Insider threat, by now you’ve heard a lot about it. You know insiders, those negligent employees or managers who may open a phishing email and expose your company to theft. At times they’re even those employees may be acting intentionally with malicious intent. Malicious insiders are increasingly finding it difficult to bypass machine learning behavioral analysis. However while they may not be able to do much on their own one must consider how much they could do with some hired help. Malicious insiders are a significant factor in darknet markets, where data peddlers sell stolen data to others who have their own insidious agendas.

The Data Market

Data peddlers from the darknet have one distinctive target and that’s your data. Credential theft, DDoS attacks, and malware are all attempts of data access for future illegal sales. There now exists cybercrime-as-a-service offerings to anyone willing to pay. These services are marketed to amataur hackers and malicious insiders. Sometimes the offering may just be code, where the customer needs to rely on their own ability to use it properly. Other times the sale may be a service with a hacker from the darknet working on an insider’s behalf.  Insiders at time can have deeper motives than just access to data, they may want pure disruption. The Senior Vice President of McAffee Labs, Vincent Weafer, has stated that:

“They even had a ready and efficient black market for selling the stolen credit card information, including an anonymous, virtual-currency-based point-of-sale payment system. Raw materials, manufacturing, marketplace, transaction support — it’s all there for thieves to use.”

This black market, also known as the “Darknet”, is where all the shady data dealings happen. Your data assets are a top selling product in the darknet, and it doesn’t show any sign of slowing down. Insiders have also may even more complex arrangements than just a simple purchase or subscription. There have been cases where insiders offered to provide access to their company’s network in exchange for a percentage of the payout that comes from a successful attack. This behavior reflects what Mr. Weafer said on how efficient and ready these markets truly are.

Insider Motivations & Market Demand

Cyber criminals have increased sales of their products and services when malicious insiders need some way to steal from or sabotage their company. On the darknet, cyber criminals are often programmers and vendors. It can be either malicious external actors or malicious insiders who pay top dollar for either information or malware development. These two clients have the know how and strongest motivations to launch an attack on a company. Insiders especially understand the culture and politics in an organization. When engaging in the darknet, insiders have a variety of products available to them with full descriptions. Insiders, external rouge actors, and even state actors are all clients of these cyber weapon vendors. So let’s explore some of what is available for purchase by insiders, and why you should really invest in cyber security.

Darknet’s Dangerous Products

Insiders in your company have access to a variety of products that are a threat to your networks and devices. When insiders have access to these products or even services, they have the ability to conduct a cyber attack with minimal experience. Understanding what’s on the market for them will provide you insight on what your cyber security systems need to be aware of. If you have behavioral analytics in your security solution you can also create rules to detect and counter any malicious activity too. Consider it market research, but for the safety of your company.

Service: Subscription DDoS Attacks

Insiders have access to a product called a distributed-denial-of-service (DDoS) attack. DDoS attacks are automated and spontaneous traffic sent to your website with the end goal of overwhelming your server. Some organized criminal groups offer a targeted DDoS attack to anyone willing to pay for as little as $5. Others sell on a subscription model for consistent attacks on a target throughout the month. Imagine if an insider made a deal with a DDoS attack service provider, you would have to manage constant server overloads and provide customers another place to visit your website. It would be best to prepare yourself for DDoS attacks, as they are the cheapest and most accessible product on the market.

Product: Botnets

Botnets are a particular type of malware that is commonly associated with the internet-of-things (IoT). Botnets control a network of vulnerable devices from either a central server or can autonomously control each other. This is mainly the result of smart product manufacturers not designing for security and not patching products regularly. Your insiders are able to purchase botnets which can turn everything connected to your network like that fancy smart fridge to your smart toaster into a vector of malicious data transfer. These are often sold as products and how-to guides, but a darknet customer can even hire a hacker to attack for them. Often any potential profits from the attack are shared between the hacker and the insider.

Product: Exploit Codes

Have you kept your systems up-to-date? If not an insider could easily purchase the exploit codes to extracting data or setup for a larger attack on your network. Privileged insiders are most dangerous here. The last two major cyber attacks NotPetya and WannaCry were both leveraging the exploit called EternalBlue. The best line of defense here is to keep all software, operating systems, and browsers up to date.

Service: Ransomware

The infamous word everyone is becoming more familiar with as the scale and magnitude of cyber attacks have increased. Ransomware in the past would simply encrypt your documents and then demand you pay a ransom for the decryption key. However, NotPeyta set a new paradigm for ransomware; one of of sabotage now. In should terrify you that this is an available product for purchase on darknet markets. Often these are a service, where the seller relies on a successful attack, and may actually help. With a successful ransomware attack the insider and seller will share the profits from the attack. An insider with minimal ability or even just their credentials can bring your operations to a grinding halt.

Insiders have many motivations for wanting to steal from or sabotage a company. Some of the best ways to deter malicious insiders are through behavioral analytics. However, this is not always enough which is why system updates and insider threat mitigation strategies should always be practiced. The darknet can turn each and every insider in your organization into a hacker. Best to protect from this in any and all ways possible.