According to IBM, it takes an average of 197 days to detect a breach. Today’s attackers go above and beyond to evade alerting capabilities and make it look like they were never there. While that number tends to be shorter for Insider Threats, Insiders also tend to be much better at deception and covering their tracks as well. These trends leave companies wondering how they can learn the deceptive ways that attackers can cover their tracks to get better at shortening that 197-day window to more rapidly detecting incidents and breaches.
How do they cover their tracks?
Unless dealing with a hacktivist or rare attacker that wants to be known, attackers must make the system look like it did before they gained access and established backdoors for their use. Most cyber attackers do not want to be caught and go to great lengths to ensure that it doesn’t happen. There are three main approaches to covering tracks: obscurity, obliteration, and intentional confusion.
Attackers often try to evade alerts – especially if they are Insiders and know what those alerts. Think of it like an old days jewel thief you see in movies. They duck and dodge the red beams as they may their way to the prized item they plan to steal. Cybercriminals do the same thing and try to understand what detection methods you may be using so that they can prevent triggering an alarm. In the digital world, they may do things to obfuscate the origins of traffic and spoof traffic, use TOR browsing, and more.
Then the second is deleting any traces of activity where possible. They may modify, delete, and destroy logs. Successful cyber-attacks often require some use of elevated user accounts. They may delete such temporary accounts that were created to commit the fraud. They may delete any files associated with the activity etc. Luckily, screen capture technology exists, so forensic investigators can go back in time to watch these actions. This type of forensic grade software is also known as “eyes on glass technology” in the cybersecurity industry, but that’s a discussion for another day.
Attackers also continue to get creative in how they effectively delete information. For example, some attackers are using ransomware to lock up log files so that the victim can’t see the activity. Whether the targeted company pays the ransom or not, the attacker will not plan to unlock the data because they don’t want you to see what else they’ve done on your network.
The concept of “false negatives” also becomes a concern when it comes to Insider Threats. These are the cases where there is a threat actor, a true outsider who is not one of your employees but has gained access to the credentials of your employee. They can perform activities that appear normal – but aren’t. These attackers are hiding under the guise of being a normal user.
For example, let’s say an external cybercriminal has somehow gained access to an employee’s internal login and is now committing fraud paying invoices to a supplier the real employee normally pays. Only, they’ve updated the account information to route to an untraceable bank account. They are using the victims’ valid login, to do an activity that seems normal, but they are doing things they shouldn’t. How do you know it’s not your employee and that it’s an imposter?
This is how some attackers hide in plain sight by engaging in a seemingly regular and authorized activity. This makes managing the risk, especially when it comes to this concept of false negatives, super challenging without the right technologies and capabilities to detect and prevent such instances in intelligent and informed ways.
There is another method worth noting in this section, and that’s obliteration with the assistance of the victim. We have seen through Uber and other examples, that some companies discover breaches and then actually work with the attacker to track and help cover the tracks to avoid dealing with the incident head-on. This usually doesn’t end well, and quite a few companies have been publicly shamed for attempts to hide cyber-attacks. Increasing regulations around cybersecurity and breach disclosure are making it harder for companies to get away with these types of negligent actions.
Some attackers take evasion a step further by intentionally leaving the crime scene a confusing mess that is hard to untangle or leads investigators down rabbit holes to nowhere. They may add fake data to logs, create useless accounts, and perform activities that lead away for the true intentions of the attack.
What can companies do about it?
There are many tools available to aid companies in digital fraud detection and prevention. For example, intrusion detection and prevention systems exist. Furthermore, knowing that the majority of these incidents stem from Insiders within the company, it’s crucial to have an Insider Threat Strategy with adequate tools to understand these threats.
Machine learning and artificial intelligence-based solutions are becoming critical weapons in the battle against digital fraud, as well. While behind every attack is a human being, those human beings are using machines and intelligence to launch bigger, better, and more efficient attacks. Today, detecting incidents is not as simple as noticing an employee working during odd hours or some of the more obvious signs. Insiders especially know the systems well and had insider insight on how to circumvent security features.
This is where artificial intelligence and leading-edge solutions are revolutionary for all businesses, but especially environments with concentrations of high-value assets where the likelihood of Insider Threats is even higher.
Insider Risk – How Prepared Are You?
Not every company is equally prepared to deal with insider risk. This report outlines the four stages of insider risk maturity and explores how to improve your insider risk preparedness.