img img img img

How to craft an insider threat?

How to craft an insider threat?

It doesn’t require a lot of effort to achieve it and the below story is an example of how simple things from real life can catalyze it in an unexpected way.


Step 1. We need a bad time manager skill and a host

I had a scheduled meeting in an organization as a client. Once the time passed I was in front of the desk of the employee just like a swiss atomic watch. Unfortunately the employee had a regular meeting and the journey just began. I had to wait about 15 minutes before we started, just watching and listening calmly and carefully without disturbing.


Step 2. We need a bad culture and a toxic leader with a legitimate power 

The employee started appearing nervous from the situation, because I had to wait 15 minutes. On one hand I was there waiting and full of expectations to start dealing with the planned visit. On the other hand, there was a person in the virtual meeting with enough power to interfere with the decision to leave the meeting and start engaging with me. Once the employee decided to leave the virtual meeting no matter the consequences with an apology and then we started to discuss our planned topic.

The situation also created a precedent for potential annoyed customers which will double the consequences and the damage for the organization from few perspectives: customer churn, inefficient management, frauds and losses.


Step 3. We need a victim under an emotional affect who feels guilt and a situational pressure to resolve the situation

Eventually at the end of our conversation I get back on the situation and start asking questions about the virtual meeting, the topic, how often it happens, how interesting it was and why the employee was unable to leave it and start engaging with me in time and many more open questions. The answers start flowing in the air in an intuitive way without any barriers one by one revealing the internal organization state and hidden artifacts.

This is how social engineering and the involved information elicitation do work and the trivial phishing campaigns are just the top of the iceberg.


Step 4. We need enough information about the organization, structure, stakeholders

The above situation and the information gathering gave me good insight into what a person stays on the other side of the line, what personality traits has, what kind of legitimate power has and how to identify it in real life and within the organization, what resources and assets they both do control and of course other interesting info. Last, but not least, what is the organizational atmosphere and culture and how it can be exploited for malicious operations externally.


Step 5. We need to analyze the information and start designing the attack and maximizing the likelihood to succeed and the effect from it. 

All above information can be used by wide and infinite combinations and posibilites. At cyber world it may produce a well organized cyber attack abroad from the victim’s perspective. Physically and socially it may produce a well organized  personal vulnerabilities that may be exploited for control of power and decision making which may lead to primary and second degree frauds and voilations with power.


Step 6. Push the button and execute the attack. 

The Pandora’s box will be opened and all the miracle will happen. The effectiveness of the attack would depends on the involved technical and non technical factors from the malicios actor side as function of the organizational, team and infrastructure effectivenesses. In other words the malicios actors may not work alone and they may represent solid organizations and well organized fraud and battle machines.


Why is this important?

  • Malicious actors can walk everywhere exploring the world unidentified and the organizations should focus not only to the cyber world, but the physical and social world as well.
  • Malicious actors need to target somebody inside and what a beautiful coincidence to identify a person with a legitimate and coercive power and a relative subordinate susceptible to attacks.
  • Bad leadership and bad culture will multiply the likelihood of the success of an attack
    The bad time management is just an example and it can be changed to anything else which can influence teammates, colleagues, subordinates and customers in a negative way
  • Managers with power must be wise and they should be catalysts of a good culture of shared values instead of a bad one, because the organizatuional security is also being influenced by a such factors
  • We’re all humans who are prone to attitudes and behavior and a nice and positive attitude may safe time, life and a whole organization

Last but not least – all above would not happen if the planned meeting was being started just in time.