Defending Against a Targeted Insider Attack (aka The Snow Job)

Everyone is familiar with the marketing buzzword APT (Advanced Persistent Threat), which has become synonymous with what's known as a targeted attack. What I'm writing about today is a targeted insider attack, which occurs when a person tries to become an employee of the targeted company whose data he's seeking to steal. One Internet humorist (@explanoit) has beautifully dubbed this "a Snow job" in honor of the now infamous Edward Snowden, who specifically targeted the NSA as an employer that he intended to steal from.

During 2011, I was asked to participate in evaluating a Fortune 50 company's security operations center (SOC) for any threats that they hadn't already prepared to defend against. This is one of the defining characteristics of superior SOC management: they know that they're missing something and regularly hire independent assessors to determine what that might be. Inferior SOC managers assume that they've got everything under control. Those are the guys who, more often than not, are having their lunch eaten by both insiders and external threat actors.

The company that hired me quietly runs its security operations from a different location than its company headquarters. While this isn't generally known, it's effectively advertised in the local papers when they're hiring. The company's public employment ads contained enough detailed information about the position and the skill set they were looking for to enable a person with malicious intent to (a) discover where the SOC is and (b) tailor a resume to fit the hiring requirements (problem #1). Furthermore, prospective SOC employees weren't vetted for financial problems that might provide leverage for a foreign intelligence service (FIS) to recruit them. In fact, financial difficulty is the most common reason for employees to engage in corporate espionage (problem #2).

Extortion to commit theft of company secrets via threatened exposure of a personal secret (drug addiction, sexual orientation, etc.) is yet another tool used by an FIS to convert employees into intelligence assets. All of these red flags may be spotted by empowering at least one HR manager to act as a one-person Red Team, evaluating every candidate who has received a hire recommendation for some or all of the security risks I mentioned above.

In the cleared world, where one would expect more attention to be paid to these red flags, background checks suffer from extensive fraud, according to testimony by OPM Inspector General Patrick McFarland during a Senate hearing on the problem last week. A Senator at that hearing mentioned a 2009 GAO report which said that 87% of security clearance reports were missing background information, so the problem isn't new. Ironically, these background checks are conducted by contractors.

While targeted spear phishing attacks are pervasive and serious, they pale in comparison to a targeted insider attack like Snowden's against the NSA. And frankly, if a company can up its game to defend against the insider threat through improved background investigations, post-hire monitoring for network access anomalies and other tactics, defending against a spear phishing attack is going to be child's play.