Mapping the motives of insider threats

Insider threats can take many forms, from the absent-minded employee failing to follow basic security protocols, to the malicious insider, intentionally seeking to harm your organization.

motives insider threats

Some threats may stem from a simple mistake, others from a personal vendetta. Some insiders will work alone, others at the behest of a competitor or nation-state.

Whatever the method and the motives, the results can be devastating. The average cost of a single negligent insider incident exceeds $300k. That figures increases to over $755k for a criminal or malicious attack and up to $871k for one involving credential theft.

Unlike many other common attacks, insider attacks are rarely a smash-and-grab. The longer a threat goes undetected, the more damage it can do to your organization. The better you understand your people – their motivations, and their relationship with your data and networks – the earlier you can detect and contain potential threats.

Insiders’ drivers

Insider threats can be loosely split into two categories – negligent and malicious. Within those categories are a range of potential drivers.

As the mechanics of an attack can differ significantly depending on its motives, gaining a thorough understanding of these drivers can be the difference between a potential threat and a successful breach.

Financial gain

Financial gain is perhaps the most common driver for the malicious insider. Employees across all levels are aware that corporate data and sensitive information has value.

To an employee with access to your data, allowing it to fall into the wrong hands can seem like minimal risk for significant reward.
This is another threat that is likely higher risk in the current environment. The coronavirus pandemic has placed millions of people under financial pressure, with many furloughed or facing job insecurity. What once seemed an unimaginable decision, may now feel like a quick solution.


Negligence is the most common cause of insider threats, costing organizations an average of $4.58 million per year.

Such a threat usually results from poor security hygiene – a failure to properly log in/out of corporate systems, writing down or reusing passwords, using unauthorized devices or applications, and a failure to protect company data.

Negligent insiders are often repeat offenders who may skirt round security for greater speed, increased productivity or just convenience.


A distracted employee could fall into the “negligent” category. However, it is worth highlighting separately as this type of threat can be harder to spot.

Where negligent employees may raise red flags by regularly ignoring security best practices, the distracted insider may be a model employee until the moment they make a mistake.

The risk of distraction is potentially higher right now, with most employees working remotely, many for the first time, often interchanging between work and personal applications. Outside of the formal office environment and distracted by home life, they may have different work patterns, be more relaxed and inclined to click on malicious links or bypass formal security conventions.

Organizational damage

Some malicious insiders have no interest in personal gain. Their sole driver is harming your organization.

The headlines are full of stories about the devastating impact of data breaches. For anyone wishing to damage an organization’s reputation or revenues, there is no better way in the digital world than by leaking sensitive customer data.

Insiders with this motivation will usually have a grievance against your business. They may have been looked over for a pay rise or promotion, or recently subject to disciplinary action.

Espionage and sabotage

Malicious insiders do not always work alone. In some cases, they may be passing information to a third-party such as a competitor or a nation-state.

Such cases tend to fall under espionage or sabotage. This could mean a competitor recruiting a plant in your organization to syphon out intellectual property, R&D, or customer information to gain an edge, or a nation-state looking for government secrets or classified information to destabilize another.

Cases like these are on the increase in recent years. Hackers and plants from Russia, China, and North Korea are regularly implicated in cases of corporate and state-sponsored insider attacks against Western organizations.

Defending from within

Just as they affect method, motives also dictate the appropriate response. An effective deterrent against negligence is unlikely to deter a committed and sophisticated insider intent on causing harm to your organization.

That said, the foundation for any defense is comprehensive controls. You must have total visibility of your networks – who is using them and what data they are accessing. These controls should be leveraged to limit sensitive information to only the most privileged users and to strictly limit the transfer of data from company systems.

With this broad base in place, you can now add further layers to counter specific threats. To protect against disgruntled employees, for example, additional protections could include filters on company communications to flag high-risk vocabulary, and specific controls applied to high-risk individuals, such as those who have been disciplined or are soon to be leaving the company.

