The Most Vicious Zero-Day Exploit? Insiders.

As security professionals we worry about zero-day exploits - those vulnerabilities known by attackers for which there is no current fix. The zero day, of course, lasts until we assiduously apply patches, waiting for Tuesdays like a kid waiting for gifts on Christmas morning. The gift givers come from many sources – Microsoft, Apple, Adobe, Oracle and any number of other software vendors.

As much fun as it is to wake up to patches waiting to be unwrapped, we don't want the regret of "exploit Wednesday", which is far more embarrassing than becoming a victim of a zero-day exploit. After public disclosure of a zero-day exploit, there is an increase of up to five orders of magnitude (PDF) in the volume of attacks. There are some bad Santas out there, bringing pain instead of gifts, and they're not going through the trouble of trying to access your environment via the chimney when the front door is open.

While there is some protection afforded by a good patch process, it doesn't reduce the time between vulnerability discovery to patch distribution. It's impossible to know for certain what the average vulnerability window is, but estimates put it at 312 days. Zero-day exploits can make anyone feel vulnerable and a bit intimidated, like a small child forced to take a photograph with an enormous bearded stranger.

Why insiders are a growing problem Zero-day exploits get a lot of attention, deservedly so. But insider misuse is a parallel, possibly greater threat, which needs to be revisited.

Typically, we think of the insider threat as coming from malicious privileged users like Edward Snowden. Yet the 2015 Verizon Data Breach Investigation Report (DBIR) indicates that only 1.6% of insider misuse comes from system administrators, citing an effectiveness of controls required by SOX and PCI auditors that has minimized this threat.

What is surprising is that for the first time in the history of the DBIR, regular end users have jumped to the top of the list at 37.6% of all insider misuse incidents, indicating a growing ability for non-privileged employees to abuse their expanding access rights. It makes sense, as an ever-increasing number of workers are provided technology devices and access to applications to perform their tasks.

Malicious insiders are a threat, but not exclusively

It's not just the malicious insider to be concerned with. The same Verizon report indicates that only 55% of insider misuse was related to abuse of privileges, which means the remaining 45% is either related to careless exposure of information, or more ominously, the appropriation of insider credentials by outsiders, as has been reportedly seen in breaches at Anthem and OPM.

In fact, if we broaden the lens of classification of all security incidents in the DBIR report, we see that the top four categories – miscellaneous errors, crimeware, insider misuse and physical theft/loss – add up to 90.4% of all incidents, and have at their core an insider action.

Dealing with the insider threat

Interestingly, mitigation efforts for the insider threat has parallels with zero-day exploit defense:

Insider Threat Risk Reduction Zero-day Exploit Risk Reduction
Reduce the attack footprint by implementing least privileges for users Reduce the attack footprint by configuring services with least privileges and segmenting services and networks
Control access by implementing stronger authentication such as multi-factor authentication and risk-based authentication Control the apps allowed on the network by whitelisting and keep them patched
Invest in user activity monitoring and response processes to detect and disrupt insider threats, and narrow their exploitation time Invest in monitoring technologies and response processes to detect and disrupt threats, and narrow the exploitation time

Insiders have access to the most sensitive information in any organization. Imagine what a rogue elf could do to Santa's operation if he were to disclose the trade secrets of toy manufacturing and distribution that thus far have remained secured in the North Pole. It's worth putting at least as much effort into dealing with the insider threat as we do worrying and defending against zero-day attacks.