What Are Insider Threats? | Types and Everything You Need to Know
Insider threats pose a significant risk to organizations, as they originate from individuals with legitimate access to an organization’s systems and data. In this article, we will delve into the concept of insider threats, explore the different types of insiders, and discuss effective defensive strategies to mitigate these risks.
What is an Insider Threat?
Insider threats are malicious activities perpetrated against an organization by individuals with authorized access to its network, applications, or databases. These insiders can include current and former employees, third-party partners, contractors, or temporary workers with access to the organization’s physical or digital assets. Insider threats can be financially motivated, driven by espionage, retaliation, grudges, or even arise from unintentional actions or poor security hygiene.
Types of Insider Threats
A. Malicious Insider
Malicious insiders intentionally seek to steal information or disrupt operations. They may be opportunistic individuals looking to sell stolen information or gain a competitive advantage, or they may be disgruntled employees seeking to harm the organization. For example, the case of Apple engineers charged with stealing driverless car secrets for a China-based company highlights the actions of a malicious insider.
B. Negligent Insider
Negligent insiders inadvertently cause harm by failing to follow proper IT procedures. They may leave their computers unlocked, use weak passwords, or fail to apply security patches. A notable example is the data analyst who, without authorization, took home a hard drive with personal data from 26.5 million U.S. military veterans, which was later stolen in a home burglary.
C. Compromised Insider
Compromised insiders are individuals whose systems have been infected with malware. This often occurs through phishing scams or malicious downloads. Cybercriminals can exploit the compromised insider’s access to launch further attacks, such as scanning file shares, escalating privileges, or infecting other systems. The recent Twitter breach, where attackers gained access to employee credentials through a phone spear phishing attack, exemplifies the actions of compromised insiders.
Technical Indicators of Insider Threats
When dealing with insider threats, it is crucial to be able to identify the tactics and tools insiders may use to gain unauthorized access or exploit vulnerabilities. By recognizing these technical indicators, organizations can detect and mitigate insider attacks more effectively. Here are some telltale signs to watch out for:
1. Backdoors that enable unauthorized access:
Insiders may create backdoors to maintain persistent access to systems or data. Regularly scan for backdoor files or monitor external requests to identify any suspicious activity that may indicate the presence of a backdoor.
2. Hardware or software enabling remote access:
Keep an eye out for remote access software installed on workstations or servers, such as TeamViewer or AnyDesk. Additionally, monitor physical servers installed within your organization’s premises, as these could be used to establish unauthorized remote access.
3. Changed passwords without user consent:
If users report that their passwords no longer work, investigate whether their passwords were changed without their knowledge. Insiders may alter passwords to gain unauthorized access to resources associated with the affected user’s account.
4. Unauthorized changes to firewalls and antivirus tools:
Insiders may modify firewall rules or disable antivirus software to bypass security measures. Regularly review firewall and antivirus logs for any unexpected changes or disablement, as these could indicate insider tampering.
5. Presence of malware:
The discovery of malware within your systems should raise concerns. Investigate the origin, time of installation, and affected areas to determine if it was introduced by an insider.
6. Installation of unauthorized software:
Unapproved software installations should be treated as potential insider threats. Insiders may install seemingly harmless software that contains hidden malware or acts as a backdoor for unauthorized access. Regularly monitor systems for unauthorized software and promptly investigate any findings.
7. Access attempts to sensitive servers or devices:
Any unauthorized attempts to access servers or devices that hold sensitive data should be thoroughly investigated. Insiders often require valid credentials issued by the organization to gain access to such areas, making this a critical indicator of potential insider threats.
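The indicators above can be turned into a simple log review. The following Python script is an added example, not code from the original article; it scans constructed sample log lines (the SAMPLE_LOGS string, its key=value format, and every host, user and product name in it are assumptions made for the example) and reports events that match indicators 2, 3, 4, 6 and 7: remote access software being installed, a firewall or antivirus being switched off, a password reset with no change ticket, an unapproved package, and repeated denied access to a host that holds sensitive data.

```python
import re
from collections import Counter

# Constructed sample log lines (not from any real system). Each line is
# "<timestamp> <host> <source> <message>" with key=value fields in the message.
SAMPLE_LOGS = """\
2024-03-01T02:14:07 ws-017 installer package installed name=anydesk user=jdoe
2024-03-01T02:15:30 ws-017 firewall profile=domain state=off changed_by=jdoe
2024-03-01T02:16:02 ws-017 antivirus realtime_protection=disabled changed_by=jdoe
2024-03-01T02:20:45 ws-017 auth password reset target=asmith by=jdoe ticket=none
2024-03-01T02:21:10 fs-finance auth access denied user=jdoe share=payroll
2024-03-01T02:21:12 fs-finance auth access denied user=jdoe share=payroll
2024-03-01T02:21:15 fs-finance auth access denied user=jdoe share=payroll
2024-03-01T09:05:00 ws-022 installer package installed name=7zip user=bchen
2024-03-01T09:30:11 fs-finance auth access granted user=pfinance share=payroll
"""

# Allow list of approved packages (assumed); anything else is indicator 6.
APPROVED_SOFTWARE = {"7zip", "office", "chrome"}
# Packages that provide remote access (indicator 2).
REMOTE_ACCESS_SOFTWARE = {"anydesk", "teamviewer"}
# Hosts that hold sensitive data (indicator 7); assumed names.
SENSITIVE_HOSTS = {"fs-finance", "db-hr"}
# Denied attempts by one user against one sensitive host before an alert fires.
DENIED_THRESHOLD = 3

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\S+) (?P<msg>.*)$")


def parse_kv(msg):
    """Turn the key=value tokens of a message into a dict."""
    return dict(tok.split("=", 1) for tok in msg.split() if "=" in tok)


def scan_logs(text):
    """Return (indicator, host, user, detail) tuples for suspicious events, in log order."""
    findings = []
    denied = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the review
        host, source, msg = m["host"], m["source"], m["msg"]
        kv = parse_kv(msg)
        if source == "installer" and "package installed" in msg:
            name = kv.get("name", "").lower()
            if name in REMOTE_ACCESS_SOFTWARE:
                findings.append(("remote_access_software", host, kv.get("user"), name))
            elif name not in APPROVED_SOFTWARE:
                findings.append(("unauthorized_software", host, kv.get("user"), name))
        elif source == "firewall" and kv.get("state") == "off":
            findings.append(("firewall_disabled", host, kv.get("changed_by"), kv.get("profile")))
        elif source == "antivirus" and kv.get("realtime_protection") == "disabled":
            findings.append(("antivirus_disabled", host, kv.get("changed_by"), "realtime_protection"))
        elif source == "auth" and "password reset" in msg and kv.get("ticket", "none") == "none":
            # A reset with no ticket reference is the "changed without consent" case.
            findings.append(("password_reset_without_ticket", host, kv.get("by"), kv.get("target")))
        elif source == "auth" and "access denied" in msg and host in SENSITIVE_HOSTS:
            key = (host, kv.get("user"))
            denied[key] += 1
            if denied[key] == DENIED_THRESHOLD:  # alert once, when the threshold is reached
                findings.append(("repeated_denied_sensitive_access", host, kv.get("user"), kv.get("share")))
    return findings


def findings_by_user(findings):
    """Count findings per user so that one account tied to several indicators stands out."""
    return Counter(f[2] for f in findings)


if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(finding)
    print(findings_by_user(scan_logs(SAMPLE_LOGS)))
```

Run against the sample, every finding lands on the same account within a few minutes, which is the pattern worth escalating: one indicator alone (a 7zip install, a single denied share access) is routine noise, while several on one workstation in the early hours is not.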
Who Are Your Insiders?
Traditionally, insiders have been considered as employees who have authorized access to an organization’s network. However, it is essential to broaden this definition to include other individuals who may have access to sensitive information or systems. Insiders can be categorized into the following groups:
1. High-privileged users:
This category includes individuals with elevated privileges, such as network administrators, executives, and partners. They have broad access to sensitive data and systems, making them potential insider threats.
Potential Risks: Unauthorized data access, data theft, sabotage, unauthorized system modifications, privilege abuse.
2. Developers with access to data:
Developers who have access to data through development or staging environments can pose insider threats if their actions are not properly monitored and controlled.
Potential Risks: Unauthorized data access, data leakage, unauthorized code modifications, introduction of vulnerabilities.
3. Resigned or terminated employees:
Former employees who still have active profiles and credentials pose a significant insider threat. If their access is not promptly revoked, they can exploit it for malicious purposes.
Potential Risks: Unauthorized data access, data deletion, sabotage, unauthorized system modifications, data theft.
4. Acquisition managers and employees:
Individuals involved in mergers or acquisitions may have access to sensitive information from both organizations. If not properly vetted and monitored, they can become insider threats.
Potential Risks: Unauthorized data access, data leakage, unauthorized sharing of sensitive information, data theft.
5. Vendors with internal access:
External vendors or contractors who have internal access to systems or data can pose insider threats if their activities are not closely monitored and controlled.
Potential Risks: Unauthorized data access, unauthorized system modifications, data theft, sabotage, unauthorized sharing of sensitive information.
6. Contractors with internal access:
Contractors working within an organization, especially those with access to critical systems or data, can pose insider threats if proper oversight and controls are not in place.
Potential Risks: Unauthorized data access, unauthorized system modifications, data theft, sabotage.
7. Partners with internal access:
Business partners who have internal access to systems or data can also pose insider threats if their activities are not adequately monitored and controlled.
Potential Risks: Unauthorized data access, unauthorized system modifications, data theft, unauthorized sharing of sensitive information.
Insider threat statistics: How big is the problem?
Insider threat statistics highlight the significant impact and challenges associated with detecting and mitigating these threats. The following statistics from the Ponemon study “2020 Cost of Insider Threats: Global Report” provide insights into the magnitude of the problem:
1. 60% of organizations experienced more than 30 insider-related incidents per year, indicating a high frequency of such incidents.
2. 62% of insider-related incidents were attributed to negligence, suggesting that unintentional actions or mistakes by insiders contribute significantly to the problem.
3. 23% of insider-related incidents were attributed to criminal insiders, indicating that intentional malicious actions by insiders are also a significant concern.
4. 14% of insider-related incidents were attributed to user credential theft, highlighting the risk of insiders exploiting stolen credentials for unauthorized access.
5. The number of insider-related incidents increased by 47% in just two years, indicating a growing trend and the need for heightened vigilance.
6. Companies spend an average of $755,760 on each insider-related incident, emphasizing the financial impact of these incidents on organizations.
Detecting insider threats is challenging because the threat actors possess legitimate access to systems and data within the organization. Traditional security products may not flag their behavior as abnormal, as insiders require access to perform their job responsibilities. This makes it easier for insiders to hide their malicious activities and evade detection.
Insider threats become even more difficult to detect as they become more sophisticated. Threat actors may employ tactics like lateral movement to conceal their actions and gain access to high-value targets. Additionally, insiders may exploit vulnerabilities in systems to escalate their privileges and gain unauthorized access to sensitive information.
How to Find Insider Threats
To find insider threats, organizations can employ various strategies and techniques to identify suspicious behavior patterns. Here are some approaches to consider:
1. Implement User Activity Monitoring:
Utilize monitoring tools and software that track user activity across systems, networks, and applications. This includes monitoring logins, file access, data transfers, and other actions. User activity monitoring helps identify anomalies and deviations from normal behavior, potentially indicating insider threats.
2. Establish Baseline Behavior Profiles:
Create baseline profiles of normal user behavior for different roles within the organization. By understanding typical patterns of activity, it becomes easier to identify deviations or unusual behavior that may indicate insider threats. Machine learning algorithms can help establish these baseline profiles and detect anomalies.
3. Use Data Loss Prevention (DLP) Solutions:
Deploy DLP solutions that monitor and control the movement of sensitive data within the organization. These solutions can detect and prevent unauthorized data transfers, whether they are intentional or accidental. DLP solutions can also identify patterns of data access or exfiltration that may indicate insider threats.
4. Implement User Behavior Analytics (UBA):
Leverage UBA tools that use machine learning and behavior analytics to identify patterns and anomalies in user behavior. UBA solutions can detect unusual access patterns, excessive data downloads, or abnormal data access requests, helping to identify potential insider threats.
5. Conduct Regular Audits and Reviews:
Regularly review access controls, permissions, and user privileges to ensure they are appropriate and aligned with job responsibilities. Conduct periodic audits to identify any discrepancies or unauthorized access. This can help identify insider threats by detecting unauthorized access or privilege abuse.
6. Foster a Culture of Security Awareness:
Promote a culture of security awareness among employees, emphasizing the importance of identifying and reporting suspicious activities. Encourage employees to report any concerns or observations related to insider threats, providing them with a clear reporting process and anonymous reporting options.
7. Monitor Employee Engagement and Job Satisfaction:
Pay attention to employee engagement and job satisfaction levels. Disgruntled or disengaged employees may be more likely to engage in insider threats. Regularly assess employee morale and address any concerns or issues to mitigate potential risks.
8. Conduct Background Checks and Vetting Processes:
Implement rigorous background checks and vetting processes for employees, contractors, and third-party individuals with access to sensitive systems or data. This can help identify any potential red flags or risks associated with insider threats.
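Steps 2 and 4 above (baseline profiles and behavior analytics) come down to recording what each user normally does and scoring new activity against it. The Python below is an added example written for this article, not a product's code; it builds a per-user baseline from constructed historical session records (the HISTORY and EVENTS lists, and all user and host names in them, are assumptions) using the hours a user is usually active, the hosts they usually touch and a z-score on the volume of data they send, then flags sessions that deviate. A real UBA product learns far richer features, but the shape of the logic is the same.

```python
import statistics
from collections import defaultdict

# Constructed historical sessions: (user, hour_of_day, host, bytes_out). Sample values only.
HISTORY = [
    ("alice", 9, "fs-eng", 120_000), ("alice", 10, "fs-eng", 95_000),
    ("alice", 14, "git-01", 200_000), ("alice", 11, "fs-eng", 150_000),
    ("alice", 16, "git-01", 180_000), ("alice", 13, "fs-eng", 110_000),
    ("bob", 8, "crm-db", 40_000), ("bob", 9, "crm-db", 55_000),
    ("bob", 17, "crm-db", 60_000), ("bob", 12, "mail", 30_000),
    ("bob", 10, "crm-db", 45_000), ("bob", 15, "mail", 35_000),
]

# Constructed new sessions to score against the baseline.
EVENTS = [
    ("alice", 2, "fs-hr", 2_500_000),   # 02:00, a host she never uses, 20x her usual volume
    ("alice", 10, "fs-eng", 130_000),   # ordinary working session
    ("bob", 9, "crm-db", 50_000),       # ordinary working session
    ("carol", 9, "crm-db", 10_000),     # account with no history at all
]


def build_baselines(history):
    """Per-user profile: hours seen, hosts seen, mean and population stdev of bytes_out."""
    per_user = defaultdict(list)
    for user, hour, host, nbytes in history:
        per_user[user].append((hour, host, nbytes))
    baselines = {}
    for user, rows in per_user.items():
        sizes = [r[2] for r in rows]
        baselines[user] = {
            "hours": {r[0] for r in rows},
            "hosts": {r[1] for r in rows},
            "mean": statistics.mean(sizes),
            "stdev": statistics.pstdev(sizes),
        }
    return baselines


def score_event(baseline, hour, host, nbytes, z_threshold=3.0):
    """Return the reasons a session deviates from the baseline; an empty list means normal."""
    reasons = []
    if hour not in baseline["hours"]:
        reasons.append(f"unusual hour {hour:02d}:00")
    if host not in baseline["hosts"]:
        reasons.append(f"new host {host}")
    stdev = baseline["stdev"] or 1.0  # guard against a constant history (stdev 0)
    z = (nbytes - baseline["mean"]) / stdev
    if z > z_threshold:
        reasons.append(f"bytes_out z-score {z:.1f}")
    return reasons


def detect_anomalies(history, events, z_threshold=3.0):
    """Score each new session; users with no history are reported rather than silently passed."""
    baselines = build_baselines(history)
    alerts = []
    for user, hour, host, nbytes in events:
        base = baselines.get(user)
        if base is None:
            alerts.append((user, ["no baseline for user"]))
            continue
        reasons = score_event(base, hour, host, nbytes, z_threshold)
        if reasons:
            alerts.append((user, reasons))
    return alerts


if __name__ == "__main__":
    for user, reasons in detect_anomalies(HISTORY, EVENTS):
        print(user, "->", "; ".join(reasons))
```

Two design points carry over to real deployments: the baseline should be keyed by role as well as by user (the article's step 2), so that a new hire is compared against peers rather than against an empty history, and an account with no baseline is itself a finding, since dormant or newly created accounts are exactly what the "resigned or terminated employees" category above is about.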
Malicious Insider Threat Indicators
Detecting malicious insider threats requires a combination of monitoring tools, policies, and proactive measures. Here are some steps to help detect malicious insiders:
1. Implement Role-Based Access Controls:
Assign access permissions and privileges based on employees’ job roles and responsibilities. This ensures that employees only have access to the data and systems necessary to perform their duties, reducing the risk of unauthorized access or misuse.
2. Monitor Access Requests:
Regularly monitor and review access requests, both successful and unsuccessful. Look for patterns of unusual or unauthorized access attempts, such as repeated attempts to access sensitive data or systems outside of an employee’s normal scope of work.
3. Utilize Cybersecurity Solutions with Monitoring Capabilities:
Deploy cybersecurity solutions that provide monitoring capabilities for both external and internal network traffic. This includes tools that can detect and alert on suspicious activities, such as unusual login times, excessive data transfers, or unauthorized access attempts.
4. Implement User Behavior Monitoring:
Leverage monitoring solutions that focus specifically on user behavior to detect insider threats. These solutions use advanced analytics and machine learning algorithms to identify anomalous behavior, such as accessing unusual resources, installing unauthorized software, or attempting to access sensitive data on other user devices or servers.
5. Enable Alerting and Notification Systems:
Configure your monitoring tools to generate alerts and notifications when users display suspicious activity. This allows security teams to respond quickly and investigate potential insider threats in real time.
6. Conduct Regular Security Audits:
Perform regular security audits to identify any unauthorized hardware or software installations, changes to passwords or account settings, or attempts to disable antivirus tools and firewalls. These audits can help detect potential indicators of malicious insider activity.
7. Encourage Reporting and Whistleblowing:
Establish a culture that encourages employees to report any suspicious behavior or concerns related to insider threats. Provide clear channels for reporting and ensure anonymity if desired. Whistleblowing programs can help identify potential insider threats early on.
8. Conduct Insider Threat Awareness Training:
Educate employees about the risks and indicators of insider threats through regular training sessions. Increase awareness about the potential consequences of insider threats and the importance of reporting any suspicious activities.
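Steps 1 and 6 above (role-based access and regular audits), together with the earlier point about former employees who still hold credentials, are the kind of review that can be scripted against an export from the identity store. The Python below is an added example, not code from the article; the role definitions, the account records and the review date are all constructed for the example. It compares each account's entitlements with what its role allows, flags terminated accounts that still hold access, and flags active accounts that have not logged in for longer than a chosen number of days.

```python
from datetime import date

# Constructed role definitions: the entitlements each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "developer": {"git:read", "git:write", "staging-db:read"},
    "finance-analyst": {"erp:read", "payroll:read"},
    "sysadmin": {"git:read", "prod-db:admin", "firewall:admin", "ad:reset-password"},
}

# Constructed identity-store export: (user, role, status, last_login, granted entitlements).
ACCOUNTS = [
    ("alice", "developer", "active", date(2024, 3, 1), {"git:read", "git:write", "staging-db:read"}),
    ("bob", "developer", "active", date(2024, 2, 28), {"git:read", "git:write", "prod-db:admin"}),
    ("carol", "finance-analyst", "terminated", date(2024, 2, 20), {"erp:read", "payroll:read"}),
    ("dave", "sysadmin", "active", date(2023, 11, 2), {"git:read", "prod-db:admin", "firewall:admin"}),
]

# Date the review is run (constructed) and how long an active account may sit unused.
REVIEW_DATE = date(2024, 3, 4)
STALE_DAYS = 90


def review_access(accounts, role_entitlements, today, stale_days=STALE_DAYS):
    """Return (finding, user, detail) tuples; each account may produce several findings."""
    findings = []
    for user, role, status, last_login, granted in accounts:
        allowed = role_entitlements.get(role, set())
        excess = granted - allowed
        if excess:
            # Entitlements the role does not justify: privilege creep or an unapproved grant.
            findings.append(("excessive_privilege", user, sorted(excess)))
        if status == "terminated" and granted:
            # Offboarding did not complete; the credentials are still usable.
            findings.append(("terminated_with_access", user, sorted(granted)))
        if status == "active":
            idle = (today - last_login).days
            if idle > stale_days:
                findings.append(("stale_account", user, idle))
    return findings


def run_review():
    """Run the review over the constructed data with the constructed review date."""
    return review_access(ACCOUNTS, ROLE_ENTITLEMENTS, REVIEW_DATE)


if __name__ == "__main__":
    for finding in run_review():
        print(finding)
```

The useful output of such a review is not the list itself but the ticket each line turns into: remove the excess grant, disable the terminated account, and confirm with the owner of an idle privileged account whether it is still needed.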
Who Is at Risk of Insider Threats?
Insider threats are a significant concern for organizations across various industries. While every organization is at risk, certain industries are more prone to insider threats due to the nature of the data they handle and store. These industries include:
1. Financial Services: Banks, investment firms, and other financial institutions deal with sensitive customer financial data, making them attractive targets for insider threats seeking to exploit this information for personal gain.
2. Telecommunications: Companies in the telecommunications industry handle vast amounts of customer data, including personal information and communication records. Insider threats can potentially compromise this data for various purposes, such as identity theft or corporate espionage.
3. Technical Services: Organizations that provide technical services, such as IT consulting firms or software development companies, often have access to proprietary information, trade secrets, and intellectual property. This makes them vulnerable to insider threats aiming to steal or leak valuable data.
4. Healthcare: The healthcare industry holds a wealth of sensitive patient information, including medical records, insurance details, and personal data. Insider threats in this sector can lead to privacy breaches, medical fraud, or the misuse of patient information.
5. Government: Government agencies and departments handle classified information, national security data, and citizen records. Insider threats within government organizations can have severe consequences, including compromising national security or leaking confidential information.
Advantages Insider Threats Have Over External Threats
Insider threats have several advantages over external threats:
1. Legitimate Access: Insiders already have authorized access to the organization’s systems, networks, and data. They don’t need to bypass security measures or breach firewalls, making it harder to detect their malicious activities.
2. Knowledge of Systems and Processes: Insiders typically possess an in-depth understanding of the organization’s infrastructure, processes, and security protocols. This knowledge allows them to navigate the system more effectively and cover their tracks, making detection more challenging.
3. Trust and Reduced Suspicion: Insiders often enjoy a level of trust within the organization, which can lower suspicion and make it easier for them to carry out their malicious activities without raising alarms.
Characteristics of an Insider Threat
Characteristics of an insider threat can vary, but some common indicators to watch for include:
1. Unusual Behavior: Look for employees or users exhibiting unusual behavior patterns, such as accessing sensitive data outside of their normal job responsibilities or working odd hours.
2. Excessive Privileges: Insiders with excessive privileges or access rights may pose a higher risk. This includes employees who have access to sensitive data or systems beyond what is necessary for their job role.
3. Disgruntled or Dissatisfied Employees: Individuals who show signs of dissatisfaction, resentment, or grudges against the organization may be more likely to engage in malicious activities.
4. Financial Difficulties: Employees facing financial difficulties or personal financial crises may be more susceptible to engaging in insider threats, especially if they believe they can profit from it.
5. Poor Work Performance or Disciplinary Issues: Employees with a history of poor performance or disciplinary issues may be more prone to engaging in insider threats as a form of retaliation or to harm the organization.
6. Unauthorized Device or Software Usage: Insiders who use unauthorized devices or install unauthorized software on company systems may be attempting to gain unauthorized access or bypass security controls.
7. Unusual Data Access or Transfer: Look for insiders who access or transfer large amounts of data, especially if it is outside of their normal job duties or if it involves sensitive or confidential information.
8. Social Engineering Vulnerabilities: Insiders who are easily manipulated or fall victim to social engineering attacks may unknowingly facilitate insider threats by providing access to sensitive data or systems.
9. Lack of Security Awareness: Employees who lack awareness of security best practices or who do not adhere to security policies and procedures may inadvertently create vulnerabilities that can be exploited by malicious insiders.
Examples of Insider Threats
1. Yahoo: In this case, an employee named Qian Sang downloaded a significant amount of intellectual property from Yahoo’s computer systems to his personal devices. This included about 570,000 pages of information, such as details about Yahoo’s AdLearn product and a competitive analysis of a company called The Trade Desk. Sang did this after receiving a job offer from The Trade Desk; taking valuable information from one company to another is against the rules. Yahoo discovered the data theft a few weeks later and took legal action against Sang, accusing him of stealing their trade secrets.
2. Microsoft: In this incident, several Microsoft employees accidentally shared their login credentials with a website called GitHub. GitHub is a platform where developers can store and share code. The problem was that these credentials could potentially be used to access Microsoft’s internal computer systems, including their Azure servers. While Microsoft did not disclose which systems were affected, they conducted an internal investigation and found that no one had tried to access any sensitive data using the exposed credentials. To prevent similar incidents in the future, Microsoft likely implemented additional security measures and provided further training to employees about the importance of protecting their login information.
3. Proofpoint: An ex-employee named Samuel Boone stole confidential sales enablement data from Proofpoint just before he started working at a competitor called Abnormal Security. This data included important information that could give Abnormal Security an advantage in sales. Despite Proofpoint having a data loss prevention (DLP) solution in place, Boone was able to download the sensitive documents to a USB drive without being detected. It was only several months later that Proofpoint discovered the theft. They filed a lawsuit against Boone, alleging that he unlawfully shared the stolen information with his new employer.
4. Twitter: Hackers targeted Twitter by using a phone-based spearphishing campaign. They posed as internal IT staff and tricked several Twitter employees into revealing their login credentials. With access to these employee accounts, the hackers were able to use account support tools to compromise 130 high-profile Twitter accounts. This included accounts belonging to celebrities and influential individuals. The hackers used the compromised accounts to carry out a Bitcoin scam, asking followers to send them Bitcoin with the promise of doubling the amount. While Twitter was able to fix the issue and refund the affected users, the incident highlighted the vulnerability of even large companies like Twitter to insider threats.
5. Tesla: According to a memo from Elon Musk, a malicious insider at Tesla performed “quite extensive and damaging sabotage” to the company’s systems. This insider altered computer code in the Tesla Manufacturing Operating System and exported highly sensitive Tesla data to a third party. The motive behind this sabotage is unclear, but it caused problems for Tesla. The company discovered the insider’s actions and took steps to rectify the situation.
6. Facebook: In this case, a security engineer at Facebook misused internal tools and data to harass women. The engineer used their access to internal systems to gather personal information about women and engage in harassment. This behavior violated Facebook’s policies and code of conduct. Once Facebook became aware of the situation, they took action to stop the harassment and ensure the security of user data.
7. Coca Cola: An investigator discovered that a Coca Cola employee had copied data of approximately 8,000 employees to a personal external hard drive. This data included names, addresses, phone numbers, and potentially other sensitive information. Coca Cola promptly became aware of the data breach and took steps to investigate the incident. They notified the affected employees about the breach and offered free credit monitoring services for a year to mitigate potential risks.
8. SunTrust Bank: In this case, a former employee of SunTrust Bank stole customer information, including names, addresses, phone numbers, and account balances. While other sensitive data was not accessed, the breach posed a risk to the bank and its customers. SunTrust Bank discovered the breach and took immediate action to address the situation. They likely implemented additional security measures to prevent similar incidents in the future and notified the affected customers about the breach. It is important for companies to protect customer data and take appropriate measures to safeguard sensitive information.
Four Ways To Prepare Against Insider Threats
1. Train your employees: Regularly conduct anti-phishing training to educate employees about recognizing and avoiding phishing attempts. Simulating phishing attacks and providing training to those who fall for them can help reduce the number of employees who may become compromised insiders. Additionally, train employees to identify risky behavior among their peers and encourage them to report it to HR or IT security.
2. Coordinate IT security and HR: Foster collaboration between the Chief Information Security Officer (CISO) and the head of HR to ensure that IT security is aware of any potential insider threats. Establish a process to monitor employees who have been laid off or are disgruntled and keep them on a watchlist. HR can also provide insights into employees who may be exhibiting signs of dissatisfaction or potential malicious intent.
3. Build a threat hunting team: Establish a dedicated threat hunting team that proactively searches for signs of insider threats. These individuals should be trained to identify potential indicators of malicious behavior, such as unusual access patterns, data uploads, or credential abuse. By actively seeking out threats, organizations can detect and mitigate insider threats before they cause significant harm.
4. Employ user behavioral analytics: Utilize User Behavior Analytics (UBA) or User and Entity Behavior Analytics (UEBA) to track, collect, and analyze user and machine data to detect insider threats. By establishing a baseline of normal user behavior, UBA/UEBA tools can identify anomalous activities that may indicate insider threats. These tools can help detect unusual behaviors, such as unauthorized access or large data transfers, allowing organizations to take proactive measures to prevent potential threats.
To effectively stop insider threats, organizations should continuously monitor user activity, investigate suspicious incidents promptly, and take appropriate actions to prevent incidents from occurring. It is also important to protect user privacy, satisfy compliance requirements, and integrate insider threat management with other security tools for a comprehensive approach to mitigating insider threats.
How To Stop Insider Threats
To stop insider threats, organizations should implement an insider threat solution with the following capabilities:
1. Detect Insider Threats: Continuously monitor user activity to identify any anomalous behavior that could indicate a potential insider threat.
2. Investigate Incidents: Quickly investigate any suspicious user activity to determine the extent of the threat and take appropriate action.
3. Prevent Incidents: Implement real-time user notifications and blocking to reduce the risk of insider threats before they can cause harm.
4. Protect User Privacy: Anonymize user data to protect the privacy of employees and contractors while still identifying potential insider threats.
5. Satisfy Compliance: Ensure that the organization meets key compliance requirements related to insider threats in a streamlined manner.
6. Integrate Tools: Integrate the insider threat management and detection solution with other security tools, such as Security Information and Event Management (SIEM) systems, for a comprehensive view of the organization’s security posture.
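Capabilities 4 and 6 above (protecting user privacy while still being able to identify a threat, and feeding a SIEM) can be combined: the monitoring pipeline works on pseudonymized identities, and only the investigation function holds the key needed to map a pseudonym back to a person. The Python below is an added example, not code from the article or from any product; the key, the sample alert and the field names are constructed. It uses a keyed hash (HMAC-SHA256) rather than a plain hash so that a pseudonym cannot be reversed by hashing a list of known usernames, and serializes the result as a JSON line a SIEM can ingest.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key lives in a secrets manager and is
# available only to the re-identification step, never to the analytics pipeline.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed alert from a hypothetical monitoring rule.
SAMPLE_ALERT = {
    "rule": "bulk_download",
    "user": "alice",
    "email": "alice@example.com",
    "host": "fs-eng",
    "bytes_out": 2_500_000,
    "timestamp": "2024-03-01T02:14:07Z",
}


def pseudonymize(user, key=PSEUDONYM_KEY):
    """HMAC-SHA256 of the user id, truncated to 16 hex characters.

    The same user always maps to the same token, so baselines and alerts can still be
    grouped per user; without the key the token cannot be reversed, and a plain
    dictionary attack over known usernames does not work either.
    """
    return hmac.new(key, user.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def build_reidentification_table(users, key=PSEUDONYM_KEY):
    """Token -> real identity. Held by the investigation or privacy function only."""
    return {pseudonymize(u, key): u for u in users}


def reidentify(token, table):
    """Look a token up in the table; None if the token is unknown."""
    return table.get(token)


def anonymize_alert(alert, key=PSEUDONYM_KEY):
    """Copy of the alert with the identity pseudonymized and direct identifiers removed."""
    out = dict(alert)
    out["user"] = pseudonymize(alert["user"], key)
    out.pop("email", None)  # a direct identifier that triage does not need
    return out


def to_siem_event(alert, source="insider-threat-monitor"):
    """Serialize as one JSON line for a SIEM; sorted keys give a stable layout for parsers."""
    event = {"source": source, **alert}
    return json.dumps(event, sort_keys=True)


if __name__ == "__main__":
    safe = anonymize_alert(SAMPLE_ALERT)
    print(to_siem_event(safe))
    table = build_reidentification_table(["alice", "bob"])
    print("investigation lookup:", reidentify(safe["user"], table))
```

The split matters in practice: analysts triaging alerts see only tokens, and the decision to re-identify a token becomes an explicit, logged step owned by whoever is accountable for employee privacy, which is also what compliance reviewers will ask for.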