Finally, any successful defense against insider threats should have your people at its heart.

You must create a strong security culture. This means all users must be aware of how their behavior can unintentionally put your organization at risk. All must know how to spot early signs of potential threats, whatever the cause. And all must be aware of the severe consequences of intentionally putting your organization in harm’s way.

Medical Debt Collection Firm R1 RCM Hit in Ransomware Attack

R1 RCM Inc. [NASDAQ:RCM], one of the nation’s largest medical debt collection companies, has been hit in a ransomware attack.

Formerly known as Accretive Health Inc., Chicago-based R1 RCM brought in revenues of $1.18 billion in 2019. The company has more than 19,000 employees and contracts with at least 750 healthcare organizations nationwide.

R1 RCM acknowledged taking down its systems in response to a ransomware attack, but otherwise declined to comment for this story.

The “RCM” portion of its name refers to “revenue cycle management,” an industry which tracks profits throughout the life cycle of each patient, including patient registration, insurance and benefit verification, medical treatment documentation, and bill preparation and collection from patients.

The company has access to a wealth of personal, financial and medical information on tens of millions of patients, including names, dates of birth, Social Security numbers, billing information and medical diagnostic data.

It’s unclear when the intruders first breached R1’s networks, but the ransomware was unleashed more than a week ago, right around the time the company was set to release its 2nd quarter financial results for 2020.

R1 RCM declined to discuss the strain of ransomware it is battling or how it was compromised. Sources close to the investigation tell KrebsOnSecurity the malware is known as Defray.

Defray was first spotted in 2017, and its purveyors have a history of specifically targeting companies in the healthcare space. According to Trend Micro, Defray usually is spread via booby-trapped Microsoft Office documents sent via email.

“The phishing emails the authors use are well-crafted,” Trend Micro wrote. For example, in an attack targeting a hospital, the phishing email was made to look like it came from a hospital IT manager, with the malicious files disguised as patient reports.

Email security company Proofpoint says the Defray ransomware is somewhat unusual in that it is typically deployed in small, targeted attacks as opposed to large-scale “spray and pray” email malware campaigns.

“It appears that Defray may be for the personal use of specific threat actors, making its continued distribution in small, targeted attacks more likely,” Proofpoint observed.

A recent report (PDF) from Corvus Insurance notes that ransomware attacks on companies in the healthcare industry have slowed in recent months, with some malware groups even dubiously pledging they would refrain from targeting these firms during the COVID-19 pandemic. But Corvus says that trend is likely to reverse in the second half of 2020 as the United States moves cautiously toward reopening.

Corvus found that while services that scan and filter incoming email for malicious threats can catch many ransomware lures, an estimated 75 percent of healthcare companies do not use this technology.

New Proofpoint Enterprise Archive capabilities help streamline e-discovery and supervision processes

Proofpoint announced numerous enhancements to its award-winning Proofpoint Enterprise Archive solution to help customers streamline e-discovery and supervision processes and reduce related costs.

Deployed by top organizations worldwide, Proofpoint Enterprise Archive is a proven, cloud-native, modern archiving solution that delivers unmatched search performance, supported by an industry-leading and financially backed service level agreement (SLA).

“Proofpoint has been recognized by Gartner as a Leader in the Magic Quadrant for Enterprise Information Archiving for eight consecutive years and we believe today’s advancements are the latest example of our commitment to ongoing innovation,” said Darren Lee, executive vice president and general manager of Compliance and Digital Risk for Proofpoint.

“Our new Proofpoint Enterprise Archive capabilities enable legal teams to assume more control over e-discovery, relieve overburdened IT staff, and empower supervision analysts with greater visibility and increased accuracy in ensuring regulation compliance.”

A complete end-to-end solution, Proofpoint Enterprise Archive uses cloud intelligence and machine learning to help solve the most challenging long-term information retention, e-discovery, and supervision requirements.

