We’ve written at length about how malicious insiders can use compromised machine identities to steal large amounts of data, all while remaining undetected. Attackers prefer to use encryption because it allows them to circumvent most security controls. In fact, analysts now estimate that over half of all network attacks leverage this method.
Unfortunately, hidden insider threats can have catastrophic real world consequences.
Last year, the National Security Agency was breached by the Shadow Brokers, a self-described hacker group of unknown origin. The Shadow Brokers leaked the NSA’s “cyber weapons,” which included zero-day exploits and vulnerabilities. The agency is still reeling from this breach, which has taken a toll on morale. The Hill recently reported: “both longtime employees and new hires, are moving to better-paying jobs in the private sector under the stress of an investigation yet to find a suspect to focus on.”
In addition, it was revealed that the orchestrator may still have access to the NSA’s data.
According to an article from Security Brief Europe: “Former deputy and acting director of the CIA, Michael Morell says 15 months since the first leak occurred they don’t know what else the leakers might have or how the information got out of the NSA in the first place. Morell says the scariest thing about the whole ordeal is that for all they know, the group could still be actively stealing information.”
Morell’s admission is shocking, but not surprising. If the leaker compromised the NSA’s machine identities, and if the NSA’s machine identity security is weak, like that of most other large organizations, it would be nearly impossible to trace how the attacker gained access and how they exfiltrated the data.
“By using forged or compromised keys and certificates, attackers create malicious tunnels into your network where they hide while they conduct surveillance, install malware and ultimately exfiltrate valuable data,” my colleague Nick Hunter wrote in a recent blog post. “This type of attack is particularly nefarious because the tunnels that attackers use appear to contain everyday business communications, unless they are inspected. But let’s face it, how many organizations inspect 100% of their network traffic?”
Ultimately, Morell’s admission should be a wakeup call for businesses across the globe. After all, the NSA is one of the most protective and secretive organizations in the world and has invested heavily in cyber security technology. The Shadow Brokers breach demonstrates how prevalent insider attacks are, and how devastating they can be.
Can you detect the exfiltration of data through encrypted tunnels?