When it comes to cybersecurity, it pays to consider both internal and external attacks, that is, both the unwitting victims behind the gates and the trojans sneaking past them.
When thinking about security, we tend to focus on the barriers between us and them: the high walls of the castle. Yet it turns out that preparing for an internal attack can prepare you for the external one as well, since siege attacks often disguise themselves and behave like normal activity: nothing to see here, move along.
This is, after all, the classic meaning of a trojan in cybersecurity: a form of malware that is downloaded on purpose, dragged behind the gates, because it takes the form of a legitimate or innocuous program or behavior. This type of attack typically uses social engineering to get the malicious code run, so that it inherits the user's access and permissions.
In other words, trickery and disguise, just like the Ancient Greeks.
Re-thinking Outside & Inside
Let’s define an “internal threat” as one where an “authenticated” actor seeks to exploit a system, to damage it or to steal data. These kinds of threats are very disturbing from a security perspective because they break our bonds of trust.
Trust is a default setting inside an organization for good reason: companies need to depend on their employees to get daily work done. For this same reason, we may be blind to internal threats and often don’t take the necessary measures to prevent such attacks.
Internal threats can be categorized in two groups:
- Intentional: A bad actor is seeking to exploit the system
- Unintentional: A good actor mistakenly creates a risk
Of course, even an unintentional threat is dangerous: something protected was exposed, a new risk was created, and the resulting damage can be just as large as from a deliberate act. This is why security teams are obliged to be on the lookout for unusual events generated from inside the company.
Instead of preparing to react “if we are breached,” companies should assume they are under attack. First ask: What can we do to detect it? Then ask: What can we do to stop the breach and eliminate the threat?
“Only the paranoid survive,” to quote the famous Silicon Valley saying.
The Barbarians at the Gates
By contrast to internal risks, an external threat is one generated by actors outside the company. The goal of this category of attacks is to breach the company (the castle walls) and gain some kind of foothold inside, from which to deliver a payload that causes losses (financial, reputational, operational etc.).
In security, we’re often biased toward this kind of risk: our firewalls and other defenses stand as digital barricades against the hacker armies. Battle stations!
But what happens when the enemy comes over the top? When does an external attack start behaving like an inside attack? How should we protect from these two categories? Is one more important than the other?
To approach this question, let’s consider some examples:
- A weak password is guessed by an attacker who then breaches the network: is this attack internal or external? What about the further attacks carried out with the compromised account: internal or external?
- An employee falls for a phishing campaign and downloads a malicious executable. That executable gives external attackers access to the internal network: internal or external?
Following this logic, we come to the view that what matters for classification is where an attack began. If the attacker was external, we classify the attack as external; the same holds for internal attacks. But names are just names. What matters is the origin of the attack (and attacker) and which assets are being exploited (external or internal).
Looking at the above examples, we report the breached accounts as external attacks, along with everything related to them. Further attacks originating from the breached account have the same bad actor in the background, external to the company.
Defining Threats in the Playbook
Looking at this common kind of cyber trickery, our playbooks view these types of events as external threats, along with internal movement originating from them.
A complex attack can be split into its components and analyzed further: in this way, an attack that breaches the network and then keeps attacking is defined, from that point on, as an internal attack.
Taking the logic further, we subdivide the attack typology:
- Initial external breach: Was it contained, or did it simply lose steam?
- Continuous inside threat: How are we reacting to mitigate the issue?
In these cases, the breach has an external cause: malicious actors outside the company exploiting a public asset (for example, login credentials used on Internet-facing assets such as VPNs). But once the attacker has infiltrated the network and is impersonating a valid user (using the breached account), we are faced with a continuous insider threat.
Once a user account is compromised, the attacker’s actions are masked by the valid user’s persona. This implies that (unfortunately) we can never fully trust even “validated” users. We need to create detection rules and scenarios which accept this reality and prepare for the attacks that will come: a successful login is the start of the analysis, not the end of it.
In short, when an external attack causes a breach of the network, internal defenses need to kick in and treat the threat as an insider attack.
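As an added example (not code from the original post), the Python script below shows what such a detection rule can look like in practice: it builds a per-user baseline of the countries a user logs in from and the hosts they normally touch, then treats a still-valid account as suspect after a login from a new country or an impossible-travel pair of logins, and flags every access to an unfamiliar host from that point on. The key=value log format, the user and host names, the timestamps and the two-hour travel window are all constructed assumptions for this example, not any product’s real schema.

```python
"""Treating a valid account as a possible insider once its login looks wrong.
Added illustration; log format, names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in a hypothetical key=value layout.
# Baseline window: what "alice" normally does.
BASELINE_LOGS = """\
ts=2024-03-01T08:05:00 type=vpn_login user=alice src_ip=203.0.113.10 geo=DE result=success
ts=2024-03-01T08:07:00 type=access user=alice host=fileserver01 share=finance
ts=2024-03-02T08:10:00 type=vpn_login user=alice src_ip=203.0.113.10 geo=DE result=success
ts=2024-03-02T09:00:00 type=access user=alice host=fileserver01 share=finance
ts=2024-03-03T08:00:00 type=vpn_login user=alice src_ip=203.0.113.11 geo=DE result=success
ts=2024-03-03T08:30:00 type=access user=alice host=crm01 share=sales
"""

# Detection window: the real user logs in, then someone else uses the account.
CURRENT_LOGS = """\
ts=2024-03-10T08:02:00 type=vpn_login user=alice src_ip=203.0.113.10 geo=DE result=success
ts=2024-03-10T08:20:00 type=access user=alice host=fileserver01 share=finance
ts=2024-03-10T08:40:00 type=vpn_login user=alice src_ip=198.51.100.77 geo=BR result=success
ts=2024-03-10T08:55:00 type=access user=alice host=dc01 share=SYSVOL
ts=2024-03-10T09:10:00 type=access user=alice host=hr-db01 share=payroll
"""

# Assumption: two successful logins from different countries inside this
# window cannot be the same person travelling.
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)


def parse(lines):
    """Turn key=value log lines into dicts; 'ts' becomes a datetime."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = dict(field.split("=", 1) for field in line.split())
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def build_baseline(events):
    """Per user: countries seen on successful logins, hosts seen on access."""
    geos, hosts = defaultdict(set), defaultdict(set)
    for ev in events:
        if ev["type"] == "vpn_login" and ev["result"] == "success":
            geos[ev["user"]].add(ev["geo"])
        elif ev["type"] == "access":
            hosts[ev["user"]].add(ev["host"])
    return geos, hosts


def detect(baseline, events):
    """Return (ts, user, rule, detail) alerts. A successful login is not
    trusted by itself: once a rule fires, later activity under that persona
    is judged against the baseline as if it came from an insider."""
    geos, hosts = baseline
    alerts = []
    last_login = {}      # user -> (ts, geo) of the previous successful login
    suspect_since = {}   # user -> ts from which the account is no longer trusted
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["type"] == "vpn_login" and ev["result"] == "success":
            if ev["geo"] not in geos[user]:
                alerts.append((ev["ts"], user, "new_geo", ev["geo"]))
                suspect_since.setdefault(user, ev["ts"])
            prev = last_login.get(user)
            if (prev and prev[1] != ev["geo"]
                    and ev["ts"] - prev[0] < IMPOSSIBLE_TRAVEL_WINDOW):
                alerts.append((ev["ts"], user, "impossible_travel",
                               f"{prev[1]}->{ev['geo']}"))
                suspect_since.setdefault(user, ev["ts"])
            last_login[user] = (ev["ts"], ev["geo"])
        elif ev["type"] == "access":
            # Valid credentials, but a host this user has never touched.
            if user in suspect_since and ev["host"] not in hosts[user]:
                alerts.append((ev["ts"], user,
                               "new_host_after_suspect_login", ev["host"]))
    return alerts


def run_example():
    """Run the rules over the constructed logs and return the alerts."""
    return detect(build_baseline(parse(BASELINE_LOGS)), parse(CURRENT_LOGS))


if __name__ == "__main__":
    for ts, user, rule, detail in run_example():
        print(f"{ts.isoformat()} user={user} rule={rule} detail={detail}")
```

The first access to fileserver01 at 08:20 raises nothing, because the preceding login matched the baseline; the 08:40 login from BR trips both the new-country and impossible-travel rules, and from then on the valid account’s visits to dc01 and hr-db01 are reported as insider-style lateral movement rather than accepted as normal user activity. In a real deployment the baseline would come from weeks of SIEM or identity-provider history and the country lookup from a GeoIP source; the structure of the rules stays the same.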
Protecting Networks from the Inside Out
A diligent approach seeks to protect networks from the inside out.
Yes, sometimes there is a fine line between these threat categories, but in the end, we strive to have the proper security controls in place to lower the general risk the company is facing, no matter the origin of the risk.
When we talk about what keeps us up at night, there are actions to take:
- Pentesting – Assess what vulnerabilities a system may have and what may happen if they are exploited.
- SecOps – Acknowledge vulnerabilities and construct defense-in-depth controls to correct them sooner. We analyze the company and its products from inside the development process (while the product is being built).
- Security Governance – We make sure everybody is on board with security and that stakeholders know what’s required.
Our approach is to monitor and protect against both internal and external risks. This caution may at times seem overbearing for legitimate users. Yet protecting the castle takes the collaboration of all rightful inhabitants.