Insider Threat Hurts Organizations The Most: Forcepoint Report

DQINDIA Online

Forcepoint recently released its 2016 Global Threat Report claiming a definitive breakdown of many of today’s most impactful cybersecurity threats with far-reaching technical, operational and cost impacts on affected organizations. The report details specific, notable threats in-depth and provides the information about the threat composition and their severity.

Insider Threat: The Malicious and the Accidental

The report outlines that 'insider threats describe attacks that either originate or receive cooperation from sources within an organization.' Preying on globalization and on more dynamic business relationships and supply chains, attackers are targeting insiders in victim and adjacent organizations. They often gain access to systems by manipulating staff into activity that appears legitimate but is in fact designed to steal their credentials.

Forcepoint and third-party research shows that policing insider activity and accounting for privileged credentials are the security issues organizations feel least prepared to confront. The report outlines that 'nearly 80% of security remains focused on perimeter defenses, with less than half of organizations having dedicated budget to insider threat programs.' Common challenges cited in the report include organizations lacking enough “contextual information” to discern suspect from benign activity and “insufficient visibility” into overall behavior on networks, due to reliance on disparate, disconnected tools to monitor users, actions and sensitive files. More sophisticated technology combining data loss prevention (DLP) and threat behavior analytics that correlate with other IT and business systems (such as badging and IP log records) is now evolving to determine whether a threat comes from a true insider or from a malicious masquerader using stolen credentials.
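One way the badge/IP correlation described above can be implemented, as an added example that is not from the report or from Forcepoint's products: logins are checked against the physical-access log, and a login whose network origin disagrees with where the badge system says the user is gets flagged. The log formats, the 10.0.0.0/8 corporate range and the sample records are constructed assumptions.

```python
from datetime import datetime
import ipaddress

# Constructed sample logs (hypothetical format): "<ISO timestamp> <user> <ENTER|EXIT>"
BADGE_LOG = [
    "2016-03-01T08:02:00 alice ENTER",
    "2016-03-01T17:45:00 alice EXIT",
    "2016-03-01T08:10:00 bob ENTER",
]
# Constructed authentication log (hypothetical format): "<ISO timestamp> <user> <source IP>"
AUTH_LOG = [
    "2016-03-01T09:15:00 alice 10.1.4.22",    # on site, internal address: consistent
    "2016-03-01T10:30:00 alice 203.0.113.9",  # badged in, yet logging in from outside
    "2016-03-01T23:05:00 bob 10.1.4.40",      # never badged out, internal address: consistent
    "2016-03-01T07:00:00 carol 10.1.4.41",    # internal address, but no badge record at all
]
# Assumed corporate address space; real deployments would load this from inventory.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def parse(line):
    """Split one log line into (timestamp, user, payload)."""
    ts, user, rest = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), user, rest

def badged_in(badge_lines, user, at):
    """True if the user's most recent badge event at or before 'at' is an ENTER."""
    on_site = False
    for ts, who, event in sorted(map(parse, badge_lines)):
        if who == user and ts <= at:
            on_site = (event == "ENTER")
    return on_site

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_anomalies(badge_lines, auth_lines):
    """Flag logins whose network origin disagrees with the badge system."""
    findings = []
    for ts, user, ip in map(parse, auth_lines):
        on_site, internal = badged_in(badge_lines, user, ts), is_internal(ip)
        if on_site and not internal:
            findings.append((user, ip, "external login while badged in: possible stolen credentials"))
        elif internal and not on_site:
            findings.append((user, ip, "internal login without badge entry: possible tailgating or compromised host"))
    return findings

if __name__ == "__main__":
    for user, ip, why in find_anomalies(BADGE_LOG, AUTH_LOG):
        print(f"{user} from {ip}: {why}")
```

Either finding alone is only a lead for an analyst; the point is that neither the DLP tool nor the badge system would raise it on its own.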

Forcepoint’s Global Threat Report documents a case study of an organization undergoing merger and acquisition (M&A) activity, where personnel affected by downsizing were observed violating their generous separation agreements by trying to exfiltrate proprietary company information before their departures. This activity was prevented, yet could have had costly business repercussions if it were successful.

“JAKU” and Breaking Ransomware

What's “JAKU”: Introduced here for the first time, JAKU is a global botnet named after the harsh desert planet in Star Wars: The Force Awakens and exhibits a split personality. Its attack infrastructure seeks to both compromise victims at large scale, in order to co-opt and herd them for mass effect, and simultaneously conduct narrow, highly-targeted attacks on individual victims, seeking to harvest sensitive files, profile end-users and gather valuable machine information.

Fighting back against the “Locky” ransomware: Locky is delivered in Microsoft Office files that contain malicious macros. While Forcepoint’s technology platform recognized the threat and began blocking execution of the malicious content, the SI team set about analyzing how Locky forcibly encrypted files, in order to defeat this action. Forcepoint’s SI team claims that it reverse-engineered how the malware worked and blocked access to domains needed to complete the key process, rendering Locky harmless on systems that would have otherwise been encrypted. Locky’s controllers fought back by instructing Locky to access new crimeware domains, but Forcepoint’s SI team matched this move, blocking the new domains and negating the malware again.

While specialist teams like Forcepoint’s can thwart the arrival of ransomware, organizations’ best bet is to put strong data back-up postures in place that provide the luxury of simply ignoring ransom demands and seamlessly moving to copied files in the event of data loss or destruction.

Web and E-mail: A Two-Pronged Threat

According to a study, almost 92% of unwanted (spam, malicious) e-mail now contains a URL and the presence of malicious macros in e-mail is up 44.7%.

Forcepoint Labs outlined that overall malicious content in e-mail increased 250% in 2015, compared to 2014, with the Dridex banking malware and various ransomware campaigns largely responsible for the rise.

Security Concerns Still Haunt Moves to the Cloud

Cloud computing’s cost, scalability and accessibility have offset security concerns for many enterprises, yet these issues present headaches for many cloud prospects wary of how inconsistent security controls between cloud providers and their own environments could upend data protection. Somewhat ironically, CIOs and CISOs holding off on cloud adoption nonetheless find themselves wrestling with the consequences of employees’ independent decisions to use the cloud apps they prefer for personal productivity and convenience. More than 80% of decision-makers feel this “shadow” IT poses severe consequences. Unfortunately, when IT and security teams cannot see data in shadow IT systems, they cannot protect it.

To help prevent breaches stemming from unsanctioned cloud accounts and access, the Threat Report underlines measures organizations can take to educate users and block the movement of particular files to unauthorized cloud destinations.

Thoughts from Forcepoint’s Office of the CSO (OoCSO)

Forcepoint’s Office of the CSO claims to tap the expertise of Forcepoint’s own cybersecurity and data protection leaders to help customers create new security strategies, improve existing programs and repel ongoing attacks. Each expert in the Office of the CSO organization brings to bear decades of industry experience.

In 2015, the OoCSO team saw M&A activity as one of the greatest cybersecurity risk catalysts across industry sectors. Too often, extensive due diligence and confidential proceedings that lay the groundwork for M&A overlook the state of cybersecurity controls in companies party to a deal, opening opportunities for attackers, insiders or others to obtain privileged information or steal trade secrets and other data that could gut the value of a transaction.

Today, more than 84% of the S&P 500’s value consists of intellectual property (IP) and other intangibles. This means almost any type of data breach event exposing such information can bring immediate profitability, legal, regulatory and shareholder consequences.

In this year’s Threat Report, OoCSO experts recap how comprehensive security controls were managed during the M&A activities that created Forcepoint itself – the combination of the former companies Websense, Raytheon Cyber Products (RCP) and Stonesoft. With so much at stake, the coming together of these companies had to be conducted within the highest levels of security. The Threat Report offers a phase-by-phase timeline of how security risks were consistently evaluated, compared, mitigated and managed at every step, from conception of the deal through the unveiling of Forcepoint on January 14, 2016.
