Case Study
When Insider Threat Bites: A Lesson from Trend Micro
At the start of November, cybersecurity company Trend Micro was hit by a serious data breach as a result of an employee selling the personal data of thousands of customers. Lucy Ingham looks at what lessons can be learnt from this severe example of insider threat
No organisation wants to receive the calls that cybersecurity company Trend Micro began receiving in August of this year.
Customers of the organisation had begun phoning about receiving scam calls, from individuals claiming to be from the company’s support department. Concerningly, the knowledge they possessed was significant: these were not phone calls from someone simply trying their luck, but from individuals with significant data relating to the targeted customers.
“The information that the criminals reportedly possessed in these scam calls led us to suspect a coordinated attack,” said Trend Micro in a blog post about the incident.
The company launched an investigation that lasted for two months. By the end of it, they knew for certain what they were dealing with: an employee of the company had stolen and sold the customer data of around 70,000 customers, including names, email addresses, telephone numbers and support ticket numbers, in a severe example of what is known as insider threat.
Insider threat is a common problem in any data-handling company, referring to situations where a cybersecurity incident is caused by someone within the organisation. In most cases, such a data breach or other incident is an accident, but in the case of Trend Micro it was anything but.
“It's every security firm's nightmare for something like this to occur,” said cybersecurity expert Graham Cluley in an interview with BBC News.
“You can have all the security in place to prevent external hackers getting in but that doesn't stop internal staff from taking data and using it for nefarious purposes.”
Trend Micro has contacted all the affected customers, fired the employee and disabled their account access. The company is also working with law enforcement in an ongoing investigation into the incident. But the incident contains vital lessons for other organisations that may be similarly at risk.
Insider threat should be high priority
While much of cybersecurity focuses on the efforts of malicious actors attempting to gain access from outside an organisation’s perimeter, insider threat is on the rise.
“This is an area of risk that is becoming high on any organisation’s priority list, or at least it should be high on the priority list!” said Peter Draper, technical director, EMEA at Gurucul.
“Insider threat covers more than just the nefarious insider, such as this particular case, but includes the unintentional insider threat and insider threat from ‘trusted’ third parties (suppliers, contractors etc.).”
And this isn’t just a case of a perceived risk in such threats: according to research by Securonix, 21% of organisations have suffered over five insider threat attacks in the last 12 months alone.
According to Draper, this rise is a result of other approaches becoming increasingly challenging for cybercriminals, making targeting those on the inside a more appealing option than was previously the case.
“As organisations become better at protecting their data and assets which is within their control, options for gaining access to that data are turning to insiders,” he said.
“This particular case may have been a single user selling the data for personal gain or it could have been that external bad actors could have been in play and may have solicited the sale of the data.”
In the case of intentional insider threat, the motives of employees will, of course, vary, although money is naturally a key lure. Notably, Securonix found that 52% of organisations saw contractors and temporary workers as posing a higher risk of such actions, likely due to their lack of loyalty to the company in question.
Danger inside the walls
However, the motives and actions of employees are only half of the issue – the other element is far more technical.
While companies have placed increasing focus on securing their perimeter, cybersecurity efforts within organisations remain less than ideal. Essentially, while the walls may be secure, anyone inside can often access anything they want.
“The breach at Trend Micro underscores a major, yet unfortunate, disconnect in IT security today where perimeter security, UBA, database encryption, DLP and fraud/threat detection are deployed without a complementary deployment of security that ensures the data inside is protected,” explained Warren Poschman, senior solutions architect at comforte AG.
“The belief that ‘if I build a high enough wall they can’t get in and my data is safe inside’ is a fallacy that has been exposed repeatedly in 2019. Instead of just building virtual Maginot lines around data, organisations need to adopt a data-centric security model to protect the data inside from either external or internal threats – in other words, protect what matters most inside as well as you do to protect the outside perimeter.”
In particular, companies are advised to increase the security of their data at all points in its handling, through processes such as tokenisation, where data is substituted with unique identification symbols. This way, other employees at an organisation cannot simply access unencrypted data as they please.
“Data-centric security technologies such as tokenisation protect data at rest, in motion, and in use and protect enterprise-wide. In the Trend Micro case, this could have stopped the rogue employee because although they may have had elevated credentials to the customer service database, they would have found that the database contained useless tokens instead of salable data,” explained Poschman.
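To make the tokenisation point concrete, here is an added illustration (not code from Trend Micro or comforte AG) of a toy token vault: support tickets are stored with name, email and phone replaced by random tokens, so a user reading the customer service database sees only tokens, and the original values come back only through a detokenise call gated on a separate right. The vault, ticket layout and role names are constructed for the example.

```python
import secrets

SENSITIVE_FIELDS = ("name", "email", "phone")  # constructed ticket schema


class TokenVault:
    """Toy token vault (constructed). A production vault keeps this mapping
    in a separately hardened store; here it is an in-memory dict."""

    def __init__(self):
        self._forward = {}  # plaintext -> token
        self._reverse = {}  # token -> plaintext

    def tokenise(self, value: str) -> str:
        # Same plaintext always maps to the same token, so joins still work.
        if value in self._forward:
            return self._forward[value]
        token = "tok_" + secrets.token_hex(8)  # random, reveals nothing about value
        self._forward[value] = token
        self._reverse[token] = value
        return token

    def detokenise(self, token: str, caller_roles: set) -> str:
        # Detokenisation is a distinct privilege from reading the database.
        if "detokenise" not in caller_roles:
            raise PermissionError("caller not authorised to detokenise")
        return self._reverse[token]


def store_ticket(vault: TokenVault, ticket: dict) -> dict:
    """Return the ticket as it would sit in the database: PII fields tokenised,
    non-sensitive fields (ticket id, issue text) left as-is."""
    stored = dict(ticket)
    for field in SENSITIVE_FIELDS:
        stored[field] = vault.tokenise(ticket[field])
    return stored


def read_ticket(vault: TokenVault, stored: dict, caller_roles: set) -> dict:
    """Rehydrate a stored ticket; raises PermissionError without the right."""
    ticket = dict(stored)
    for field in SENSITIVE_FIELDS:
        ticket[field] = vault.detokenise(stored[field], caller_roles)
    return ticket
```

A bulk export of the stored tickets by someone holding only database credentials yields tokens, which is the "useless tokens instead of salable data" outcome Poschman describes.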
Behaviour analytics is another option that could have benefited Trend Micro. This identifies employees engaging in unusual activity within an enterprise’s network, giving companies the opportunity to take action before a person has the opportunity to sell on any data they have acquired.
“The report states that the user in question ‘improperly accessed the data’,” said Draper of the Trend Micro incident.
“That being the case, if a modern behaviour analytics solution such as GRA had been deployed, this activity would have been highlighted before the user had the chance to extract the data and sell it.
“This would have, not only stopped the data exfiltration, but would have also stopped the Trend Micro users getting the scam calls.”
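As an added example of the kind of check behaviour analytics performs (not code from Gurucul or Trend Micro), the script below runs over a constructed customer-record access log, builds each user's per-day baseline of distinct records read, and flags a day whose count is many times that baseline. The log format, user names and the 5x threshold are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample access log (not real data): "<timestamp> <user> <action> <record_id>".
# alice reads a few customer records a day, then bulk-reads 40 records overnight on day 5.
LOG_LINES = [
    f"2019-08-0{d}T10:{m:02d}:00 alice read_customer {1000 + 10 * d + m}"
    for d in range(1, 5) for m in range(3)
] + [
    f"2019-08-05T02:{m:02d}:00 alice read_customer {2000 + m}" for m in range(40)
] + [
    f"2019-08-0{d}T11:00:00 bob read_customer {3000 + d}" for d in range(1, 6)
]


def parse_log(lines):
    """Yield (day, user, action, record_id) tuples from the constructed log."""
    events = []
    for line in lines:
        timestamp, user, action, record_id = line.split()
        events.append((timestamp[:10], user, action, record_id))
    return events


def daily_counts(events):
    """user -> day -> number of distinct customer records read that day."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, user, action, record_id in events:
        if action == "read_customer":
            seen[user][day].add(record_id)
    return {u: {d: len(r) for d, r in days.items()} for u, days in seen.items()}


def flag_anomalies(counts, factor=5.0, min_history=3):
    """Flag (user, day, count, baseline) when a day's count exceeds factor times
    the user's own mean over earlier days; skip users with too little history."""
    alerts = []
    for user, days in counts.items():
        ordered = sorted(days.items())
        for i, (day, count) in enumerate(ordered):
            history = [c for _, c in ordered[:i]]
            if len(history) < min_history:
                continue
            baseline = sum(history) / len(history)
            if count > factor * max(baseline, 1.0):
                alerts.append((user, day, count, baseline))
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalies(daily_counts(parse_log(LOG_LINES))):
        print("anomalous access:", alert)
```

Per-user baselines matter here: a volume that is normal for a data analyst is a strong signal for a support agent who usually touches a handful of tickets.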