When Daniel Rhyne pleaded guilty on April 1 to having launched an insider extortion attack against his then-employer, authorities enumerated the techniques he used, including unauthorized remote desktop sessions, deletion of network administrator accounts, changing of passwords, and scheduling unauthorized tasks on the domain controller.
After he shut down key systems and accounts, he sent a note to employees in which he claimed to have deleted all backups, and threatened to continue shutting down servers unless he was given bitcoin worth roughly $750,000.
But what consultants and analysts found most concerning is how commonplace and routine the techniques he used were. In other words, standard security procedures should have blocked almost all of them.
Preventive actions missing
Enterprise insider threats are hardly new, but consultants and analysts said that many enterprises don’t take every preventive step they can, and should, because IT staff resist the efforts, seeing them as excessive monitoring of their activity that also slows down their work.
Cybersecurity consultant Brian Levine, executive director of FormerGov, said, “what makes the case interesting was how boringly predictable the attack path was.”
Levine noted that backups need to always be immutable. “Nobody in the company should be able to delete or modify or encrypt the backup for a set period of time,” he said. He also stressed that the principle of least privilege needs to be applied to workers whose jobs change for any reason.
Critically, he argued that the use of various tools should be instantly flagged as concerning. “Instrument Task Scheduler, PsExec, PsPasswd, and net user are high‑risk signals. These are the insider’s equivalent of lockpicks,” he said. “They should generate behavioral alerts when used at scale, off‑hours, or from unusual hosts.”
Levine also suggested extensive system monitoring. “If someone is RDP’ing into a domain controller at 7:48 a.m. and creating 16 scheduled tasks, you should have a video‑like audit trail.”
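The kind of behavioral alerting Levine describes can be prototyped directly over Windows Security log events. The following is an added example, not code from the article or from any of the consultants quoted: it runs three simple rules (off-hours RDP logon to a domain controller, a burst of scheduled-task creations by one account on one host, and account deletion or password reset on a domain controller) over a constructed log sample. The host names, user names, timestamps, business-hours window and thresholds are assumptions; the event IDs (4624 with logon type 10 for RDP, 4698 for task creation, 4724 for password reset, 4726 for account deletion) are the standard Windows Security log IDs.

```python
"""Behavioural alerts for admin-tool misuse on a domain controller.

Added example, not from the article. Host names, user names, timestamps and
thresholds below are constructed assumptions; the event IDs are the standard
Windows Security log IDs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed environment facts: which hosts are domain controllers and what
# counts as business hours (24h clock, start inclusive, end exclusive).
DOMAIN_CONTROLLERS = {"DC01"}
BUSINESS_HOURS = (8, 18)
TASK_BURST_THRESHOLD = 5                 # tasks by one user on one host ...
TASK_BURST_WINDOW = timedelta(minutes=10)  # ... within this sliding window

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def _ts(s):
    return datetime.strptime(s, TS_FORMAT)


def build_sample_events():
    """Constructed log sample: an off-hours RDP logon to a DC, a burst of 16
    task creations, an account deletion and a password reset, plus two benign
    events (in-hours RDP by another admin, a single task on a workstation)."""
    events = [
        {"time": "2024-05-01 07:48:00", "host": "DC01", "user": "jdoe",
         "event_id": 4624, "logon_type": 10},
    ]
    for i in range(16):  # 16 tasks, four per minute, from 07:49:00 onward
        events.append({"time": f"2024-05-01 07:{49 + i // 4:02d}:{(i % 4) * 15:02d}",
                       "host": "DC01", "user": "jdoe", "event_id": 4698,
                       "target": f"task_{i}"})
    events += [
        {"time": "2024-05-01 07:55:10", "host": "DC01", "user": "jdoe",
         "event_id": 4726, "target": "backup_admin"},
        {"time": "2024-05-01 07:56:00", "host": "DC01", "user": "jdoe",
         "event_id": 4724, "target": "svc_backup"},
        {"time": "2024-05-01 10:02:00", "host": "DC01", "user": "asmith",
         "event_id": 4624, "logon_type": 10},
        {"time": "2024-05-01 10:30:00", "host": "WS07", "user": "asmith",
         "event_id": 4698, "target": "patch_check"},
    ]
    return events


def detect(events):
    """Return a list of alert dicts for the three rules described above."""
    alerts = []
    tasks_by_actor = defaultdict(list)  # (host, user) -> creation timestamps
    for ev in events:
        t = _ts(ev["time"])
        on_dc = ev["host"] in DOMAIN_CONTROLLERS
        eid = ev["event_id"]
        in_hours = BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]
        if eid == 4624 and ev.get("logon_type") == 10 and on_dc and not in_hours:
            alerts.append({"rule": "off_hours_rdp_to_dc", "user": ev["user"],
                           "host": ev["host"], "detail": ev["time"]})
        elif eid == 4698:
            tasks_by_actor[(ev["host"], ev["user"])].append(t)
        elif eid in (4724, 4726) and on_dc:
            alerts.append({"rule": "admin_account_tamper", "user": ev["user"],
                           "host": ev["host"],
                           "detail": f"event {eid} on {ev['target']}"})
    # Sliding window over each actor's task creations: alert on a burst.
    for (host, user), times in tasks_by_actor.items():
        times.sort()
        best, lo = 0, 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > TASK_BURST_WINDOW:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= TASK_BURST_THRESHOLD:
            alerts.append({"rule": "scheduled_task_burst", "user": user,
                           "host": host,
                           "detail": f"{best} tasks within {TASK_BURST_WINDOW}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

On the constructed sample this yields four alerts, all attributed to the same account on the domain controller, while the in-hours logon and the single workstation task produce none. In a real deployment the rules would be fed from forwarded event logs and tuned per environment; the point is that each of the signals Levine lists is already present in standard logging and needs only correlation by actor, host and time to become an alert.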
Paul Furtado, a distinguished VP analyst at Gartner, said he encourages clients to make sure that no single admin can cause this kind of damage.
“Create a tiered administration model with fragmented authority. This rotates ownership of crown jewel processes, even among senior engineers and administrators,” Furtado advised. IT should also include “a break-glass admin credential stored in hardware security modules or digital vaults [that are] only to be used via testing drills and in case of emergency.”
Added Flavio Villanustre, CISO for the LexisNexis Risk Solutions Group, “the same accounts used to administer their networks [in the Rhyne case] seemed to be able to irreversibly destroy their backups too, which is an indication that strong segregation of duties was not in place.”
Rhyne now faces considerable jail time. US Justice Department filings said, “the extortion charge to which Rhyne pleaded guilty carries a maximum penalty of five years in prison, and the intentional damage to a protected computer violation to which Rhyne pleaded guilty carries a maximum penalty of 10 years in prison.”