When The Lines Between Victim, Defender And Attacker Get Blurred: What You Need To Know

Let me start this discussion by asking you a simple question. What is the commonality between the Victim and the Defender? Both have trusted access.

Trusted insiders are routinely given access to highly sensitive information without the necessary oversight, and those who intend to attack us know that.

For example, some insider incidents involve outsiders, sometimes from organised crime, who approach employees of the organisation and offer to pay them in exchange for some service, or coerce them with threats into complying.

Example 1: A teller at a large US bank handled customer information on a daily basis and processed cheques for customers. Heavily in debt, the employee was approached by individuals who offered to pay him to steal the bank's customers' personally identifiable information (PII). Over the course of several years, the employee sold PII to the organised crime group, who used it to create fraudulent cheques, open unauthorised credit cards and commit identity theft. The scheme was only disrupted when the bank became suspicious of the exceptionally high rate of fraud occurring in one of its local branches.

In this case the employee was recruited by an outsider, which is very difficult for an organisation to detect, particularly when the recruitment happens outside the workplace. Here is another well-known example, in which an insider recruits another insider.

Example 2: Edward Snowden, a contractor at the US National Security Agency (NSA), was able to persuade a colleague to lend him his credentials for accessing highly sensitive classified information, which he eventually leaked to the world.

Question: Is there a situation in which the victim or the defender cooperates with the attacker, either for personal gain or to prevent further adverse consequences for themselves or their organisation?

At first sight, the very idea that the victim or the defender could be in cahoots with the attacker seems inconceivable, even ludicrous.

Yet one way to approach the question is to understand the intent, risks and consequences for each party, to build a clearer picture.

The victim: individuals who have some level of responsibility for protecting themselves from cyberattacks, or who were coerced into doing something they should not have done, and who were therefore successfully breached.

What is the risk for the victim? Victims are at risk of having their personal data stolen and used for fraud, or of having their access used as a platform for attacks on other people and systems.

Why would the victim collude with the attacker? Cooperation with the attacker is driven either by personal (monetary) gain or by the insider's perceived risk of getting caught. As the fraud grows, the insider's perceived risk of getting caught increases, which results in a real escalation of fraud activity, as can be seen in the following diagram (source: The CERT Guide to Insider Threats).

There are also victims who are unaware that they have been manipulated and used, and that their trust has been violated, as in Example 2.

The defender: those individuals tasked with protecting the organisation's assets from cyber and insider attacks.

What is the risk for the defender? Defenders are at risk of being seen and identified as negligent, incompetent or incapable of protecting the organisation's assets, with the consequent damage to reputation, loss of customers, loss of value for the organisation and displeasure of shareholders.

What is the risk for the attacker? The attacker takes the risk of being caught and punished.

It goes against all intuition that defenders and attackers would somehow collude.

Why would the defender collude with the attacker? If the cost of the attack's impact greatly exceeds the cost of the remedy the attacker is asking for, there is a strong incentive to give in to the attacker. For example:

• Sometimes cooperation is considered beneficial for the organisation, as when a ransom is paid in the event of a ransomware attack, even though paying guarantees neither that data will be recovered nor that stolen data will not be leaked.
• Sometimes the defender deliberately sweeps the problem under the carpet or hides it from the organisation, fearing that their own role is at risk, and in doing so colludes with the attacker.

Suggested Recommendations

Consider raising employees' awareness of this kind of recruitment. Understand the types of crime that could be committed with the information they handle, and make clear to them how you monitor for such activity, as a form of deterrence.

Secondly, encourage employees to recognise and report suspicious contact in which an insider or an outsider approaches them to join a fraud scheme. Importantly, give employees a way to report suspicious events without fear of repercussions.

Develop an internal user activity monitoring strategy for insider threat activity, which may include monitoring access to and modification of critical assets as well as anomalous behaviour. In Example 1 the theft was only noticed years later through a branch-level fraud rate; comparing each employee's access to sensitive records against that of their peers can surface the same pattern much earlier.

Finally, regularly audit critical business transactions to help detect unauthorised access and modifications.
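Putting the last two recommendations into code, as an added example that is not part of the original article or of Naked Insider's own tooling: a small Python monitor run over constructed access and transaction logs. The teller names, branch codes, the 15-minute matching window and the threshold of three times the peer median are all assumptions chosen for illustration. The first check flags a teller whose customer-record lookups far exceed those of their branch peers (the kind of pattern that, in Example 1, only surfaced years later as a branch-wide fraud rate); the second audits lookups that are not followed by a transaction for that customer by the same teller, which is what a teller selling records rather than serving customers looks like in the logs.

```python
"""Toy insider-activity monitor run over constructed log lines: flag tellers
whose customer-record lookups are anomalous against their branch peers, and
audit lookups that have no matching customer transaction."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data, not real bank logs. In branch B1 the teller
# "mallory" looks up far more customer records than peers, mostly for
# customers she never serves. Format: timestamp,user,branch,customer_id
ACCESS_LOG = """\
2024-03-04T09:05:00,alice,B1,C1001
2024-03-04T10:12:00,alice,B1,C1002
2024-03-04T09:15:00,bob,B1,C1003
2024-03-04T11:02:00,bob,B1,C1004
2024-03-04T09:40:00,carol,B1,C1006
2024-03-04T12:30:00,carol,B1,C1007
2024-03-04T09:01:00,mallory,B1,C1009
2024-03-04T09:03:00,mallory,B1,C2001
2024-03-04T09:04:00,mallory,B1,C2002
2024-03-04T09:06:00,mallory,B1,C2003
2024-03-04T09:07:00,mallory,B1,C2004
2024-03-04T12:31:00,mallory,B1,C2005
2024-03-04T12:32:00,mallory,B1,C2006
2024-03-04T12:34:00,mallory,B1,C2007
2024-03-04T16:45:00,mallory,B1,C1010
2024-03-04T09:30:00,dave,B2,C3001
2024-03-04T11:00:00,dave,B2,C3002
2024-03-04T10:00:00,erin,B2,C3004
2024-03-04T14:00:00,erin,B2,C3005
"""
# Format: timestamp,user,customer_id,transaction_type
TRANSACTION_LOG = """\
2024-03-04T09:08:00,alice,C1001,check_deposit
2024-03-04T10:14:00,alice,C1002,withdrawal
2024-03-04T09:18:00,bob,C1003,check_deposit
2024-03-04T11:05:00,bob,C1004,transfer
2024-03-04T09:44:00,carol,C1006,check_deposit
2024-03-04T12:33:00,carol,C1007,withdrawal
2024-03-04T09:05:00,mallory,C1009,check_deposit
2024-03-04T16:50:00,mallory,C1010,withdrawal
2024-03-04T09:33:00,dave,C3001,withdrawal
2024-03-04T11:03:00,dave,C3002,check_deposit
2024-03-04T10:02:00,erin,C3004,withdrawal
2024-03-04T14:03:00,erin,C3005,check_deposit
"""


def parse_log(text, fields):
    """Parse comma-separated log lines into dicts; field "ts" is an ISO timestamp."""
    rows = []
    for line in text.strip().splitlines():
        row = dict(zip(fields, line.split(",")))
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def peer_outliers(access, factor=3.0):
    """Flag users whose lookup count exceeds `factor` times the median count of
    their branch peers. The baseline is leave-one-out, so a heavy user cannot
    inflate the median used to judge them. Returns {user: (count, baseline)}."""
    counts = defaultdict(lambda: defaultdict(int))  # branch -> user -> lookups
    for row in access:
        counts[row["branch"]][row["user"]] += 1
    flagged = {}
    for users in counts.values():
        for user, n in users.items():
            peers = [c for u, c in users.items() if u != user]
            if peers and n > factor * median(peers):
                flagged[user] = (n, median(peers))
    return flagged


def unmatched_lookups(access, transactions, window=timedelta(minutes=15)):
    """Audit check: a customer-record lookup is suspicious when the same teller
    records no transaction for that customer within `window` of the lookup."""
    tx_times = defaultdict(list)  # (user, customer) -> [transaction timestamps]
    for t in transactions:
        tx_times[(t["user"], t["customer"])].append(t["ts"])
    return [
        (a["user"], a["customer"], a["ts"].isoformat())
        for a in access
        if not any(abs(a["ts"] - ts) <= window
                   for ts in tx_times.get((a["user"], a["customer"]), []))
    ]


def run_monitor():
    """Run both checks over the sample logs."""
    access = parse_log(ACCESS_LOG, ["ts", "user", "branch", "customer"])
    transactions = parse_log(TRANSACTION_LOG, ["ts", "user", "customer", "type"])
    return {"outliers": peer_outliers(access),
            "unmatched": unmatched_lookups(access, transactions)}


if __name__ == "__main__":
    for check, hits in run_monitor().items():
        print(check, hits)
```

Run stand-alone, the script reports mallory as the only outlier (9 lookups against a peer median of 2) and lists her seven lookups that no transaction accounts for. The leave-one-out baseline matters in small branches: with only four tellers, a single heavy user would otherwise drag the median up and help hide themselves. In practice the two signals should be correlated rather than alerted on separately, since a teller with a legitimately busy desk will trip the first check but not the second.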

How Can We Help You?

Are you interested in identifying risky behaviour by your employees or other trusted partners?

Are you interested in implementing deterrence measures that shape people's behaviour so that they act in the best interests of the organisation?

If you answered yes to either of the above questions, we can help you implement strategies to effectively mitigate insider risk. Contact us by filling out the form on the Naked Insider website: https://www.nakedinsider.com/contact-us