Insider cyber risk on the increase says Kroll

/ 7th November 2022 /
John Kinsella

Kroll, the provider of risk and financial advisory solutions, has warned of an upsurge of ‘insider threats’ to company computer networks, spurred by dissatisfied employees.

The company said that in Q3 2022 insider threats accounted for one-third of all unauthorised access threat incidents notified to the company.

Kroll said it also observed a number of malware infections via USB this quarter, potentially pointing to wider external factors that may encourage insider threat, such as an “increasingly fluid labour market and economic turbulence”, as Kroll puts it.

Other findings in the Q3 Threat Landscape report include:

- An increase in phishing, particularly via valid accounts, which could be tied to malware trends such as growth in the use of the credential stealer URSA.

- A decrease in overall ransomware attacks but interesting activity among specific groups such as LockBit.

- An increase in malware, fuelled by the proliferation of credential-stealing malware such as URSA, Vidar and Raccoon among others.

- An increase in attacks against professional services and manufacturing firms.

Laurie Iacono, associate managing director for cyber risk at Kroll, said the steady growth of insider threat is a worrying trend for businesses.

“Whether it be insiders who are malicious by intent, simply careless or compromised by cybercriminals, the potential damage – particularly with regards to intellectual property theft – can be significant,” she said.

“Rising inflation and the number of jobs available post-pandemic has become a reason for many to move jobs. This becomes ripe ground for possible insider threat, as employees try to retain information on the projects they’ve worked on outside of corporate devices or, in other cases, they retain access rights and permissions for tools and applications they previously used as HR and IT teams struggle to keep up with the amount of staff turnover.”

Trojan horse

Iacono added: “To counter insider threat, organisations should pay close attention to the access rights they give to staff and always try to maintain a ‘least-privilege’ environment. Monitoring for suspicious activity – such as a particularly large data download or unknown USB device – is another way to spot potential compromises of security.

“Above all, clear instructions to employees on what is and isn’t allowed, combined with fast and efficient IT and HR processes that work together in harmony, will prove the best defence against insider threat becoming a trojan horse.”

The Kroll report notes that the risk of insider threat is particularly high during the employee termination process.

Disgruntled employees may seek to steal data or company secrets to publicly undermine an organisation, while other employees may seek to move over data – such as contact lists and other proprietary documents – that they can leverage at their new employers.

After declining in Q2, web compromise saw a small uptick in Q3. Malware (excluding ransomware) saw a jump from 1% in Q2 to 5% of cases in Q3.

Kroll believes this increase is likely linked to the proliferation of information-stealing malware such as Redline, Raccoon, Vidar and URSA. These types of ‘info-stealers’ are typically spread through phishing campaigns.

According to Kroll: “Once a victim’s machine is infected, the malware is able to target and steal a variety of data, including browser histories, device fingerprints, login credentials and financial data.

“Information from this malware is often sold on credential markets where a user may buy a listing that gives them access from a compromised computer from which they can then log an attack.

“It is also widely believed that information gained through this type of malware helps to fuel the activities of initial access brokers operating in the ransomware ecosphere by providing legitimate credentials for access into corporate networks.”

Kroll added that there has been an increase in USB-based malware cases targeting clients. When clicked, .LNK files run an MSI installer process to fetch and install RaspberryRobin, a malware strain typically distributed via USB drive.