Streamlined e-discovery to increase efficiency and reduce costs

A new case management feature, which is part of the Discovery Analytics module, will now organize e-discovery elements into cases for efficient orchestration and tracking, helping legal teams efficiently perform more analysis in-house.

With Proofpoint Enterprise Archive, users can uncover relevant information in a fraction of the standard search time, with blazing search performance averaging 20 seconds or less. Once uncovered, critical information is preserved and exported in a variety of common file formats.

Refined insights expand visibility for mitigating risks

A new Compliance Risk Dashboard with Intelligent Supervision makes it easy for teams to quickly visualize major compliance risks and rule violation trends for further investigation. This people-centric view helps identify individuals that require targeted action and opportunities for broad training on specific types of violations.

Enhanced regulatory compliance supervision

Enhanced regulatory compliance supervision to improve review accuracy across email, social, and enterprise collaboration data. Organizations worldwide rely on Proofpoint Enterprise Archive and its broad supervision feature set to effectively manage SEC, FINRA, and IIROC compliance with extensive capture, monitor, and reporting functionality.

This includes new Intelligent Supervision features for biasing sampling towards problematic content, segmenting review subsets for greater scrutiny, and surfacing trends for low-value content that can ultimately be filtered out.

Criminals boost their schemes with COVID-19 themed phishing templates

Phishers are incessantly pumping out COVID-19 themed phishing campaigns and refining the malicious pages the targets are directed to.

“Credential phishing attackers often tailor their email lures with themes they believe will be the most effective and use general websites for actual credential harvesting. The recent move to create custom COVID-19 payment phishing templates indicates that buyers view them as effective enough to warrant custom tactics to harvest credentials,” Proofpoint researchers have noted.

The COVID-19 themed phishing templates

Cybercriminals have eagerly embraced the opportunities brought on by the COVID-19 pandemic. One of those is the fact that many governments and non-governmental organizations are offering crucial information about the virus and/or financial assistance.

The crooks have put in a lot of effort into creating convincing phishing page templates to impersonate these organizations and make it easier to quickly set up new pages once current ones get blacklisted.

Most of the templates aren’t exact copies of the impersonated websites, but they do copy their look and feel – and that’s often enough to fool many targets.

For example: the multi-layered template that spoofs the legitimate Canadian government website starts with a page that asks users to chose whether they want to continue using the site in English or French (the country’s two official languages), and then offers the credential phishing pages in the chosen language.

COVID-19 themed phishing

Another template that impersonates the US Internal Revenue Service (IRS) first tells the potential victim they are eligible for financial aid as part of the COVID-19 relief program and then leads them to the page asking for their personal information.

Similar schemes are used to impersonate Her Majesty’s Revenue and Customs (HMRC) in the United Kingdom, the French government, the World Health Organization (WHO), the US Centers for Disease Control (CDC), and so on.

COVID-19 themed phishing

The crooks are exploiting people’s anxiety and despair to steal login credentials for a variety of online accounts – Gmail, Office 365, Outlook, etc. – as well as sensitive information such as names, addresses, social security/insurance numbers, payment card information, and so on.

So far, ProofPoint researchers have seen more than 300 different COVID-19 campaigns this year and, as the COVID-19 situation continues to unfold, they expect these kinds of attacks to continue and threat actors to offer additional tools that can make those attacks easier to carry out.

Phishers exploit Zoom, WebEx brands to target businesses

Proofpoint researchers have spotted and documented email phishing campaigns targeting US companies in a variety of industries with emails impersonating Zoom and Cisco (WebEx).

phishing Zoom WebEx

Phishing emails impersonating Zoom and WebEx

“Video conferencing has become very popular very quickly. Attackers have noticed and moved to capitalize on that popularity and brand strength,” noted Sherrod DeGrippo, Proofpoint’s Senior Director of Threat Research at Proofpoint.

“Not only are attackers using video conferencing brands as a lure for malware, but they’re using it for credential phishing, in particular to steal Zoom and WebEx credentials.”

