The Norse Corporation performed research of the Sony Hack and determined that there was a disgruntled employee fired in May 2013 who had super privileges to most of the infrastructure. Norse also determined that the English written malware used to execute the attacks included system administrator credentials that were not changed after the disgruntled system administrator left and could have only been retrieved by an insider. Senior vice president of Norse Corporation, Kurt Stammberger, stated that there was a group involved in executed the attack that included two people in the U.S., one in Canada, one in Singapore, and one in Thailand. None of the members of the group have any ties to North Korea. Whether you believe it was North Korea behind the attack or not does not preclude the fact that employee credentials of system administrator were used, to include those of the disgruntled employee. In fact HyTrust president and co-founder Eric Chiu stated it clearly that, The insider threat is the number one attack vector today and can lead to the greatest damage.

Other examples include:
 January 2014 – a computer contractor stole 27 million records from Korea Credit Bureau (40% of the South Korea population)
 February 2014, Barclays Bank loss control of 27,000 customer files potentially worth millions on the black market
 February 2014, Target announced a thirty party heating and air conditioning contractor was behind the breach
 March 2014, DuPont announced a proprietary formula was sold by an employee to a competitor in China
 May 2014, EnerVest employee is convicted of causing hundreds of thousands of dollars indamage to EnerVest when he learned that he was going to be fired
 June 2014, an AT&T employee improperly access 1,600 customer accounts and possibly use the information to jail-break locked phones
 September 2014, UMB Bank reportedly lost more than $650,000 to an employee generating fraudulent checks over the course of 4 years
 In 2015, the OPM breach lost the data of millions of federal employees, contractors, and military and it was found a Unix systems administrator for the project was in Argentina and his co-worker was physically located in China and had privileged access to every row of data in every database.

So, these examples of insider threat and those similar to Bradley Manning and Edward Snowden data breaches, begs the questions of how could this happened with all the monitoring and security in place, and what could have been done to prevent it?
There are a bunch of common best practices that could have helped. These include changing passwords after a system administrator leaves, patching the system regularly, using cameras to monitor employees, two-factor authentication of privileged users, monitoring employees via background checks, financial checks, and their social media.

Although these practices do help, the most comprehensive solution to catch an insider is to use insider threat detection and monitoring software.
Phalanx Secure has a solution to record user and device activity using artificial intelligence software that monitors at the kernel level as well performs behavioural analysis for every user, group, and endpoint.
The software can be deployed via a group policy object or other means. This agent based software provides a comprehensive coverage. Phalanx Secure also offers a hosted solution model that allows Phalanx Secure Insider Threat Analysts to monitor systems twenty four a day, seven days a week, and 365days a year. The benefit of having an outside party monitoring is this prevent collusion between a system administrator and a security analyst within the same company. The software used also redacts any proprietary, confidential, or trade secret information so that the Phalanx Secure Insider Threat Analyst cannot be a possible insider threat source. Phalanx Secure also offers the all-source insider threat intelligence reporting that will take all the information security information and correlate it against employee records to include background checks, financial checks, psychological evaluations, etc etc. Contact Phalanx Secure to learn more or inquire via


Submit a Comment

Your email address will not be published. Required fields are marked *

Get protected now with
Trident CMP™

+44 207 096 0554

Get In Touch!

+44 (0) 207 096 0554


1 Berkeley Street, London W1J 8DJ


About us

GBMS Tech products and services are at the endpoint layer of your Defense In-Depth Security Strategy.