Preventing cybersecurity betrayal in real-life 'Among Us'

October 06, 2021 08:54

Although created a few years before the world went into lockdown, something about the simple app-based game Among Us truly tapped into the pandemic zeitgeist like nothing else. On the one hand, it was a community-based game that worked perfectly in our new Zoom-based reality — while on the other, it tapped into the mounting dread that we were becoming more disconnected from other people.

For those who don’t know, Among Us is like the old board game Cluedo remixed with a paranoid 1970s sci-fi film like Alien and adapted for the digital age. The online game has gained popularity around the world, including in Hong Kong, with more than 264 million downloads worldwide.

Those in the cybersecurity space may not find Among Us to be exactly escapist, considering they play a real-life, high-stakes version of this game every single day.

Insider Threats by the Numbers

The Ponemon Institute’s 2020 Cost of Insider Threats report found the average global cost of insider threats rose by 31% in two years to $11.45 million, while the number of total incidents nearly doubled (rose 47%) in the same time period. It showed that Asia-Pacific (APAC) had an average annual cost associated with an insider threat of $7.89 million.

The study explored three primary insider threat profiles:

● negligent insiders (those who unintentionally cause issues)
● criminal and malicious insiders (those who intentionally cause damage) and
● credential thieves (those who target login information to gain unauthorised access to applications and systems).

Out of these three profiles, employee or contractor negligence was the most frequent source of insider threat incidents in APAC, with an average of 13 incidents annually, a significant gap from the other profiles. It is followed by criminal and malicious insiders, with an average of 4.5 incidents annually, and credential thieves, with an average of 1.4 incidents annually.

Meanwhile, the 2021 Verizon Data Breach Investigations Report (DBIR) found that 99% of incidents classified under the “privilege misuse” category were driven by internal actors. As the report states, “This pattern is an uncomfortable one — this is where the people we trust betray us.” The DBIR found financial gain to be the most common motivator at 67%, yet it revealed several other drivers: fun (17%), a grudge against the employer (14%), espionage (9%), convenience (3%) and ideology (1%).

The insider threat is very real, very hard to spot and makes balancing efficient daily workflows and stringent, always-on security a real challenge. It’s all fun and games until you find yourself alone in the electrical bay with an imposter — figuratively and/or literally, as the case may be.

The Insider Security Conundrum

Ironically (or not), one of Among Us imposters’ more popular “kill zones” is in the vessel’s security room. While crew members are in the room surveilling other areas via security cams, they can’t see what’s happening right behind them.

Working undercover is precisely how insider threats operate, and it’s what makes them so difficult for cybersecurity experts. By focusing on keeping the bad guys out, it’s easy to miss what’s right over your own shoulder. And these threat actors have a leg up — the most crucial thing outside attackers are looking to acquire is something that insiders already have, and that’s legitimate access. Using stolen credentials from other corporate identities, insiders can easily move throughout systems, elevating their access and worming further into privileged systems to steal data or use it in ways they shouldn’t.

Before devising a strategy for shoring up security measures against threats in your own house, it’s important to consider where this responsibility ultimately falls. Is it solely the purview of the info security teams? Or do HR and legal bear some responsibility since insider threats track back to hiring and potential employee vetting? The answer, like so much involved in the digital world, is the more communication and cooperation you have between departments and leadership, the better equipped you will be to uncover and mitigate threats from within. To revisit our Among Us analogy, the fewer dark rooms and unmonitored pathways you have, the less likely malicious actors will be able to move about undetected. Shining those lights is vital.

No Trust, No Sus

In this new reality of remote and hybrid work, you can’t simply separate the “good” guys from the “bad” guys because they often look alike. What’s more, sometimes a person will start as one and eventually become the other. The solution is to trust no one until you can continuously verify that they are who they say they are before granting access. This means there are no darkened rooms, no hidden vents and far less uncertainty that when someone unlocks and enters a specific “room,” they are there only to do their assigned task and nothing else.

To combat insider threats, organisations should adopt this “Zero Trust” approach, a strategic cybersecurity model designed to protect modern digital business environments. It generally follows the same mindset as the players in Among Us: everyone is “sus” unless verified or proven otherwise. It goes a long way in proactively managing insider threats by limiting disruption, strengthening security resilience and protecting resources, particularly in hybrid cloud environments.

The threat may be coming from inside the house, but security measures must go well beyond a few doors and walls.

Zero Trust would make Among Us far less fun to play for sure, but it makes operating in our new boundary-less world a whole lot safer. Tricking your friends with casual sabotage can be fun when it’s a game, but it’s much less so when millions of dollars and reams of sensitive data are at stake.


Vice President, Asia Pacific & Japan, CyberArk