An insider threat is a security risk that originates from within the targeted Organization. It typically involves a current or former employee or business associate who has access to sensitive information or privileged accounts within the network of an Organization, and who misuses this access.
Traditional security measures tend to focus on external threats and are not always capable of identifying an internal threat emanating from inside the organization. 34% of data breaches in the 2019 Verizon Data Breach Investigations Report involve internal actors.
Insiders have the capabilities, motivations, and privileges needed to steal important data – which makes it a CISO’s job to identify and build a defense against all of those attack vectors.
Who Are Your Insiders?
- Employees
- Privileged users, such as IT team members and Superusers
- Knowledge workers, such as Analysts or Developers
- Resigned or terminated employees
- Employees involved in a merger or acquisition
Third Parties
- Vendors
- Contractors
- Partners
Types of insider threats include:
Malicious insider—also known as a Turncloak. This is someone who maliciously and intentionally abuses legitimate credentials, typically to steal information for financial or personal incentives. For example, an individual who holds a grudge against a former employer, or an opportunistic employee who sells secret information to a competitor.
Turncloaks have an advantage over other attackers because they are familiar with the security policies and procedures of an organization, as well as its vulnerabilities.
Careless insider—This person is an innocent Pawn who unknowingly exposes the system to outside threats. This is the most common type of insider threat, resulting from mistakes, such as leaving a device exposed or falling victim to a scam.
For example, an employee who intends no harm may click on an insecure link, infecting the system with malware.
A mole—This person is an imposter who is technically an outsider but has managed to gain insider access to a privileged network.
This is someone from outside the Organization who poses as an employee or partner.
Malicious Insider Threat Indicators
Anomalous activity at the network level could indicate an insider threat. Likewise, if an employee appears to be dissatisfied or holds a grudge, or if an employee starts to take on more tasks with excessive enthusiasm, this could be an indication of foul play.
Trackable insider threat indicators include:
Digital Warning Signs
- Downloading or accessing substantial amounts of data
- Accessing sensitive data not associated with their job function
- Accessing data that is outside of their unique behavioral profile
- Multiple requests for access to resources not associated with their job function
- Using unauthorized storage devices (e.g., USB drives or floppy disks)
- Network crawling and searches for sensitive data
- Data hoarding, copying files from sensitive folders
- Emailing sensitive data outside the organization
Behavioral Warning Signs
- Attempts to bypass security
- Frequently in the office during off-hours
- Displays disgruntled behavior toward co-workers
- Violation of corporate policies
- Discussions of resigning or new opportunities
While human behavioral warnings can be an indication of potential issues, digital forensics and analytics are the most efficient ways to detect insider threats. User and Event Behavior Analytics (UEBA) and security analytics help detect potential insider threats, analyzing and alerting when a user behaves suspiciously or outside of their typical behavior.
Insider Threat Examples
Here are a few recent examples of insider threats from the news.
Tesla: A malicious insider sabotaged systems and sent proprietary data to third parties.
Facebook: A security engineer abused his access to stalk women.
Coca-Cola: A malicious insider stole a hard drive full of personnel data.
Suntrust Bank: A malicious insider stole personal data, including account information, for 1.5 million customers to provide to a criminal organization.
Insider Threat Defense Response Plan
- Monitor files, emails, and activity on your core data sources
- Identify and discover where your sensitive files live
- Determine who has access to that data and who should have access to that data
- Implement and maintain a least privilege model through your infrastructure which includes:
- Eliminating Global Access Group
- Placing data owners in charge of managing permissions for their data and expire temporary access quickly
5. Apply security analytics to alert on abnormal behaviors including:
- Attempts to access sensitive data that isn’t part of normal job function
- Attempts to gain access permissions to sensitive data outside of normal processes
- Increased file activity in sensitive folders
- Attempts to change system logs or delete large volumes of data
- Large amounts of data emailed out of the company, outside of normal job function
6. Socialize and train your employees to adopt a data security mindset.
Insider Breach Response Plan
It’s equally important to have a response plan in place to respond to a potential data breach:
- Identify the threat and take action by:
- Disabling and/or log out the user when suspicious activity or behavior is detected
- Determine what users and files have been affected
2. Verify accuracy (and severity) of the threat and alert appropriate teams (Legal, HR, IT, CISO)
3. Remediate
- Restore deleted data if necessary
- Remove any additional access rights used by the insider
- Scan and remove any malware used during the attack
- Re-enable any circumvented security measures
4. Investigate and perform forensics on the security incident
5. Alert Compliance and Regulatory Agencies as needed
Conclusion:
The secret to defending against insider threats is to monitor your data, gather information, and trigger alerts on abnormal behavior. Your biggest Asset is also your biggest Risk. The root cause of insider threats…..? “People”.
Yet most security tools only analyze Computer, Network, or System Data. To stop insider threats–both malicious and inadvertent–you must continuously monitor all user activity and take action when incidents arise. Cyber Criminals never sleep, nor should your prevention strategies.
