From a high level what are the types or categories of threats faced by the Security professional?
Let’s go over some basics.
- Internal Authorised
- Internal Unauthorised
- Internal to External
- External to Internal
- External to External (new)
The first 4 are quite well known, I have added the fifth (external to external) which I will go over soon.
Internal Authorised
A person with legitimate access who uses it to carry out unauthorised activities.
Examples include accessing, removing, modifying or deleting sensitive data; adding unauthorised programs or files; and using software or services for purposes they were never approved for.
Examples of Internal Authorised:
- Edward Snowden – Administrator who stole classified data and released it publicly.
- Chelsea (formerly Bradley) Manning – US Army Intelligence Analyst who leaked data to Wikileaks.
Internal Unauthorised
A person without legitimate access who gains it in order to carry out unauthorised activities.
More often associated with opportunistic activity, such as removing, modifying or deleting data from a system. Reconnaissance is also a factor, including the planting of hardware or software key-loggers.
Examples of Internal Unauthorised:
- Enemy sympathisers working as support staff during military operations.
- Building employees such as cleaners or maintenance staff.
Internal to External
A person who has, or has gained, access to internal devices and uses them to act against external systems.
This person may be working with political motives, exploiting an opportunity, or carrying out a carefully planned agenda. Regardless of motive, the reputational damage to the company whose systems were used can be severe.
Examples of Internal to External:
- Disgruntled employee looking to damage customer relations.
- ‘Hacktivist’ looking to make a statement.
External to Internal
A person who gains access to internal devices from an external system.
Objectives may include deletion, removal or amendment of data, installation of software or manipulation of internal infrastructure through to defacement and public embarrassment for personal or political gain.
Examples of External to Internal:
- The Sony Pictures breach. Sony were targeted by an external group of attackers who sought to embarrass the company and pressure it into acting in accordance with their agenda.
- The Ashley Madison breach. The site was targeted and customer details were exposed, with the attackers stating that the company was carrying out an immoral business.
External to External
A person who accesses an organisation's internal systems from an external source in order to launch an attack on a further external target.
Such 'pivots' are used either to hide the attacker's true origin or because the pivot point is a weaker link on the path to a better-defended target.
Examples of External to External:
- The Target breach. The retailer Target was breached in order to steal payment card data. The attackers used network credentials stolen from an HVAC supplier to gain access to Target's internal systems; from the supplier's point of view, this was External to External.
Why do we care?
Understanding the types of threat that are present helps a business to focus its efforts on those deemed high risk. For example, a small company with a close-knit staff in a single office may not need to worry as much about Internal Unauthorised, as they know the face of every staff member and would notice immediately if a non-staff member was using a machine.
Similarly, a network which does not connect to the internet would be less concerned with External to Internal and more concerned with the three Internal threats. External to External may still become a factor through any trusted supplier who has a logical connection to both that network and the internet.
What should we do?
Have three conversations; one with senior management and where they believe the threat to be, another with the technical team(s) and finally one with both technical and management to discuss the differences between them. Bear in mind that Internal Authorised may be in one of those two teams.
So what can we do about it?
As this is pitched at a high level, it is not the place to decide on specific technical actions, but instead to look at high level mitigations, for example a forensic readiness plan will help to recover from such actions. Having a forensic readiness plan in place also helps to reduce the accusations of complacency or negligence on the part of the company.
Build scenarios, and consider what might happen under each heading. How could that potentially play out? Once you have basic scenarios in place, look at how to audit those scenarios, or even how to prevent them. For example, are all internal routers patched? Are the passwords the same on every local admin account? Do you have centralised logging? Is that logging being monitored? Do you have agreements in place with third-party suppliers and cloud services on how evidence would be acquired if there was a problem?
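Three of the audit questions above can be answered from data you already hold, so here is an added example (not code from the original post) of what auditing a scenario looks like in practice: one check for local admin password reuse across hosts, one for hosts that have gone quiet in central logging, and one for supplier accounts reaching hosts outside their agreed scope (the External to External pivot). All hostnames, account names, hash values and timestamps are constructed sample data; the hash strings are placeholders rather than real password hashes.

```python
"""Scenario audit checks: shared local admin passwords, logging gaps,
and out-of-scope supplier logins. Added example with constructed data."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: hostname -> hash of that host's local admin password.
# In practice this comes from a PAM/LAPS export; values here are placeholders.
LOCAL_ADMIN_HASHES = {
    "ws-001": "hash-A",
    "ws-002": "hash-A",
    "ws-003": "hash-B",
    "srv-db-01": "hash-C",
    "srv-file-01": "hash-A",
}

# Constructed sample: hostname -> timestamp of the last event received by the
# central log collector (None = the collector has never heard from the host).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
LAST_LOG_EVENT = {
    "ws-001": NOW - timedelta(minutes=5),
    "ws-002": NOW - timedelta(days=3),
    "ws-003": NOW - timedelta(minutes=30),
    "srv-db-01": None,
    "srv-file-01": NOW - timedelta(hours=25),
}
MAX_LOG_GAP = timedelta(hours=24)

# Constructed sample: which hosts each third-party account is contractually
# allowed to reach, and a handful of (account, host) login events.
SUPPLIER_SCOPE = {
    "hvac-vendor": {"bms-01"},
    "backup-vendor": {"srv-file-01"},
}
LOGIN_EVENTS = [
    ("hvac-vendor", "bms-01"),
    ("hvac-vendor", "srv-db-01"),
    ("backup-vendor", "srv-file-01"),
    ("alice", "ws-001"),
]


def shared_local_admin_hashes(hashes):
    """Return {hash: [hosts]} for every password hash used on more than one host.

    A shared local admin password means one compromised workstation gives an
    attacker the same credential on every host in the list.
    """
    by_hash = defaultdict(list)
    for host, digest in hashes.items():
        by_hash[digest].append(host)
    return {d: sorted(hosts) for d, hosts in by_hash.items() if len(hosts) > 1}


def hosts_missing_logs(last_seen, now, max_gap):
    """Return hosts whose last central log event is older than max_gap, or that
    have never logged at all. Either way, an incident there would leave no
    evidence in the central store."""
    return sorted(
        host for host, seen in last_seen.items()
        if seen is None or now - seen > max_gap
    )


def out_of_scope_supplier_logins(events, scope):
    """Return (account, host) pairs where a supplier account logged into a host
    outside its agreed scope. Accounts not in the scope table are not suppliers
    and are ignored by this check."""
    return [(acct, host) for acct, host in events
            if acct in scope and host not in scope[acct]]


def run_audit():
    """Run all three checks against the constructed data and return findings."""
    return {
        "shared_local_admin": shared_local_admin_hashes(LOCAL_ADMIN_HASHES),
        "logging_gaps": hosts_missing_logs(LAST_LOG_EVENT, NOW, MAX_LOG_GAP),
        "supplier_out_of_scope": out_of_scope_supplier_logins(LOGIN_EVENTS, SUPPLIER_SCOPE),
    }


if __name__ == "__main__":
    for check, finding in run_audit().items():
        print(f"{check}: {finding}")
```

Each function returns its findings rather than printing them, so the same checks can be scheduled and fed into whatever ticketing or alerting you already run; the point is that a scenario only counts as audited once something like this runs on a cadence and somebody reads the result.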
I know there are a lot of questions, however this post is more about awareness than answers. People like me can be employed to work with you to answer these questions, but they will be bespoke and not something easily found via Google.