What tracks internal perpetrators lay in network traffic

Many discussions are quick to cast a company's own employees as an IT security risk, yet the actual danger they pose often remains unclear. Several distinct profiles of internal attackers can cause considerable damage. Detecting and defending against their actions is only possible with a permanent view of network traffic and endpoints, based on artificial intelligence.


Behind the internal threats to IT, information and business processes are intentional or unintentional actions by employees, as well as by suppliers or freelancers with access to the network.

Perpetrator profiles of internal attackers

The greatest danger comes from the intentional perpetrator who uses his access to files, applications and systems. Personal and financial reasons are the main motivation, far ahead of sabotage. There are two types here:

  • The collaborator acts on behalf of clients: competitors, cybercriminal malware actors or even states.
  • The "lone wolf" acts independently and without outside influence. If this is a user with the appropriate privileges, such a perpetrator poses a serious danger.

The unintentional or careless offender also falls into two categories.

  • The "pawn" in the cybercriminals' chess game: an authorized user whom hackers manipulate against his will. Cybercriminals attack him with targeted spear phishing to hijack his identity. Many attacks target the endpoint of a single user.
  • The unintentionally acting "goof": he violates IT security guidelines out of arrogance, ignorance, incompetence or simply a lack of awareness. He is often easy prey for phishing attacks with subsequent privilege escalation.

Any employee can remove or delete information on a PC. For larger and more complex attacks, the circle of perpetrators narrows. The majority of employees lack the means, rights and knowledge to launch serious attacks on a backup or Active Directory server. Nor can they escalate privileges or exfiltrate data on a larger scale from a cloud endpoint that is well shielded by the provider. Only technically competent employees from IT administration are capable of this. But if attackers hijack the identity of an ordinary employee, that employee too can become a dangerous weapon.

The view inward

Every type of attacker leaves traces in network traffic and on end devices. At the network level, for example, they misuse the Windows network protocol Server Message Block (SMB) for their own purposes. Exfiltration of information reveals itself through contact with an unknown IP address. When internal users suddenly behave differently, artificial intelligence (AI) detects these sporadic deviations from normal processes, both on the network and on the endpoint. AI solutions make processes visible and put them in context. Even small and medium-sized enterprises can use such AI solutions; especially for protection against attackers from within, they are a necessary tool for manageable IT security.

Abnormal behavior of perpetrators in the network is visible mainly through the following activities:

  • Unauthorized or anomalous access to systems or data with legitimate credentials: for example, an employee suddenly logs into the network at unusual times or from unusual places, or an IT administrator or employee searches areas of the network for which they have no rights. These scenarios are just as suspicious as access to a backup server, which normally happens only to manage or check backups or to restore data.
  • Exploring the network: normally, an internal user moves confidently along the paths laid out for him and heads straight for known systems, data and applications. Once users leave these paths, they behave like an external attacker: they access one system after another in order to explore or modify them.
  • Data exfiltration: sensitive data is copied to an external storage device or sent via mail or cloud services. The connection of such a device is visible, as is the sudden spike in data traffic.

Defense in the net and at the end point

Attacks by an internal perpetrator can be detected by continuously monitoring all internal and external traffic, for example through consistent user and entity behavior analytics (UEBA), which looks at user activity and analyzes logins, file accesses and resource usage.
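The following is an added example, not code from the article or from any product it alludes to. It shows in miniature how the UEBA approach just described can be applied to the three behaviors listed in the previous section: each user's baseline (hours of activity, systems contacted, largest transfer) is learned from past events, and new events are flagged when they fall outside it. All log events, the corporate address range and the list of sensitive servers are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample events (user, timestamp, target, bytes sent); not real logs.
BASELINE = [  # ordinary activity used to learn each user's habits
    ("alice", "2024-03-04T09:05:00", "fileserver01", 1200),
    ("alice", "2024-03-05T10:30:00", "fileserver01", 900),
    ("alice", "2024-03-06T14:10:00", "crm-app", 400),
    ("bob", "2024-03-04T08:50:00", "backup01", 300),
    ("bob", "2024-03-05T09:15:00", "dc01", 500),
]
NEW_EVENTS = [
    ("alice", "2024-03-09T02:40:00", "fileserver01", 1000),  # unusual hour
    ("alice", "2024-03-09T02:45:00", "backup01", 200),  # never used the backup server
    ("alice", "2024-03-09T02:50:00", "203.0.113.7", 250000000),  # bulk send to unknown IP
    ("bob", "2024-03-09T09:00:00", "backup01", 300),  # the admin's routine job
]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate address range
SENSITIVE = {"backup01", "dc01"}  # backup and Active Directory servers named in the text

def build_profile(events):
    """Per user: hours of activity, systems contacted and the largest single transfer."""
    profile = defaultdict(lambda: {"hours": set(), "targets": set(), "max_bytes": 0})
    for user, ts, target, nbytes in events:
        p = profile[user]
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["targets"].add(target)
        p["max_bytes"] = max(p["max_bytes"], nbytes)
    return profile

def is_external(target):
    # Bare IPs outside the corporate range are external; hostnames are internal assets.
    try:
        return ipaddress.ip_address(target) not in INTERNAL
    except ValueError:
        return False

def detect(profile, events, volume_factor=10):
    """Return (user, timestamp, reason) for each event that breaks the user's baseline."""
    alerts = []
    for user, ts, target, nbytes in events:
        p = profile[user]  # assumes every user has a baseline
        hour = datetime.fromisoformat(ts).hour
        if not min(p["hours"]) <= hour <= max(p["hours"]):
            alerts.append((user, ts, f"activity at unusual hour {hour:02d}"))
        if target in SENSITIVE and target not in p["targets"]:
            alerts.append((user, ts, f"first access to sensitive system {target}"))
        if is_external(target) and nbytes > volume_factor * p["max_bytes"]:
            alerts.append((user, ts, f"{nbytes} bytes sent to unknown external address {target}"))
    return alerts
```

On the sample data, alice's night-time session produces five alerts (three for the hour, one for the backup server, one for the bulk transfer to the external address), while bob's routine backup work produces none; a real deployment would learn the baseline over weeks and let an analyst review each alert, as the last section of the article describes.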

From this, preventive measures in the network topology can be derived, as well as the blocking of attacks by means of endpoint detection and response immediately before an attack is executed. In the network and at the endpoint, these measures primarily include:

  • Microsegmentation of the network, so that systems that regularly communicate with the attacked endpoint can be completely and quickly blocked in an emergency. At the same time, this limits the radius of an internal attacker's lateral movement.
  • Control of endpoints: hackers alter systems not only with new malware but also with new configurations. Analyzing changes to the system is therefore the first requirement for blocking a system. If an anomaly on an endpoint is sufficiently conspicuous, an automated defense immediately initiates a backup of the system to protect its information from encryption. The attacked PC is then quarantined, as are the computers of the other employees in the department.
  • Use of IT security technologies such as antivirus, firewall, data loss prevention or identity and access management.

The human eye of the security analyst

Many inside perpetrators, often acting alone, cannot be detected by one-dimensional security approaches or by automated monitoring alone. Attackers usually use legitimate tools and rarely install malware; they do not need an intrusion tool. Entities such as users or systems can nevertheless still be identified by certain anomalous behavior. For the overall picture, and especially for an efficient defense, the human eye of a security analyst is additionally needed. The analyst examines the recorded behavior of internal entities and recognizes from exceptional logins that the actual user probably no longer controls the account. The analyst responds to alerts about a malware infection, keeps an eye on phishing campaigns as a possible starting point for an internal attack, controls the defenses, and blocks suspicious protocols or data transfers through the firewall under his management. In dialog with the companies to be protected, the security analyst also recognizes whether a legitimate user is hiding behind the suspicious behavior: a new employee, a new branch or a newly assigned responsibility.
