How to Mitigate Insider Threats: Strategies That Work

By Gilad Maayan
Published 12/02/2020

What Is an Insider Threat?

Insider threats are individuals who are, or were, employed or contracted by an organization and who carry out activities that harm it. These individuals often hold legitimate access to corporate networks and to assets such as applications and databases that store sensitive information and trade secrets, and that legitimate access is what makes their activity hard to distinguish from ordinary use.


Types of Insider Threats

Insider threats are typically categorized according to the role they play in the attack and their intention:

  • Turncloak—also called “malicious insider”. These individuals misuse their legitimately granted access privileges and personal credentials. A turncloak attack is characterized by malicious intent and is often carried out to steal information for personal or financial gain.
  • Pawn—also called “careless insider”. These individuals create vulnerabilities and expose networks and systems to outside threats. A pawn aids attackers unknowingly or by mistake. Pawns are the most common type of insider threat: many are tricked into clicking on links, or they lose flash drives containing sensitive information.
  • Imposter—also called “compromised insider”. These are outsiders who manage to obtain insider access. Typically, imposters pose as users with legitimate access, such as contractors, partners, or employees, and they are known for their inclination towards corporate espionage.

Insider Threat Costs

An insider threat incident can result in huge losses for the organization. According to the Ponemon Institute's 2020 Cost of Insider Threats report, incidents caused by pawns (negligent insiders) cost an average of $307,111 each. The average rises to $756,760 when the incident is the work of a turncloak, and imposters using stolen credentials nearly triple the cost to an average of $871,686. Another alarming finding concerned the time it takes to contain insider incidents: an average of 77 days.

For defense purposes, it doesn't matter whether the data loss was caused by an imposter or a pawn. What matters is that sensitive data should always be protected, regardless of who gains access to it. The main problem is that all three types of insider are already inside the network, so perimeter controls alone do not help. To protect their data, organizations need to monitor the activity and behavior of users and learn the patterns that distinguish typical authorized behavior from malicious behavior. This makes it possible to detect and respond to any type of insider threat in a timely manner.

A famous example of the damage an insider can do is the case of Edward Snowden, who was contracted by the NSA to work as a SharePoint administrator. Snowden misused the credentials issued to him and to his colleagues, and with them gained access to data that he did not need in order to perform his job.

Snowden copied the data he accessed to a USB drive and made off with the stolen information. He raised no red flags while doing this, mainly because his user behavior was not monitored. Monitoring provides visibility into patterns of behavior, in this case an administrator reading large amounts of data unrelated to his duties and copying it to removable media, that would have let the NSA detect Snowden's activity quickly.

Strategies for Insider Threat Mitigation

Train your Employees

An effective strategy for reducing the number of pawns is to conduct anti-phishing training on a regular basis. For example, you can send simulated phishing emails to various users to see who recognizes the message as a phishing scam and who does not, and then focus training on the users who did not. Repeating the exercise shows whether the click rate actually falls over time. This reduces the number of potential pawns.

You can also train employees to recognize risky behavior among their peers and encourage them to report it to IT or HR. That way an employee who submits an anonymous tip can warn the organization about a disgruntled colleague who may have turned into a turncloak.

Coordinate IT Security and HR

Many security incidents are the result of miscommunication between IT and HR. If the IT department is not told about layoffs in time, it does not know that it is supposed to revoke access and privileges: accounts, VPN and remote access, API keys, and any sessions or tokens that are still valid. In that gap, disgruntled ex-employees can use their credentials to steal data, delete data, and launch a wide range of attacks.

When HR and IT communicate well, they can inform each other and prevent insider threat incidents from occurring in the first place. For example, they can put employees on a watchlist before an employee is let go, to detect any suspicious behavior during the notice period. HR can also warn IT when employees who asked for a promotion or a raise did not receive one, so that those accounts can be monitored more closely. Together, the two departments can work to prevent insider threat incidents.
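One concrete form of that coordination is a scheduled reconciliation of the HR roster against the identity directory: every enabled account should map to someone HR still considers employed, anyone HR has marked as terminated must have no enabled account, and anyone on notice should be flagged for closer monitoring. The script below is an added example written for this article, not code from the original page or from any HR or directory product. The HR export, the directory dump, the field names and the as-of date are all constructed for illustration; a real run would pull them from the HR system and from LDAP, Active Directory or the identity provider.

```python
"""Reconcile an HR roster against directory accounts (added example, constructed data)."""
from datetime import date

# Constructed HR export. "term_date" is the last working day HR has on record.
HR_RECORDS = [
    {"employee_id": "E1001", "name": "A. Rivera", "status": "active", "term_date": None},
    {"employee_id": "E1002", "name": "B. Chen", "status": "terminated", "term_date": "2020-01-10"},
    {"employee_id": "E1003", "name": "C. Okafor", "status": "terminated", "term_date": "2020-01-30"},
    {"employee_id": "E1004", "name": "D. Novak", "status": "notice_period", "term_date": "2020-02-14"},
]

# Constructed directory dump (what a flattened LDAP/AD/IdP export might look like).
DIRECTORY_ACCOUNTS = [
    {"username": "arivera", "employee_id": "E1001", "enabled": True, "last_login": "2020-02-01"},
    {"username": "bchen", "employee_id": "E1002", "enabled": True, "last_login": "2020-01-28"},
    {"username": "cokafor", "employee_id": "E1003", "enabled": False, "last_login": "2020-01-29"},
    {"username": "dnovak", "employee_id": "E1004", "enabled": True, "last_login": "2020-02-01"},
    {"username": "svc-backup", "employee_id": None, "enabled": True, "last_login": "2020-02-01"},
]

# Assumed "today", fixed so the example is reproducible.
AS_OF = date(2020, 2, 3)


def _parse_date(value):
    return date.fromisoformat(value) if value else None


def reconcile_access(hr_records, accounts, as_of):
    """Cross-check directory state against HR status.

    Returns a dict with three lists:
      revoke    - enabled accounts whose owner HR marks as terminated; each entry
                  notes how long the account has outlived the termination and
                  whether it was used after the termination date
      watchlist - enabled accounts of people HR knows are leaving
      orphaned  - enabled accounts with no HR owner at all (service or shared
                  accounts that need a named owner, or leftovers from an earlier departure)
    """
    by_id = {r["employee_id"]: r for r in hr_records}
    result = {"revoke": [], "watchlist": [], "orphaned": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to do
        owner = by_id.get(acct["employee_id"]) if acct["employee_id"] else None
        if owner is None:
            result["orphaned"].append(acct["username"])
            continue
        term = _parse_date(owner["term_date"])
        last_login = _parse_date(acct["last_login"])
        if owner["status"] == "terminated":
            result["revoke"].append({
                "username": acct["username"],
                "days_since_termination": (as_of - term).days if term else None,
                "used_after_termination": bool(term and last_login and last_login > term),
            })
        elif owner["status"] == "notice_period":
            result["watchlist"].append(acct["username"])
    return result


if __name__ == "__main__":
    report = reconcile_access(HR_RECORDS, DIRECTORY_ACCOUNTS, AS_OF)
    for entry in report["revoke"]:
        print("REVOKE   ", entry)
    for name in report["watchlist"]:
        print("WATCHLIST", name)
    for name in report["orphaned"]:
        print("ORPHANED ", name)
```

On the constructed data the check finds one account that should already have been disabled (bchen, terminated 24 days earlier and used after the termination date, which is exactly the gap the text describes), one person on notice to put on the watchlist, and one service account with no named owner. The "used after termination" flag is the line that turns a hygiene finding into an incident: an account that merely sat enabled is a control failure, one that was logged into after the owner left needs an investigation.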

Technical Controls

Organizations can set up technical controls designed to analyze user activity and identify suspicious behavior. Such controls work by comparing a user's current activity to a history of past actions and flagging deviations; the inputs they compare include network traffic, file system access, endpoint activity, and logins.

Organizations can also put their existing stack of security technologies to work on insider threat detection. Network and endpoint Data Loss Prevention (DLP) solutions, for example, can alert when large volumes of data are copied off corporate servers or onto removable media, and SIEM solutions can correlate events across the whole network and raise alerts when activity matching malicious insider behavior is detected.

Build a Threat Hunting Team

Organizations often choose to build their own threat hunting teams. Instead of reacting to incidents after they occur, a threat hunting team proactively looks for threats. These threat hunters, who are usually part of the security team, search for early signs of data theft or disruption so that it can be stopped before the damage is done.

Employ User Behavioral Analytics (UBA)

User Behavior Analytics (UBA), also called User and Entity Behavior Analytics (UEBA), is a set of practices and tools that track, collect, and analyze user and machine data. UBA applies a range of analytical techniques to distinguish normal from anomalous behavior. Typically this is done in stages. First, data is collected over a period of time to establish each user's normal behavior patterns, the baseline. Then new activity is compared against that baseline, and behavior that does not fit the pattern is flagged. The baseline period has to be one the organization trusts: if an insider is already active while the baseline is learned, that activity is recorded as normal and will not be flagged later.

UBA is highly useful for detecting unusual online behavior, such as unusual access patterns, large data uploads, and credential abuse, all of which are considered signs of insider threat activity. Its main advantage is that it often detects these behaviors before an insider reaches critical systems or completes an exfiltration, so the incident can be stopped before the damage is done.
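The learn-then-flag process described in the two sections above (technical controls that compare activity to past actions, and UBA's baseline and detection stages) can be shown end to end on a handful of log lines. The following is an added example written for this article, not code from the original page or from any UBA product. The log format, the user names, hosts, addresses and byte counts are all constructed, and the learning window and the alert thresholds are assumptions chosen for illustration.

```python
"""Learn-then-detect user behavior analytics over constructed access logs (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines, not real data. The key=value format is an assumption for this example.
LOG_LINES = """\
2020-01-06T09:12:44Z user=jdoe src=10.1.4.22 host=fileserv01 action=read bytes=120000
2020-01-06T14:03:10Z user=jdoe src=10.1.4.22 host=crm01 action=read bytes=80000
2020-01-07T08:55:02Z user=jdoe src=10.1.4.22 host=fileserv01 action=read bytes=150000
2020-01-08T10:21:37Z user=jdoe src=10.1.4.22 host=crm01 action=read bytes=95000
2020-01-09T16:40:19Z user=jdoe src=10.1.4.22 host=fileserv01 action=read bytes=210000
2020-01-10T11:05:51Z user=jdoe src=10.1.4.22 host=fileserv01 action=read bytes=130000
2020-01-06T09:30:00Z user=asmith src=10.1.7.8 host=crm01 action=read bytes=60000
2020-01-08T13:30:00Z user=asmith src=10.1.7.8 host=crm01 action=read bytes=70000
2020-01-21T02:15:09Z user=jdoe src=10.1.4.22 host=fileserv01 action=read bytes=4800000000
2020-01-21T02:31:44Z user=jdoe src=10.1.4.22 host=hr-db01 action=read bytes=900000000
2020-01-21T10:02:00Z user=asmith src=10.1.7.8 host=crm01 action=read bytes=65000
2020-01-22T09:40:00Z user=asmith src=203.0.113.5 host=crm01 action=read bytes=50000
"""

# Assumed split between the learning window (before) and the detection window (from).
LEARN_UNTIL = datetime(2020, 1, 20)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "src": m["src"], "host": m["host"], "bytes": int(m["bytes"]),
        })
    return events


def build_baselines(events, learn_until):
    """Stage 1: learn each user's normal hosts, source addresses, hours and daily volume."""
    seen = defaultdict(lambda: {"hosts": set(), "srcs": set(), "hours": [], "daily": defaultdict(int)})
    for e in events:
        if e["ts"] >= learn_until:
            continue
        b = seen[e["user"]]
        b["hosts"].add(e["host"])
        b["srcs"].add(e["src"])
        b["hours"].append(e["ts"].hour)
        b["daily"][e["ts"].date().isoformat()] += e["bytes"]
    baselines = {}
    for user, b in seen.items():
        totals = list(b["daily"].values())
        mean = statistics.fmean(totals)
        std = statistics.pstdev(totals) if len(totals) > 1 else 0.0
        baselines[user] = {
            "hosts": b["hosts"], "srcs": b["srcs"],
            "hour_min": min(b["hours"]), "hour_max": max(b["hours"]),
            # mean + 3 sigma, with a floor of 2x mean so a very steady user does not alert on noise
            "bytes_threshold": max(mean + 3 * std, 2 * mean),
        }
    return baselines


def detect(events, baselines, detect_from):
    """Stage 2: flag (user, day) pairs whose activity does not fit the learned pattern."""
    findings = defaultdict(set)
    daily_bytes = defaultdict(int)
    for e in events:
        if e["ts"] < detect_from:
            continue
        key = (e["user"], e["ts"].date().isoformat())
        b = baselines.get(e["user"])
        if b is None:
            findings[key].add("no_baseline")  # unknown account: cannot be scored, surface it
            continue
        if e["host"] not in b["hosts"]:
            findings[key].add("new_host")
        if e["src"] not in b["srcs"]:
            findings[key].add("new_source")
        if not (b["hour_min"] - 1 <= e["ts"].hour <= b["hour_max"] + 1):
            findings[key].add("off_hours")
        daily_bytes[key] += e["bytes"]
        if daily_bytes[key] > b["bytes_threshold"]:
            findings[key].add("bulk_egress")
    return {k: sorted(v) for k, v in findings.items()}


def run_example(text=LOG_LINES, cutoff=LEARN_UNTIL):
    events = parse_log(text)
    return detect(events, build_baselines(events, cutoff), cutoff)


if __name__ == "__main__":
    for (user, day), reasons in sorted(run_example().items()):
        print(f"{day} {user}: {', '.join(reasons)}")
```

The rules mirror the signals the text names: a host or source address the user has never touched (unusual access patterns, possible credential abuse), activity well outside the user's normal hours, and a daily outbound volume far above the learned norm (large data uploads). On the constructed data, jdoe's 2 a.m. reads of several gigabytes from a new host are flagged on all three counts, while asmith's normal workday produces nothing and only the login from an unfamiliar address is reported. Two practical points follow from the code: the learning window must be known-clean, or an insider's ongoing activity is baked into the baseline as normal, and accounts with no history cannot be scored at all, which is why they are surfaced as a separate finding rather than silently passed.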


Insider threats are quickly becoming a major cause of breaches. As phishing scams become more common and sophisticated, even high-level stakeholders are being tricked into becoming pawns, and when users with high privilege levels become pawns, organizations can suffer major losses.

To keep the corporate network and data safe, organizations need to combine a variety of techniques. Regular training, cooperation between IT and HR, threat hunting, technical controls, and UBA together provide coverage that reduces the number of insider threats and can stop breaches before an attempt gets far.







Author Bio: Gilad David Maayan

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.