An insider threat is a malicious activity aimed at an organization and carried out by people who have authorized access to the organization’s network, applications, or databases. These individuals are typically current employees, former employees, contractors, partners, or vendors. The objectives of these breaches range from malicious exploitation, theft, or destruction of data to the compromise of networks, communications, or other information technology resources.
Primarily motivated by financial gain, an insider threat can be for espionage, retaliation, or revenge. Most commonly used to describe deliberately harmful activities, insider threats can also refer to unintentional or accidental damage caused by individuals.
Let’s jump in and learn:
Insider Threat Types
There are three main types of insider threats.
An individual with authorized access who knowingly takes action to steal digital assets or sabotage operations is considered a malicious insider threat. Common motivations for malicious insider threats include gaining access to information that can be sold or which can help them personally (e.g., professional gain achieved with stolen trade secrets), finding ways to hurt an organization, or punishing or embarrassing an organization or specific people who are involved with it.
An authorized user who does not follow proper IT procedures is described as a negligent insider threat. Also known as careless insider threats, these individuals unknowingly or accidentally create vulnerabilities that expose computer systems, applications, and network infrastructures to cyberattacks.
Negligent insider threats are the most prevalent, because there are many points of weakness, including falling for phishing attacks, leaving systems unattended without locking the screen or logging out, saving sensitive information on flash drives, using insecure networks, using weak passwords, or sharing login credentials.
A compromised insider threat is actually an outsider who achieves insider access. A common tactic for gaining access is to pose as a user with legitimate access, such as an employee, contractor, vendor, or partner. Another approach is by using malware to infect an employee’s computer, typically engineered through phishing attacks.
Once access has been established, the compromised insider threat can be very harmful. Cyberattacks can be launched from the infected computer to access files, infect other systems, and even escalate privileges.
Insider Threat Data Exfiltration
Regardless of the type of insider threat, if the objective is to steal information, the perpetrator must be able to get the data out. Data exfiltration can occur through a number of vectors. The most common channels through which insider threats leak data include:
- Removable media
- Hard copies
- Cloud storage
- Personal email
- Mobile devices
- Cloud applications
- Social media
- Developer tools
- Screen clipping and screen sharing
- FTP sharing sites
Insider Threat Detection and Prevention
Detecting an insider threat requires constant vigilance. Key things to monitor include:
- Unauthorized access
- Privileged access abuse
- Suspicious behavior
- Remote access from all endpoints, including mobile devices
Identifying and stopping an insider threat before it causes damage can be facilitated with the following tactics. These policies and controls must be documented and consistently enforced.
- Establish physical security
- Implement security software and appliances, such as:
- Active Directory
- Endpoint protection system
- Intrusion prevention system
- Intrusion detection system
- Web filtering solution
- Traffic monitoring software
- Spam filter
- Privileged access management system
- Encryption software
- Password management policy and system, with a minimum standard of two-factor authentication
- Call manager
- Data loss prevention system
- Security information and event management system (SIEM)
- Enable e-mailbox journaling
- Require strong passwords
- Manage and monitor remote access
- Harden perimeter security
- Enforce least privilege access policies
- Log, monitor, and audit employee actions
- Purge dormant or orphan accounts
- Control third-party access
- Prevent data exfiltration
- Detect compromised accounts
- Define security agreements for cloud service providers, especially related to access and monitoring
Insider Threat Indicators and Triggers
Insider threats can sometimes be detected by identifying unusual behavior. Common indicators of malicious or compromised insiders include:
- Badging into work at unusual times
- Logging in at unusual times
- Logging in from unusual locations
- Accessing systems / applications for the first time
- Copying large amounts of information
Paying attention to employee behavior and influencing events can help identify someone who could be an insider threat. There are numerous insider threat triggers and signals, including:
- Poor performance reviews
- Disagreements over an organization’s policies and excessive negative commentary
- Conflicts between an organization and its employees, former employees, vendors, or partners
- Changes in someone’s behavior, such as making more mistakes than usual, missing deadlines, and skipping meetings
- Financial difficulties and indebtedness
- Drug or alcohol abuse
- Interest in areas outside the user’s traditional scope of duties
- Suspicious financial gain
- Resignation and layoff notifications
Insider Threat Response Plans
An insider threat response plan’s objective is to provide guidance on preventing, detecting, and responding to an insider threat, whether malicious or accidental.
