6 Best Practices to Fight a New Breed of Insider Threats

The current global pandemic has disrupted how organizations work. Some businesses have adapted quickly while others are still figuring out the new landscape. Unfortunately, criminals are exploiting vulnerabilities during this challenging time. There has been a 238% increase in cyberattacks during the pandemic, according to data presented in the VMware Carbon Black Modern Bank Heists 3.0 report.

Insider threats aren’t just about employees not practicing good cybersecurity hygiene or malicious ex-employees, which are all still legitimate concerns. Today, attackers are finding new methods to penetrate defenses and stay undetected. Criminals are also buying illegal access to corporate networks and, when discovered, are often launching counter-defensive attacks. 

In this article, we’ll examine some evolving insider attack trends, challenges faced by security teams and share some best practices on how to fortify security. 

Challenges Faced: The Old Security Perimeter 

Today, data is everywhere: on-premises, on mobile devices, in the cloud and in transit. With COVID-19 disrupting our lives, the current challenge is not only protecting that data in motion but also the apps, networks, employees and partners that have moved beyond the traditional on-premises security perimeter. The cloud, working from home, system administration rights, traditional approaches to network security—all of these factors compound the difficulty of defending those assets.

“The old security perimeter is in need of re-structuring and re-thinking,” explains Tom Kellermann, CISM, Head of Cybersecurity Strategy, VMware. “There are illegal marketplaces that are dedicated to providing insider access to high-profile corporate networks. All of this is compounded by the fact that the old security standard espoused perimeter defense, but because of cloud computing, teleworking, and new SaaS capabilities, all those defenses and approaches went out the window.” 

Digital Home Invasion: Attackers Island Hopping in Your Network 

Many enterprises, as well as SMBs, are taking digital transformation steps to stay relevant and competitive. However, without new approaches and solutions to security, organizations are left exposed.  

“You need to treat insider threats like a home invasion,” says Kellermann.

Attackers are penetrating your network—often unbeknownst to you—and then using it as a launching pad to attack your customers, partners and other parts of your organization. This is known as Island Hopping; in fact, approximately one-third of attacks today involve some form of Island Hopping, according to recent VMware Carbon Black research.

Imagine your network as your home, with a burglar sneaking in, staying undetected and then moving to different parts of the house—all without you knowing it.  

Access for Sale – How Attackers Get Inside Your House   

“We’ve been seeing increased access mining activity across various malware families,” says Greg Foss, Senior Threat Researcher, VMware Carbon Black. “Criminals are harvesting data from compromised endpoints such as usernames and passwords, and posting this information for sale on the dark net, opening up access into corporate networks for anyone who chooses to purchase access.”  

Recent malware research has picked up on a trend toward “modular” malware. Attackers add functionality to the malware to extend its capabilities while hiding key components of those capabilities during post-exploitation activity. Meanwhile, they wait until the time is ideal to carry out the attack and infiltrate the target network.

Foss also explains that access information is frequently sold on the digital black market and in criminal forums. And it’s a very lucrative market.  

“In those forums, access to the networks of high-profile corporate target companies can fetch upwards of $50,000 USD,” adds Foss.

Counter-defensive Tactics: Attackers Fighting Back 

What happens when these “home invaders” on your network are found and set off alarms?  

Some attackers will leave when discovered, but others use nefarious tactics to fight back. Examples of counter-defensive tactics include encrypted payloads, Trojan horses and other techniques for avoiding detection.

The number one goal for these attackers is to bypass all the security measures and remain in your compromised network. The network “home invasion” breach may still continue as these attackers hide in other rooms of your “house” (network). 

Best Practices to Fight Insider Threats  

“Treat your network as a hostile environment. Always assume the worst-case scenario; that you’ve been breached,” recommends Kellermann.  

Use the following 6 best practices to combat these insider threats. 

  1. Visibility is key—Know when you’re under attack, and when you aren’t. Conduct threat hunting on a monthly basis. Make sure you’re capturing all the data about your environment and storing it for at least 30 days. Leveraging data and analytics is crucial to creating a window into what is happening—or has happened. 
  2. Don’t have a kneejerk reaction—Don’t rush to turn off all your servers. Find out what they’re doing. You need to sit and watch them, map out their activity. 
  3. Take communications offline or on a separate channel—Odds are the attackers are monitoring your communications. Establish secure communications on a separate channel to make sure the attackers aren’t following your every move.
  4. Create a separate war room—Here you can do physical forensics on compromised hardware. Make sure the room is separate and controlled, too. It’s important to log all the activity.  
  5. Employ micro-segmentation—Flat networks are more susceptible to hacking methods, like lateral movement. Micro-segmentation divides the data center into distinct security segments, which are then assigned unique controls and services. 
  6. Cover your bases legally—As covered, it’s vital to log all the activity for analysis and research but also to have an audit trail.    
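As an added illustration of items 1 and 5 (this is example code, not code from the article or from VMware Carbon Black), the following Python check evaluates retained east-west flow records against a micro-segmentation allow-list and flags cross-segment connections no rule permits, the candidates for lateral movement; it also shows that the same records yield nothing to alert on when the network is flat. The hosts, segments, policy and flow records are all constructed.

```python
"""Added example: flag east-west flows that a micro-segmentation policy does not allow."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Constructed sample data: which host belongs to which security segment.
SEGMENTS = {
    "ws-17": "workstations",
    "web-01": "web",
    "app-01": "app",
    "db-01": "db",
}

# Constructed allow-list: (source segment, destination segment, destination port).
# Anything not listed is treated as denied; same-segment traffic is out of scope here.
POLICY = {
    ("workstations", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
}

# Constructed flow records, as a sensor or flow collector might retain them.
FLOWS = [
    Flow("ws-17", "web-01", 443),    # normal user traffic to the web tier
    Flow("web-01", "app-01", 8080),  # normal tier-to-tier traffic
    Flow("ws-17", "db-01", 5432),    # workstation talking straight to the database
    Flow("web-01", "ws-17", 445),    # web server reaching back into workstations
    Flow("app-01", "db-01", 5432),   # permitted app-to-db traffic
]


def find_violations(flows, segments, policy):
    """Return (flow, src_segment, dst_segment) for each cross-segment flow with no allow rule."""
    violations = []
    for f in flows:
        src_seg = segments.get(f.src, "unknown")
        dst_seg = segments.get(f.dst, "unknown")
        if src_seg == dst_seg:
            continue  # intra-segment traffic is not checked by this rule set
        if (src_seg, dst_seg, f.dport) not in policy:
            violations.append((f, src_seg, dst_seg))
    return violations


def flat_network_view(flows, hosts):
    """Same check with every host in one segment: a flat network surfaces no violations."""
    return find_violations(flows, {h: "corp" for h in hosts}, POLICY)


if __name__ == "__main__":
    for f, s, d in find_violations(FLOWS, SEGMENTS, POLICY):
        print(f"ALERT {f.src}({s}) -> {f.dst}({d}) port {f.dport}: no policy allows this")
    print("flat network alerts:", len(flat_network_view(FLOWS, SEGMENTS)))
```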

VMware Carbon Black User Exchange 

Where can you go to learn about more evolving threats and talk to like-minded security-focused individuals? Where can you share emerging threat insights?  

The VMware Carbon Black User Exchange lets you tap into the knowledge of 30K+ security professionals around the world. The community is a collective way for security professionals to share the latest threat intelligence, trends, best practices and ways for organizations—of all sizes and industries—to improve their security posture and combat threats.

“Our community shares write-ups and analysis through our rich telemetry of threats,” says Foss. “And our take is that we leverage those insights on threats to develop new protections for our products and harden our customers’ defenses.”

The cybersecurity battle is constantly changing and challenging. With evolving threats such as insider threats, it can seem a little daunting. However, the best practices and insights from the VMware Carbon Black security experts covered here can help our customers and partners combat these advanced threats, and help push the entire security industry forward.

Looking for more insights?  

Read Tom Kellermann’s article Modern Bank Heists’ Threat Report Finds Dramatic Increase in Cyberattacks Against Financial Institutions Amid COVID-19. 

Join the VMware Carbon Black Exchange 