Some of the lures are not particularly original, but will surely fool some of the targets. For example, an email that welcomes users to their new Zoom account and requests them to activate their account, or an email that claims that the user has missed a scheduled Zoom conference meeting (see above).

In both cases, the attackers are after account credentials, either for Zoom or for the target’s email account.

The fake emails purportedly coming from Cisco are a mishmash of unconnected visual elements and subject lines that command attention (e.g., “Critical Update!” or “Alert!”):

phishing Zoom WebEx

Many targets will spot the malicious nature of the email almost immediately, as it warns about an old vulnerability in a software that has nothing to do with Cisco WebEx (apart from the fact that both are developed by Cisco.) But there’s always some recipients who panic or are inattentive enough at the moment of perusal and will end up entering their login credentials.

The value of compromised video conferencing accounts is obvious. “Stolen account credentials could be used to login to corporate video conferencing accounts and violate confidentiality. They also could likely be sold on the black market or used to gain further information about potential targets for launching additional attacks,” DeGrippo noted.

Malware delivery campaign

The researchers have also spotted a email malware delivery campaign that does not impersonate the aforementioned developers of video conferencing solutions, but does exploit their widespread use.

The emails are made to look like they are coming from a potential client who asked for a quote, says they are available for a call via Zoom, and contain a booby-trapped Excel file in the attachment, supposedly containing the sender’s schedule.

To view the contents, the recipient is asked to enable macros. If they do, the macros execute a script that, unbeknownst to the victim, installs a legitimate remote control application, which the attackers then use to access files and information on the compromised system.

Users are warned to be on the lookout for these and similar lures, and to keep in mind that phishers love nothing more than (ab)using popular brands as social engineering lures. These specific campaigns were directed at employees in US companies in the technology, accounting, aerospace, energy, healthcare, telecommunications, transportation, government, and manufacturing sectors.

Cyber crooks continue to exploit COVID-19 for their malicious schemes

A time of chaos is a time for opportunity for unscrupulous individuals and groups, and COVID-19 is seemingly an unmissable boon for cyber crooks.

We’ve already covered a variety of COVID-19-themed scams, phishing attempts, hoaxes and malware delivery campaigns, but new and inventive approaches are popping up daily.

The latest schemes and scams that exploit COVID-19

Proofpoint researchers have observed COVID-19 being used as a pretext in BEC scams:

exploit COVID-19

“BEC attacks are often delivered in stages. The first email sent is typically innocuous, meaning that they do not contain the attacker’s end goal. The attackers craft plausible scenarios in hopes the recipient will reply. Once they’re on the hook, the attacker will send their true ask. (I need you to buy gift cards, wire transfer funds, etc.),” the researchers explained.

“These coronavirus-themed BEC attacks often come with spoofed display names, which are likely real people known to the recipient. In the body of this message, the actor attempts to eliminate the possibility of voice-verification, in hopes of ensuring a higher success rate, by saying their phone is ‘faulty at the moment.’”

They’ve also spotted an assortment of fake notices impersonating doctors and local health agencies and institutions (aimed at the general population), as well as more targeted emails aimed at enterprises (employees), such as fake internal emails for credential phishing attacks impersonating the organization’s president, IT staff, risk manager, and so on.

Scammers are also trying to make media and advertising companies spread URLs of scammy websites to their audience – they offer money for the placing of the URL in a prominent place (e.g., on top of their most recent YouTube video description).

exploit COVID-19

Malvertising campaigns and extortion

There has also been a spike in malvertising campaigns on coronavirus-themed news stories, delivering malicious Flash Player updates.

ESET researchers have spotted COVID-19-themed extortion emails:


The sender is threatening to infect every member of the recipient family’s “with the Coronavirus” if he or she doesn’t deliver $4000. To make the threat more believable, the scammer uses leaked passwords in an attempt to create the impression that they know a lot about the recipient.

