
Insider threats and AI: the wolf inside the door

With AI powered cyber-crime tools on the increase, Kamil Fedorko at Intellias discusses the key actions that organisations can take to tackle insider threats as part of their overall security strategies

Whether deliberate or accidental, research shows a 47% increase over the last two years in breaches caused by employees. Furthermore, it is estimated that a third of all businesses will endure an incident related to insiders, at an astonishing cost of $15.38m per event.

Insider threats have been a significant issue for organisations for many years, but the introduction of GenAI has now raised their threat level to a critical height. In the hands of an employee, what looks like a helping hand can inadvertently expose the organisation to new vulnerabilities. In the hands of a cyber-criminal, it has the potential to be a formidable weapon.

The impact of Generative AI

In the hands of bad actors, AI tools are being utilised to significantly speed up the development and distribution of malware. Additionally, popular, accessible platforms such as ChatGPT and Bard make it simple to create a PowerShell socket listener with worm-like functionality to distribute malicious code across devices at speed.

At the same time, new AI models are emerging and becoming a hit with hackers, such as DarkBERT, which can be modified for illicit usage, and WormGPT which assists in the creation of phishing emails and malware. Doubtless, these represent only a fraction of the vast array of tools at the disposal of criminals.

Plus, there’s a healthy illegal trade in hacked credentials and malicious scripts, which can be used to deploy malware and ransomware. This threat is aggravated by criminals putting cash on the table for employees at target companies who can offer the right credentials to get past corporate security, as seen with the LockBit 2.0 breaches.

Malicious or accidental? It hurts either way

Unhappy employees may get paid to offer security details; careless employees can cause similar damage unintentionally. And AI makes it more likely either way. That’s why some companies are forbidding the use of AI entirely.

There are a number of potential issues: unauthorised use of IP, accidental creation of new PII, libel, and compliance with broader regulations, among others; but leading the field are the security dangers that unsupervised AI use could introduce, not least by covering the tracks of bad actors.

These risks are amplified when organisations connect with genuine third parties, such as contractors and suppliers who might also have access to critical systems. To improve consumer protection, legislation is becoming more stringent and fines heftier for organisations which lack sufficient security.

However, it’s not just about the penalties; a breach has other consequences that could destroy a company. Sensitive IP and personal data being sold on the dark web can lead to enormous brand damage and reputational harm.

Simply put, no customer will buy a product or service that puts them at risk; something senior management often ignores when allotting cyber-security budgets. Newer businesses are especially prone to downplaying these risks, thinking that their start-up status somehow makes them safer. The fact is that, regardless of size or age, no company is immune to insider threats. They are among the most potent risks, and among the hardest to protect against without limiting the daily activities of employees. Nevertheless, there are controls that can be deployed to minimise risk and optimise continuity.

Preparing for the worst-case scenario

At the heart of any sensible corporate approach to AI and insider threats is training. Begin by developing a comprehensive AI usage policy, which outlines the acceptable use of AI and the consequences of misuse. The policy should also include guidelines on how to identify and report suspicious activities.

Then, implement a rigorous training programme to provide guidance on how to use AI safely and securely, covering topics such as identifying and reporting suspicious activities, recognising phishing emails, and understanding the risks associated with AI.

With training in place and regular risk assessments scheduled, it’s time to look more closely at your whole approach to risk management. For most companies today, zero trust (assuming that no user, device, or network can be trusted) is the way forward, helping comply with GDPR and HIPAA and providing audit trails to ensure data privacy.

Next, undertake comprehensive threat modelling to map out the likelihood and impact of malicious attacks, with a corresponding incident response plan. It is critical to grasp the chain of communication and process to be followed in the event of an attack. Understanding how to manage an incident internally, control external communications, and uphold compliance obligations is crucial to withstanding a breach.

Once these measures are in place, with a firmly embedded zero trust culture, organisations might want to further bolster their security via a range of additional capabilities, such as user behaviour analysis (UBA), data loss prevention (DLP), and extended detection and response (XDR) solutions.

Taking these vital steps and fostering a cyber-security approach that follows these principles will minimise the risk of attacks and the damage done when they do occur.

With a tried and tested incident control and response plan in place, the risks of AI-enabled insider threats will reduce; just make sure you continually refresh and refine your plans.

Kamil Fedorko is Global Cyber-security Practice Leader at Intellias