
Insider threats escalate and thrive in the Dark Web

22 Jun 16

Article by Avivah Litan, Gartner research analyst

Insiders are being actively recruited by criminals operating on the Dark Web, according to Gartner clients. Disgruntled employees working at companies across many sectors, such as financial services, pharma, retail, tech, and government, are gladly selling their services to the bad guys in order to inflict harm on their employers. According to our clients, seeking harm and revenge on employers is a bigger incentive for insider threats than stealing money from them.

Gartner clients are increasingly inquiring about how to address and mitigate insider threats, which is a stark contrast to just two years ago, when private sector clients would barely utter the words ‘insider threat’. (Of course, combating insider threats became a passion and a mandate in the federal government following the Snowden leaks.)

Gartner clients tell us that the reason for the increase in insider threats is in fact the ease with which disgruntled employees can ‘get back’ at and harm their employers by selling their insider knowledge and services to bad guys on the dark web. All they have to do is log onto TOR and make their available services known, and the criminals happily pounce on their offers. The criminals even bicker amongst themselves for control and ownership of a trusted insider. See graphic below for a screenshot of this activity from a relatively new threat intelligence firm, Diskin Advanced Technologies.

On the technology front, enterprises should:

1. Consider using ‘insider intelligence’ along with employee activity analytics and monitoring. Insider intelligence combines both internal and external information to create a ‘dossier’ on each employee, highlighting those that present the most risk to the organization. Creepy I know, but necessary in high risk situations.

2. Decide if they want to take a ‘light’, ‘medium’ or ‘serious’ data and information approach, which differs based on the type of data and information fed into the insider threat analytics system. The analytics will only be as good as the data they have to work with.

3. Determine which type of analytics they want to use. Most will want to start by discovering and highlighting ‘known’ bad activities. Gartner clients tell us that about 80% of insider threat techniques are ‘known’.  Once comfortable with that type of detection, enterprises can move on to detecting ‘unknown unknowns’ using anomaly detection or unsupervised machine learning. 

Conclusion

Combating insider threats is a sensitive and potentially creepy undertaking. No one wants to impinge on employee privacy, but at the same time, no one wants to watch years of expensive R&D or other undertakings go down the tube either. Organizations will have to be the judge of how high their risks are and how far they need to go in fighting them.

Organizations also can’t count on technology solutions to solve all their insider threat problems. Technology solutions will NEVER catch trusted insiders doing normal things. For that, we still need good old-fashioned workforce management, perhaps supplemented by new, evolving ‘insider intelligence’ solutions.

One thing is for certain – insiders are very much in demand in the Dark Web.

