What’s the Big Deal?
By Ross Moore
Trusting coworkers is an important part of the workplace. And, by and large, they are trustworthy – many of them will never do anything nefarious or damaging, so for the most part all is well. But things happen – people make mistakes, and some people do bad things.
Insider threat is an essential topic – it has a month dedicated to it, is considered the Achilles Heel of organizations, is part of a national security strategy, is part of Zero Trust, has toolkits and fact sheets, and even has a graphic novel about it.
What is It?
An insider threat can be compared to a housekeeper who has access to every room in a house and can potentially steal valuable items and sensitive information. In the same way, an insider with access to an organization’s systems and data can misuse their privileges to cause harm.
The housekeeper can also accidentally break a vase or ruin the carpet. Insider threat isn’t all due to malfeasance, but whatever the result there can be a cost.
Corporate insiders are anyone with access to corporate data, and includes employees, consultants, contractors, and contingent workers.
In the big scheme of things, insider threat entails all areas of threats, including physical, posed to an organization’s assets and people, but here we’ll focus on the cybersecurity threat.
Just how much of a deal is insider threat? The average annual cost is $15.38 million, primarily caused by carelessness (56%) and malicious (26%).
The costs are substantial. What does it take to keep the costs down?
Understanding the Types and motivations
There are two general classes of Insider Threats: Unintentional and Malicious
Unintentional Insider Threats
These are Accidental or Negligent acts: accidentally deleting or moving files and folders; sending a confidential email to the wrong person or distribution list; being in a hurry and opening a malicious email attachment; not securing S3 buckets. The actions cause loss in various forms, but the intention was not criminal.
Malicious Insider Threats
These are crimes such theft of trade secrets and purposeful deletion of files.
The typical list of motivations includes Financial Gain, Revenge, Ideology, and Espionage.
An organization’s expectations of professional conduct need to be publicized. Encouragement to do what’s right and discouragement from doing what’s wrong go a long way in preventing malicious acts, and will go a long way in responding to and recovering from such activities.
Building a Foundation for the Program
A good question is worth a thousand answers, so here are some questions security leaders should ask when building the program.
- How do we verify the person logging into the corporate VPN is the employee, not an attacker?
- How can we verify an employee’s anomalous behavior?
- How can we ensure employees are connecting to the network?
Answers to these and other related questions provide internal guidance for relevant next steps.
What does it look like in real life?
Misconfiguration, phishing, sabotage – the list is long. But a couple examples are:
- (Malicious) A fast food chain employee who was caught stealing customer credit card details and buying personal items, and
- (Unintentional) An airline’s misconfigured/unsecured AWS bucket exposed 23 million files (6.5TB) to the public.
Best Practices
There’s no golden manual for insider threat, but there are some key components to include in an effective insider threat management program:
1. Risk Assessment: Conduct a comprehensive risk assessment to understand the organization’s vulnerabilities and realize the potential impacts. Include employees with access to sensitive data or systems, third-party vendors with access to company systems, and privileged users with elevated permissions.
2. Policies and Procedures: Establish clear policies and procedures for employee behavior, access control, and data management and communicate them regularly.
3. Training and Awareness: Provide regular training and awareness programs to employees to increase their awareness of the risks posed by insider threats and how to report suspicious activity.
4. Access Control: Limit employee access to only the systems and data needed to perform their job functions, using multi-factor authentication and other security measures.
5. Monitoring and Detection: Implement monitoring tools that detect anomalous activities such as data exfiltration, privilege escalation, and unauthorized access. Monitoring should “combines analysis of user behavior with analysis of the data to protect sensitive data that’s being mishandled.”
6. Incident Response (IR): The IR plan outlines the steps to take in the event of an insider threat incident. Include a process for conducting investigations, containing the threat, and notifying stakeholders.
give me a sign!
Here are some things to watch out for when monitoring for insider threat.
behavioral signs
1. Increased or unusual access to sensitive data or systems. An example is accessing sensitive information outside of business hours.
2. Unauthorized software installations or system modifications, such as an insider installing unauthorized software or making changes to systems without authorization.
3. Changes in behavior, such as sudden secrecy, avoidance of coworkers, or increased aggression or hostility can be red flags.
6. Departure from normal job duties. Employees who suddenly depart from normal job duties (e.g., spending excessive time in the server room, performing tasks outside of their area of responsibility) could be a sign of an insider threat.
These behaviors alone don’t necessarily indicate insider threat activity and should be evaluated in the context of the employee’s job responsibilities and other factors.
indicators for Technical Teams
SOC (Security Operations Center) teams and other personnel should watch for technical indicators. These include monitoring for:
1. User access to sensitive data or systems, particularly outside of normal business hours or when an employee is on leave.
2. Anomalous behavior such as excessive data downloads, unusual file access, unauthorized software installations, or system changes.
3. Elevated privileges such as administrative accounts and monitor for unauthorized attempts to escalate privileges.
4. Network traffic such as unauthorized external connections, data exfiltration, or communication with known malicious IP addresses.
5. Suspicious emails such as emails with large attachments, unsolicited emails, or emails with unusual or suspicious content.
It’s Simply Not Simple
Dr. Larry Ponemon said “…when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever.”
The threat landscape is complex, and Insider Threat is one worthy of putting toward the top of the stack for addressing.
Ross Moore is the Cyber Security Support Analyst with Passageways. He has experience with ISO 27001 and SOC 2 Type 2 implementation and maintenance. Over the course of his 20+ years of IT and Security, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2’s SSCP along with CompTIA’s Pentest+ and Security+ certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University.