Konrads Smelkovs: Very few insiders develop overnight

Interview with Konrads Smelkovs – Incident Response

Could you please tell us a little bit about your background?

I work at KPMG as a manager, and I started working with security when I was around thirteen years old. I used to go to my mother’s work, because there was nobody to look after me. There used to be an admin there who used to run early versions of Linux, which I found to be rather exciting. I begged him to give me an account on his Linux box, but I didn’t know much about that, so I started searching for information in Altavista. The only things you could find there was how to hack into Unix, and there were no books at the time I could buy. I downloaded some scripts off the internet and started running them. Some university then complained that my scripts were hacking them, though I didn’t really understand much of what I was doing. So my account got suspended for about half a year, but I got hooked and found it rather interesting and exciting, and developed an aspiration in this direction. I then did all sorts of jobs, but I wanted a job in this field. So I saw an add in the newspaper and applied for a job at KPMG back in Latvia, 6 or 7 years ago. I was asked what it is I could do, and I explained to them the sort of things I had done in terms of programming: “a little bit of this, a little bit of that…”, I did some reading about security before the interview, and they then asked me if I could do penetration testing. I had a vague idea of what it entailed, because I understood web applications quite well. So I said, “yeah, sure. I can go ahead and do that because I understand these things quite well.”

What are you working on at the moment?

In the past I used to focus mainly on break-ins. Now people resort to me for advice on how to detect on-going intrusions, which takes up a large portion of my time at the moment, but more at a senior level. I do threat modelling for a corporation. I have to know how to break-in in order to give them reasonable advice, but it’s mainly in the form of PowerPoint presentations and meetings.

When you develop threat models for corporations, how do you factor in insider threats as well as the human aspect of security?

I believe the industry oscillates from one extreme to the other. People spoke a lot about “risk” but they understood very little about what this risk entailed. They then spoke about IT risks, but it was more of a blank message. Then it all became very entangled, and there was talk about vulnerability thinking: “you have to patch everything.” But then people realised that there is no way to patch everything, and then started talking about defence strategies, which pretty much everybody misunderstands, and so they started ignoring vulnerabilities. This especially happened because we all had firewalls, but we know that those don’t help either. So what we are trying to do here is to spread common sense in one go. When we talk about threat models, we have to talk about who is attacking, what they are after, and how they will do it. So the “who” will obviously have a lot of different industry properties, why they are doing it, what their restrictions and their actions are and so on. Despite the popular belief in the press, in The Financial Times, CNN, and so on, everybody talks about the APT, these amazing hackers hacking everything. They don’t realise that the day-to-day reality is quite different. There are two main things people are concerned about. One of them is insider threats, because insiders have legitimate access, and just want to elevate that access by copying or destroying information. The second is malware, which is such a prevalent thing. Most malware is uploaded by criminals who are not specifically after you, but are after some of your resources: you are not special to them. There are very few industries where there is nation-state hacking or where competitive hacking is current. So when we talk about threat models, we mainly talk about insider threats within specific business units and how they work. This is what I think people are most afraid of: the exploitation of trust.

How do you normally advice executives in organisations about proper information security? Do you focus on building a proper security culture, on awareness training, technological/architectural means, or what do you consider is the most important thing they should keep in mind?

We need to implement lots of things. I believe that a lot of the information security awareness training is misguided. It is not about teaching people how to recognise phishing or these sort of things. It is about explaining to them why security is important and how they play a part in it.

Very few insiders develop overnight and I believe that there is a pattern, and even then, insiders are rare. Most of the time you have admins who are trying to make themselves important, or, who out of vengeance, try to destroy things. So whenever you have destruction of information, you have to look at what kind of privileged access there is. Sometimes people copy things in bulk when they leave the company, to distribute it to the company’s competitors.

So lets say you develop a threat model and present it to the company, who’s executives accepted and use to develop a policy which they then implement and enforce. Sometimes, these policies my clash with the end-users’ performance and affect the way business within the company is done. Sometimes they might resist new controls because privileges get taken away. How would you factor in this human aspect, in order to avoid this unwanted result?

Many companies impose new restrictions on their employees without analysing the unwanted result it may lead to. So for example, if companies don’t facilitate a method for sharing large files, the employees might resort to Dropbox which could represent a potential threat. Smart companies learn that it is important to offer alternatives to the privileges they remove from their employees.

How do you go by identifying what the users need?

They will often tell you what it is they need and they might even have a solution in mind. It’s really about offering their solutions securely. Rarely is the case when you have to tell them that what they want is very stupid and that they simply should not do it.

Finally, apart from sharp technical skills, what other skills would you say security professionals need in order to qualify for a job?

You have to know the difference between imposing security and learning how to make others collaborate with security. Having good interpersonal skills is very important: you need to know how to convince people to change their behaviour.

Thank you Konrads.

Preventing Insider Attacks

An insider attack is one of the biggest threats faced by modern enterprises, where even a good working culture might not be sufficient to prevent it. Companies implement sophisticated technology to monitor their employees but it’s not always easy for them to distinguish between an insider and an outside attack.

Those who target and plan attacks from the outside might create strategies for obtaining insider knowledge and access by either resorting to an existing employee, or by making one of their own an insider.

They may introduce a problem to both individuals (in the form of financial fraud, for example) and companies (by abusing authorization credentials provided to legitimate employees). In this scenario, a victim and an attacker are sharing physical space, which makes it very easy to gain login and other sensitive information.

According to CERT, a malicious insider is; a current or former employee, contractor, or business partner who has or had authorised access to an organisation’s network system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organisation’s information. Furthermore, CERT split insider crimes into three categories:

  •  Insider IT Sabotage, where IT is used to direct specific harm at an organisation or an individual.
  • Insider Theft of Intellectual Property is the use of IT to steal proprietary information from an organisation.
  • Insider Fraud uses IT to add, modify and/or delete an organisation’s data in an unauthorised manner for personal gain. It also includes the theft of information needed for identity crime.

But how can companies detect and prevent such attacks?

In his paper, Framework for Understanding and Predicting Insider Attacks, Eugene Schultz suggests that insiders make human errors, which when spotted can help in preventing such threats. Therefore, constant monitoring, especially focused on low-level employees, is one of the basic measures for preventing insider attacks and gathering evidence.

There are a number of precursors of insider attacks that can help to identify and prevent them:

  • Deliberate markers – These are signs which attackers leave intentionally. They can be very obvious or very subtle, but they all aim to make a statement. Being able to identify the smaller, less obvious markers can help prevent the “big attack.”
  • Meaningful errors – Skilled attackers tend to try and cover their tracks by deleting log files but error logs are often overlooked.
  • Preparatory behaviour – Collecting information, such as testing countermeasures or permissions, is the starting point of any social engineering attack.
  • Correlated usage patterns – It is worthwhile to invest in investigating the patterns of computer usage across different systems. This can reveal a systematic attempt to collect information or test boundaries.
  • Verbal behaviour Collecting information or voicing dissatisfaction about the current working conditions may be considered one of the precursors of an insider attack.
  • Personality traits – A history of rule violation, drug or alcohol addiction, or inappropriate social skills may contribute to the propensity of committing an insider attack.

There are a number of insider attackers who are merely pawns for another inside or outside mastermind. He or she is usually persuaded or trained to perpetrate or facilitate the attack, alone or in collusion with other (outside) agents, motivated by the expectation of personal gain.

Organisations may unknowingly make themselves vulnerable to insider attacks by not screening newcomers properly in the recruitment, not performing threat analyses, or failing to monitor their company thoroughly. Perhaps the most important thing they overlook is to keep everybody’s morale high by communicating to employees that they are valued and trusted.