What is an Insider Threat?

September has been declared National Insider Threat Awareness Month (NITAM) through a joint venture between the National Counterintelligence and Security Center (NSC) and the National Insider Threat Task Force (NITTF).  The goal of this effort is to educate organizations and their employees on the threat, helping them understand how it can occur through both intentional and unintentional means, and to help employees recognize and report unusual behavior.

This is amidst a particularly trying time in the world with the COVID-19 pandemic and the unique strain and impacts it has had on individuals. With this comes a higher risk of fraud, theft, and to put it plainly, insider threat. This is confirmed through a study conducted by The Ponemon Institute that demonstrates insider threats have increased by 47% since 2018.  

So, what exactly is an insider threat? In this blog post, we will take a deep-dive into what constitutes an insider threat, including the different types and a walk-through of examples and common indicators. Additionally, I’ll provide some details on various ways you can protect your organization from insider threats.

What is an Insider Threat?

An Insider Threat is typically an individual who uses the access that they have been granted to an organization’s resources to cause harm to the business. While it may be tempting to associate threat with malicious intent, the reality is that the majority of insider threats come from negligent insiders vs malicious insiders. Let’s better define these types of insider threats.

A Malicious Insider is an individual who is purposefully stealing data from an organization or performing an activity with the intention of causing the organization harm. This is typically someone who has legitimate access to the network and is abusing that access for personal gain or satisfaction. Common drivers and goals for these “bad actors” include:

• Financial Gain
• Personal Vendetta
• Intellectual Property theft
• Espionage on behalf of a different organization

A Negligent Insider is someone who unintentionally compromises data or puts the organization at increases risk due to insecure behavior. This not only includes direct employees of an organization, but also applies to contractors and third-party vendors. Examples of insecure behavior include:

• Emailing the wrong person sensitive information
• Losing a laptop
• Falling victim to a phishing attack
• Circumventing security policy or using bad judgement when accessing company resources

Key Risks of Insider Threat

There are a number of reasons why insiders can be even more dangerous than external attackers.

Reason 1: They have legitimate access to critical resources, so they do not need to identify and exploit security vulnerabilities which may be much easier to identify.

Reason 2: They already know the lay of the land, so they do not need to go through the exercise of finding where sensitive data exists or knowing which assets or resources are most valuable to the organization.

Reason 3: They pose risks above and beyond simply stealing or destroying sensitive data. They can take down or compromise critical systems, spread malware, misuse assets for personal gain, and more.

Each of these factors leads to an underlying difficulty in being able to easily detect an insider threat. With legitimate access to resources, knowledge of where sensitive data exists, and the security controls in place, malicious insiders are able to cover their tracks much easier than external attackers and thus can stay undetected for far longer. Negligent insiders pose an even higher risk in certain circumstances, especially if the nature of their job relates to the regular handling of critical systems or data assets.

Common Indicators

In order to prevent a potential breach of data or catastrophic issue due to an insider threat, it’s important to beware of these common indicators:

• Accessing (or attempting to access) systems or data outside of normal job duties
• Requesting access to data without a valid “need-to-know”
• Unusual or unexplainable access patterns, such as attempts to download or copy large amounts of sensitive data
• Accessing or using unauthorized software, systems, or storage devices
• Attempting to bypass security protocols or violate corporate policies
• Displaying unusual, erratic, or disgruntled behavior
• Accessing systems or data during unusual time periods such as after work hours or weekends

Examples

With insider threats being so prevalent, let’s explore some real-life scenarios where an insider with legitimate access to a system was the root cause of a data breach.

Anthem

LaunchPoint, Anthem’s Medicare insurance coordination services vendor, notified Anthem of an employee that had been stealing and misusing Medicaid member data since as early as July 2016. The employee had emailed a file containing PHI including Medicare ID numbers, Social Security numbers, Health Plan ID numbers, member names, and enrollment dates to their personal email.

