Image courtesy of IT Security Central

This article is the final one in a series about the Darknet. This collection of eight articles focuses on bridging the gap between stolen information, insider threats, and the darknet. You can expect to learn about the journey of information after it is stolen, how insiders help set up the breach, and what you can do to protect your company from darknet insiders.

As we have gone through this series and presented some of the ins and outs of the darknet, you may be wondering whether it is even possible to protect yourself from an insider who knows about the darknet. The short answer is yes! The more complex answer is that you may need to update some policies, technology, and practices if you want to defend against darknet-enabled and professional insiders. Some of these suggestions are within your capacity to implement regardless of budget, while others may require more investment in cyber security. We’re going to jump right in: below you can find some of the best practices you can adopt to fortify your organization against the Darknet.

Removable Media Policies

As you’ve read the articles you’ve likely noticed something: most darknet tools can be booted from removable media such as USB sticks or DVDs. Unless a role has a very specific requirement for removable media, it should be banned at all costs. Allowing removable media on your devices lets darknet-enabled insiders boot Tor, Tails, VPNs, and a host of other software without leaving a trace on those devices. Thankfully you are able to block it not just with a written policy but also through data loss prevention software, which can block any and all removable media from being loaded on your devices. This way an insider would have no ability to run malicious programs on your network. The main remaining threat here would be administrators or other superusers, who typically have the rights to override such controls.

Prevent Shutdown/Restart

Another helpful measure is to prevent users on your network from being able to shut down or restart devices. Tails and other USB operating systems require the user to restart the device and change the boot order in the BIOS setup menu so that it loads from the USB drive before the device’s HDD. If an insider is able to do this, they can use Tails without ever touching the main hard drive. By removing the ability to shut down or restart a device on your network, you prevent them from being able to use any darknet tools on your network. While this control seems simple, it does a lot to remove power from a malicious insider’s toolkit.

Endpoint Control (Devices)

One of the most overlooked areas of security that insiders take advantage of is poor endpoint security management. In order to protect your network you will need to manage which devices connect to it. This is referred to as endpoint security management, and it consists of policy controls that require a device to meet certain criteria before it is able to connect to your network. The requirements can include things such as a defined operating system, antivirus, software requirements, or permissions settings. Most of these controls can be configured strictly enough that insiders cannot customize their devices to get around network controls.

Document Control

While Microsoft Office has been useful for many organizations, it is one of the most heavily targeted pieces of software for hackers to abuse. Regardless of the application, whether PowerPoint, Excel, or another Office program, it is the use of macros that allows hackers to load an Office file with malware that runs upon being opened. Some of the most high-profile insider data breaches have happened because an employee downloaded a suspicious file and opened it exactly as a hacker told them to in an email. Macro-based viruses are able to impact both PCs and Macs. If you want devices to be secure across your network it may help to start using an online office suite. One of the most popular is Google Docs, but some companies are concerned about their data being used by a third party. In these cases you are able to use other online office applications such as OnlyOffice and Collabora Online. These would exist on your own servers and network, giving you complete control over how data is shared.

Activity Monitoring

While it may seem tough to catch insiders who go on the dark web, there is one thing they cannot get around while on your network: monitoring. Tor is able to obscure network traffic, but it cannot block activity monitoring on the device itself. While activity monitoring can be considered a catch-all for a variety of tools, it has one basic purpose: to record. Whether it is email monitoring, website monitoring, keystroke logging, session playback, or application monitoring, the function is to record activity and track suspicious behavior. Keylogging is one of the best methods to catch an insider. Even if an insider somehow was able to circumvent the measures above, you can still track what they are typing on the device. With keylogging and other monitoring tools you can easily compile enough evidence to take action on a malicious insider.

User Behavior Analytics

Behavior analytics provides the best return on investment when it comes to insider threat detection. The technology establishes a baseline behavior profile for each user on your network and for the network itself. Once a baseline is established, administrators and managers can be notified when there are suspicious deviations in behavior from any user or from the network itself. For example, if an insider circumvented access controls and started to download files they were not allowed to access, administrators would be notified and so would the insider’s manager. Depending on the setup of the system, the user could be automatically locked out of their account until further notice. When it comes to darknet-enabled insiders, behavior analytics would help detect suspicious behavior immediately.
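The baseline-and-deviation logic described in this section, run over the kind of activity records the Activity Monitoring section says agents collect, as an added Python example; this is not code from the article or from IT Security Central. The log format, the users and volumes, the "mean plus three standard deviations with a 25% floor" rule, and the lock/notify actions are all assumptions made for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample agent log (not from the article): "day user path bytes allowed",
# one download per line; "allowed" is the access-control decision for that file.
SAMPLE_LOG = """\
1 alice /share/sales/q1.xlsx 120000 yes
2 alice /share/sales/q2.xlsx 110000 yes
3 alice /share/sales/q3.xlsx 130000 yes
4 alice /share/sales/q4.xlsx 125000 yes
5 alice /share/hr/payroll.xlsx 90000 no
6 alice /share/eng/src.zip 9000000 yes
1 bob /share/eng/src.zip 8000000 yes
2 bob /share/eng/build.zip 8500000 yes
4 bob /share/eng/build.zip 8100000 yes
6 bob /share/eng/src.zip 8400000 yes
6 carol /share/sales/q1.xlsx 100000 yes
"""
BASELINE_DAYS = 4  # days used to learn each user's normal daily download volume

def parse_log(text):  # -> [(day, user, path, bytes, allowed), ...]
    return [(int(d), u, p, int(b), a == "yes") for d, u, p, b, a in map(str.split, text.splitlines())]
def daily_totals(events):
    totals = defaultdict(lambda: defaultdict(int))  # user -> day -> bytes downloaded
    for day, user, _, size, _ in events:
        totals[user][day] += size
    return totals
def build_baseline(events):
    """Per-user threshold: mean + 3 stdev of daily volume, floored at 125% of the mean."""
    thresholds = {}
    for user, days in daily_totals(e for e in events if e[0] <= BASELINE_DAYS).items():
        vols = list(days.values())
        mean = statistics.mean(vols)
        sd = statistics.stdev(vols) if len(vols) > 1 else 0.0  # one day: no spread yet
        thresholds[user] = mean + max(3 * sd, 0.25 * mean)  # floor avoids noise alerts
    return thresholds
def detect(events, thresholds):
    """Return sorted (user, day, reason, action) alerts for post-baseline activity."""
    alerts = set()
    for day, user, _, _, allowed in events:
        if not allowed:  # access control circumvented: lock out, notify admin and manager
            alerts.add((user, day, "unauthorized_access", "lock_account"))
    for user, days in daily_totals(e for e in events if e[0] > BASELINE_DAYS).items():
        for day, vol in days.items():
            if user not in thresholds:  # never seen in baseline: cannot judge, escalate
                alerts.add((user, day, "no_baseline", "notify"))
            elif vol > thresholds[user]:
                alerts.add((user, day, "volume_above_baseline", "notify"))
    return sorted(alerts)
```

Bob's steady multi-megabyte downloads never alert because his own baseline absorbs them, while Alice's unauthorized payroll access and her sudden jump in volume, and a user with no baseline at all, each produce a distinct alert.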

If there is one thing to take away from this series and its brief exploration of darknet dynamics, it would be that insiders today are never truly alone. Any insider at any time can strike with the full capability of a professional hacker. Your best bet is to be prepared against insider-caused data breaches.

This post was originally published in IT Security Central and was reprinted with permission.