline perimeter security system to figure out this type of activity; the attack could come in through one device, and the call back could leave through another. The exfiltrating device’s network traffic could look like legitimate behavior to systems searching through piles of logs for anomalies.

Security teams thus need additional tools and data in order to identify activity inside the network that could otherwise evade perimeter protections (outside/in) and endpoint protections (through phishing-based infiltration and zero day attacks, for example).

First Understand How Attacks Work

Once attackers make their way in—such as through malware or via a spear phishing attack—communications will be established with a Command & Control (C&C) server. The C&C server will communicate with a compromised device using a remote interface to see and control the machine and its desktop, performing actions such as opening the camera, opening files and folders, and even taking screenshots.

From that point of penetration, the attacker will generate P2P traffic and call actions onto other network-connected machines, with the purpose of exploring digital assets and escalating the attack towards machines on more protected segments of the network. Exfiltration will be executed every time something is found, especially valuable data. To make it more difficult to discover the exfiltration, communications are encrypted and can’t be deeply analyzed.

Detecting the Existence of an Insider Attack

In the above descripted anatomy of an attack, there are three levels/directions of communication: in, across, and out. Each of these activities may disguise itself through the flow of standard business communications. But the whole traffic correlation as well as the protocols involved, the type of communications, and other indicators all together may reveal the whole picture.

Let’s make it clear: No human steps are effective enough to determine an insider attack from an IT team standpoint. Security needs to rely on technology, but there are areas and ways to prevent or detect such attacks that are still not given the right importance by IT security teams.

Here are some of the key steps for detecting insider attacks:

  1. The very first step is to avoid physical intrusions of unwanted machines onto the network. Visibility is the key. Unmanaged/unprotected and rogue device on the most sensitive segments of the network could be a problem. Through the standard flow of mobile and wired devices (including BYOD, guests and personal) via a network access control tool, IT has the power to monitor, spot and isolate unwanted machines.
  2. Next-gen perimeter technologies are a great first network-security barrier. They can detect most of the hazards; spot the intrusion of malware by analyzing incoming objects; filter risky applications and emails; and even capture a possible exfiltration. Today, we can’t rely 100% on this approach as the only layer of security: defense-in-depth is also needed.
  3. Internal layers of defense from inside the network are the active response that modern networks require in order to spot an attack in action—and in case the infiltration phase went undetected or one or more network connected devices were already compromised. In order to detect these types of latent activities, it is necessary to scan and track all of the internal communications: inbound + outbound + peer-to-peer. Correlation of all the dots, analysis of traffic behaviors, and the gradual association to typical characteristics of attacks are the types of automated engines that can lead to detection of an insider threat. The goal is to collect and use as much information as possible to detect the attack while not letting it go so long that it gets to be too late and everything is lost.
  4. Check the IP address of the C&C server to identify what is “controlling” this activity from the outside. Note that the C&C server will notice your investigations against it, so be careful. C&C servers are also often moving targets.
  5. Lastly, after identifying the compromised and targeted machines, go to the suspected machines to check the system logs to see what exactly happened at a specific time and day.

Prevention Is the Ultimate Goal

As I have presented in this article, organizations today require a multilayer defense approach to detect attacks against their networks and their digital assets. Network visibility is key when it comes to detection, and prevention is the ultimate goal: It’s simply not enough to reactively respond to attacks. You need to see them before successful penetration occurs.

Fortunately, there are solutions available in the market that help automate all the steps and allow you to focus on each layer of defense that you require. Try consulting with your strategic IT partner to help determine which solution is best for you. They likely already understand the nuances of your networks and what it will take to detect attacks so that you can fully protect your environment. 

Carmine Clementelli
Manager with PFU Systems, Inc. -- a Fujitsu Company

Carmine Clementelli is a security expert and Manager with PFU Systems, Inc. -- a Fujitsu Company. Clementelli and his team help integrators and enterprises in sectors such as healthcare, government, banking/finance and education to secure their networks, data and critical information assets.

More about Carmine Clementelli