Watch Out for These Cybersecurity Ghouls  

Dwayne Thaele
5 min read
Everyone knows that October is the scariest month of the year. October brings Halloween and the traditional thrills, chills, tricks, and treats. When Cybersecurity Awareness Month is added for more suspense — even the staunchest of us may end up howling from fear at the full moon.  

Ghouls are rampant on Halloween, and cybersecurity boasts its own ghouls. Maybe not the type that want your blood, but they do want the next best thing: your data and, very often, your identity. These cybercriminals — or, in the spirit of Halloween, cyber ghouls — are actively looking for victims. Cyber ghouls operate day and night. Traversing the Internet like witches on brooms, they can reach almost anywhere on earth.  

Cyber ghouls: they can be anyone, anywhere

According to Verizon’s 2022 Data Breach Investigations Report [i], 82% of breaches involve the human element. The human element includes, but is not limited to, errors, policy violations, mistaken clicks on a malicious link in email, and intentional acts. Security teams spend considerable time analyzing and classifying the cyber ghouls behind the human element. 

Several types of cyber ghouls are looking to feed on businesses. Security teams need to understand their tactics, techniques, and procedures (TTPs). Threat intelligence and threat modeling are commonly used to understand and protect against cyber ghouls. 

Which cyber ghoul is the scariest of all? 

  • A leading contender for scariest cyber ghoul: organized crime. Organized crime is like werewolves. These groups may look like legitimate businesses; they are corporate-style in their approach and highly skilled, and some even provide benefits to their workers. They are motivated by money. They typically deploy ransomware, a sinister curse that encrypts a victim’s data and withholds the decryption key until a ransom is paid; many groups also steal a copy of the data first and threaten to publish it. Ransomware can severely cripple business and government agency operations.  
  • Also to be feared: well-funded, highly sophisticated state actors. State actors are the cyber ghoul version of vampires — real blood suckers. They focus on intelligence gathering but can also launch devastating cyber warfare against critical infrastructure such as energy and water utilities. Their targets are generally governments. State actors operate as advanced persistent threats (APTs): long-running, stealthy intrusions built to evade security controls, which makes them hard to detect.  
  • The goblins of cyber ghoulishness: hacktivists. They are hard to pin down, can change their guise to win a victim’s trust, and often associate themselves with legitimate causes. Hacktivist goblins deploy a variety of tactics to disrupt and discredit businesses and government agencies. They aren’t motivated by money or intelligence gathering. Instead, they’re driven by political, social, and religious fanaticism, making them the stuff of nightmares. 
  • The Frankenstein’s monster of the ghoul gang: script kiddies. Script kiddies are clumsy, not pretty, and assembled from miscellaneous parts slapped together to attack businesses. These ghoulish kiddies are amateurs in the dark world of cyber ghouls. They use businesses as a playground to polish their hacking skills and gain status with peers. With ready-made tool kits, such as Metasploit, they can reach business resources and wreak havoc. Like true monsters, they may be oafish, but they can cause a lot of damage. 

True horror: insiders

These cyber ghouls are horrifying enough to keep the best security teams up at night. But for a real Halloween fright — if you wanna see something really scary — look no further than insiders. Insiders are the cyber ghouls security teams should be the most anxious about. Insiders are like ghosts on Halloween: they’re difficult to see, full of surprises, and full of disruptive antics. 

Insiders are typically employees, contractors, and partners — those with valid access to business resources. Insiders present the quintessential security challenge: how to provide access, while also doing the monitoring required to detect harmful behaviors, all without interfering with legitimate processes. 

Insiders can be particularly ghoulish for two reasons. First, they can intentionally or unintentionally cause a cybersecurity incident. Second, insiders can be recruited or used by powerful external threats such as hacktivists, merging internal and external threats and creating a nightmare scenario for businesses. 

Ponemon’s 2022 Cost of Insider Threats Global Report [ii] is not for the faint-hearted. It notes that malicious insiders caused 26% of the security incidents studied, each with an average cost of $648,062. It also reports that 56% of the tracked incidents were caused by negligent insiders, with an average per-incident cost of $484,931. It is frightening to think that these businesses collectively had more to fear from trusted employees and partners than from external cyber ghouls. 

Security teams must focus on identifying insiders who intentionally seek to divulge corporate information or disrupt business operations. The task is made more difficult because insiders usually hold privileges that are appropriate to their role, so the access itself looks legitimate. More advanced identification approaches are necessary. Several indicators and techniques can be used to spot malicious insiders and their activity. They include: 

  • Analyzing user behavior patterns. This generally refers to how insiders access information and business resources. Analysis may include the type of device used, the journey or steps taken to reach the resource, the time of day, and errors (e.g., passwords entered incorrectly). Access that departs from a user’s established pattern is flagged for review. 
  • Creating decoy systems (honeypots). Security teams plant decoy applications, files, or credentials that no legitimate process needs. Any insider who touches one triggers a log entry that identifies a potential risk, with very few false positives. 
  • Leveraging user profiling. Some insiders, because of their status, may be actively monitored or have their privileges restricted. They may include employees subject to disciplinary action or termination, those with access to highly sensitive data, or those in senior positions of authority. The new category of insiders termed quiet quitters [iii] should also be profiled because of the potential risks they pose.  
  • Developing zero-trust architectures and least-privilege access policies. By using layered security and other techniques, security teams can limit the information insiders are permitted to access, so a compromised or malicious account can reach less. 
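The first two techniques above, behavior-pattern analysis and decoy data, can be demonstrated together on a handful of access-log lines. The script below is an added example written for this article, not code from the author or Rimini Street. The log format, the field names, the work-hours window, the failure-burst threshold and the honeytoken path are all assumptions, and every log line is constructed for illustration. It builds a per-user baseline (known devices and folders) from events before a cutoff date, then scores later events for a new device, off-hours access, an unfamiliar folder, a password-guessing burst that ends in a successful login, and any touch of a decoy file.

```python
"""Insider detection over constructed access logs (added example).

Assumptions (not any product's format): one event per line as
timestamp|user|device|resource|result, baseline built from events
before CUTOFF, alerts emitted for events at or after it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data. Alice works from one laptop on
# /finance during business hours, then at 02:14 an unknown device fails
# three times against an HR file, succeeds, and opens a decoy file.
SAMPLE_LOG = """\
2023-10-02T09:12:00|alice|LAPTOP-A1|/finance/q3-forecast.xlsx|ok
2023-10-02T09:40:00|alice|LAPTOP-A1|/finance/budget.xlsx|ok
2023-10-03T10:05:00|alice|LAPTOP-A1|/finance/q3-forecast.xlsx|ok
2023-10-04T08:55:00|alice|LAPTOP-A1|/finance/budget.xlsx|ok
2023-10-05T09:30:00|alice|LAPTOP-A1|/finance/ledger.xlsx|ok
2023-10-28T02:14:00|alice|UNKNOWN-7F|/hr/salaries.xlsx|fail
2023-10-28T02:14:30|alice|UNKNOWN-7F|/hr/salaries.xlsx|fail
2023-10-28T02:15:00|alice|UNKNOWN-7F|/hr/salaries.xlsx|fail
2023-10-28T02:16:00|alice|UNKNOWN-7F|/hr/salaries.xlsx|ok
2023-10-28T02:17:00|alice|UNKNOWN-7F|/hr/DO-NOT-OPEN-exec-comp.xlsx|ok
2023-10-03T14:00:00|bob|LAPTOP-B2|/eng/design.docx|ok
"""

# Decoy files planted by the security team (assumed path); nobody has a
# legitimate reason to open them, so any access is an alert on its own.
HONEYTOKENS = {"/hr/DO-NOT-OPEN-exec-comp.xlsx"}
CUTOFF = datetime(2023, 10, 20)   # baseline before, detection after
WORK_HOURS = range(7, 20)         # assumption: 07:00-19:59 is normal
FAIL_BURST = 3                    # failures within an hour of a success
FAIL_WINDOW = timedelta(hours=1)


def parse(log_text):
    """Turn the pipe-delimited text into event dicts, oldest first."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, device, resource, result = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "device": device, "resource": resource,
                       "result": result})
    return sorted(events, key=lambda e: e["ts"])


def build_baselines(events, cutoff):
    """Per-user set of known devices and top-level folders seen before cutoff."""
    base = defaultdict(lambda: {"devices": set(), "folders": set()})
    for e in events:
        if e["ts"] < cutoff:
            base[e["user"]]["devices"].add(e["device"])
            base[e["user"]]["folders"].add(e["resource"].rsplit("/", 1)[0])
    return base


def detect(log_text=SAMPLE_LOG, cutoff=CUTOFF):
    """Return one alert dict per anomalous event at or after cutoff."""
    events = parse(log_text)
    baselines = build_baselines(events, cutoff)
    recent_fails = defaultdict(list)   # user -> timestamps of failed attempts
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        user, ts = e["user"], e["ts"]
        reasons = []
        if e["resource"] in HONEYTOKENS:
            reasons.append("honeytoken access")
        profile = baselines.get(user)
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if e["device"] not in profile["devices"]:
                reasons.append("new device " + e["device"])
            if ts.hour not in WORK_HOURS:
                reasons.append("off-hours access")
            folder = e["resource"].rsplit("/", 1)[0]
            if folder not in profile["folders"]:
                reasons.append("new folder " + folder)
        if e["result"] == "fail":
            recent_fails[user].append(ts)
        else:
            burst = [t for t in recent_fails[user] if ts - t <= FAIL_WINDOW]
            if len(burst) >= FAIL_BURST:
                reasons.append(f"success after {len(burst)} recent failures")
            recent_fails[user] = []
        if reasons:
            alerts.append({"user": user, "ts": ts.isoformat(), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect():
        print(alert["ts"], alert["user"], "; ".join(alert["reasons"]))
```

Every one of Alice’s five late-night events is flagged, but the reasons matter more than the count: the fourth carries the failure-burst signal and the fifth the honeytoken hit, which are the two findings an analyst would act on first. In a real deployment the baseline would be learned over weeks rather than from five lines, and the hour window would be per user, but the structure (profile, compare, decoy) is the same.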

Insiders who are negligent but not malicious can also pose extreme security risks. For example, a simple misconfiguration of public cloud services can be exploited to facilitate costly data breaches [iv]. Negligent insiders are more difficult to identify because their behaviors and privileges are not flagged by traditional security tools; the mistake looks like ordinary administrative work. 
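The cloud misconfiguration mentioned above is usually a one-line mistake in an access policy, and the check that catches it is equally small. The snippet below is an added example for this article, not code from the author or any cloud provider’s tooling; the bucket name, account ID and role name are placeholders. It shows an S3-style bucket policy that a negligent administrator might write to “make the backups job work” beside a corrected version, and a function that flags Allow statements granting access to any principal with no condition attached.

```python
"""Flag bucket-policy statements that grant public access (added example).

Simplification (assumption): an Allow statement whose Principal is "*"
(or {"AWS": "*"}) with no Condition block is treated as public. Real
provider checks are more nuanced about which condition keys still
leave a policy public; this is the first-pass rule a reviewer applies.
"""
import json

# Constructed weak policy: the administrator opened the bucket to
# everyone instead of to the one role that needed it.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups",
                     "arn:aws:s3:::example-backups/*"],
    }],
})

# Constructed corrected policy: access is limited to one role, and a
# Deny with Principal "*" is fine because it only removes access.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BackupRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-backups/*",
    }, {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-backups",
                     "arn:aws:s3:::example-backups/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_statements(policy_json):
    """Return the Sids of Allow statements open to anyone without a Condition."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be unwrapped
        statements = [statements]
    flagged = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue                       # Deny never widens access
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue                       # narrowed; needs manual review, not auto-flag
        flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    print("weak policy public statements:", public_statements(WEAK_POLICY))
    print("fixed policy public statements:", public_statements(FIXED_POLICY))
```

A check like this belongs in the pipeline that applies the policy, where it can block the change before the bucket is exposed, rather than in a quarterly audit after the data has already been indexed by a crawler.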

Email security, which is closely tied to phishing and ransomware, receives a lot of emphasis from security teams. According to IBM’s 2022 Cost of a Data Breach Report [v], business email compromise and phishing incidents together represent the highest total breach cost — $9.6 million — and the highest-frequency attack vector (21%). This is why businesses are increasing their investments in employee awareness and education. They are also bringing disciplinary action against those who violate corporate security guidelines, especially repeat offenders. Businesses simply can’t risk costly mistakes. 

Because of the prominent role humans play in cybersecurity, implementation of training and awareness programs is highly valued by cyber-insurance assessors and is the second-most important factor after cloud security [vi]. Businesses seeking to transfer cyber risk to an insurance underwriter will find that they must show compliance with cybersecurity training programs. 

Perhaps the greatest concern posed by insiders isn’t from financial costs or harm to a business’s reputation but from the disruption of its relationships with employees and partners. Finding talent is proving to be a real challenge in today’s highly competitive job market. Businesses may not be able to hire as quickly or easily as in the past, because they will be compelled to perform more stringent background checks and implement programs to monitor employee activity. Though disciplinary action is needed to give security policies teeth, it may impact morale by eroding trust. However, cyber ghouls are all too real, and businesses need more than wreaths of garlic or fonts of holy water to mitigate the threat they create.  

About the Author:

Dwayne Thaele
Principal Product Manager, Security
Rimini Street

Dwayne has been a disruptor and innovator in technology for 30 years. His expertise and experience include over 20 years as a product manager specializing in cybersecurity. Dwayne has defined and launched many security products and services that have protected numerous customer environments in the US and around the globe. Additionally, Dwayne has been part of corporate security offices and deeply involved in developing and implementing security policies and standards. Dwayne’s areas of particular interest are honeypots and security operations.