The threat actor known as Lapsus$ Group recently made headlines by compromising both Microsoft and Okta. The aim was a “double extortion” attack: exfiltrate data, threaten to publish it unless a ransom is paid, and sell it privately in the meantime. The campaign also exposed Lapsus$ Group blatantly and publicly recruiting employees of its targets to help it gain access to internal networks.
While this is not the first time insiders have been recruited this way, it has generally been the work of nation-state groups seeking access to government employees or contractors. This bold move by a criminal group shows organizations that insider threats can quickly become external threats, and that security teams need programs that jointly detect, validate, and respond to both. It also shows that cloud environments are attractive targets, because they are often less well defended: many vendors have lifted and shifted on-premises tooling into the cloud rather than building solutions designed to span any infrastructure.
The backdrop is a changing workforce. In the era of “The Big Quit”, worker loyalty is dropping and employees change jobs more frequently, which widens the pool of insiders a group like Lapsus$ can approach.
Insider threats have increased dramatically
According to the 2022 Global Cost of Insider Threats Report, insider threats cost organizations $15.4 million a year, 34% more than in 2020. Insider incidents are often the costliest information security incidents an organization faces. Whether your organization prefers to discuss and resolve these issues openly or to handle them confidentially, there is a critical need to detect insider threats early, identify external exposures, and speed up the response to identified incidents.
Privileged access is called “privileged” for a reason. If privileged accounts are compromised, external threat actors hold the same privileged access to the same resources, which makes their activity extraordinarily difficult to distinguish from legitimate use and to stop. So how do we identify insider risk, which can become an insider threat and later an external attack?
How to deal with insider risk
In cybersecurity, early detection directly affects your ability to respond to and contain security incidents. It is therefore imperative to spot patterns of behavior that indicate risk as soon as they emerge.
You may have a collection of security tools protecting your organization from known external threats. You may have terabytes or petabytes of log data but struggle to make sense of it. You may use a SIEM to collect and analyze security events. But how well do these traditional tools find threats that match no rule or signature, such as a malicious insider using the access they were legitimately granted?
Rule- and signature-based tools are poorly suited to the nuances of changing user behavior: misuse of privileged access, data exfiltration, unusual external communication, or an insider quietly opening doors for external threat actors.
Behavior Analytics detects malicious insider activity
What is needed is a new way to examine the myriad user behaviors in large environments and surface suspicious activity. User and entity behavior analytics (UEBA) provides the insight and intelligence needed to uncover, investigate, and remediate real security incidents.
These efforts are accelerated by working with HR teams, and with the applications and infrastructure they manage, through a well-designed process for handling insider risk and potential threats. Bringing identity monitoring and analysis into the picture, so that a user's privileges and access rights are understood alongside their behavior, is essential to identifying suspicious or malicious activity.
Understanding insider risk and risky behaviors before actual insider threat activity occurs is critical to staying ahead of the curve and preventing data theft, loss, extortion, or even ransomware, the last of which the Lapsus$ Group has also engaged in.
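As an added illustration of the behavior-plus-identity approach the preceding paragraphs describe (example code written for this page, not Gurucul's product or any specific UEBA implementation), the script below builds a per-user baseline from a training window of constructed access logs, then scores later events for deviations a static rule set would miss: new resources, new source networks, off-hours activity, volume spikes, and bulk downloads. Identity context (a privileged role) and HR context (a resignation on file) are applied as multipliers. The log format, the user names, the weights, and the `IDENTITY` table are all assumptions made for the example.

```python
"""Toy UEBA-style risk scoring over constructed access logs (illustrative only)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <user> <action> <resource> <src-network>"
BASELINE_LOG = """
2022-03-01T09:12:00 alice read cust_db corp-lan
2022-03-01T10:05:00 alice read cust_db corp-lan
2022-03-02T09:40:00 alice read cust_db corp-lan
2022-03-02T14:10:00 alice read hr_wiki corp-lan
2022-03-03T09:05:00 alice read cust_db corp-lan
2022-03-01T08:30:00 bob read build_srv corp-lan
2022-03-02T08:45:00 bob read build_srv corp-lan
2022-03-03T09:00:00 bob read build_srv vpn
""".strip()

OBSERVED_LOG = """
2022-03-10T23:40:00 alice read cust_db home-isp
2022-03-10T23:41:00 alice download cust_db home-isp
2022-03-10T23:42:00 alice download cust_db home-isp
2022-03-10T23:43:00 alice download src_repo home-isp
2022-03-10T23:44:00 alice download src_repo home-isp
2022-03-10T23:45:00 alice download src_repo home-isp
2022-03-10T09:15:00 bob read build_srv corp-lan
""".strip()

# Constructed identity / HR context: privileged role holders and people who have resigned.
IDENTITY = {
    "alice": {"privileged": True, "departing": True},
    "bob": {"privileged": False, "departing": False},
}


def parse(log):
    """Split the constructed log lines into event dicts."""
    events = []
    for line in log.splitlines():
        ts, user, action, resource, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource, "src": src})
    return events


def build_baseline(events):
    """Per user: known resources and sources, observed hour window, daily volume stats."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    baseline = {}
    for user, evs in per_user.items():
        daily = defaultdict(int)
        for e in evs:
            daily[e["ts"].date()] += 1
        counts = list(daily.values())
        baseline[user] = {
            "resources": {e["resource"] for e in evs},
            "sources": {e["src"] for e in evs},
            "hours": (min(e["ts"].hour for e in evs), max(e["ts"].hour for e in evs)),
            "daily_mean": mean(counts),
            "daily_std": pstdev(counts),
        }
    return baseline


def score_user(user, events, baseline, identity):
    """Return (risk score 0-100, reasons). Weights are illustrative, not tuned values."""
    b = baseline.get(user)
    if b is None:
        return 50, ["no baseline for user"]
    score, reasons = 0, []
    new_res = {e["resource"] for e in events} - b["resources"]
    if new_res:
        score += 20; reasons.append(f"new resources {sorted(new_res)}")
    new_src = {e["src"] for e in events} - b["sources"]
    if new_src:
        score += 15; reasons.append(f"new sources {sorted(new_src)}")
    lo, hi = b["hours"]
    off_hours = [e for e in events if not lo <= e["ts"].hour <= hi]
    if off_hours:
        score += 15; reasons.append(f"{len(off_hours)} off-hours events")
    daily = defaultdict(int)
    for e in events:
        daily[e["ts"].date()] += 1
    peak = max(daily.values())
    if peak > b["daily_mean"] + 3 * max(b["daily_std"], 1):  # floor the std so a flat baseline still has slack
        score += 25; reasons.append(f"volume spike {peak}/day vs mean {b['daily_mean']:.1f}")
    downloads = sum(1 for e in events if e["action"] == "download")
    if downloads >= 3:
        score += 15; reasons.append(f"{downloads} downloads")
    ctx = identity.get(user, {})
    if ctx.get("privileged"):
        score = int(score * 1.25); reasons.append("privileged account")
    if ctx.get("departing"):
        score = int(score * 1.5); reasons.append("HR: departing")
    return min(score, 100), reasons


def triage(baseline_log=BASELINE_LOG, observed_log=OBSERVED_LOG, identity=IDENTITY, threshold=60):
    """Score every user seen in the observation window; return those at or above threshold."""
    baseline = build_baseline(parse(baseline_log))
    observed = defaultdict(list)
    for e in parse(observed_log):
        observed[e["user"]].append(e)
    findings = []
    for user, evs in observed.items():
        score, reasons = score_user(user, evs, baseline, identity)
        if score >= threshold:
            findings.append((user, score, reasons))
    return sorted(findings, key=lambda f: -f[1])


if __name__ == "__main__":
    for user, score, reasons in triage():
        print(f"{user}: {score} -> {'; '.join(reasons)}")
```

Running it flags only alice: a privileged, departing user pulling a new repository from a new network late at night, at several times her normal daily volume. Each signal on its own could be a legitimate late shift or a new project; the combination, weighted by what the identity system and HR already know, is what makes it worth an analyst's time, and bob's ordinary morning access scores zero without any rule having to name either user.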
Gurucul offers an advanced UEBA solution built on machine learning algorithms, investigation tools, and scalable big data; Hadoop back ends provide the analytical power and risk intelligence needed to protect your organization. We also pioneered integration with identity and access management solutions, using advanced identity analytics to bring user identity information into threat detection and monitoring. Coupled with the ability to ingest identity, endpoint, application, network, cloud, and IoT data of any type and interpret it for risk and insider threat activity, this puts Gurucul at the forefront of helping security teams close a significant gap in their overall security program.
Attend the webinar
To learn more about how Gurucul can help you implement or improve your insider threat program and align it with your external threat detection program, attend our webinar and get ahead of attacks like those carried out by the Lapsus$ Group.
Upcoming Webinar: Best Practices for Implementing an Insider Threat Program
Date/Time: Thursday, April 14, 2022 at 11:00 am PDT
The post Lapsus$ Group Exposes That Internal Threats Are Also External Threats first appeared on Gurucul.
*** This is a syndicated Security Bloggers Network blog from Gurucul Blog | Security Analytics | Machine Learning Models on Big Data, written by Sanjay Raja. Read the original post at: https://gurucul.com/blog/lapsus-group-exposes-internal-threats-are-also-external-threats