When a professional relationship ends, there are generally two ways to go about it.
You can act like an adult and move on to your next chapter in life, keeping your bridges intact for the road ahead.
Or you can choose to burn everything to the ground (figuratively I hope).
Making a Bad Situation Worse
In a bizarre yet not uncommon case that popped up in December, Miklos Daniel Brody, a cloud engineer employed by First Republic Bank in San Francisco until his firing in March 2020, received a two-year sentence for a litany of malicious actions he took against his former employer.
Brody, according to reports, got the boot after downloading pornography onto a USB stick from his company’s computers.
From a security standpoint, I’m not sure which is more offensive — downloading porn on a company device or plugging in a random USB.
The latter struck me as the riskier offense, though he showed poor judgment at every step along the way.
It was at this point that Brody went from a bad situation to something worse.
According to the US Attorney’s office, Brody proceeded to use his work laptop and the access to company systems that had not been revoked to:
- Delete code repositories in the bank’s cloud
- Impersonate other employees by logging into sessions under their identities
- Run a script to delete logs
- Leave nasty notes for his former compatriots within the stored code
- Steal $5k worth of code that he had worked on during his time at the bank
The damages from Brody’s illicit activities are reported to be $220,621.22, and he is expected to pay $529,266.37 in restitution once he is released from prison.
Elevated Risk from Privileged Insider Threats
While outside hackers (83% according to the Verizon Data Breach Investigations Report for 2023) are still behind the majority of attacks, malicious insiders (19%) are arguably a bigger risk for organizations. IBM’s Cost of a Data Breach for 2023 report found that malicious insiders accrue the biggest cost for targeted organizations, beating out the rest with a whopping $4.9 million price tag average per breach. The report put the insiders ahead of even the pernicious Business Email Compromise ($4.67m) and Phishing ($4.76m) attacks in straight dollars and cents.
As a cloud engineer for the bank, Brody posed an increased risk to First Republic.
This is because he likely had extensive access to the bank’s network, cloud repositories, data storage, and plenty of other sensitive systems and information, far more than, say, an average branch employee.
Brody did not have to break into the organization and wander around to find sensitive assets to steal and damage. He was provisioned access and knew exactly where to look for what he wanted to harm. All he had to do was log in.
All insiders, whether they are new or current employees or even 3rd party contractors with access to your systems, can pose a threat. However, the riskiest of all are the leavers. This includes those who have already been fired or laid off, as well as those who are slated to leave in the near future.
Leavers Pose the Highest Risk
This last group requires the most attention of all when it comes to monitoring their activity before they are removed, during the offboarding process, and afterwards to ensure that they do not use any access that they retained to cause harm to the organization.
Leavers are considered the riskiest because they have the strongest incentive to steal or destroy data, especially if they are leaving under less than friendly terms.
Ensuring that leavers are not able to cause havoc can be complicated by a number of factors:
- Partial Offboarding Due to Blind Spots
You may be able to disable an employee in your Okta, Entra ID, AD, or Ping Identity, but there are plenty of opportunities to miss access not managed by your Identity Provider. These may be roles like local admins in your AWS or on systems not managed by your IdP.
- Access for External Actors and Identities
If you are working with 3rd party contractors, chances are that you have given them access to specific files or even systems as part of your legitimate collaboration. However, when your engagement with them ends, it can be difficult to revoke all of their access because you do not manage their identities.
Beyond the examples of access to say a Google Doc or an Excel in your M365, GitHub is a classic case where users bring their own identities for accessing repositories. Because these identities are not centrally managed by the IdP, a user can easily retain access even after their main identity has been suspended.
- Offboarding Process Failures
In an ideal world, every part of the organization would be in sync when it comes to removing an employee from company systems when they exit the organization. This would mean HR coordinating with IT to revoke access to systems and taking back any hardware before the person is fired. However, some employees will inevitably slip through the cracks. The fact that Brody held onto his company laptop after he was fired is a significant, unforced error on the part of the HR, IT, and Security teams.
- Leavers Grabbing Data Before Exiting
An employee that knows or suspects that they will soon be making an exit from the company is more likely to collect some valuable information on their way out. Under normal circumstances, they might take some examples of their work, professional contacts, or other bits that will help them in their next position but will not cause harm to their current employer.
But in some of the nastier cases, they can steal valuable intellectual property or customer data, and cause other harms.
This is why employees who are likely to be leavers need to have their access activities more closely monitored, notifying security teams if they access sensitive assets. Knowing what has been accessed can also play an important role during investigations if an incident occurs.
Risk from User Impersonation in the Cloud
One interesting tidbit that popped up in this story is how Brody impersonated other users. While the report does not dive into the details here too deeply, it is a good reminder that a privileged attacker who has control over the organization’s IdP can log into the downstream CSPs and SaaS apps with ease.
We have published similar attacks where an attacker with org admin privileges can attach their own malicious IdP to their target’s Okta tenant and then abuse the trust relationship to make themselves a Super Admin. This then allows them to make significant changes in downstream apps, delete logs (like Brody did), and impersonate privileged users in different apps.
If we are not monitoring the upstream Identity Providers and other identity infrastructure, then attackers can abuse those systems to impact the downstream apps.
5 Tips for Mitigating Insider Threats
Handling the threat from malicious insiders requires a mix of risk reduction to minimize your threat surface and real-time detection and response to block attacks when they happen.
Here are a few pointers on how to mitigate your insider threats.
- Coordinate and Streamline Offboarding
Offboarding should be a seamless process. HR systems should be connected with IT and Security systems so that once an employee is set to leave, they have their access revoked as soon as possible. Not tomorrow. Not in a few days. ASAP. Time and again we have seen how just a few hours is enough for an angry ex-employee to cause serious disruption and harm to their former place of employment.
- Reduce Privileges
Remove excessive privileges that a user or identity has, thus reducing their ability to access more systems than they need. This is always a balancing game between giving enough privileges for the employee to be effective at their job while not posing too much risk to the organization.
However, by constantly working towards Least Privilege, we can strive to reduce risk to acceptable levels within our threat model.
- Remove Stale Accounts and Permissions
Especially in the cloud, many identities are simply provisioned far too many privileges from the get-go. This has been found to be particularly true when it comes to what Microsoft terms super administrators and non-human identities. According to their 2023 State of Cloud Permissions Report, super administrators use less than 2% of their permissions while workload identities use less than 5%. By taking a usage-based approach with a Cloud Infrastructure Entitlement Management (CIEM) tool, understanding which accounts and privileges are actually in use, we can reduce risk without compromising on productivity.
If you don’t use it, you lose it. Simple as that.
- Continuous Monitoring for Zombie Accounts
Far too many organizations have inactive identities with privileges just sitting around waiting to be abused. The Colonial Pipeline hack is a prime example of this. Ideally you should remove these inactive accounts. But if not, then at least use continuous monitoring to receive alerts when they spring back to life.
This is especially important for insider threats: a former employee may discover that they still have access to company resources and log in with an account that should have been deprovisioned and deactivated.
- Monitor and Detect Changes to Privileges
Looking upstream to protect your IdP, you need to monitor for changes to privileges, logs, and other bits that may indicate that someone is abusing your identity infrastructure for their attack. Identity infrastructure such as Okta is useful for managing your identities, but it is not a security tool in and of itself. It requires continuous, directed monitoring to detect malicious activity.
Only Identity Threat Detection and Response (ITDR) tools are custom built to uncover these changes, enabling automated responses to alert and block attacks before the malicious actors can carry out their exploitation.
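The monitoring the tips above call for (watching leavers' access, catching zombie accounts that spring back to life, and flagging privilege and IdP trust changes) can be expressed as a few detections over IdP audit events. The following is an added example, not code from the original post or from any vendor; the event names, field names, and the HR/IdP state are constructed assumptions rather than a real IdP schema.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of IdP-style audit events (JSON lines); field and event names
# are assumptions for this example, not any vendor's real schema.
SAMPLE_EVENTS = """\
{"ts":"2024-03-04T09:00:00Z","actor":"alice","event":"user.session.start","target":"alice"}
{"ts":"2024-03-04T09:05:00Z","actor":"jdoe","event":"user.session.start","target":"jdoe"}
{"ts":"2024-03-04T09:07:00Z","actor":"jdoe","event":"user.role.assign","target":"jdoe","role":"SUPER_ADMIN"}
{"ts":"2024-03-04T09:10:00Z","actor":"jdoe","event":"idp.trust.create","target":"external-idp"}
{"ts":"2024-03-04T09:12:00Z","actor":"jdoe","event":"user.impersonation.start","target":"bob"}
{"ts":"2024-03-04T09:20:00Z","actor":"svc-ci","event":"user.session.start","target":"svc-ci"}
"""
# Constructed HR and IdP state feeding the detections.
LEAVERS = {"jdoe": "2024-03-01"}      # termination dates from the HR feed
SUSPENDED = {"jdoe"}                   # disabled in the IdP, so no session should exist
LAST_SEEN = {"alice": "2024-03-03", "svc-ci": "2023-10-01"}  # last sign-in before this window
DORMANT_DAYS = 90
PRIVILEGED_ROLES = {"SUPER_ADMIN", "ORG_ADMIN"}
HIGH_RISK_EVENTS = {"idp.trust.create", "user.impersonation.start", "system.log.delete"}

def _parse_ts(value):
    # Handles both full "...Z" timestamps and bare dates from the HR feed (treated as UTC).
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def analyze(lines):
    """Return (alert_type, actor, ts) tuples for events a security team should act on."""
    alerts = []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        e = json.loads(raw)
        actor, ev, ts = e["actor"], e["event"], _parse_ts(e["ts"])
        if ev == "user.session.start":
            # Zombie/leaver account: a suspended or departing identity still authenticating.
            if actor in SUSPENDED or actor in LEAVERS:
                alerts.append(("LEAVER_LOGIN", actor, e["ts"]))
            # Dormant account springing back to life after a long silence.
            elif actor in LAST_SEEN and ts - _parse_ts(LAST_SEEN[actor]) > timedelta(days=DORMANT_DAYS):
                alerts.append(("DORMANT_REACTIVATED", actor, e["ts"]))
        # Privilege change into an admin role; a self-granted role is the worst case.
        if ev == "user.role.assign" and e.get("role") in PRIVILEGED_ROLES:
            kind = "SELF_PRIV_ESCALATION" if e["target"] == actor else "PRIV_ROLE_GRANT"
            alerts.append((kind, actor, e["ts"]))
        # New IdP trust relationships, impersonation sessions, or log deletion.
        if ev in HIGH_RISK_EVENTS:
            alerts.append(("IDP_HIGH_RISK", actor, e["ts"]))
    return alerts
```

On the sample above this yields five alerts: the departed account logging in, its self-grant of SUPER_ADMIN, the new IdP trust and impersonation events, and the service account waking after 155 days of silence.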
Prevent Identity Abuse and Attacks
Learn more about securing your assets in the cloud with a CIEM solution by downloading our CIEM Buyer’s Guide, or schedule a demo with one of our identity security experts.