As you\u2019ll soon learn in the following insider threat examples, these insidious threats may not be as easy to identify as you may think. Explore a few examples of such threats and what you can do to identify and quickly deal with them.<\/p>\n\n\n\n
Let\u2019s hash it out.<\/span><\/p>\n\n\n<\/span><\/span>\n\n\n In February 2024, Verizon Communications Inc. informed the Office of the Maine Attorney General<\/a> of a data breach involving the personally identifying information (PII) of more than 63,000 individuals (82 of whom were Maine residents). The incident, which took place in September 2023, wasn\u2019t discovered until nearly three months later.<\/p>\n\n\n\n According to a sample letter<\/a> provided to the AG (contributed by Vasileios Toulas at Bleeping Computer), \u201ca Verizon employee obtained a file containing certain employee personal information without authorization and in violation of company policy.\u201d Some types of employee information that may have been exposed include:<\/p>\n\n\n\n Although admitting to any data breach is akin to eating a bite of humble pie (i.e., no company wants negative publicity but hopes it\u2019ll be recognized for doing the right thing), this example is pretty mild as far as insider threat-related situations are concerned.<\/p>\n\n\n\n In a statement to Bleeping Computer<\/a>, Verizon\u2019s spokesperson Rich Young said the incident wasn\u2019t thought to have been done with malicious intent, and that the company didn\u2019t refer the incident to law enforcement. But it does make one wonder: what was the employee\u2019s intent when accessing employee data \u201cwithout authorization and in violation of company policy\u201d as claimed in the sample letter?<\/p>\n\n\n\n Of course, we shouldn\u2019t assume malicious intent (a la<\/em> Hanlon\u2019s Razor<\/a>) when it could be something that\u2019s simply explained through stupidity or incompetence. But what if your organization is<\/em> facing an insider threat example that\u2019s nefarious or malevolent in nature? Then things aren\u2019t so simple.<\/p>\n\n\n\n Even cybersecurity companies that specialize in identifying threats can fall prey to insider threats. KnowBe4, one of the world\u2019s leading cyber awareness and training companies, recently shared some eye-opening lessons<\/a> learned after discovering it hired a suspected nation-state actor.<\/p>\n\n\n\n The company thought it was hiring a U.S.-based worker for its Principal Software Engineer role. Instead, it hired an imposter from North Korea who used remote tools to mask his true location from his new employer.<\/p>\n\n\n\n According to the company\u2019s previously mentioned blog post about the situation:<\/p>\n\n\n\n \u201cOn July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55pm EST. When these alerts came in KnowBe4\u2019s SOC team reached out to the user to inquire about the anomalous activity and possible cause. XXXX responded to SOC that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise.<\/em><\/p>\n\n\n\n The attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. He used a raspberry pi to download the malware. SOC attempted to get more details from XXXX including getting him on a call. XXXX stated he was unavailable for a call and later became unresponsive. At around 10:20pm EST SOC contained XXXX’s device.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n This incident is an example of a larger trend by North Korean nation-state actors to infiltrate U.S. businesses using so-called \u201claptop farms<\/a>.\u201d (I\u2019ll speak more about those later.) \u00a0<\/p>\n\n\n\n The good news for KnowBe4 and its clients is that \u201cno illegal access was gained, and no data was lost, compromised or exfiltrated on any KnowBe4 systems.\u201d That\u2019s great news, and it provided a great \u201clessons learned\u201d moment to share with the industry.<\/p>\n\n\n\n KnowBe4\u2019s situation is a great example of being on top of your company\u2019s security and acting quickly and decisively in the face of extreme threats. It took approximately 25 minutes from the time the SOC detected the threat to when the team shut down the device. (Check out the link at the beginning of this section to read more about the incident and how KnowBe4 expertly took steps to address it before muck hit the fan.)<\/p>\n\n\n\n Now that we\u2019ve seen a situation turn out positively overall, let\u2019s look at another recent insider threat situation that didn\u2019t go as smoothly for the company involved\u2026<\/p>\n\n\n\n The U.S. Attorney\u2019s Office for the Northern District of California<\/a> alleges that a former Google employee stole info regarding the company\u2019s artificial intelligence (AI) platform on behalf of two Chinese startup companies. The press release states that Linwei Ding, also known as Leon Ding, has been charged with four counts of trade secrets theft after stealing \u201cover 500 confidential files containing AI trade secrets[.]\u201d<\/p>\n\n\n\n The March 2024 indictment states<\/a> that Ding began working at Google in May 2019 and began \u201cuploading Google Confidential Information from Google\u2019s network into a personal Google Cloud account (‘DING Account 1’) on May 21, 2022, and continued periodic uploads until May 2, 2023.\u201d \u00a0<\/p>\n\n\n\n According to the indictment, Google monitors and logs \u201ccertain data transfers to and from Google\u2019s network,\u201d including file transfers to Google Drive and Dropbox. However, because of the way that Ding exfiltrated and processed the data prior to uploading, he was able to avoid immediate detection.