Most Wanted Insider Threats: The Tale of A Compromised Account

A single compromised account can create a serious security issue for your company.


Monday, 8:45 a.m. – IT Department, Floor 4, CoolTech Inc. Headquarters:

Walter arrives at work in the IT department. He takes his job seriously, working on the front line between total chaos and an orderly working day. He knows that not all attacks come through the front door. Attackers will try any avenue to gain access, and often these attacks happen without the victim knowing. Those are the hardest ones to find.

Monday, 9:45 a.m. – Marketing Department, Floor 2, CoolTech Inc. Headquarters:

Bob sits down at his desk with a cup of coffee. He has never really worried about cybersecurity. He works in the marketing department for his company, going about his business, doing his job, putting in his time. In the grand scheme of things, he feels like someone whose actions would largely go unnoticed. He isn't a vice president who faces the public every day. He isn't a content producer with his name on the blogs and in social media posts. He is part of the machinery that keeps marketing running.

Bob's real passion is music. He loves alternative music and prides himself on staying up to date on the latest bands. On this morning, he receives an email from a club he attended the previous week containing a link to the website for a new band. He had dropped his business card in their free lunch bucket at the last open mic night they had. The link leads to a rather simple site, clearly not proofread, but he ignores his browser's warning about the security of the site. He goes ahead and downloads the band's music.

Monday, 9:50 a.m.: A Studio Apartment, Reno, Nevada

Mallory laughs when the latest workstation pings in. She has compromised an open source blogging site and added malicious Java code to its standard download widgets. Never sure whom she will compromise, she has the malware scan the most recent documents and upload them to an open site where she can check out the bounty when it arrives. No need to check all the time: her compromised system lets her know on social media when there is something to see. For now, she waits for that post.

Monday, 4:45 p.m. – Marketing Department, Floor 2, CoolTech Inc. Headquarters:

Bob finishes his day, shuts off his laptop monitor and leaves the office. He has a vacation ahead of him starting tomorrow and is looking forward to the time off. An indie music festival is his destination.

The malware runs on Bob's computer. It copies the files up to Pastebin and then sends Mallory a command and control ping via a hashtag on a popular actor's account.

Monday, 4:46 p.m. – IT Department, Floor 4, CoolTech Inc. Headquarters:

Walter looks over the results from the user and entity behavioral analytics (UEBA) software his company runs. There is a new entry on the list of threats: Bob. He isn't familiar with Bob, so he looks him up in the company directory: a marketing employee. But why has Bob been flagged as a risk? Looking at Bob's top anomalies, Walter sees that Bob visited a website he had never gone to before. He doesn't recognize the site, since the URL is on an open blogging platform and the site itself is just some hash. VirusTotal doesn't report the site as malicious.

It also appears that Bob downloaded a ton of data from this new website, more data than any of his peers have downloaded from external sites. For this user group, it's certainly very strange to pull down so much data. Shortly after, Walter sees an upload to an IP address that Bob has never connected to before, but it isn't very large, just a few hundred thousand. Looking up the address, he sees it is Pastebin. Certainly not the usual location for marketing material! There is also a first-time connection to Twitter. The behavioral analytics software flags that this is the first time Bob has accessed the site, even though it is not unusual for his peers. Definitely an unusual action.

Reviewing the data, Walter wants to know what could have caused this. He wakes up the company's EDR tool and has it scan the running processes and return all recently accessed files. One of the processes comes back as "unknown malicious", with no cleaner available for it yet. The files are the same size as the ones uploaded to Pastebin. Looking at the UEBA tool as well, he sees that these activities happened outside of normal working hours for Bob. With this information, Walter quickly determines that it was probably not Bob being malicious: his account has been compromised and malware has been added to his machine! Walter isolates Bob's machine from the network until it can be cleaned and locks his account.

Thursday, 9:05 a.m. – Marketing Department, Floor 2, CoolTech Inc. Headquarters:

Bob returns from his time away humming the latest tunes he heard. When he tries to log into his machine, his account is locked. He immediately calls the help desk. It quickly becomes clear to Bob from his conversation with the help desk that he made a crucial mistake: his supposedly "benign" downloading activity has potentially cost his company!


While the names in this tale have been changed to protect the innocent, this situation is all too real. All attacks at some point, regardless of how they happen, become a compromised account. Often the attack itself may not be directly detectable, but the resulting behaviors are. Regardless of how Bob got compromised, his account started behaving differently, and it was this change in behavior that allowed Walter to detect the attack. This type of scenario explains why it's important not only to rely on rules and a SIEM but to supplement these techniques with AI-enabled anomaly detection. You cannot write a rule to detect these specific behaviors without creating an overwhelming number of false positives in the SIEM, which in turn causes the SOC team to simply ignore them.
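The anomalies Walter reads off his UEBA console (first-seen destination, download volume out of line with his peer group, upload to a never-seen address, activity outside working hours) are the kind of baseline deviation this paragraph argues a static rule cannot express. The following is an added illustration written for this article, not code from any vendor's product; the corporate domain suffix, peer group, working hours, history and proxy events are all constructed.

```python
from collections import defaultdict
from datetime import datetime

INTERNAL = ".cooltech.example"        # constructed corporate domain suffix
WORK_HOURS = range(8, 17)             # 08:00-16:59, constructed for Bob's team
PEERS = {"bob": ["alice", "carol"]}   # constructed marketing peer group
# Constructed 30-day history per user: (user, destination, direction, bytes).
BASELINE = [
    ("bob",   "cms.cooltech.example", "download", 2_000_000),
    ("alice", "cms.cooltech.example", "download", 1_800_000),
    ("alice", "twitter.com",          "download",   400_000),
    ("carol", "cms.cooltech.example", "download", 2_200_000),
    ("carol", "twitter.com",          "download",   300_000),
]
# Constructed proxy events from the day of the incident: (user, time, dest, direction, bytes).
EVENTS = [
    ("bob", "2024-06-03T09:47:00", "blog-host.example", "download", 95_000_000),
    ("bob", "2024-06-03T17:02:00", "pastebin.com",      "upload",      350_000),
    ("bob", "2024-06-03T17:03:00", "twitter.com",       "download",     40_000),
]

def build_profiles(baseline):
    """Per-user set of known destinations and largest external download seen."""
    seen, ext_max = defaultdict(set), defaultdict(int)
    for user, dest, direction, size in baseline:
        seen[user].add(dest)
        if direction == "download" and not dest.endswith(INTERNAL):
            ext_max[user] = max(ext_max[user], size)
    return seen, ext_max

def score_event(event, seen, ext_max, peers=PEERS):
    """Return (score, reasons); each deviation from the user's or peers' baseline adds a point."""
    user, ts, dest, direction, size = event
    group = peers.get(user, [])
    new_for_user = dest not in seen[user]
    known_to_peers = any(dest in seen[p] for p in group)
    reasons = []
    if new_for_user:   # first-seen site; weaker signal when peers already use it (the Twitter case)
        reasons.append("first-seen destination"
                       + (" (common among peers)" if known_to_peers else " (unknown to peers)"))
    if direction == "download" and not dest.endswith(INTERNAL) and group:
        peer_max = max(ext_max[p] for p in group)   # threshold relative to peers, not a fixed rule
        if size > 10 * peer_max:
            reasons.append(f"external download of {size} B exceeds 10x peer max ({peer_max} B)")
    if direction == "upload" and new_for_user:
        reasons.append("upload to never-seen destination")
    if datetime.fromisoformat(ts).hour not in WORK_HOURS:
        reasons.append("outside working hours")
    return len(reasons), reasons
```

Summing the per-event scores over a day gives the kind of ranked list Walter starts from; the Pastebin upload scores highest because it is new for Bob, new for his peers, and off hours at once.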

There are two things you can do today to help your company be more secure: 1) send us a note to chat with us about behavioral analytics and how we can supercharge your security tools, and 2) don't make the same mistake as Bob!

Learn more about the “Most Wanted” insider threats in our infographic: A Guide to Insider Threats and How to Prevent Them.