Inside Attackers Often Unremarkable, Warns CERT

Most attacks are relatively unsophisticated, planned in advance, conducted during normal business hours, and start from inside the organization. The common driver comes as no surprise: money.

Countless security studies point to security managers’ insider-threat fears. To catch an attacker, however, organizations need to know the most prevalent types of attacks, the level of technological sophistication, and the types of behaviors attackers most often exhibit.

The data is in, and surprisingly, most attacks are relatively unsophisticated, planned in advance, conducted during normal business hours and from inside the organization, and driven by one desire: money.

That’s according to the new “Insider Threat Study” report, which studies 23 cases, perpetrated by 26 inside attackers between 1996 and 2002 in the financial services and banking sectors. The report was produced by Carnegie Mellon University Software Engineering Institute’s CERT Coordination Center, together with the U.S. Secret Service, which is now part of the U.S. Department of Homeland Security (DHS).

The report says attacks from inside an organization were often conducted with users’ normal levels of access to systems and functionality. “In 87 percent of the cases the insiders employed simple, legitimate user commands to carry out the incidents, and in 78 percent of the incidents, the insiders were authorized users with active computer accounts.” Half of attackers even used their own username to conduct the attack.

Surprisingly, the majority of insider attacks, the report finds, were conducted “by individuals who had little or no technical expertise.” The typical attack “involved the exploitation of non-technical vulnerabilities such as business rules or organization policies.” Spoofing or flooding was used in only 14 percent of attacks; attack scripts or programs were used in 9 percent of attacks.

Most attacks were also the work of more than one person, and four out of five attacks were planned in advance. As opposed to wanting to damage an organization or its data and information outright, 81 percent of attackers were simply “motivated by financial gain,” says the report, and 65 percent didn’t envision the damage their attack would create.

Aside from a love of money, however, attackers fit no common profile. Given IT employees’ ready access to systems, and the ability to hide their tracks, for example, one might posit a stronger lure for system administrators to defraud their workplace. Yet only about one in four attackers held a technical position, and a scant 13 percent of attackers had previously demonstrated any interest in hacking. Prior behavior is also no indicator, since prior to their attack, only a third of attackers displayed conduct that drew a supervisor’s attention.

If attackers don’t readily fit a profile, their results do. Of the 23 incidents the report studied, “in 30 percent of the cases the financial loss exceeded $500,000.” For example, the report cites a March 2002 attack against an unnamed, international financial services company. An attacker used a logic bomb—malicious code that activates either at a set time or after a certain event—to delete 10 billion internal files. The cost for restoring information to 1,300 servers and cleaning up the mess was $3 million.

To help counter insider attacks, the report suggests investigators focus on the group nature of most insider attacks and institute mechanisms for employees to report any suspicious behavior.

While the report’s authors hope organizations will use their findings to avert attacks, there’s a more specific goal as well. “We believe this insight may be useful to those in the sectors charged with protecting their critical assets as they begin to examine ways of improving their defense against insider attacks,” they write.

For that to happen, however, the Secret Service and CERT want organizations to overcome their reluctance to share information. “This study provides concrete insight into the insider threat problem. It also demonstrates the value that can be gained when organizations are willing to share their data and experiences with others,” notes Richard Pethia, director of the CERT Coordination Center.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance security and technology writer.