SpyCloud researchers have been keeping an eye on popular online criminal forums and have noticed:

  • A threat actor advertising a service in which they craft coronavirus-focused scam letters and scam sites for customers
  • A threat actor sharing instructions for cracking and taking over meal-kit delivery accounts, to take advantage of the fact that many people are ordering food online while attempting to practice social distancing. Another threat actor is offering to sell stolen meal-kit delivery codes.

Finally, with many, many people around the world losing their job due to the current situation, Brian Krebs says that cyber criminals have already started trying to trick them into becoming money mules. The pretext? They would be collecting and transmitting donations for an international “Coronavirus Relief Fund.”

Healthcare cybersecurity in the time of coronavirus

Brno University Hospital, in Brno, Czech Republic, which is one of the country’s Covid-19 testing centers, has recently been hit by a cyberattack. The nature of the attack has yet to be shared, but looks like it might be ransomware. The result? Some surgeries have been postponed and some patients redirected to nearby hospitals.

healthcare cybersecurity coronavirus

On Sunday, the US Health and Human Services Department was hit by a distributed denial of service (DDoS) attack that, luckily, did not impact the agency’s operation in a meaningful way. Its website, which provides information to the US public about how to cope with the Covid-19 situation, was not affected by the attack.

By now, those hoping that cybercriminals would spare healthcare organizations from cyber attacks while the Covid-19 virus spreads across the world must have realized that there are always people who have no qualms about exploiting a bad situation for their own advantage.

Nothing’s changed, really

“We’d like to think that in a world where everyone is effectively in the same boat, a sense of togetherness, an unwritten code of conduct, or even a sense of morality would prevent bad actors from doing bad things – even if just temporarily. This obviously is not the case and if anything should serve as a reminder to organizations that one threat hasn’t been traded for another,” Adam Laub, CMO, Stealthbits, told Help Net Security.

“To the contrary, individuals and groups that prey on the weak will likely look to take advantage of this dire situation, causing more disruption to organizations already reeling from the financial distress, business disruption, and human resource nightmare the coronavirus pandemic has inflicted in just a short period of time,” he added.

“What’s particularly disturbing about this latest incident at the U.S. Health and Human Services Department is that the intent of the attack appears to be driven entirely by malice, seeking only to prevent the men and women trying desperately to protect millions of American citizens from harm from doing their jobs, as well as spread false information in order to generate more panic and uncertainty.”

Patients might end up bearing the brunt of successful cyber attacks but, Covid-19 or no Covid-19, the danger for healthcare organizations has effectively remained the same – only the stakes got higher.

Healthcare organizations must remain vigilant on all fronts

It is crucial for healthcare organizations and agencies not to ignore cybersecurity and data protection at this moment.

Educating healthcare employees about the increased risk of ransomware attacks, Covid-19-themed phishing attacks and disinformation is more important than ever.

Nurses and other healthcare professionals are, according to Proofpoint, one of phishers’ preferred targets as they have access to all the data.

Generally, healthcare organizations share many weak links and attack surfaces as every other industry – phishing attacks on employees, cloud infrastructure and a remote workforce – but there are some challenges only they face, notes Sam Roguine, a director at Arcserve.

These include the security of medical devices, Wi-Fi access for patients (the patient Wi-Fi network should be fully isolated from the primary one) and, at the moment, shifting priorities driven by the Covid-19 outbreak.

“If the scenarios in Italy or China were to repeat in the United States, many hospitals will be in ‘Code Black,’ which is when the influx of patients is bigger than what hospital can handle. Hospitals will have to prioritize patient care, reducing the focus on everything else, including business continuity and disaster recovery (BCDR) and cybersecurity. This is a gap that hackers are going to leverage,” he noted.

Healthcare organizations must implement best-in-class centralized security with enhanced detection and response, review security practices, and include every aspect of the organization’s operations – not just obvious IT systems like servers, but also medical devices, employees wearables, cloud services, patient systems, and more, he says, and recommends them to follow the NIST Cybersecurity Framework for every aspect of their operations.

