It has become commonplace for organizations to protect their networked and cloud assets actively and fervently against the global influx of threat actors who are trying to breach their security edge for nefarious purposes. Although attacks like brute force password cracking, denial of service attacks, and ransomware attacks do cause damage, it is often the attacks from internal origins that cause the most damage.
Many organizations are moving towards interconnected SaaS ecosystems, and these ecosystems require diligent, persistent defenses against both internal and external threat actors. SaaS ecosystems are unfortunately the most vulnerable to Advanced Persistent Threats (APTs). The most effective countermeasure remains real-time monitoring of SaaS assets to identify anomalies, together with a zero-trust privilege paradigm. Vendors like docontrol.io, for example, specialize in such granular, mission-critical monitoring. By combining metadata from SaaS ecosystems with EDR and IDP, APTs can be identified and uprooted.
What are APTs?
Threat actors typically attempt to breach an organization’s security perimeter to cause one of two outcomes. The first is to disrupt as many of the intended target’s services as possible, damaging its reputation and ultimately its income. The other goal might be financial gain: stealing sensitive information and offering it to nefarious buyers, or keeping the information and demanding a ransom for it.
When it comes to APTs, stealing sensitive information is generally the intended goal too. APTs are, however, regarded as long-term espionage attacks. Threat actors gain unauthorized access to an organization’s network or SaaS ecosystem and remain there, undetected, for a prolonged period. This low level of activity allows threat actors to siphon off volumes of data over a period, unbeknown to the organization.
This kind of attack is especially dangerous because it will not trigger any of the traditional alerts: it does not conform to any of the threat models used to identify possible breaches. APTs are typically more successful in environments where little to no control is carried out to verify access rights to internal resources.
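To illustrate why a low, steady siphon slips past traditional per-event alerting, the following added example (not from the original article or from any vendor it names) compares a fixed single-event size threshold with a per-user baseline over constructed audit events. The user names, volumes, thresholds and function names are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

START = date(2024, 1, 1)  # constructed start of the sample period

def build_sample_events():
    """Constructed SaaS audit events: (day, user, MB downloaded) over 14 days."""
    events = []
    for i in range(14):
        day = START + timedelta(days=i)
        events.append((day, "alice", 20.0))                       # steady, normal use
        events.append((day, "bob", 20.0 if i < 7 else 90.0))      # sustained low-volume rise
        events.append((day, "carol", 120.0 if i == 10 else 20.0)) # one-off busy day
    return events

def per_event_alerts(events, limit_mb=500.0):
    """Traditional rule: alert only when a single event exceeds a fixed size."""
    return sorted({user for _, user, mb in events if mb > limit_mb})

def low_and_slow_alerts(events, split_day, factor=3.0):
    """Flag users whose median daily volume on or after split_day exceeds
    `factor` times their own median daily volume before it. Using the median
    keeps a single busy day from raising an alert. Days without any event
    are not counted (a simplification for this example)."""
    daily = defaultdict(lambda: defaultdict(float))
    for day, user, mb in events:
        daily[user][day] += mb
    flagged = []
    for user, per_day in daily.items():
        baseline = [mb for d, mb in per_day.items() if d < split_day]
        recent = [mb for d, mb in per_day.items() if d >= split_day]
        if not baseline or not recent:
            continue  # no history to compare against; handle separately
        if median(recent) > factor * median(baseline):
            flagged.append(user)
    return sorted(flagged)

if __name__ == "__main__":
    events = build_sample_events()
    print("per-event rule:", per_event_alerts(events))
    print("baseline rule: ", low_and_slow_alerts(events, START + timedelta(days=7)))
```
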
Insider Threats as APTs
In a recent threat report by the Ponemon Research Institute et al. about the cost of insider threats, it was found that 63% of all insider threats were due to employee negligence, with the remaining 37% divided between credential theft and malicious criminal elements within organizations.
The truth of the matter is that if an employee’s usage pattern within an organization does not raise red flags, it goes unaddressed. This makes it increasingly difficult to distinguish between malicious and normal activity. What amplifies insider threats, though, is that employees typically know exactly where to find sensitive information.
This insider could be any authorized person within the organization, and they become increasingly hard to detect when they are malicious since they would actively hide their tracks as they exploit security loopholes.
How to Deal with Insider Threats
Whether the insider threat originates from an individual or service that has legitimate access to resources or from an APT, the remediation actions are nearly identical. In SaaS ecosystems, organizations must adopt a policy of Zero Trust.
The Zero Trust security model clamps down on SaaS and network resource rights by strictly limiting access to what is necessary for each individual or service. By default, new users are created with access to none of the SaaS resources. Access can only be granted by elevated user profiles.
By coupling this paradigm with real-time monitoring tools, security specialists can pick up security anomalies more easily and more effectively.
Let’s face the facts: no one will ever be immune from cyber-attacks. Organizations need to map out their attack surface and put detection and remediation processes in place to keep the security edge clear and unwavering. This will merely make the organization less of a target. By implementing automatic, real-time monitoring solutions, red flags can be identified earlier and addressed promptly to avoid disastrous breaches.
As far as employee negligence is concerned, regular corporate security training will allow the organization to educate its employees on the various risk factors involved in negligent behaviors such as Shadow IT and engaging with social engineering attempts.