<\/p>\n\n\n\n During the period he was allegedly stealing data, Ding also participated in investor meetings in China for one of the companies, Beijing Rongshu Lianzhi Technology Co., Ltd. (\u201cRongshu\u201d for short), where he was chief technology officer (CTO). He also pitched his second business at a Chinese startup incubation program for his second company, Shanghai Zhisuan Technology Co. Ltd. (\u201cZhisuan\u201d), where he was acting chief executive officer (CEO).<\/p>\n\n\n\n Google caught wind that Ding was representing himself as the chief technology officer (CTO) of one of the Chinese startups, \u201cRongshu.\u201d It conducted an internal investigation into Ding\u2019s malicious and then handed over the information to the FBI.<\/p>\n\n\n<\/span><\/span>\n\n\n Data from Cybersecurity Insiders and Securonix shows<\/a> that insider attacks increased from 66% in 2019 to 76% of surveyed organizations in 2024. Although it\u2019s not the only way that insider threats infiltrate companies, one way that makes it easier for international insiders to carry out their \u201cdirty deeds\u201d is to infiltrate U.S. companies by posing as domestic IT workers<\/a> using the laptop farms mentioned earlier.<\/p>\n\n\n\n Laptop farms are discrete operations set up in remote locations throughout the U.S. that take advantage of companies\u2019 remote IT work opportunities. They\u2019re dummy locations where domestic conspirators host many laptops sent by legitimate U.S. companies to the people posing as legitimate new hires. The cybercriminals working internationally access these U.S.-based proxy devices remotely, enabling these overseas actors to appear like they are working domestically.<\/p>\n\n\n\n In May, the U.S. Department of Justice (DOJ) indicted five people<\/a> thought to be involved in a massive fraud scheme involving North Korean-based insider threats. A woman in Arizona, Christina Marie Chapman, along with three unnamed foreign nationals, were charged in connection with helping North Korean IT workers pose as U.S. employees<\/a> using stolen or \u201cborrowed\u201d identities. The fifth individual, Oleksandr Didenko from Poland, was charged with engaging in similar conduct.<\/p>\n\n\n\n The DOJ reports that more than 300 U.S. companies were defrauded in the scheme. According to the earlier-cited May 16 press release:<\/p>\n\n\n\n \u201cThe overseas IT workers [\u2026] were paid millions for their work, much of which has been falsely reported to the IRS and the Social Security Administration in the name of the actual U.S. persons whose identities were stolen or borrowed.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n As you can see from these insider threat examples, these criminals\u2019 activities don\u2019t just mean bad headlines for your company. They also wreak havoc on businesses in a multitude of other ways:<\/p>\n\n\n\n Last year, Ponemon Institute and DTEX reported<\/a> that it took companies an average of 86 days to contain insider threat incidents once they were discovered. The average global cost? $701,500 per incident. But that\u2019s not all. The report\u2019s data shows that companies globally spent an average of $16.2 million over a 12-month period on \u201cactivities that deal with insider threats.\u201d <\/p>\n\n\n\n But insider threats aren\u2019t necessarily in-and-out scenarios. Some are \u201clong cons\u201d that can last years or even decades<\/a>.<\/p>\n\n\n\n Stu Sjouwerman, CEO of KnowBe4, provided some excellent tips and advice for businesses on how to thwart these types of threat actors in his blog post that I linked to earlier in section #2. It includes everything from IT prevention tips and insider threat indicators to look out for to recommended process improvements (including for HR). Be sure to read that article to read those specific tips.<\/p>\n\n\n\n Landon Winkelvoss, co-founder at Nisos Inc.<\/a>, responded to a LinkedIn post<\/a> by investigative reporter Brian Krebs on KnowBe4\u2019s situation. Winkelvoss (named \u201cLandon W.\u201d on LinkedIn) shared some additional recommendations for how companies can avoid similarly falling for AI-based insider threats. One such recommendation is to track the laptop\u2019s physical location instead of the shipping address:<\/p>\n\n\n\n \u201cWe have detected patterns of \u201claptop farms\u201d derived from anomalies between the alleged location of the IT worker (fraudulent US person identities), the shipping address of the laptop, and the address listed on the I9 form.\u201d<\/em> \u2014 Landon Winkelvoss, co-founder at Nisos Inc.<\/p>\n<\/blockquote>\n\n\n\n That\u2019s definitely one useful approach. But what else can you do to avoid becoming the next insider threat example to make headlines?<\/p>\n\n\n\n DigiCert Trust Lifecycle Manager is an all-in-one PKI & certificate lifecycle management (CLM) solution. Explore how this tool can help you keep a close eye on your PKI and avoid certificate outages.<\/p>\n\n\n\nA Look at 3 Recent Insider Threat Examples That Made Headlines<\/h2>\n\n\n\n
1. Verizon\u2019s Employee Accesses Data They Shouldn\u2019t<\/h3>\n\n\n\n
\n
2. KnowBe4 Hires Nation-State Actor Posing as Legitimate IT Worker<\/h3>\n\n\n
![\"Insider](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/08\/insider-threat-examples-fake-employee.png\")
\n
3. Google Software Engineer Indicted for Stealing AI IP For Chinese Startups<\/h3>\n\n\n\n
\u2018Laptop Farms\u2019 Enable Overseas Threat Actors to Appear as U.S. Workers<\/h2>\n\n\n\n
![\"Insider](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/08\/laptop-farm-concept-insider-threat-examples-1024x639.jpg\")
\n
Why Insider Threats Suck So Much for Companies and Their Customers<\/h2>\n\n\n\n
\n
What Your Company Can Do to Avoid or Mitigate Insider Threat Risks<\/h2>\n\n\n\n
\n
\n
![\"\"](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/02\/trust-lifecycle-manager-dashboard-tools-1024x516-1.png\")
<\/figure>DigiCert Trust Lifecycle Manager Simplifies PKI & Digital Certificate Management<\/h2>\n\n\n\n