Published on July 31, 2015
Motivations and insider factors
37 million users may have their personal data at risk as a result of this latest data breach. There are many factors to this breach that seem different than others that we have previously seen.
With most data breaches customers are pursuing legal counsel, speaking to media outlets, and appealing for justice and actions to protect themselves and their identity. Unlike other breaches, the clientele of these particular services will want (and hope) to remain anonymous so little public outcry can be expected from this incident unless the stolen data is actually released.
Very little has been heard from the attacker since the breach and the demands were made. They have maintained a low profile and so far have released only 2 customer names.
Just a few months earlier, another online “dating site” fell victim to a breach and had some 3.7 million users data in danger. In that case there was a $100,000 ransom was requested to not post the data.
So far, no money seems to have been involved in the Ashley Madison case – only the actor demanding that the services go offline. This obviously is financially impacting to the company. But does this financially benefit the actor?
So what other motives could come into play if not financial?
- Conflict of beliefs - Is the very nature of the services offered the main motivator for the attack?
- The demands that include permanently shutting down the website could support this motivation.
- Personal distress - Has the actor been harmed or hurt by a similar incident in their personal life? Did they suspect a loved one of using these services?
- Opportunistic targeting – The actor saw an opportunity (vulnerability, backdoor, or access method) and seized upon it.
- The attack demand and comments seem more personal and planned to be an opportunistic attack.
- Holding a grudge – An ex-employee or contractor that has had a previous bad experience, poor review or conflict with a co-worker.
- Disappointment or unmet goals in a job can cause personal conflict and turmoil that could encourage someone to make a poor decision.
From the beginning the parent company of Ashley Madison claimed that they had a good idea who was responsible for the data breach and that the person was “known” to them. There are several motivations that could have driven this to be an insider attack.
Let’s look at some of the insider indicators.
Several key indicators were seen that have lead the direction of the breach towards an insider.
- Prior knowledge of a potential attacker that the company has worked with.
- Previous indicators must have been seen that would have made this potential insider stand out as suspicious.
- It is likely the actor was technical in skillset as they were able to bypass control points and were able to find a vulnerability to exploit or conceal their actions to make detection more difficult.
- If the actor was an employee, could this breach be the result of IT sabotage? If an account was created or changed to have new access rights or elevated privileges this could indicate that a technical control point could have been intentionally modified.
- Third party vendors and staffing should be held to the same monitoring and detection routines with supplier assessments a key ingredient to success.
- References to the information security manager.
- The security manager was specifically called out and defended by name. Typically in a data breach, the lack of poor security and expertise is called out. Quite the opposite was done in this case with the security manager was told, “he couldn’t have done anything”.
- This indicates some kind of relationship and knowledge of the security manager close enough that they potentially attempted to save their job and deflect blame elsewhere.
- Knowledge of customer payment / account routines
- Did the actor have prior detailed knowledge of income, payment methods and customer behaviors, or was the information obtained during the data breach? The references to some of the business practices again seem very personal in nature.
Most likely threat actors
|1. Ex-employee / contractor||Highly likely|
|2. Hacktivist / Cyber crime group||Possible|
|3. Customer with technical expertise||Possible|
|4. Collusion with current employee||Unlikely|
- Insider events are not always financially driven. Many factors should be considered when analyzing motivators in the “prevent and detect” stage of an insider event. Ensuring that you are accounting for human elements and behavioral factors in your analysis is essential.
- Third party vendors and partners should be held accountable to the same standards and policies as the company who has ownership of the data. This should include insider threat detection and monitoring on anyone with access or knowledge to critical systems. Some of the largest breaches have been the result of poor controls being in place with external vendors and partners, this falls under the classification of insider threats.
- Behavior analytics can be used to help identify unusual traffic patterns or spikes in activities, such as outbound data and privileged account misuse.
- Data breaches are difficult to detect and avoid, when insiders are involved. The ability to prevent becomes even more difficult without the use of behavior analytics.
- This breach could likely be business ending for Ashley Madison who was on the verge of an IPO. The reputational damage as a result of an insider breach cannot be under estimated to any company regardless of the industry or services being provided.