Cybersecurity firm CrowdStrike says it “identified and terminated” a potentially malicious insider in October, after they were caught sharing screenshots externally – reportedly with cybercrime group ShinyHunters.

The “suspicious insider” was fired, CrowdStrike told The Stack, “following an internal investigation that determined he shared pictures of his computer screen externally. Our systems were never compromised and customers remained protected throughout.” It has brought in law enforcement. 

The threat group told Bleeping Computer that they had offered the insider $25,000 for access to the company’s network – and that he had shared “SSO authentication cookies” but been caught before they could use them.

The incident casts a fresh light on insider risk. That’s among the biggest concerns of CISOs, particularly when lower-paid support desk staff are potentially susceptible to bribes for network access – and visibility over sub-contracted staff or those brought in via M&A frequently has gaps.

Insider risk: Specialist help needed?

CrowdStrike has since re-advertised for an “insider investigations analyst.”

It’s not alone in recruiting specifically to target insider risk – with current open roles advertised at rates varying from $66,000 to $360,000+. A quick look at the market shows that Anthropic, Blackstone, Deloitte, Northern Trust, OpenAI, Target, and TikTok are among those also currently hiring in this space.

Some roles have a specifically cybersecurity or software tooling focus; others target “policy violations, dual employment, and reputational risk.” 

(Asset management giant Blackstone gives a clear snapshot of its role. It says it includes using “advanced behavioral detection engineering” and “conducting investigations using insider threat management platforms, data loss prevention, user and entity behavior analytics, and other monitoring tools across email, endpoint, network, and cloud environments.”)

"You can't 'patch' people"

Building robust insider threat frameworks is challenging and often leaves CISOs encountering what one recently described to The Stack as “taboos” around trust, loyalty and corporate culture. Tackling it is made even more challenging due to the extensive use of stolen credentials and identity theft in attacks; with “outsiders” hiding behind “insider’s” identities in hacks. 

(As Sysdig’s Crystal Morin puts it to The Stack: “Insider threat analysis is often nuanced and requires human discretion, something that cannot simply be programmed into detection alerts or AI-driven triage… An unusual data download might signal exfiltration, but it might also just be an employee preparing to work offline on a long flight. You can’t ‘patch’ people, but you can design layered, collaborative security and cultural strategies that safeguard both your workforce and your organization.”)

Talking to The Stack about the issue (prior to the CrowdStrike incident), Netskope CISO James Robinson said that when it comes to frameworks for reducing the risk of insider threat, two of his favourites were “a very old one from Intel (recently updated) which breaks down personas in an incredibly useful way” and the INSA insider threat sub-committee’s framework.

He noted the importance of preventative efforts and “connecting with other teams to understand life events that might be a trigger for someone becoming an insider threat… Information like that can be considered useful if you tier your access groups and move people up and down risk groups within trial periods, contract types, those in notice periods etc.”

Robinson added: “When you can invest in an insider threat programme the most important thing is to educate and communicate – it’s usefully preventative for more than just accidental, insider-enabled risk. You want to ensure that… your programme should be very approachable, from management down, so the rest of the workforce becomes a useful partner.

“I always recommend partnering with works councils where they exist. They are usually willing to work with you when you partner from the start and ensure they understand the controls and motivations from the start. It’s really important that you – and they – know you are not building a surveillance programme as much as one that allows you to have technical signals and triggers that will raise flags from which you can investigate. 

“For technical frameworks, zero trust is the best foundational technical approach to address insider risk... You are looking to give every user just the right amount of access to do their jobs, and then continuously verifying that access, removing permissions and locking down at the same rate that you extend and open them, as corporate projects start, evolve and complete.”
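The two ideas Robinson describes above, tiering people into risk groups by employment state and then revoking project access at the same rate it is granted, can be reduced to a small reconciliation loop. The following is an added example, not code from The Stack, Netskope or CrowdStrike: the tier names, the maximum standing-access days per tier, the project-to-role map and the people are all constructed values chosen to illustrate the approach.

```python
"""Added example: risk-tiered, project-scoped access reconciliation.
Everything here (tiers, TTLs, projects, people) is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Longest a grant may stand before it must be re-verified, by risk tier
# (constructed policy values; a real programme would set its own).
MAX_GRANT_DAYS = {"standard": 90, "elevated": 30, "high": 7}

# Roles that active membership of a project entitles someone to (constructed).
PROJECT_ROLES = {
    "billing-migration": {"db-reader", "deploy-staging"},
    "support-desk": {"ticket-admin"},
}


@dataclass
class Person:
    user: str
    contract: str = "permanent"      # "permanent" | "contractor" | "acquired"
    in_probation: bool = False       # trial period
    in_notice_period: bool = False   # has resigned / been given notice
    projects: set = field(default_factory=set)


def risk_tier(p: Person) -> str:
    """Map employment state to a risk tier. Constructed rules following the
    article's examples: notice periods rank highest, then trial periods and
    non-permanent (contractor / acquired-via-M&A) staff."""
    if p.in_notice_period:
        return "high"
    if p.in_probation or p.contract != "permanent":
        return "elevated"
    return "standard"


def reconcile(p: Person, current: dict, today: date):
    """Compare what a person currently holds with what their active projects
    entitle them to, bounded by their tier's maximum standing-access window.

    current: {(role, project): expiry_date} as held in the access system.
    Returns (to_grant, to_revoke): to_grant maps (role, project) -> new expiry,
    to_revoke is the set of keys that should be removed now.
    """
    ttl = timedelta(days=MAX_GRANT_DAYS[risk_tier(p)])
    wanted = {(role, proj) for proj in p.projects
              for role in PROJECT_ROLES.get(proj, ())}
    # Revoke anything the person is no longer entitled to, or that has lapsed.
    to_revoke = {k for k, exp in current.items() if k not in wanted or exp <= today}
    to_grant = {}
    for k in wanted:
        exp = current.get(k)
        if exp is None or exp <= today or exp > today + ttl:
            # Missing, expired, or standing longer than this tier now allows
            # (e.g. the person entered a notice period): (re)issue with an
            # expiry bounded by the tier, forcing re-verification.
            to_grant[k] = today + ttl
    return to_grant, to_revoke


def demo(today: date = date(2025, 11, 1)):
    """Two constructed cases; expiries are returned as day offsets from today."""
    alice = Person("alice", projects={"billing-migration"})
    alice_current = {
        ("db-reader", "billing-migration"): today + timedelta(days=60),
        ("deploy-staging", "billing-migration"): today + timedelta(days=60),
        ("ticket-admin", "support-desk"): today + timedelta(days=60),  # project finished
    }
    bob = Person("bob", contract="contractor", in_notice_period=True,
                 projects={"billing-migration"})
    bob_current = {("db-reader", "billing-migration"): today + timedelta(days=60)}

    def offsets(result):
        to_grant, to_revoke = result
        return {k: (exp - today).days for k, exp in to_grant.items()}, to_revoke

    return {"alice": offsets(reconcile(alice, alice_current, today)),
            "bob": offsets(reconcile(bob, bob_current, today))}


if __name__ == "__main__":
    for user, (grant, revoke) in demo().items():
        print(user, "grant:", grant, "revoke:", revoke)
```

Running `demo()` shows the two directions of the loop: Alice keeps her billing-migration roles untouched but loses `ticket-admin` because that project is no longer on her list, while Bob, a contractor who has just entered a notice period, has his existing 60-day `db-reader` grant cut back to a 7-day window and gets the missing `deploy-staging` role on the same short leash. Run on a schedule against the real access system, this is the "continuously verifying" step Robinson refers to.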

Tony Fergusson, CISO-in-residence, Zscaler, agrees. Also sharing comment on insider risk as part of a story The Stack was working on prior to the CrowdStrike incident, he added: “As adversaries increasingly live off the land and use trusted sites to hide in plain sight, they are logging in rather than hacking their way in. Every attack now begins to look like an insider attack, whether or not the actor is actually employed by you. 

“Minimising attack paths by embedding trust into your environment through Zero Trust, and then adding noise through Negative Trust, is the way forward. We must become far better at detecting malicious behaviour, especially now that adversaries are willing to pay employees to leak data or simply hand over authentication cookies from their browsers…”
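The cookie hand-over Fergusson describes, and the "SSO authentication cookies" reportedly shared in the CrowdStrike case, share one defensive signature: a session token that was issued to one browser on one network turns up from another, often while the original device is still using it. The detection logic below is an added example, not CrowdStrike's, Zscaler's or any IdP's real alerting; the JSON log format and every event in it are constructed, and the choice to bind a session to its (user agent, ASN) pair is this example's assumption (a real deployment would pick its own binding fields).

```python
"""Added example: flag an SSO session cookie used from a context other than
the one it was issued in. Log format and events are constructed."""
import json

# Constructed sample of what an SSO / IdP audit log might record per request.
# s-7f3a is used from a second device/network, then the original device
# continues: two parties hold the same cookie. s-91c2 only changes IP inside
# the same network, which is ordinary (DHCP, NAT, roaming) and not flagged.
SAMPLE_LOG = """
{"ts": "2025-10-14T09:02:11Z", "session": "s-7f3a", "user": "jdoe", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/129", "asn": 64500}
{"ts": "2025-10-14T09:15:40Z", "session": "s-7f3a", "user": "jdoe", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/129", "asn": 64500}
{"ts": "2025-10-14T09:16:02Z", "session": "s-7f3a", "user": "jdoe", "ip": "198.51.100.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/131", "asn": 64510}
{"ts": "2025-10-14T09:20:00Z", "session": "s-7f3a", "user": "jdoe", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/129", "asn": 64500}
{"ts": "2025-10-14T10:00:00Z", "session": "s-91c2", "user": "asmith", "ip": "203.0.113.22", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "asn": 64500}
{"ts": "2025-10-14T10:05:00Z", "session": "s-91c2", "user": "asmith", "ip": "203.0.113.23", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "asn": 64500}
"""


def parse_log(text: str) -> list:
    """One JSON object per line; blank lines ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def context(ev: dict) -> tuple:
    """Binding context for a session (assumption of this example): browser
    user agent plus network ASN. A bare IP change within one ASN is common
    and is deliberately not treated as a new context on its own."""
    return (ev["ua"], ev["asn"])


def detect_replayed_sessions(events: list) -> list:
    """Return findings for sessions seen from a context other than the one in
    which they were first used. A finding is marked concurrent=True if the
    issuing context is seen again after the foreign use, i.e. the cookie is
    held by two parties rather than a user who simply switched device."""
    issued = {}            # session id -> context of first use
    foreign_seen = set()   # session ids already seen from a foreign context
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        sid, ctx = ev["session"], context(ev)
        if sid not in issued:
            issued[sid] = ctx
            continue
        if ctx != issued[sid]:
            foreign_seen.add(sid)
            findings.append({
                "session": sid, "user": ev["user"], "ts": ev["ts"],
                "reason": "session used from a device/network other than the one it was issued to",
                "issued": issued[sid], "seen": ctx, "concurrent": False,
            })
        elif sid in foreign_seen:
            # Original device is back after a foreign use: escalate.
            for f in findings:
                if f["session"] == sid:
                    f["concurrent"] = True
    return findings


if __name__ == "__main__":
    for f in detect_replayed_sessions(parse_log(SAMPLE_LOG)):
        print(json.dumps(f, default=str))
```

On the constructed log this yields a single finding for `s-7f3a`, escalated to `concurrent` because the Windows/Chrome device keeps using the session after the Linux/Firefox use from another network. The response action is the one a defender controls entirely server-side: revoke that session and force re-authentication, which is cheap even when the alert turns out to be a user who legitimately moved between machines.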

See also: Microsoft's new open-source “Zero Trust Assessment” for tenants is welcome - and overdue!
