Security & Resilience Update | 9-8-23

Cybersecurity
Insider Threat Awareness – Understanding and Mitigating the Risk of Insider Threats

Every organization is vulnerable to insider threats. As more organizations migrate their business operations to digital platforms, the risk of a compromise due to an insider threat will continue to grow. Research for the latest Data Breach Investigations Report from Verizon found that 74% of data breaches involved a human element, highlighting the enduring risk that both malicious and unintentional insiders pose.

According to the cybersecurity firm Tessian, insider threat incidents increased by 47% between 2018 and 2020. Water and wastewater utilities, specifically, have experienced multiple insider threat incidents over the past few years, such as the incident in Kansas where a former employee pleaded guilty to unauthorized computer access with intent to harm. This summer, a former water utility employee was charged after reportedly accessing the utility's network, purposefully uninstalling the main operational and monitoring system for the water treatment plant, and then turning off the servers running those systems, creating a threat to public health and safety. With September also being National Insider Threat Awareness Month, now is the time for organizations to assess their risk and implement an effective insider threat program. Proofpoint classifies insider threats as careless insiders, malicious insiders, and compromised insiders (legitimate accounts taken over by an outside attacker). Despite the differences between these categories, an effective insider threat management program will help mitigate all three.

The best defense against an insider threat is an insider threat program. Important considerations for managing insider threats include fostering a more open work environment, in particular employing positive incentives over negative ones. For instance, researchers at Carnegie Mellon University recommend that organizations leverage positive-incentive-based organizational practices centered on increasing job engagement, perceived organizational support, and connectedness at work. In addition, leaders throughout an organization should be trained to recognize the factors that put employees at risk of becoming an insider threat; more often than not, leaders are best positioned to spot and help struggling employees before they become an intentional or unintentional insider threat. Frequent user awareness training is also important: treating training as a process rather than a singular event helps socialize the expectations for managing insider threats throughout the organization. Finally, the program should include strict identity and access management policies (including prompt removal of access when employees leave or change roles), regular account auditing, and established processes and procedures for collecting and monitoring employee data and activity. Read more at Proofpoint or at Forcepoint.
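A minimal form of the account auditing mentioned above, as an added example that is not part of this update or of the Proofpoint, Forcepoint, or CMU material it cites: the script cross-checks an identity-system export against an HR separation roster and flags accounts that are still enabled after the owner left, as well as authentication events logged after a separated user's last day. The roster, the account export, the log lines, the gateway name vpn01, and the group names are all constructed for illustration and assume a simple key=value log format; adapt the parser to your own directory export and authentication source.

```python
from datetime import datetime, timedelta, timezone

# Constructed HR separation roster: username -> last working day (UTC).
SEPARATIONS = {
    "jdoe": "2023-07-14",
    "rkumar": "2023-08-01",
}

# Constructed identity-system export (the shape an AD/LDAP dump might take).
ACCOUNTS = [
    {"user": "jdoe",   "enabled": True,  "groups": ["scada-ops", "vpn-users"]},
    {"user": "rkumar", "enabled": False, "groups": ["it-helpdesk"]},
    {"user": "mlee",   "enabled": True,  "groups": ["scada-ops"]},
]

# Constructed authentication log from a hypothetical VPN gateway "vpn01".
AUTH_LOG = """\
2023-07-13T22:10:05Z vpn01 auth: user=jdoe result=success src=203.0.113.7
2023-07-20T02:41:17Z vpn01 auth: user=jdoe result=success src=198.51.100.9
2023-08-03T09:00:01Z vpn01 auth: user=rkumar result=failure src=198.51.100.9
2023-08-03T09:15:44Z vpn01 auth: user=mlee result=success src=192.0.2.25
"""

# Groups whose membership makes a stale account a high-severity finding
# (assumed names; substitute the privileged groups in your own directory).
PRIVILEGED_GROUPS = {"scada-ops"}


def _utc_day(date_str):
    """'YYYY-MM-DD' -> aware datetime at 00:00 UTC of that day."""
    return datetime.strptime(date_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def parse_auth_line(line):
    """Parse one constructed log line into (timestamp, user, result, src)."""
    ts_str, _host, _tag, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, fields["user"], fields["result"], fields["src"]


def stale_enabled_accounts(accounts, separations, privileged=PRIVILEGED_GROUPS):
    """Accounts still enabled although HR lists the owner as separated."""
    findings = []
    for acct in accounts:
        if acct["enabled"] and acct["user"] in separations:
            findings.append({
                "user": acct["user"],
                "last_day": separations[acct["user"]],
                # Membership in a privileged group raises the severity.
                "severity": "high" if privileged & set(acct["groups"]) else "medium",
            })
    return sorted(findings, key=lambda f: f["user"])


def post_separation_auth(log_text, separations):
    """Authentication events recorded after a separated user's last day."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, src = parse_auth_line(line)
        if user not in separations:
            continue
        # Anything from the day after the last working day onward is a finding.
        cutoff = _utc_day(separations[user]) + timedelta(days=1)
        if ts >= cutoff:
            findings.append({
                "user": user,
                "time": ts.isoformat(),
                "result": result,
                "src": src,
                # A successful login by a departed user outranks a failed attempt.
                "severity": "high" if result == "success" else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in stale_enabled_accounts(ACCOUNTS, SEPARATIONS):
        print("STALE ACCOUNT", f)
    for f in post_separation_auth(AUTH_LOG, SEPARATIONS):
        print("POST-SEPARATION AUTH", f)
```

Run on a schedule against a fresh directory export and the previous day's authentication logs, the two checks catch the conditions behind the incidents described above: an account that should have been disabled, and a departed user still reaching the network. A failed attempt after separation is kept as a finding too, since it shows the credential is still being tried even if it no longer works.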

CISA Releases Capacity Enhancement Guide to Strengthen Agency Resilience to DDoS Attack

CISA has released actionable guidance for Federal Civilian Executive Branch (FCEB) agencies to help them evaluate and mitigate the risk of volumetric distributed denial-of-service (DDoS) attacks against their websites and related web services. The Capacity Enhancement Guide: Volumetric DDoS Against Web Services Technical Guidance:  

  • Helps agencies prioritize DDoS mitigations based on mission and reputational impact. 
  • Describes DDoS mitigation services so agencies can make risk-informed tradeoff decisions on how to use available resources most effectively.

Although the guide is written for FCEB agencies, members are encouraged to review it as a reference for their own DDoS planning. Read more at CISA.

W3LL: Mature, Phishing-Focused Underground Marketplace Uncovered by Researchers

Group-IB has posted a blog discussing its research into W3LL, a mature, phishing-focused threat actor that has developed and is selling a phishing kit capable of bypassing MFA.

Group-IB’s researchers have observed W3LL’s underground store, which has over 500 active users who can buy 16 regularly updated custom tools that cover all steps of a BEC attack. W3LL tools are largely used to target victims in the United States, Australia, and the UK, with the most targeted industries being manufacturing, IT, and financial services. The report provides a description of all the tools on offer, as well as how they might be used in an example attack. Read more at Group-IB.

CISA Releases Update to Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells

The Cybersecurity and Infrastructure Security Agency (CISA) has released an update to a previously published Cybersecurity Advisory (CSA), Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells. The updated CSA contains victim information gathered in August 2023. CISA strongly urges all critical infrastructure organizations to review the advisory and follow the mitigation recommendations, such as prioritizing the patching of known exploited vulnerabilities like Citrix CVE-2023-3519. Read more at CISA.

CISA ICS Vulnerability Advisories and Alerts, Updates, and Bulletins – September 7, 2023

The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS vulnerability advisories, as well as alerts, updates, and bulletins:

ICS Vulnerability Advisories:

CISA Releases Four Industrial Control Systems Advisories

These products are used across multiple sectors; please check the latest advisories for specific equipment used in your ICS environments and address any findings accordingly.

  • Dover Fueling Solutions MAGLINK LX Console
  • Phoenix Contact TC ROUTER and TC CLOUD CLIENT
  • Socomec MOD3GP-SY-120K
  • Delta Electronics CNCSoft-B DOPSoft (Update)

Alerts, Updates, and Bulletins:

Supplemental Cyber Highlights – September 7, 2023

The following posts are useful for general awareness of current threats, vulnerabilities, guidance, and other cyber-related news or updates. These resources have been curated by the WaterISAC analyst team as items of broad relevance and benefit that do not need supplemental analysis at this time.

Critical Infrastructure Vulnerabilities & Resilience

IT Malware & Threats

IT Vulnerabilities

Ransomware Resilience

Cyber Resilience & General Awareness

Insider Threats (September is Insider Threat Awareness Month)

Technical Posts (for security analysts, sysadmins, and other nerds)