When FBI agents arrested a 21-year-old Massachusetts National Guardsman on April 13, the circumstances seemed pulled from bad spy fiction. For months, a junior airman allegedly photographed and copied highly classified material and disseminated dozens of these documents—which contained intelligence and assessments on Russia, Ukraine and other sensitive topics—on a Discord server named Thug Shaker Central.
The airman, Jack Teixeira, is now in federal custody and faces charges of unauthorized retention and transmission of national defense information and willful retention of classified documents, which carry a potential maximum sentence of 15 years in prison, according to the Washington Post.
When the classified files and documents surfaced on Discord and other sites, cybersecurity experts were reminded of other well-known leaks, including those of former National Security Agency contractor Edward Snowden and the Vault 7 documents that detailed the CIA’s hacking tools.
This latest leak of classified material also reminded observers of the dangers of insider threats. “Threats, including leaking confidential information from insiders, continue to be one of the biggest risks facing organizations today,” Dave Gerry, CEO at Bugcrowd, recently told Dice. “Simply put: insiders typically have access to sensitive information in order to do their jobs, and ensuring that access controls—that is, need-to-know access—are accurate and updated remains the best way to defend against insider attacks.”
For tech pros, incidents such as the Discord leaks are a wake-up call to reflect on how to respond to such incidents, what training is needed to prevent them, and how best to prepare their organization and non-tech workers to limit damage and keep sensitive data from leaking.
Insider Threats: By the Numbers
Insider threats are typically viewed in two ways. The first is a malicious actor who steals data, documents and other information for personal gain, to make a political statement or for a variety of other reasons. The second type of insider threat comes from employees or individuals who make mistakes that give outside threat actors a chance to disrupt or attack an organization.
“Over the past six months to a year, we have seen an increasing amount of incident response engagements involving malicious insiders and unwitting assets being compromised via social engineering,” stated a September 2022 blog from Cisco Talos.
The case against Teixeira, who worked as IT support for the National Guard, seems to fit into the first category. There are also numerous recent examples of employees or workers making mistakes or acting carelessly with company data:
- Numerous articles published over the last month report that Samsung engineers inadvertently leaked company data when they uploaded code and other information into ChatGPT.
- In April, Tesla settled a case with a former engineer accused of taking data and information related to the automaker’s AI-trained supercomputer, according to a report in Reuters.
- Finally, an employee with the U.S. Consumer Financial Protection Bureau appears to have sent personal information related to thousands of people to a personal email address, according to the Wall Street Journal.
A 2022 report from Keeper Security that interviewed over 500 IT decision-makers found that 79 percent of participants were concerned about a breach from within their organization, and 47 percent of those respondents have suffered a breach or another incident related to an insider threat.
Another study released by the Ponemon Institute and security firm Proofpoint found that, in 2022, insider threat incidents increased 44 percent over the past two years, with costs per incident now totaling more than $15 million.
One reason for this increase: work has changed since the pandemic, with more employees remote or using a hybrid schedule, and the increasing use of cloud-based tools and platforms allows data to move beyond organizations’ perimeters. “An example of this need to adapt is the increase of remote work and proliferation of cloud-based services,” Darren Guccione, CEO and co-founder at Keeper Security, told Dice. “The loss of the perimeter and the skyrocketing number of endpoints has led to less visibility and created a larger attack surface for threat actors.”
Since employees continue to need access to data for their jobs (it was reported that Teixeira had access to classified networks and his superiors would forward to him emails with sensitive documents attached), the threat of information falling into the wrong hands is only growing over time, said Claude Mandy, chief evangelist for data security at security firm Symmetry Systems.
“CISOs should realize that most insiders have authorized and legitimate needs to access the data being protected. This renders traditional preventive data security tools almost ineffective in preventing the purposeful leak of sensitive information by an insider,” Mandy told Dice. “Even worse, these tools are completely blind when the organization doesn’t know where the information is stored or it is stored in a third party, given that most security tools focus on securing the networks and systems that information is stored on.”
Skills in Demand: Zero Trust and IAM
These latest insider threats show that organizations need to keep investing in threat prevention techniques, which in turn requires tech and security pros skilled in areas such as identity and access management (IAM) and zero trust, an architecture designed to reinforce the principles of least privilege and defense-in-depth.
“Organizations large and small should implement a zero-trust architecture with least access privilege to ensure employees only have access to what they need to do their jobs,” Guccione said. “Organizations should also have security event monitoring in place. Access management software can help with privileged account and session management, secrets management and enterprise password management.”
Since the pandemic, employees no longer access confidential data solely in air-gapped environments. For many companies this means altering processes and controls to accommodate the handling of sensitive data by a remote workforce, and it requires tech and cybersecurity pros to help build programs that counter insider threats, said Nick Rago, field CTO at Salt Security.
“Companies must establish formal insider threat programs to identify their most critical assets, and leverage technologies such as data loss prevention, access management, and behavior analysis tools, to help enforce protection of those assets,” Rago told Dice.
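The two controls named above, need-to-know access management and behavior analysis over access records, can be shown together in a small simulation. The following is an added example written for this page, not code from Dice, Keeper Security, Salt Security or any other vendor quoted here; the roles, sensitivity tags, compartments, users and read patterns are all constructed for illustration.

```python
"""Least-privilege (need-to-know) document access with an audit log and a
simple behaviour check over that log. Everything here is hypothetical."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean

# Constructed need-to-know policy: a role may read a document only if it is
# cleared for the document's sensitivity tag AND belongs to its compartment.
ROLE_POLICY = {
    "it_support": {"tags": {"public", "internal"}, "compartments": {"it_ops"}},
    "analyst": {"tags": {"public", "internal", "restricted"}, "compartments": {"analysis"}},
}


@dataclass(frozen=True)
class Document:
    doc_id: str
    tag: str          # sensitivity label, e.g. "internal" or "restricted"
    compartment: str  # need-to-know grouping
    body: str


@dataclass(frozen=True)
class AccessEvent:
    day: int
    user: str
    role: str
    doc_id: str
    allowed: bool


def is_authorized(role: str, doc: Document) -> bool:
    """Deny by default: unknown roles and out-of-compartment reads fail."""
    policy = ROLE_POLICY.get(role)
    if policy is None:
        return False
    return doc.tag in policy["tags"] and doc.compartment in policy["compartments"]


class DocumentStore:
    """Every read attempt, allowed or denied, is written to the audit log."""

    def __init__(self, docs):
        self._docs = {d.doc_id: d for d in docs}
        self.audit_log: list[AccessEvent] = []

    def read(self, day: int, user: str, role: str, doc_id: str):
        doc = self._docs.get(doc_id)
        allowed = doc is not None and is_authorized(role, doc)
        self.audit_log.append(AccessEvent(day, user, role, doc_id, allowed))
        return doc.body if allowed else None


def detect_anomalies(events, bulk_factor=3.0, min_bulk=5, max_denials=3):
    """Behaviour analysis over the audit log: flag users whose busiest day
    is far above their own baseline, or who keep hitting access denials.
    Returns {user: [reasons]}; an empty dict means nothing stood out."""
    findings = {}
    for user in {e.user for e in events}:
        reasons = []
        own = [e for e in events if e.user == user]
        denials = sum(1 for e in own if not e.allowed)
        if denials >= max_denials:
            reasons.append(f"{denials} denied reads (probing beyond need-to-know)")
        reads_per_day = Counter(e.day for e in own if e.allowed)
        if len(reads_per_day) >= 2:
            busiest_day, busiest = max(reads_per_day.items(), key=lambda kv: kv[1])
            baseline = mean(v for d, v in reads_per_day.items() if d != busiest_day)
            if busiest >= min_bulk and busiest >= bulk_factor * baseline:
                reasons.append(f"day {busiest_day}: {busiest} reads vs baseline {baseline:.1f}/day")
        if reasons:
            findings[user] = reasons
    return findings


def run_demo():
    """Constructed scenario: one user behaves normally, one bulk-reads and probes."""
    docs = [Document(f"it-{i}", "internal", "it_ops", f"runbook {i}") for i in range(10)]
    docs += [Document(f"rep-{i}", "restricted", "analysis", f"report {i}") for i in range(5)]
    store = DocumentStore(docs)
    for day in range(1, 6):                      # alice: one report per day
        store.read(day, "alice", "analyst", f"rep-{day - 1}")
    for day in range(1, 5):                      # bob: one runbook per day, days 1-4
        store.read(day, "bob", "it_support", f"it-{day - 1}")
    for i in range(4, 10):                       # bob, day 5: six runbooks at once
        store.read(5, "bob", "it_support", f"it-{i}")
    for i in range(5):                           # bob, day 5: five denied report reads
        store.read(5, "bob", "it_support", f"rep-{i}")
    return store, detect_anomalies(store.audit_log)


if __name__ == "__main__":
    _, findings = run_demo()
    for user, reasons in findings.items():
        print(user, "->", "; ".join(reasons))
```

The point of keeping denied attempts in the same log as allowed reads is that, as Mandy notes above, an insider usually holds legitimate access, so the preventive check alone says little; the volume spike and the repeated denials against a compartment the role was never cleared for are what a review team would act on.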
This approach also needs to include other parts of the company, and requires tech and security pros to understand how the business side works, said Michael DeBolt, chief intelligence officer at Intel 471.
“Security teams, management and human resources departments should establish communication and response procedures to ensure employee warning signs are spotted early on and actioned as soon as possible,” DeBolt told Dice. “Threat intelligence teams need to monitor the cybercrime underground where insiders and recruiters operate and insider relationships are initially formed to have visibility into possible threats to their organization.”
What tech pros and organizations need to understand, especially in the wake of these latest insider threat incidents, is that handling sensitive data now demands new approaches to security, along with the skills needed to make those changes work.
“While access control tools can help automate and manage these controls, security fundamentals regarding information control, role access and, ultimately, the ethical handling of sensitive information are critical to reducing insider threats,” Bugcrowd’s Gerry said. “Employers must balance security controls with the speed needed to conduct business efficiently. Today's organizations remain globally dispersed, requiring new tactics and approaches to security fundamentals.”