Boeing

One of the most infamous and severe examples of a malicious insider is a Boeing employee named Greg Chung. Greg served as a Chinese spy for over 25 years while employed at Rockwell and later Boeing, stealing sensitive information to help establish and progress the Chinese space program. This was happening from 1979 all the way until 2006 when he was finally caught. Chung not only compromised the companies at which he worked but also national security due to the nature of the information that he was exfiltrating.

Capital One

The 2019 Capital One data breach was ultimately due to a misconfigured web application in an AWS hosted resource. In this case, a software engineer who worked for AWS was able to take advantage of this vulnerability and ultimately steal over 100 million customer records which included account and credit card application information. The hacker discussed her exploits with colleagues over Slack and even posted the information on GitHub using her full name.

Protect your Organization from Insider Threats

Proactive insider threat prevention and detection are critical in order to protect an organization’s data and maintain the privacy of its employees and customers. A successful insider threat program includes the following key processes and corresponding technologies:

Monitoring

One of the most integral components of an insider threat program is the ability to monitor user activity across the entire network. It’s important to understand exactly who is accessing what data, what they are doing with it, and how they got that access. Start with monitoring critical systems and data and expand the scope as necessary. A proper monitoring solution should not only provide the raw user activity events but should provide additional analysis that is able to identify suspicious or unusual activity.

Prevention

The ability to prevent insider threats starts with having a set of security policies, technologies, and procedures that are crafted to protect an organization’s critical systems and sensitive data. This includes leveraging technology such as Identity and Access Management, Privileged Access Management, Multi-Factor Authentication, Active Directory Security, and Data Access Governance. This combination of technologies helps to ensure

• Access to data is being restricted as necessary and reviewed frequently
• Sensitive data is being protected through appropriate controls
• Active Directory is hardened to reduce potential threat vectors
• The ability to exploit privileged credentials is limited

In addition to these technologies, the importance of education cannot be understated. Employees should be aware of common attack vectors and how their actions contribute to the potential for insider threats. They should know what types of activities are off-limits, especially as it pertains to sensitive information. In general, your employees and partners should be aware of internal security policies and basic cybersecurity best practices. Employees should also be aware of how to potentially identify an insider threat, such as a coworker displaying suspicious behavior along with who to reach out to in these instances.

Threat Detection

The longer an insider threat remains undetected, the larger financial impact it will have on an organization. The Ponemon Institute study showed that incidents that took 90 days to contain cost organizations $13.71 million on an annualized basis, while incidents that lasted less than 30 days cost roughly half of that. In order to detect an insider attack in time to prevent the potential disaster or a complete compromise of your network or critical systems, you need a comprehensive threat detection and response system which should include:

• The ability to detect specific tactics, techniques, and procedures which are commonly leveraged by attackers when attempting to compromise credentials or data. This includes the ability for organizations to define threat parameters based on their unique requirements.
• Comprehensive investigation capability to help aid forensic investigations on users and related activities
• Machine Learning and User Behavior Analytics to identify anomalous, outlier behavior as compared to typical access patterns

Response

The ability to automate response activities based on detected threats is key in order to minimize the possible damage from an insider threat. Since specific attacks will require specific responses, having a catalog of response actions that are customizable based on an organization’s needs is key. Basic response actions may include:

• Temporarily blocking access to data
• Disabling compromised credentials
• Remove malicious files
• Sending alerts and notifications
• Blocking a process or application

Insider Threat is Not Going Away

Insider threats are unfortunately not going anywhere – they should continue to be a top concern and priority for organizations worldwide. By understanding the types of insider threats, the common indicators and behaviors, and the tools that can be leveraged to help detect and prevent these threats, organizations can prepare themselves and minimize the risks associated with a potential breach. Learn more about common attack techniques and indicators of compromise, along with how organizations can detect, mitigate, and prevent these threats by visiting the Stealthbits Attack site.