Many in the cybersecurity world spend their entire careers trying to prevent the kind of high-profile, reputation-wrecking cyberattack such as what occurred to Twitter earlier this month.

On July 15, Twitter users the world over were puzzled to read messages promoting a cryptocurrency scam sent from the accounts of high-profile public figures like Joe Biden, Barack Obama, Elon Musk, Kanye West and others. Twitter employees are said to be responsible for the attack, who allegedly worked alongside cyber criminals to compromise the accounts of many of the site’s most influential users.

This style of cyber espionage stems from what is known as insider threats, a method of cyberattack that made up 34% of all breaches in 2018, according to a Verizon report. Or, as put by ThreatModeler’s own Director of Sales Engineering, Stuart Winter-Tear:

“The ‘malicious insider’ or ‘insider threat agent’ are among the most destructive and worrisome of security attacks. Social engineering is often deployed to psychologically manipulate an insider to do criminal bidding, such as bribery or blunt force, but may also come in a more pernicious subtle guise.”

As insider threats rise in both quantity and sophistication, today’s organizations must mount an effective defense against this leading cause of cyberattacks. Read on to learn more about how hackers managed this feat at Twitter, how insider threats on the whole impact organizations, and discover the benefits of threat modeling as a solution against this malicious act of cybercrime.

How the Theft of an Admin Tool Motivated the Twitter Hack

According to Twitter, the story goes like this: staff were hit by a string of coordinated social engineering attacks, which targeted employees with access to a particularly powerful internal too (the tool in question allowed users access to the site’s user accounts, including personal data contained within).

Attackers next targeted approximately 130 accounts but were most interested in a smaller group of extremely high-profile users. The hackers changed the email addresses associated with each high-profile user, which they presumably used to launch a password reset to gain access.

Finally, each account then published the aforementioned tweets, which claimed a partnership with a made-up organization, CryptoForHealth, saying that they would send participants bitcoin if they provided a smaller amount upfront. It’s estimated that this attack netted the hackers $120,000, according to The Verge.

Investigations are underway at multiple law enforcement organizations, including the Federal Bureau of Investigation. Federal investigators are particularly interested in how the system may be used to expose sensitive information of high-profile government officials.

Given the interconnected and dispersed nature of the internet, thousands of federal employees of all types may be liable to cross-contaminate sensitive assets with third-party applications. And despite the highly sensitive nature of this data, backend tools designed to manage these platforms were liberal in the degree of access they provided, used by an overly broad group of mid-level employees.

A similar story broke last year, this time concerning Myspace, found to have created an internal tool named “overlord” that gave users access to user passwords and messages. Initially designed for moderation and compliance with law enforcement, it was later abused by employees to spy on users.

“Every company has (one),” according to Hemanshu Nigam, who was Myspace’s Chief Security Officer from 2006 to 2010, said during a phone interview referring to such administration tools. “Whether it’s for dealing with abuse, or responding to law enforcement or civil requests, or for managing a user’s account because they’re raising some type of issue with it.”

Malicious and Accidental Insider Threats Can Cost an Organization, On Average, $11,450,000

Insider threats are just what they sound like, cybersecurity incidents that originate from actors inside the breached organization.

Currently, the number of insider-caused cybersecurity incidents are on the rise, increasing 47% since 2018, with 60% of companies experiencing more than 30 incidents per year. And not only are these threats increasingly common, they’re also increasing in sophistication and damage. Their average annual cost has also grown fairly dramatically in this two-year-span, rising 31% to $11.45 million.

Depending on the methods and intent of such attacks, insider threats can be broken down into two varieties:

  • Malicious threats represent 37% of all insider attacks, costing organizations between $756,000 and $871,000 per incident. Typically, these attacks are deliberately launched by internal bad actors, sometimes in collaboration with hackers, as witnessed in the Twitter attack. They often originate from social engineering attacks like phishing.
  • Accidental attacks make up 62% of insider attacks, costing organizations close to one third less, at $307,000 per incident. Incidental attacks originate from human error, whether through poor cybersecurity hygiene, or an accidental leak of sensitive information through an incorrectly addressed email.

Incidental attacks occur most often after an employee inadvertently leaves a door open for hackers through the accidental exposure of sensitive data, or the setting of default or easy-to-guess passwords. They also commonly occur due to employees falling prey to phishing scams.

Such accidents appear to be somewhat common, too. 41% of employees who admitted to leaking data in an Egress survey said they had done so due to a phishing email. An additional 31% said they caused a breach by sending information to the wrong person, for example, by email.

And despite accidental attacks occurring nearly twice as often as malicious ones, purposeful attacks cost almost three times as much to mitigate. In cybersecurity, it’s just as important to secure against the most likely and most damaging attacks, too.

As far as who is most likely to cause insider attacks, managers are the biggest threat, often due to their advanced permissions resulting in the exposure or theft of data. Other likely sources, in descending order of risk level, include contractors, regular employees, and IT admin and staff.

Read about how the principle of least privilege ensures organizations assign appropriate access to personnel across the organization in our blog post.

What’s more, research shows that the larger an insider threat lasts, the more expensive it is to contain. Containing an insider threat within 30 days costs organizations $7.12 million annually, while those that last 90 days increase to an average of 13.7 million.

Threat Modeling for Insider Threats

It’s important to note that internal breaches can’t solely be blamed on an insider, as many organizations are realizing the need to improve upon internal cybersecurity training. It’s also a well-known fact that the workforce’s current cybersecurity practices are in need of at least some form of improvement to keep up with ongoing, sophisticated and emerging threats.

Modern day threat modeling is a particularly valuable approach to combat insider threats. Armed with a map to hunt down security gaps and unprotected accounts – among a host of other security flaws – DevSecOps can detect all vulnerabilities within a network environment and address them.

Think Like a Hacker and Control Access Privileges With ThreatModeler

To implement a threat modeling practice that protects organization-wide assets against insider threats, global enterprises turn to ThreatModeler. The platform’s innovative process flow diagram-based (PFD) approach follows the Visual, Agile, Simple Threat modeling (VAST) methodology, founded on three strong pillars: automation, integration and collaboration. The platform’s Threat Intelligence Framework pulls content from many leading, official sources such as AWS, OWASP, NIST, MITRE CAPEC and more.

Learn what a day in the life of a threat research engineer is like curating threat content for  ThreatModeler by reading our blog post.

While insider threats pose a unique and menacing challenge, ThreatModeler provides the contextual insights for engineers to accurately identify threats and appropriate countermeasures  as early as in the design stage. With a holistic understanding of the organization’s attack surface, autonomous developers can now think like an insider threat hacker, and prioritize and address threats strategically.

ThreatModeler also empowers AWS teams to effectively apply the principle of least privilege in the cloud to apply the correct permissions to applications and resources. For large organizations that need to scale across thousands of employees and devices, plus hundreds of applications within an expanding infrastructure, ThreatModeler provides a staging environment that simulates AWS architectures. Within the simulation, teams can clearly outline potential threats including misappropriated permissions.

ThreatModeler’s threat detection empowers DevSecOps to protect private, sensitive and confidential resources via role-based access. CSAs can now simply audit their over-permissive IAM policies and unused roles to make access management changes. Through it, stakeholders are empowered to prevent data breaches and remediation costs. The platform enables administrators to stay up-to-date with personnel changes, including their roles and responsibilities, to manage permissions in real-time. Easily make a change in the simulated environment to forecast the impact it will have on the AWS environment.

To learn how ThreatModeler is the right platform to proactively secure your enterprise at scale, contact us to schedule a live demo.