Have you ever wondered why APT groups and ransomware are so effective? I no longer ask myself this question because as a pentester, I know what companies are struggling with. You might think of phishing attacks. Yes, social engineering is one of the biggest problems for both small and large companies, but it's only one component of the entire attack, which sometimes isn't even the entry point. What happens next, and why do attackers manage to navigate fully updated systems with antivirus programs, in networks monitored by SOC teams?
It's all possible thanks to the access credentials they obtain, thanks to an Insider.
An insider can be anyone. It could be a newly hired employee who, under the guise of changing jobs, wants to access confidential data or infect systems and then disappear. It could be an employee who wants to take revenge on the company because they didn't receive a raise for the second year in a row and feel undervalued, or one who was unjustly fired while their account was not blocked, because the procedure to revoke all access can take a while. It could even be someone who sells their account for cash.
It is important to remember that not all insider threats are intentional. Consider an employee who, in a rush to meet a deadline, inadvertently shares confidential data with unauthorized recipients, or who once logged into their company account from a home PC just to send one email. Sure, it was only for a couple of minutes, but if that PC had malware installed, e.g. from a pirated game, that can be enough for an attacker. You may say, "I don't install anything from untrusted sources," but if it isn't you, it could be someone in your family, a brother or a mother, and the responsibility will still be yours. Such incidents underscore the need for comprehensive data handling and security awareness training within organizations. In fact, the insider could also be an outsider who obtained domain credentials by phishing or, for example, got inside the network through a weakly secured RDP service exposed to the Internet. The scenarios are countless. Technical measures, while crucial, must be complemented by strategies that address the human aspect of security:
Behavioral Analysis: Implementing tools and practices to monitor for anomalous behavior can help identify potential insider threats before they act.
Access Control: Limiting access to sensitive information on a need-to-know basis minimizes the potential damage an insider can inflict.
Security Culture: Cultivating a strong security culture within the organization can deter potential insider threats and encourage employees to report suspicious behavior.
Unfortunately, it's impossible to protect against such a scenario completely. There can be numerous reasons for "changing teams," whether due to personal motivations or external pressures. The best solution is to make it harder for them to navigate the network using valid credentials, which, unfortunately, is currently not difficult at all, regardless of whether systems are up-to-date with the latest patches or are monitored by defensive tools like antivirus programs. In this case the only hope lies in the SOC team, which might detect anomalies that can be hard to spot even for dedicated software.
An experienced attacker will breeze through these "inconveniences" with ease! Being an insider means there's no need to use exploits, and the use of offensive tools can be minimized. Sure, they would make the attack easier, but it's possible to manage without them, because the biggest issues for companies from an insider's perspective are the permissions of users in the network, sensitive and even critical data located on network shares accessible to every company employee, and finally, the cherry on top, Active Directory and ADCS and their misconfigurations, which can lead to the takeover of the entire company!
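One way to find the "shares accessible to every company employee" mentioned above from the defender's side, as an added example that is not part of the original post: it lists SMB shares on a Windows file server whose share-level ACL and NTFS ACL both grant access to a broad group such as Everyone, Authenticated Users or Domain Users. It assumes the built-in SmbShare module and local administrator rights on the server being checked; the exclusion list and group names are assumptions you may need to adjust.

```powershell
# Added example (not from the original post): audit SMB shares for broad access.
# Assumes: run locally on the file server (or via Invoke-Command) as an administrator,
# SmbShare module available (Windows Server 2012+ / Windows 8+).
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')

function Test-BroadPrincipal {
    param([string]$AccountName)
    # AccountName may be "Everyone", "BUILTIN\Users" or "CONTOSO\Domain Users";
    # keep only the part after the last backslash before comparing.
    $name = ($AccountName -split '\\')[-1]
    return $BroadPrincipals -contains $name
}

function Get-BroadlyAccessibleShare {
    # Administrative and default shares are skipped (assumed list, adjust as needed).
    param([string[]]$ExcludeShares = @('IPC$', 'ADMIN$', 'C$', 'NETLOGON', 'SYSVOL'))

    Get-SmbShare | Where-Object { $_.Name -notin $ExcludeShares } | ForEach-Object {
        $share = $_
        # Share-level ACEs that allow a broad principal.
        $shareAces = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.AccountName) }
        if (-not $shareAces) { return }

        # Effective access is the intersection of share and NTFS permissions,
        # so only report shares where the NTFS ACL also allows a broad principal.
        $ntfsAces = (Get-Acl -Path $share.Path).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.IdentityReference.Value) }
        if (-not $ntfsAces) { return }

        foreach ($ace in $shareAces) {
            [pscustomobject]@{
                Share        = $share.Name
                Path         = $share.Path
                Principal    = $ace.AccountName
                ShareRight   = $ace.AccessRight
                NtfsRights   = ($ntfsAces | ForEach-Object { $_.FileSystemRights }) -join '; '
            }
        }
    }
}

# Usage: print the findings; feed the same objects to Export-Csv for a report.
Get-BroadlyAccessibleShare | Format-Table -AutoSize
```

Shares that appear here with Change or Full share rights and Modify/FullControl NTFS rights are the ones where a single compromised user account can both read and tamper with data, so they deserve a need-to-know review first.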
Why companies conduct these audits (or why they should):
Social engineering attacks are the most effective attacks carried out by attackers, which means that once they gain network access, they continue the attack with the privileges of the phished user.
An insider threat audit is not the same as a LAN audit – valid credentials change a lot. Often they are "game-changers" and open a window to vulnerabilities that cannot be detected from an unauthenticated position.
Security measures and frequent updates do not guarantee protection against attackers.
Not all employees always have good intentions.
In our Insider Threat audit, a penetration test of this type, the auditor pretends to be an employee. They have an account in Active Directory (usually with the privileges of a regular user) and access to the usual services. Armed with user credentials, the auditor starts the "hunt". Connected to the company network via VPN, the penetration tester, a.k.a. the Insider, performs all sorts of attacks, enumeration and lateral movement with the goal of compromising the whole domain or finding as much critical data as possible.
In 10 audits conducted in this way, 5 cases ended with the takeover of the client's entire infrastructure, and in the rest, confidential data was found that didn't lead to the takeover of the company but could definitely damage its reputation. If we were operating on the wrong side of the law, encrypting all data in the company would be a mere formality.
In the continuation of this article, I will present the technical side of these tests: how an attacker moves within the network as one of the employees, and what interesting things can be found thanks to the permissions of the most ordinary user, all based on errors actually found in insider threat audits! The question is whether your company will be able to defend itself against an Insider Threat.
Alpha going dark to hunt for juicy data. We'll be back in touch soon with technical details.
#InsiderThreat #CyberSecurity #PentestChronicles #TechInsights