Benefits of an Insider Response Plan
Taking the time to develop an insider threat response plan has a number of benefits, including:
- Compliance with corporate, industry, and government regulations
- Early detection of insider threats
- Expedited response to insider threats
- Minimized damage from an insider attack
- Reduced cost for responding to insider threats
Insider Response Plan Preparation Checklist
- Assess current cybersecurity measures
- Research IT requirements for the insider threat program with which the organization needs to comply
- Define the desired results for the program
- Formulate a list of stakeholders to include
- Perform a risk assessment
- Enumerate resources required to create the program
- Secure the support of executive management
Key Tactics When Developing an Insider Threat Plan
- Assign an insider threat response team.
This should be a cross-functional team of employees that acts as the front line of defense against insider threats. They should have training on the processes and tools needed to detect and respond to an insider threat.
Considerations when creating an insider team include:
- Articulating the objectives of the insider threat response team
- Selecting a leader for the team and the hierarchy of other team members
- Establishing the responsibilities of each team member
- Arming the team with policies, processes, and tools (e.g., software) to support their efforts
- Implement insider threat detection tools and processes.
To enable early detection of and rapid response to insider threats, a combination of software and processes must be put in place. These include:
- Monitoring user activity
- Collecting detailed logs of user activity
- Managing user access to sensitive information
- Analyzing user behavior to detect early indicators of an insider threat (e.g., with user and entity behavior analytics (UEBA))
- Create insider threat incident response strategies.
Consider common insider attacks and have responses documented so that the response team can act quickly. Insider threat response plans should include:
- Description of the insider threat
- Threat indicators—both technical and non-technical
- Individuals responsible for the threat
- Mitigation tactics
- Documentation of related evidence
- Depending on the severity of the attack, support from your public relations and investor relations teams
- Plan insider threat incident investigation.
Effective insider threat plans must include investigations and documentation of findings. This not only helps facilitate an understanding of the impact of the insider threat, but also provides information that helps prevent similar incidents in the future. When conducting an insider threat investigation, it is important to:
- Collect data on the incident—reviewing digital resources (e.g., log files, UEBA) and interviewing people connected with the incident (i.e., witnesses)
- Assess the damage and data loss caused by the insider threat
- Secure all evidence
- Report the incident—per internal protocols and compliance requirements
- Train employees.
Educating employees is one of the most effective tactics when combatting insider threats. Employee training helps team members become aware of the issue and teaches them to identify and report suspicious or risky behavior.
Training programs should include the following elements:
- Explanation of why the program is being put in place
- Examples of insider attacks and the damage done
- Description of activities that can lead to accidental incidents by negligent insider threats, such as social engineering and phishing attacks
- Information about malicious insider threat tactics and how to spot them
- Training on how to avoid phishing and social engineering attacks
- Contact information for reporting a possible insider threat
- Plan for measuring the efficacy of the insider threat program
- Connect security and HR teams.
Human resources teams can help head off an insider threat by letting the security team know about employees who may pose a risk. The security team can then put the employee on a watchlist and closely monitor their behavior.
- Review insider threat program regularly.
Because insider threats change, it is important to keep insider threat response plans up to date. They should take into account the latest insider threat vectors and tools.
Insider threat plans should be reviewed:
- At set intervals
- After an incident
- When new compliance requirements are released
- When new technologies are available—for users and the insider threat response team
- If there are changes in the response team
- When the company experiences a merger or an acquisition
- Prior to a significant reduction in force
Follow Best Practices to Avoid Damage from an Insider Threat
Although it is not possible to eliminate insider threats, awareness and diligence are critical to detection and reducing potential damage. Understanding the types of threats, training employees, using monitoring tools, and remaining vigilant will mitigate the risk of insider threats.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 17,000 customers with millions of customers worldwide.