Spear-phishing case shines spotlight on insider threats

May 18, 2015
Report shows 7 in 10 U.S. companies vulnerable to breaches from ex-employees

Earlier this month, federal authorities announced that Charles Harvey Eccleston, a former employee of the U.S. Department of Energy and U.S. Nuclear Regulatory Commission, had been indicted on charges that he planned to carry out a spear-phishing attack against dozens of DoE employee email accounts. According to an FBI affidavit, the goal of the attack was to cause damage to the computer network of the DoE through a virus that would also extract sensitive, nuclear weapons-related information.  

Eccleston initially came to the attention of the FBI after he entered a foreign embassy and offered to provide classified information, which he claimed had been taken from the U.S. government. He later met with FBI undercover employees who were posing as representatives of the foreign country, and in exchange for a promised future payment, offered to design and send spear-phishing e-mails that could be used to damage the computer systems used by his former employer and to extract sensitive information from them.

The affidavit alleges that Eccleston sent those e-mails to over 80 DoE computers in January 2015. The FBI was able to ensure that no computer virus or malicious code was actually transmitted to the government computers.

 “This particular case shows the dangers an insider threat poses to an organization even after their employment has been terminated, particularly in cases where an employee has been fired and the employee holds a grudge against their employer. Mr. Eccleston had insider knowledge and contact lists of employees and even though he had no offensive computer security training or experience believed that he would be able to trick fellow former employees into downloading malicious software to their systems.  A malicious insider’s potential to cause damage is not removed once they are no longer officially an “insider” but can persist well after their employment has terminated, particularly when they have exfiltrated sensitive data or have extensive knowledge of internal networks, procedures and people, ” said Ken Westin, security analyst for Tripwire.

“One of the real dangers of spear phishing attacks is that they can be very targeted, very personal, and very compelling to recipients.  If 10 employees are targeted, chances are good that at least one might click on a link that initiates delivery of malicious web content.  Once that happens, the attacker wins and the organization loses.  This is another reason why businesses and government agencies should adopt technology that isolates the web browser and all malicious content safely outside the secure network,” said Franklyn Jones, CMO of Spikes Security.

"The human element is one of the weakest links in today’s security landscape. Spear phishing often proves successful to gain initial access and is almost impossible to detect in many cases. However, as the attacker reaches out and starts probing and looking for the resources or documents they wish to steal, you need to have measures in place to detect this anomaly. One of my best suggestions is to keep a close watch on Active Directory - it traditionally provides authentication for 90 percent of most companies' user-accessible data," said Brett Fernicola, CISO with STEALTHbits Technologies.

Although this case highlights the potential dangers of spear phishing, it is just one of several threats posed by former employees. In fact, according to a recent report from IS Decisions, seven out of every 10 U.S. companies risks serious security breaches carried out by former employees. A survey of 250 IT professionals in the U.S. and 250 IT professionals in UK found that only 29 percent of U.S. companies follow strict post-employment processes to ensure that employees no longer have access to company-sensitive information once they have left.

The report also found that IT professionals across the US and UK are calling for more help to tackle the issue of insider threat. An overwhelming 91 percent want to see industry-wide collaboration on the issue, 78 percent want clearer guidelines, and only 43 percent see senior management taking enough responsibility for insider threat.

And while 67 percent state they plan to look at specific tools, technology and data to help tackle insider threat, the tools are not likely to be effective in isolation. Research found 57 percent of insider threat programs will include organization-wide training — demonstrating that a joined-up approach is essential for internal security.

 “It’s often easy for companies to overlook post-employment processes when they’re worrying more about the behavior of current employees. However, an employee on the outside with access to your systems can be as dangerous as any hacker or virus — and often your threat detection systems won’t pick up a former employee because it thinks the employee has genuine authority to access systems,” said Francois Amigorena, CEO of IS Decisions. “Threats can go undetected for months, leaving a huge open window for attack. A simple employee exit checklist can help mitigate these threats.”