CrowdStrike Highlights Magnitude of Insider Risk
The impetus for CrowdStrike's new professional services came from last year's activity by the Famous Chollima threat actors, who used fake IT workers to infiltrate organizations and steal data.
When CrowdStrike alerted 200 customers last summer that its OverWatch managed threat-hunting service discovered endpoint telemetry indicating that the company might have at least one fake IT employee working for it, many were initially doubtful that they were among those affected.
Upon further investigation, though, it turned out that 40% of them were victims of a North Korean APT group that recruits people to apply for open tech jobs and, when hired, use their network access to deploy malware and steal data. The spike in activity by the group, known as Famous Chollima, was the impetus for last week's launch of CrowdStrike's Insider Risk Service, a set of professional services for detecting rogue IT workers and improving hiring practices.
Famous Chollima, a group of threat actors from North Korea, used rogue IT workers to infiltrate over 300 companies, according to a May announcement by the US Department of Justice. Several perpetrators were charged with allegedly defrauding US companies through online job sites and payment platforms, using locally hosted proxy computers. Victims discovered that the malicious IT employees had installed malware, notably BeaverTail or InvisibleFerret, or had exfiltrated data.
According to the Justice Department, it was the largest criminal scheme of its kind involving IT workers, resulting in an estimated $6.8 million in losses.
"I think it's significantly higher than $6.8 million; I would say it's on the order of tens of millions of dollars," Adam Meyers, CrowdStrike's senior VP for counter adversary operations, told attendees at the company's annual Fal.Con customer event in September.
Customers Initially Dubious
CrowdStrike's chief global services officer, Thomas Etheridge, recalls customers' initial skepticism that they may have unwittingly hired fake IT workers.
"We had many organizations that absolutely said, 'Thank you, but we don't have that problem,' and then they later reached back out to us and said, 'We realize you were absolutely spot on,'" Etheridge tells Dark Reading.
According to 467 cybersecurity professionals surveyed for Securonix's "2024 Insider Threat Report," the share of organizations reporting insider attacks rose from 66% in 2019 to 76% last year. Moreover, 90% said insider attacks are equally or more challenging to discover than external attacks.
CrowdStrike cites research from the Ponemon Institute, which found that 71% of organizations experienced between 21 and 41 insider incidents in 2023 — up from 67% over the previous year. The report also found that the annual cost of insider threats averaged $16.2 million per organization.
Data from 1,542 security decision-makers responding to Forrester Research's 2024 Security Survey indicated that 23% of data breaches resulted from internal incidents. Joseph Blankenship, VP and research director for Forrester's Security & Risk practice, says addressing insider risk is more complex than external threats.
"It's difficult to discern normal insider behavior from potentially malicious or accidentally harmful behavior," Blankenship says. "Insider risk services help to test the technology and processes organizations use to detect and respond to insider incidents."
CrowdStrike's New Services Portfolio
CrowdStrike's Insider Risk Service provides assessments of the overall security gaps that enable both malicious and unintentional internal threats, as well as of HR hiring processes.
"We have some really rich telemetry around identity, around what threat actors are doing and the tooling they're using to remain persistent and undetectable in an environment, and we use those same techniques and tools to uncover insider activity," Etheridge says. "Putting a lot of these things together and bringing the people and process aspect to it really can help an organization up-level and mature their insider-risk program."
The offering consists of a program in which CrowdStrike's consultants examine an organization's approach to insider risk and perform technical reviews to discover gaps and recommend improvements. The services also include tabletop exercises and red team simulations to test what defenses are in place and explore ways to discover vulnerabilities.
Not surprisingly, the services rely on threat intelligence and telemetry gathered from CrowdStrike's flagship Falcon platform and its OverWatch 24x7 threat-hunting service team. While major IT consulting firms such as Accenture and EY, as well as smaller service providers, offer risk assessment services, Etheridge touts CrowdStrike's platform as an advantage.
"These organizations are coming to us because we have a lot of the telemetry that they would need to understand the difference between normal activity occurring in the organization and non-normal activity," Etheridge says.
Meanwhile, activity from Famous Chollima is down from last year's peak, though Etheridge expects variations on this type of insider threat to continue.
"It's not out of the realm of possibilities for other threat actors to try to either mimic or come up with another creative way to try to infiltrate companies," he says.
Forrester's Blankenship agrees.
"I believe threat actors like Famous Chollima will continue to be a risk," he says. "Without measures in place to confirm the identities of employees and contractors, organizations will continue to be vulnerable to threat actors posing as legitimate workers. Ongoing monitoring for suspicious insider behavior is also necessary to detect these threat actors."