Know Your Adversary Podcast

EP11: KYA – Extortion Attempt of $300,000 Was an Insider Threat

Episode 11 | Feb 23, 2023

We chat with an undisclosed security team that prevented an insider threat actor from extorting $300,000 from a global company.


In Episode 11 of Know Your Adversary®, we chat with an undisclosed security team that prevented an insider threat actor from extorting $300,000 from a global company. The six-month investigation ended in the arrest of the suspect, who, as it turns out, was motivated by pride and money.

One morning, the security team received an email demanding $300,000 as an extortion payment, or the data would be released. Once the attacker provided “proof of life” showing they possessed the data, it became clear that they held elevated internal access, beyond what a remote actor operating from abroad (Russia being the typical origin of such extortion attempts) would have. Thankfully, the global company had a robust security program that allowed the team to move into high gear and track down the actor within weeks.

While many think of grandiose espionage examples like the former Soviet spies Aldrich Ames and Robert Hanssen, in the private sector two common themes are observed with insider threats when malicious acts go beyond negligence and into malfeasance: greed and ego. This case was no different, and it drives home important practices for an insider threat program.

Including: 

  1. Robust Open Source Intelligence Capability: Looking outside-in, your team should have the ability to collect external data that can be matched against internal telemetry. This means having collection against social media, and telemetry that can alert on sensitive data leaks to third-party file sharing services (Dropbox, OneDrive, etc.). 
  2. Logging: It’s important to have inventory and access logs from the applications most important to the business. When sensitive data is leaked to the internet, a security team will almost certainly start by looking at the logs of the applications where the leak originated.
  3. Security Awareness Program: Building trust within the employee base, so that employees become their own sensor network working with the security team, always helps an insider threat program.
  4. Forensics Capability: Rapid forensics capabilities will almost always be needed when an alert fires for an insider data leak.