About Guest Speaker Gregory Barbaccia
Gregory Barbaccia is an expert in counterintelligence, insider threat, and corporate espionage. He spent five years on active duty as an Intelligence Sergeant in the US Army including tours to Iraq and Afghanistan, is an alumnus of the U.S. Intelligence Community, and recently left Palantir Technologies after ten years where he last served as head of their internal threat intelligence team. He is a member of ASIS International, the Society of Professional Investigators, and the Association of Former Intelligence Officers.
Paul: Today, we want to dig deep into your expertise in insider threat and how you see that being impacted in the coming months as we finish 2020, a year that honestly has been uncomfortable for many of us.
For those who aren’t that familiar with the attack vector of insider threat, can you help to shed light on it with an incident that was recently reported?
Gregory: Insider threat is certainly a fascinating vector, referring to both witting and unwitting actors within your organization, but they could also be people around the periphery such as significant others or contractors having privileged access to your business facilities.
A pretty interesting recent 2018 case here in Atlanta featured a home improvement and contracting company that acquired another company. With this acquisition, they inherited a system administrator, who wasn’t exactly pleased with the business decision. When he resigned in July 2018, he basically sabotaged the company by changing all the router passwords and shutting down one of the company’s critical command servers. And this cost the company more than $800,000 in damages. What this goes to show is that something like an acquisition treads on cultural and social borders, potentially creating problems like this.
Paul: That’s very interesting and I think it’s particularly true here in Asia, where a lot of the cases that we investigate from an incident response perspective contain some element of damage from insider threat.
Today, we’re seeing layoffs happening across the world. And with layoffs and disgruntled employees, there is a ton of intellectual property and confidential documents that can be taken out with these outgoing employees. What is your take on this?
Gregory: It's certainly true that almost every business has some sort of a secret sauce to protect and employees need access to these materials to function at their job. So there are just so many routes for exfiltration that it's just impossible to curb everything you know. Most government environments make it impossible for the data to be scanned, as we've seen with big government leaks in the US and elsewhere. Having overly burdensome security policies affects morale. Worse, people try to find ways to circumvent, because invariably, people always choose convenience over security. So I always say that technical measures are great, but what's really at the root of all this is company culture and a lot of mechanisms you could put in place to stop motivated inside attackers from doing the damage.
Paul: I completely agree and, you know, one thing I say all the time is that the best thing every organization can implement is a security culture.
For security teams and organizations that are new to this topic, how do you advise they manage this risk?
Gregory: This is actually a pretty exciting time because there are so many off-the-shelf solutions. If you can't stop an attack, these solutions can help you know when such insider threat situations happen and attribute the incident. Governing privilege and access are certainly becoming a standard operating procedure in a lot of places, for instance VPNs and Zero Trust Models, where even if I’m authenticated to the network, I must still be trusted and verified various times as I bounce between internal resources. I like this least privilege model of people having the minimal amount of access to do their jobs.
This goes back to protecting your people and not making them targets if your organization has adversaries. The less access to sensitive business or financial information an employee has, the more protected your organization. Reducing the number of targets in your organization is important.
Paul: Completely in agreement. Single Sign-On (SSO) is another important yet convenient solution today.
You’ve spent the bulk of your career in the US, Iraq, and Afghanistan. From your experience, do you see any differences in how insider threats need to be managed in different regions? As a follow up to that, since Horangi is based in Asia, do you think it’s any different in our region in Asia?
Gregory: Corporate culture certainly matters and differs from country to country. A culture of trust and transparency is vital. In the U.S., people want to have a great sense of ownership in the outcomes of companies they work for. Transparency is especially important in big companies. You don’t want to become a victim of people’s curiosity.
Like I mentioned earlier, employee outreach assistance programs should be supported so you understand when any employee is having a hard time. You don’t want leaking company data to be considered a viable option, but it to be socially acceptable for employees to talk to managers comfortably about things at home that might affect their work.
As far as Asia, I recently read a Sophos study that assessed security maturity. India and Singapore are ranked higher compared to Japan, Malaysia, and the Philippines. The report was based on things like the management of InfoSec programs, if they’ve been tested in real world incidents, etc. Some thought they had better defenses than they did in reality. Also, what was interesting was that a few were more pessimistic, and they actually were better in reality than what they thought they were.
Paul: Yeah, exactly. The Singapore government is also doing a lot here to support bigger companies, their infrastructures, and SMEs.
We recently released an infographic that talked about how employees can better protect themselves and their business data while working from home, especially as it is becoming the new normal. From your perspective, what are the top security risks that employers need to be concerned about?
Gregory: The way the industry puts it is that the attack surface area is so much wider now. You used to be on corporate resources, probably in an office with some sort of InfoSec team protecting against threats on a fortified, constantly updated network. But now we are introducing new endpoints from the home to the office network, with people shooting corporate emails with their home routers. Plus, not every organization uses a VPN. And not everyone is diligent about firmware patches on their routers and their IoT devices like fitness tracking apps.
Because people are so cooped up now, they want to work from coffee shops, and again you introduce a whole different set of hardware devices interpreting your communications. I’ve been in bars and Amtrak trains and have definitely heard things discussed by people that were nearly business sensitive.
Paul: It’s no different in Singapore, when I visit coffee shops and there are people taking phone calls. Sometimes it’s obvious who they work for just based on their t-shirt. And you could even figure who they were talking to on the other side, whether a customer or colleague.
I’m sure you’ve seen a fair share of cases in your investigative and consultative work, and you aren’t allowed to mention any names. Are you able to share what you see are common mistakes in those attacks and data breaches?
Gregory: Aside from physical stuff like mugging to getting your car stolen, a key principle is that you never want to be a soft target. I always say that we are our own worst enemy by being sloppy, lazy, and careless; choosing convenience over security just gives attackers an edge over you.
There are easy ways to become a hard target. Password managers are a great way and the first best thing you can do to protect yourself online, as opposed to reusing some simple password. Financial accounts and emails are the biggest killers for someone legitimately targeted.
I’ll go back to the zero trust model, where giving people the least amount of information at least ensures that even if an endpoint is compromised, it’s going to be the least amount of damage. Reminds me of something from my military days called field stripping, which I still practice when I leave my house: in essence, I carry the minimum amount of things in my wallet. So at least even if I lose my wallet, I don’t lose the maximum in my life. These are things that people can think of, even if it’s impossible to make yourself impervious to attacks.
Paul: For anyone who wants to learn more about what you do and insider threat, are there any books or resources that you recommend?
Gregory: I’m a big fan of a gentleman named Michael Bazzell. He’s the leader in the world of open-source intelligence gathering. He's also amazing at online identity protection and obfuscation. He's got two really great books: Open-Source Intelligence and Extreme Privacy, which even talk about procuring illegal vehicles and real estate without exposing your name.
I also have a personal blog called Intelligence Et Cetera where I put all this interesting stuff up, covering insider threat, espionage, and interviews. Please feel free to check that out.
Paul: Any final words for the audience before we close?
Gregory: Be very wary of coincidences; your spidey-sense is always right. When there’s a weird coincidence-based question at a coffee shop or something, you know you might be targeted. So always have a healthy sense of paranoia, and keep your eyes and ears open!