Security & Resilience Update | 9-8-23

Insider Threat Awareness – Understanding and Mitigating the Risk of Insider Threats

Every organization is vulnerable to insider threats. As more organizations migrate their business operations to digital platforms the risk of a compromise due to an insider threat will continue to grow. Research for the latest Data Breach Investigations Report from Verizon found that 74% of data breaches involved a human element, highlighting the enduring risk both malicious and unintentional insider threats pose.  

According to the cybersecurity firm Tessian, insider threat incidents increased by 47% between 2018 and 2020. Water and wastewater utilities, specifically, have experienced multiple insider threats incidents over the past few years, such as the incident in Kansas where a former employee pleaded guilty to unauthorized computer access with intent to harm. This summer, a former water utility employee was charged for reportedly accessing the network of the utility and then purposefully uninstalled the main operational and monitoring system for the water treatment plant and then turned off the servers running those systems causing a threat to public health and safety. With September also being National Insider Threat Awareness Month, now is the time for organizations to assess their risk and implement an effective insider threat program. Proofpoint classifies insider threats as careless insiders, malicious insiders, and compromises. Despite the differences, an effective insider threat management program will help mitigate against all potential insider threats.

The best defense against an insider threat is creating an insider threat program. Some important considerations for managing insider threats include fostering a more open work environment, particularly employing positive incentives over negative ones. For instance, researchers at Carnegie Mellon University recommend that organizations leverage positive-incentive-based organizational practices centered on increasing job engagement, perceived organizational support, and connectedness at work. In addition, leaders throughout an organization should be trained to be aware of factors that put employees at risk of becoming an insider threat. More often than not, leaders are best positioned to spot and help struggling employees before they become an intentional or unintentional insider threat. Implementing frequent user awareness training is also an important consideration, treating training as a process and not a singular event can help to socialize the expectations of managing insider threats throughout an organization. Additionally, the program should consist of strict policies for identity and access management, conduct regular account auditing, and establish processes and procedures for collecting and monitoring employee data and activity. Read more at Proofpoint or at Forcepoint.

CISA Releases Capacity Enhancement Guide to Strengthen Agency Resilience to DDoS Attack

CISA has released actionable guidance for Federal Civilian Executive Branch (FCEB) agencies to help them evaluate and mitigate the risk of volumetric distributed denial-of-service (DDoS) attacks against their websites and related web services. The Capacity Enhancement Guide: Volumetric DDoS Against Web Services Technical Guidance:  

  • Helps agencies prioritize DDoS mitigations based on mission and reputational impact. 
  • Describes DDoS mitigation services so agencies can make risk-informed tradeoff decisions on how to use available resources most effectively.

Members are recommended to review the guidance for potential inspiration. Read more at CISA.

W3LL: Mature, Phishing-Focused Underground Marketplace Uncovered by Researchers

Group-IB has posted a blog discussing its research into W3LL, a mature, phishing-focused threat actor that has developed and is selling a phishing kit capable of bypassing MFA.

Group-IB’s researchers have observed W3LL’s underground store, which has over 500 active users who can buy 16 regularly updated custom tools that cover all steps of a BEC attack. W3LL tools are largely used to target victims in the United States, Australia, and the UK, with the most targeted industries being manufacturing, IT, and financial services.  The report provides a description of all the tools on offer, as well as how they might be used in an example attack. Read more at Group-IB.

CISA Releases Update to Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells

The Cybersecurity and Infrastructure Security Agency (CISA) has released an update to a previously published Cybersecurity Advisory (CSA), Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells. The updated CSA contains victim information gathered in August 2023. CISA strongly urges all critical infrastructure organizations to review the advisory and follow the mitigation recommendations— such as prioritizing patching known exploited vulnerabilities like Citrix CVE-2023-3519. Read more at CISA.

CISA ICS Vulnerability Advisories and Alerts, Updates, and Bulletins – September 7, 2023

The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS vulnerability advisories, as well as alerts, updates, and bulletins:

ICS Vulnerability Advisories:

CISA Releases Four Industrial Control Systems Advisories

Products are used across multiple sectors, please check these latest advisories for specific equipment used across your ICS environments and address accordingly.

  • Dover Fueling Solutions MAGLINK LX Console
  • Phoenix Contact TC ROUTER and TC CLOUD CLIENT
  • Socomec MOD3GP-SY-120K
  • Delta Electronics CNCSoft-B DOPSoft (Update)

‚ÄčAlerts, Updates, and Bulletins:

Supplemental Cyber Highlights – September 7, 2023

The following posts are useful for general awareness of current threats, vulnerabilities, guidance, and other cyber-related news or updates. These resources have been curated by the WaterISAC analyst team as items of broad relevance and benefit that do not need supplemental analysis at this time.

Critical Infrastructure Vulnerabilities & Resilience

IT Malware & Threats

IT Vulnerabilities

Ransomware Resilience

Cyber Resilience & General Awareness

Insider Threats (September is Insider Threat Awareness Month)

Technical Posts (for security analysts, sysadmins, and other nerds)