Insider Threats
Social media is being used to entice loyal employees to reveal sensitive data
An insider threat assumes that someone within an organisation deliberately exposes its confidential data. This could happen in any situation where employees feel that they are not being well treated, have developed a grudge or feel they have some right to take it out on the bosses. If staff are well treated and believe that their roles are worthwhile, this scenario is relatively unlikely.
Clever manipulation through social media can, however, change attitudes and lead to deliberate or inadvertent data breaches by individuals who have access to sensitive data. The podcast Darknet Diaries highlights how social media has been used to influence employees and create insider threats. LinkedIn was used to identify and connect with targets, followed up by the InMail Messages feature of LinkedIn Premium to chat directly with the mark.
An example was cited of a scientist enticed to exchange information with a contact, allegedly for peer review of research and later with the promise of an attractive job offer in Kazakhstan. Confidential documents were sent out from the company to prove that the scientist had the knowledge and experience for the new post. The outside contact sent some documents back, at least one of which contained malware. This was detected and led to the exposure of the underlying threat.
In another example, an individual was contacted through Facebook by someone who appeared to work in the same company and to have similar interests, and who was worried about pollution and toxic waste coming from their employer’s factories. The mark was encouraged to collect and send company documents to the new friend and an ‘investigative journalist’ to build up a case against the employer. Once these documents had been sent, the contacts left Facebook, but no journalistic revelation was forthcoming. The alleged pollution had no basis in fact.
In both cases, the outside sources were almost certainly not who they purported to be. Considerable effort went into building a relationship before any attempt to gain access to data. The social media platforms themselves exposed enough information about the mark for the outsiders to feign similar interests and work roles. The eventual destination of the data and the funding of the attack profile are less easy to work out. Industrial espionage can be a much cheaper development route than original research. The funder could be a nation state or a corporation. Alternatively, the activity might be purely criminal: the attacker is looking for easy marks, with the aim of gaining access to data that can be sold on or used to demand a ransom.
The UK Centre for the Protection of National Infrastructure (CPNI) launched the ‘Think Before You Link’ campaign in 2021. It is specifically aimed at raising awareness of the use of fake LinkedIn profiles to attract marks through routines such as attractive new job prospects. The campaign includes downloadable assets in PDF and Adobe InDesign formats, allowing the material to be customised to an organisation’s house style and individual needs.
The insider threat menace can be minimised through staff awareness training and by ensuring that employees are well treated and feel valued in their work roles. Once a mark has exposed some data, they will become more confident in their cause or fear the threat of being found out. This can lead to further, more dangerous security breaches if the target feels there is no way back. Individuals should be confident that they can report any incidents of alleged fraud, blackmail or undue influence without any work repercussions.