Nefarious Emails, Novel Malware, and Negligence: The Growth of the Insider Threat
By Ricci Dipshan, From Legaltech News
The 2016 Global Threat Report finds that a company’s biggest vulnerability is usually its own staff, and that cybercriminals are hitting this weakness with increasing sophistication.
With the fault lines in the battle against cyberattacks pushed back, 2016’s cyberthreat landscape is becoming defined by accidental in-house security lapses and sophisticated efforts to exploit employees’ weaknesses, according to the 2016 Global Threat Report by Forcepoint.
While a company’s defense perimeter is always being tested, the threats within its walls are the ones that usually cause the most damage. The report cites a January 2016 Forrester survey, which found that internal incidents were a “leading cause” of the breaches experienced by respondent firms, with more than half noting that they were due to employee negligence or oversights.
Joseph Abrenio, vice president of commercial services at Delta-Risk, told Legaltech News that “the most prevalent [cause of data loss] is human error and negligence.”
“Let’s face it, productivity is king, and lawyers, paralegals, assistants, all of the staff are constantly under great pressure to produce,” he explained. “When you’re doing that at such a high rate, ultimately it’s bound that human failure is going to happen. And I’ve seen numerous inadvertent disclosures of data that are either to opposing counsel, to counsel not even involved in the case or people that have no relationship to the case.”
Abrenio specifically noted the loss of encrypted company devices, such as laptops, tablets or mobile phones, as a widespread danger that often goes unreported.
But even when employees take care not to misplace devices, their careless actions with a device can turn it into a Trojan horse. The report cited an Idaho National Laboratory study, for example, which discovered that 20 percent of employees connected a found, unknown USB device to one of their work computers, potentially exposing their systems to ransomware and malware.
Chances of infiltrating a company through a physical connection, however, are usually slim, so many cyberattackers are instead betting on fraudulent emails to deploy malicious files directly inside a network.
The report found that spam dropped markedly, from 88.5 percent of all email in 2014 to 68.4 percent in 2015, and that almost all spam (91.7 percent) contained a malicious link.
In comparison, spam emails that carry malware attachments make up only 2.34 percent of all such emails, with macros — programs embedded in Microsoft Office files — comprising 44.7 percent of these dangerous attachments, the second most common malicious attachment type after zip files.
Cyberattackers are also targeting employees through their use of shadow IT, betting on the fact that many will download unlicensed programs. This, for example, is the favored deployment channel of a particularly dangerous and automated malware only recently discovered by Forcepoint.
Dubbed Jaku, the program encompasses a global botnet campaign — an interconnected network of computers controlled by cybercriminals without the users’ knowledge that acts to infect other computers and send out targeted malware and spam emails.
The report noted that the program, which it said originated from Thailand, Malaysia and Singapore, has affected 19,000 unique victims in 134 countries, with the top countries being South Korea, Japan, China, Taiwan and the U.S. Forcepoint also found that Jaku dwells on an infected system for an average of 93 days, and a maximum of almost one year (348 days).
In a statement accompanying the report, Dr. Richard Ford, Forcepoint chief scientist on Jaku, said that the program was novel for its ability to spread infection and execute specific attacks simultaneously. “What is somewhat of a step-change is the execution of a number of concurrent operations within a campaign, using almost identical time-triggered protocols to herd thousands of victims while at the same time executing a targeted operation.”
Companies and cyber security programs, however, are trained to be aware of and look for malicious files such as Jaku hosted on a computer system, so while employees may be unaware that their computer is being controlled remotely, malicious access may eventually be identified.
But even experts and IT professionals can be kept in the dark about who is controlling company devices given a new delivery technique discovered by SentinelOne that makes remote access Trojans (RATs) almost invisible to detect.
“This new technique keeps the RAT payload/file in memory during execution. Since the malware never touches the disk in unencrypted state, it cannot be detected by antivirus technologies and even some of the latest generation products, since they’re only monitoring for file-based threats. We expect to see an increase in file-less based attacks that execute in memory to avoid detection,” explained Joseph Landry, senior security researcher, SentinelOne.
Landry added that while the threat is “mostly contained in Asia,” and possibly developed to use against nation governments, “this threat could be used against enterprises including law firms. It’s not uncommon for these techniques to be handed down from nation organizations, or sold, to the cybercriminal community.”
Such threats, Landry advised, can be found using “behavior-based detection mechanisms,” which “continuously look for malicious behaviors all the way down to the user-space/kernel-space interface.”
For more on this story go to: http://www.legaltechnews.com/id=1202756012968/Nefarious-Emails-Novel-Malware-and-Negligence-The-Growth-of-the-Insider-Threat-#ixzz472raqAIl