“CISOs must remain very vigilant. Cyberattacks can and will affect hospital operations, and the ability of healthcare organizations to cope with Covid-19 patients. When CISOs plan for scenarios like this one, cybersecurity, backup, disaster recovery and continuous availability technologies cannot be underestimated or placed on the backburner,” he concluded.

Over half of organizations were successfully phished in 2019

Nearly 90 percent of global organizations were targeted with BEC and spear phishing attacks in 2019, reflecting cybercriminals’ continued focus on compromising individual end users, a Proofpoint survey reveals.

phishing attacks 2019

Seventy-eight percent also reported that security awareness training activities resulted in measurable reductions in phishing susceptibility.

The report examines global data from nearly 50 million simulated phishing attacks sent by Proofpoint customers over a one-year period, along with third-party survey responses from more than 600 information security professionals in the U.S., Australia, France, Germany, Japan, Spain, and the UK.

The report also analyses the fundamental cybersecurity knowledge of more than 3,500 working adults who were surveyed across those same seven countries.

A people-centric approach is recommended

“Effective security awareness training must focus on the issues and behaviors that matter most to an organization’s mission,” said Joe Ferrara, senior vice president and general manager of Security Awareness Training for Proofpoint.

“We recommend taking a people-centric approach to cybersecurity by blending organization-wide awareness training initiatives with targeted, threat-driven education. The goal is to empower users to recognize and report attacks.”

End-user email reporting, a critical metric for gauging positive employee behavior, is also examined within this year’s report. The volume of reported messages jumped significantly year over year, with end users reporting more than nine million suspicious emails in 2019, an increase of 67 percent over 2018.

The increase is a positive sign for infosec teams, as there’s a trend toward more targeted, personalized attacks over bulk campaigns.

Users need to be increasingly vigilant in order to identify sophisticated phishing lures, and reporting mechanisms allow employees to alert infosec teams to potentially dangerous messages that evade perimeter defenses.

Phishing attacks in 2019: Key takeaways

More than half (55 percent) of surveyed organizations dealt with at least one successful phishing attack in 2019, and infosecurity professionals reported a high frequency of social engineering attempts across a range of methods.

88 percent of organizations worldwide reported spear-phishing attacks in 2019, 86 percent reported BEC attacks, 86 percent reported social media attacks, 84 percent reported SMS/text phishing (smishing), 83 percent reported voice phishing (vishing), and 81 percent reported malicious USB drops.

Sixty-five percent of surveyed infosec professionals said their organization experienced a ransomware infection in 2019; 33 percent opted to pay the ransom while 32 percent did not. Of those who negotiated with attackers, nine percent were hit with follow-up ransom demands, and 22 percent never got access to their data, even after paying a ransom.

Organizations are benefitting from consequence models. Globally, 63 percent of organizations take corrective action with users who repeatedly make mistakes related to phishing attacks. Most infosec respondents said that employee awareness improved following the implementation of a consequence model.

Many working adults fail to follow cybersecurity best practices. Forty-five percent admit to password reuse, more than 50 percent do not password-protect home networks, and 90 percent said they use employer-issued devices for personal activities. In addition, 32 percent of working adults were unfamiliar with VPN services.

Recognition of common cybersecurity terms is lacking among many users. In the global survey, working adults were asked to identify the definitions of the following cybersecurity terms: phishing (61 percent correct), ransomware (31 percent correct), smishing (30 percent correct), and vishing (25 percent correct).

phishing attacks 2019

These findings spotlight a knowledge gap among some users and a potential language barrier for security teams attempting to educate employees about these threats. It’s critical for organizations to communicate effectively with users and empower them to be a strong last line of defense.

Millennials continue to underperform other age groups in fundamental phishing and ransomware awareness, a caution that organizations should not assume younger workers have an innate understanding of cybersecurity threats. Millennials had the best recognition of only one term: smishing.