Insider Threats Growing as a Factor in Cyber-Attack Incidents
November 16, 2022
Insider threats are rising to new levels as a percentage of cyber incidents, perhaps as a function of a highly fluid labor market and economic uncertainty, a new report suggests.
According to the "Q3 2022 Threat Landscape: Insider Threat, the Trojan Horse of 2022" report from risk and financial advisory solutions provider Kroll, LLC, this year's third quarter saw insider threats reach their highest quarterly level to date, representing nearly 35 percent of unauthorized access threat incidents.
According to the November 8, 2022, report, Kroll also saw a number of malware infections occurring through USB interfaces during the third quarter, "potentially pointing to wider external factors that may encourage insider threat, such as an increasingly fluid labor market and economic turbulence," the report says.
The third quarter also saw an increase in general malware incidents, Kroll says.
"With the widespread use of info-stealer malware, it may come as no surprise that Kroll continues to see valid accounts used to gain an initial foothold into a network," the report says. "This shows that, in many cases, threat actors are using legitimate credentials to access and authenticate into systems."
The Kroll report points to the so-called Great Resignation, marked by a historic number of workers leaving jobs, as well as the shift to remote work as a result of the COVID-19 pandemic, as potential factors associated with the rise of the insider threat.
"While always a challenge, the risk of insider threat is particularly high during the employee termination process," the report says. "Disgruntled employees may seek to steal data or company secrets to publicly undermine an organization, while other employees may seek to move over data—such as contacts lists and other proprietary documents—that they can leverage at their new organizations."
According to the report, many of the cyber-incident cases Kroll observed during the third quarter coincided with the employee termination process.
"In one example, an employee attempted to steal gigabytes worth of data by copying it over to cloud storage networks," the report says. "In this instance, the company followed a standard protocol that included disabling the user's accounts and deleting data from cloud storage accounts accessible to them."
Months later, after the employee had joined a competitor, the former employer began to suspect that its former worker was using its data to enhance the new company's sales efforts.
"A review of the individual's personal laptop identified that they had created copies of company data on multiple cloud storage accounts and personal data storage devices when they still had access to the corporate network," the report says. "A review of the individual's web browser history also identified multiple searches related to personal cloud storage and deleting log files."
Regarding threat incidents during the third quarter, the Kroll report says that email compromise plateaued at 30 percent while the ratio of overall ransomware attacks declined. But there were modest increases in other threat incident types including unauthorized access (27 percent), web compromise (7 percent), and malware (5 percent).
The report says that Kroll has seen web compromises targeting small to medium-sized e-commerce websites increasing since the beginning of the COVID-19 pandemic, when many brick-and-mortar stores moved some or all of their sales onto the web. "In many of these instances, cyber security may have taken a backseat as merchants worked to maintain sales amid lockdowns," the Kroll report says.
Malware—excluding ransomware—increased from 1 percent of cases in the second quarter of this year to 5 percent of cases in the third quarter, Kroll says. The increase is likely the result of the proliferation of various "info-stealer" malware, which is typically spread through phishing attacks, according to the report.
"Once a victim's machine is infected, the malware is able to target and steal a variety of data, including browser histories, device fingerprints, login credentials, and financial data," the report says. "Information from this malware is often sold on credential markets where a user may buy a listing that gives them access from a compromised computer from which they can log an attack."
Kroll says it saw an increase in phishing attacks in the third quarter, using valid accounts to gain access. "Kroll saw a rise in phishing lures being sent via text message—known as 'smishing'—where threat actors sent the malicious payload via a container file instead of an Office document (e.g., .ISO instead of .docx or .word) and instances where, in lieu of a link, cybercriminals used social engineering to dupe victims into calling a phone number from which a fraudulent call center would walk them through the installation of malware of a remote management tool," the report says.
Kroll says it also saw an increase in the use of valid accounts to gain access during the third quarter. "Cybercriminals using this method may take over an account in several different ways, such as purchasing credentials from information-stealing malware or credential-stuffing attacks," the report says.
Professional services firms passed health care as the most targeted sector in the third quarter, Kroll says, accounting for 21 percent of the company's cases compared to 12 percent in the second quarter. Common threat types aimed at professional services firms during the quarter included email compromise (40 percent), unauthorized access (27 percent), and ransomware (10 percent).