The threat is already inside

Justin Fier, Director of Cyber Intelligence | Monday March 6, 2017

Imagine a middle-aged middle manager at a multinational corporation. Joe is the kind of employee who’s always done just enough to get by, cutting corners when he can and flying under the radar. One day, Joe’s boss decides that enough is enough. She fires Joe.

Furious, Joe storms back to his desk to pack up his belongings. Halfway through cleaning out his filing cabinet, he remembers that he doesn’t have to go quietly into the night. He still has administrative access to edit the company website, he has valuable client information, and he’s on an email thread with compromising photos of his boss at the last holiday party.

Disgruntled employees like Joe may be in the minority, but their potential to do serious damage can’t be ignored. Posting those photos of his boss on the company website would be trivial, causing embarrassment at best and impacting financial performance and market confidence at worst. Another option at Joe’s disposal would be to make some money out of his trauma by selling client intelligence to a competitor.

Joe might even go a step further, obtaining access to supposedly secure documents via a new device called PoisonTap, a $5 USB device that installs a backdoor on locked computers. By handing over that access to a sophisticated hacker on the Dark Web, Joe could undermine his former employer in the long term with surprising ease.

A recent industry report found that 60 percent of all cyber-attacks are carried out by insiders, and that 1 in 4 of those attacks is accidental. For instance, employees click on phishing emails an alarming 23 percent of the time and often use cloud services like Dropbox despite their company explicitly forbidding them. Even basic cyber hygiene remains an uphill battle. The most common password today is ‘123456’, and ‘password’ isn’t far behind.

So even if Joe does take the high road, he may already have exposed his company to serious risk by using poor passwords, mishandling sensitive documents, or falling victim to a well-disguised phishing attack. Despite our modern-day interest in foreign attackers, the biggest threat facing organizations isn’t nation-state hackers or anonymous saboteurs. It’s everyday employees like Joe.

So how do we stop Joe and people like him from exposing their companies to risk, whether on purpose or by accident? The first step has to be educating employees on best practices, but education can only go so far. Defending against insider threats should be a core focus in our approach to security. To do that, we have to continuously monitor all users and devices and look out for the early signs of compromise. One thing is for sure in cyber security – the threat is already inside.

Justin Fier

Justin is one of the US’s leading cyber intelligence experts, and holds the position of Director for Cyber Intelligence & Analytics at Darktrace. His insights on cyber security and artificial intelligence have been widely reported in leading media outlets, including the Wall Street Journal, CNN, The Washington Post, and VICELAND. With over 10 years of experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly-skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.

Smile! You're on camera

Dave Palmer, Director of Technology | Monday February 13, 2017

Every day, we’re surrounded by cameras and microphones. It’s not just those on our smartphones and laptops anymore. It’s smart TVs, CCTV cameras, conferencing systems, and virtual assistants like Amazon’s Alexa. Many of these devices keep recording even when you think they’re off, collecting audio and video footage 24/7.

Unfortunately, these are among the most vulnerable devices in the IT world. The Mirai botnets responsible for the largest DDoS attack in history have reportedly taken control of 300,000 devices worldwide. Most of them are cameras and video recording equipment.

So why is video equipment so vulnerable? In short, these devices were built for mass production and quick time-to-market, not for security. After the Dyn DDoS attack, Chinese company Xiongmai vowed to recall up to 10,000 webcams. Devices like these ship with default usernames and passwords like “admin” and “password”. And in many cases, they’re designed so that users can’t change the password.

The scale of this vulnerability is giving rise to a new threat type: ambient surveillance, where you are potentially watched all the time as you move around the world.

But this raises the question: who would want to do such a thing? What would they have to gain by listening to my meetings for hours? Why would a hacker want to watch my face staring at a computer screen?

Because it’s profitable. The rapid development of AI means that ambient surveillance is increasingly becoming a viable way to penetrate business environments and engage in corporate espionage and ambient data theft.

In the past, attackers would have to go through victims’ video or audio footage manually to look for something of value. But AI techniques will automate the process. Attackers will be able to train malicious software to know what to look for – to understand what it hears and sees. In other words, infected machines will be able to sift through all the boring stuff to find the diamond in the rough – recognizing faces, images, and words along the way.

Without disrupting normal functions, conferencing systems could quietly listen and extract the most valuable information, like discussions of illegal activity, quarterly earnings, negotiations, or prep for M&A.

This isn’t just a hypothetical. Recently, Darktrace observed a law firm’s video-conferencing unit behaving strangely. It was transmitting large volumes of data to rare external IPs. The camera was being accessed remotely, allowing the attacker to essentially live stream images and sound. The worst part?

The conference room was used for the most important board and customer meetings. Sensitive information was discussed daily, and the attacker had access to all of it.

This case involved sending large streams of data to the attacker’s server. But soon, cyber-attacks will only send back the most relevant information. By leaking only tiny fragments, these attacks will be much harder to detect.
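The two observations above, a device suddenly sending large volumes to rare external IPs and, in future, leaking only tiny fragments, point to two complementary detection rules: compare each device's outbound volume with its own learned norm, and flag any external destination that no device contacted during the learning period, regardless of size. The script below is an added illustration of that idea and is not Darktrace code; every device name, IP address, byte count and threshold in it is constructed (TEST-NET documentation prefixes stand in for public addresses).

```python
"""Flag outbound traffic from IoT/conferencing devices that departs from a baseline.

Added illustration of the detection idea in the text above; this is not Darktrace
code. Every device name, IP address, byte count and threshold is constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# RFC 1918 ranges are treated as internal; everything else counts as external.
# An explicit list is used because the TEST-NET prefixes that stand in for public
# addresses below would be reported as non-global by ipaddress.is_global.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed flow records: (device, destination IP, bytes sent by the device).
BASELINE_FLOWS = [  # a quiet learning period
    ("conf-room-cam", "203.0.113.10", 48_000),   # vendor relay the unit always talks to
    ("conf-room-cam", "203.0.113.10", 51_000),
    ("conf-room-cam", "203.0.113.10", 47_500),
    ("conf-room-cam", "10.0.0.5", 2_000_000),    # internal NAS, ignored
    ("lobby-tv", "198.51.100.20", 120_000),
    ("lobby-tv", "198.51.100.20", 118_000),
    ("lobby-tv", "203.0.113.10", 30_000),
]
CURRENT_FLOWS = [  # the window under review
    ("conf-room-cam", "203.0.113.10", 49_000),       # normal relay traffic
    ("conf-room-cam", "192.0.2.77", 900_000_000),    # bulk stream to a never-seen host
    ("conf-room-cam", "192.0.2.78", 1_200),          # tiny fragment to a never-seen host
    ("lobby-tv", "203.0.113.10", 35_000),            # known destination, usual size
    ("conf-room-cam", "10.0.0.5", 3_000_000),        # internal, ignored
]


def is_external(ip: str) -> bool:
    """True unless the address falls inside one of the internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Learn, per device, the typical bytes per external flow and, per external
    destination, which devices have contacted it."""
    bytes_by_dev = defaultdict(list)
    devices_by_dst = defaultdict(set)
    for dev, dst, nbytes in flows:
        if not is_external(dst):
            continue
        bytes_by_dev[dev].append(nbytes)
        devices_by_dst[dst].add(dev)
    typical = {dev: median(sizes) for dev, sizes in bytes_by_dev.items()}
    return {"typical_bytes": typical, "devices_by_dst": dict(devices_by_dst)}


def detect(flows, baseline, volume_factor=10):
    """Return (device, dst, bytes, reasons) for each external flow that is either a
    volume spike for that device or goes to a destination no device contacted during
    the baseline. The second rule still fires when only small fragments leak out."""
    alerts = []
    for dev, dst, nbytes in flows:
        if not is_external(dst):
            continue
        reasons = []
        if dst not in baseline["devices_by_dst"]:
            reasons.append("destination never seen in baseline")
        typical = baseline["typical_bytes"].get(dev)
        if typical is not None and nbytes > volume_factor * typical:
            reasons.append(f"volume {nbytes / typical:.0f}x device's typical flow")
        if reasons:
            alerts.append((dev, dst, nbytes, tuple(reasons)))
    return alerts


def run(baseline_flows=BASELINE_FLOWS, current_flows=CURRENT_FLOWS):
    """Learn from the baseline window, then score the current window."""
    return detect(current_flows, build_baseline(baseline_flows))


if __name__ == "__main__":
    for dev, dst, nbytes, reasons in run():
        print(f"{dev} -> {dst} ({nbytes} bytes): {'; '.join(reasons)}")
```

On the constructed data the 900 MB stream is caught by both rules, while the 1,200-byte fragment is caught only by the destination-rarity rule; the normal relay traffic and the internal NAS transfer produce no alert. In a real deployment the baseline would be learned over days rather than a handful of flows, and the rarity rule would be the one to tune first, since a single legitimate new cloud endpoint will trigger it until it has been seen.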

In the movies, we see gangsters and spies lock their phones away before discussing sensitive topics. But in an era of widespread IoT we need to do something cleverer than hiding from our devices. Ambient surveillance is just one of many new techniques that modern attackers will add to their arsenal.

To learn more about the advanced threats we’ve uncovered, you can book a meeting with me and the rest of the Executive Team at the upcoming RSA conference in San Francisco.

Dave Palmer

Dave is the Director of Technology at Darktrace, overseeing the mathematics and engineering teams and project strategies. With over 19 years of experience at the forefront of government intelligence operations, Dave has worked across UK intelligence agencies GCHQ and MI5, where he was responsible for delivering mission-critical infrastructure services, including replacing and securing entire global networks, the development of operational internet capabilities and the management of critical disaster recovery incidents. He acts as an advisor to cyber security start-ups and growth-stage companies from the UK Government’s Cyber Security Accelerator and CyLon. His insights on AI and the future of cyber security are also regularly featured in the UK media. He holds a first-class degree in Computer Science and Software Engineering from the University of Birmingham.