Why device identity is the overlooked insider threat
- 08 October, 2021 08:30
There has been no shortage of thoughts and ideas proffered on how to manage and mitigate insider risk that comes with having humans as part of the ecosystem.
It’s true: the human is both the strength and the weakness. People are called upon to mitigate the risk and to remedy the actions of the malevolent or careless employee. Where discussion has been sparse is how machine and device identity plays a part in insider risk management.
“There needs to be more application of the insider threat framework toward devices at the same level as we do with humans,” says Rajan Koo, chief customer officer, DTEX Systems.
Yash Prakash, chief strategy officer at Saviynt, observes, “Insider threats are increasingly introducing risk to organisations, primarily as insider identities have grown over recent years to include human identities and machine identities (i.e., APIs, bots, vendor accounts, etc.).
“By strengthening an organisation’s identity program, companies can more effectively mitigate this risk and reduce the impact of malicious insiders by spotting fraud early on and preventing the exfiltration of critical data.”
Bot as privileged user
In further fleshing out how the human-machine engagement may be leveraged in a deleterious manner, Prakash provides the example of the finance department, responsible for approval and payment on vouchers.
The manager has a script in place that automates the approval process for the more routine vouchers, freeing up time for the manager to focus on the more complex ones. From an efficiency perspective it’s a multi-level win. From a cyber risk perspective, the software bot -- robotic process automation (RPA) -- is now a privileged user within the finance process and presents new risks.
The introduction of RPA, with privileged access, within the workflow carries risk. The bot needs to be credentialed to perform the business process required -- access the system, scan, analyse, and process. Those credentials are hard-coded into the process and rarely, if ever, updated.
Then we have employees who create their own bots outside the CISO’s processes, much as employees evolve their shadow IT. They are simply trying to get their job done for their vice president or, in the example Koo provides below, trying to hoodwink the enterprise as to their dedication to the job.
Koo relates how, in one of their investigations, they came across an employee whose network activity resembled a sine wave -- login at 0700, apps accessed, opened and closed, app access refreshed around lunchtime, then apps closed and logoff at 1800. Eleven-hour days, all controlled by a script the employee had written to give the appearance of working on those days when the employee wished to play hooky.
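The pattern Koo describes is detectable precisely because it is too regular: a person's login and logoff times drift by minutes from day to day, a script's do not. The following is an added illustration, not DTEX's tooling or code from the article. It parses a small set of constructed login/logoff records (the user names, timestamps and log format are made up for this example; a real source would be IdP, VPN or endpoint logs), measures the day-to-day jitter of each user's login and logoff times, and flags accounts whose jitter stays under a threshold across a full working week.

```python
"""Flag accounts whose daily login/logoff timing is too regular to be human.

Added example, not code from DTEX or the article. SAMPLE_LOG is constructed:
one scripted-looking account (alice) and one ordinary one (bob) over five days.
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed records in the form "<ISO timestamp> <user> <login|logoff>".
SAMPLE_LOG = """\
2021-10-04T07:00:02 alice login
2021-10-04T18:00:01 alice logoff
2021-10-04T08:12:40 bob login
2021-10-04T17:21:09 bob logoff
2021-10-05T07:00:01 alice login
2021-10-05T18:00:02 alice logoff
2021-10-05T07:55:03 bob login
2021-10-05T18:04:30 bob logoff
2021-10-06T07:00:03 alice login
2021-10-06T18:00:00 alice logoff
2021-10-06T08:31:17 bob login
2021-10-06T16:48:55 bob logoff
2021-10-07T07:00:02 alice login
2021-10-07T18:00:01 alice logoff
2021-10-07T08:03:50 bob login
2021-10-07T17:35:12 bob logoff
2021-10-08T07:00:01 alice login
2021-10-08T18:00:03 alice logoff
2021-10-08T08:20:11 bob login
2021-10-08T17:10:02 bob logoff
"""


def parse_log(text):
    """Turn log lines into (datetime, user, event) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return events


def seconds_since_midnight(dt):
    """Time of day as seconds, so times on different dates can be compared."""
    return dt.hour * 3600 + dt.minute * 60 + dt.second


def regularity(events):
    """Per user: number of days seen and the population std dev (seconds) of
    login and logoff times of day. Low jitter means a clock-like pattern."""
    times = defaultdict(lambda: {"login": [], "logoff": []})
    for dt, user, event in events:
        if event in ("login", "logoff"):
            times[user][event].append(seconds_since_midnight(dt))
    stats = {}
    for user, t in times.items():
        stats[user] = {
            "days": min(len(t["login"]), len(t["logoff"])),
            "login_jitter_s": pstdev(t["login"]) if len(t["login"]) > 1 else None,
            "logoff_jitter_s": pstdev(t["logoff"]) if len(t["logoff"]) > 1 else None,
        }
    return stats


def flag_scripted(stats, max_jitter_s=60, min_days=5):
    """Users whose login AND logoff jitter stay within max_jitter_s over at
    least min_days days. Returned sorted for stable output."""
    flagged = []
    for user, s in stats.items():
        if s["days"] < min_days:
            continue  # not enough history to judge
        if s["login_jitter_s"] is None or s["logoff_jitter_s"] is None:
            continue
        if s["login_jitter_s"] <= max_jitter_s and s["logoff_jitter_s"] <= max_jitter_s:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    stats = regularity(parse_log(SAMPLE_LOG))
    for user, s in stats.items():
        print(user, s)
    print("accounts for analyst review:", flag_scripted(stats))
```

The jitter threshold is a triage signal, not proof: a site with badge-controlled shifts can produce genuinely regular humans, so the hit list is for an analyst to review alongside the in-day activity Koo mentions (what was opened, whether anything was actually worked on between the lunchtime refresh and logoff).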
In a separate case, Koo related how non-human, script/bot behaviour was exfiltrating the financial presentations of the firm’s CFO. When the dust settled it was confirmed that the CFO had fallen victim to a targeted phishing attack and that his credentials had been compromised.
The compromise gave the adversary the permissions afforded to the CFO, including those of the many RPA bots. Interestingly, the adversary in this case did not use any complex malware; they used low-profile commercial off-the-shelf applications to FTP the information accessible via the CFO’s instance.
Better visibility needed
The obvious question for CISOs is, “What level of visibility does the infosec team have over the RPA bots within their network, and what are the processes surrounding their care to ensure that, if compromised, the credentials cannot be used to elevate privileges beyond that which was intended?”
Beyond the RPA bots is the need, to the extent possible, to remove “forever” credentials from devices across the ecosystem, and in all cases to ensure that an authentication step takes place before scripts, machines, or other forms of automation are actuated.
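The three points above (an inventory of bots and what each is allowed to do, no hard-coded "forever" credentials, and authentication before automation runs) can be put together in a small credential broker. The following is an added example, not code from DTEX, Saviynt or the article. The bot names, scopes, secrets, rotation dates and the BROKER_KEY are all constructed; in practice the broker's signing key and each bot's secret would come from a vault rather than the script, which is the difference from the hard-coded pattern the finance example describes. A bot must present its secret to obtain a token; the token is limited to the scopes approved for that bot, expires after a short TTL, and is HMAC-signed so it cannot be edited to widen access. A separate check lists bots whose secret has not been rotated within policy, which is the visibility piece.

```python
"""Short-lived, scoped credentials for RPA bots in place of hard-coded ones.

Added example, not DTEX or Saviynt code. Every secret and date below is
constructed for the demo; real values live in a secret store, not in scripts.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Constructed fallback: a real deployment loads the signing key from a vault.
BROKER_KEY = os.environ.get("BROKER_KEY", "constructed-broker-key").encode()

# Bot inventory: the visibility the infosec team needs. allowed_scopes is the
# least privilege each bot was approved for; last_rotated feeds the stale check.
BOT_REGISTRY = {
    "voucher-approver": {
        "owner": "finance-manager",
        "allowed_scopes": {"vouchers:read", "vouchers:approve"},
        "secret": b"constructed-secret-1",
        "last_rotated": datetime(2021, 9, 1),
    },
    "report-collector": {
        "owner": "cfo-office",
        "allowed_scopes": {"reports:read"},
        "secret": b"constructed-secret-2",
        "last_rotated": datetime(2021, 1, 15),
    },
}

NOW = datetime(2021, 10, 8, 8, 30)  # constructed reference time for the demo


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the token payload with the broker's key."""
    return hmac.new(BROKER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(bot, presented_secret, requested_scopes, now, ttl_s=900):
    """Authenticate the bot, then issue a token limited to approved scopes and TTL.
    Returns None for an unknown bot, a wrong secret, or scopes beyond approval."""
    rec = BOT_REGISTRY.get(bot)
    if rec is None:
        return None
    if not hmac.compare_digest(rec["secret"], presented_secret):
        return None  # authentication happens before any automation is actuated
    requested = set(requested_scopes)
    if not requested <= rec["allowed_scopes"]:
        return None  # a bot cannot be used to reach beyond what it was approved for
    expiry = int((now + timedelta(seconds=ttl_s)).timestamp())
    payload = f"{bot}|{','.join(sorted(requested))}|{expiry}"
    return payload + "." + _sign(payload)


def verify_token(token, action_scope, now):
    """Accept only an intact, unexpired token that carries the scope for this action."""
    try:
        payload, sig = token.rsplit(".", 1)
    except (ValueError, AttributeError):
        return False
    if not hmac.compare_digest(_sign(payload), sig):
        return False  # edited payload or forged signature
    _bot, scopes, expiry = payload.split("|")
    if int(expiry) <= int(now.timestamp()):
        return False  # the credential is not "forever"
    return action_scope in scopes.split(",")


def stale_bots(now, max_age_days=90):
    """Bots whose secret has not been rotated within the policy window."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(b for b, r in BOT_REGISTRY.items() if r["last_rotated"] < cutoff)


def run_demo(now=NOW):
    """Exercise the broker: normal use, expiry, wrong scope, tampering, bad secret."""
    tok = issue_token("voucher-approver", b"constructed-secret-1", ["vouchers:approve"], now)
    tampered = tok[:-1] + ("0" if tok[-1] != "0" else "1")
    return {
        "issued": tok is not None,
        "valid_in_window": verify_token(tok, "vouchers:approve", now + timedelta(minutes=5)),
        "rejected_after_ttl": not verify_token(tok, "vouchers:approve", now + timedelta(minutes=20)),
        "rejected_wrong_scope": not verify_token(tok, "reports:read", now),
        "rejected_tampered": not verify_token(tampered, "vouchers:approve", now),
        "rejected_bad_secret": issue_token("voucher-approver", b"wrong", ["vouchers:read"], now) is None,
        "rejected_scope_creep": issue_token("voucher-approver", b"constructed-secret-1", ["reports:read"], now) is None,
        "stale": stale_bots(now),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

Applied to the CFO case above, a stolen human credential would still not inherit every bot's reach: each bot authenticates on its own, gets only its approved scopes, and its token lapses in minutes, so the rotation report and the broker's issue log become the places to look when the question "which bots could this account have driven?" comes up.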
In sum, Koo has it right: Equal attention must be paid toward devices and processes as is given to the individual when addressing the insider risk management strategy.