Insider Threat Awareness

25.10.2022

What are insider threats?

Insider threats originate from users who have authorized and legitimate access to an organization's assets and misuse it either intentionally or negligently.

Why are insider threats particularly dangerous?

Cyberattacks caused by access misuse can harm an organization, its employees and its customers. According to the "2020 IBM X-Force® Threat Intelligence Index," unintentional insider threats were the primary reason for the more than 200% increase in the number of data breaches in 2019 compared to 2018. 

It’s important to keep in mind that insiders often know exactly where an organization's sensitive data is located and they have elevated access privileges, whether they have malicious intent or not.

In addition, insider attacks are costly for companies. According to the Ponemon Institute's 2022 Cost of Insider Threats study statistics, the average annual cost of insider-related incidents is equal to  $15.4 million, with negligence accounting for 56% of incidents.

Whether accidental or intentional, insiders can misuse confidential customer data, intellectual property or financial resources.

Types of insider threats

Current employees, former employees, contractors, business partners or their associates are all potential insiders. In fact, any person with the access to an organization's infrastructure and data can affect the organization. 

Primarily, insiders may be divided into categories basing on the following:

• Motivation
• Awareness
• Level of access
• Intent

Let’s also consider the division provided by the Ponemon Institute and Gartner.

Ponemon Institute categorizes insiders as negligent, criminal or credible. 

The Gartner, in turn, divides insider threats into four categories: simpletons, do-nothings, collaborators and lone wolves. 

Simpleton

Simpletons are employees who are manipulated, so they commit malicious actions being not aware of what they are actually doing. Whether by downloading malware or sharing credentials with fraudsters, due to implementation of social engineering methods or because of phishing attacks, simpletons harm an organization.

Do-nothings

Do-nothings are ignorant or arrogant users who believe security policies do not apply to them. They actively try to bypass security controls because of their incompetence or in order to feel more comfortable. Thus, security policies are violated and vulnerable data and resources are left unprotected, what provides attackers easy access. 

Collaborator

Collaborators cooperate with outsiders, such as a company's competitors or foreign governments, to commit a crime. They use their access rights to steal intellectual property and customer information or cause business disruption, often for financial or personal gain.

Lone wolf

The next type lone wolves act independently and maliciously, often for financial gain, even without outside influence or manipulation. Lone wolves are especially dangerous if they have extended privileges, such as system or database administrators.

There are numerous attributes of each insider related incident; however, it is possible to name a few typical signs of insiders’ malicious activities. For instance:

• The number of employee’s outbound communications increases significantly regarding to this annual daily number –  user's credentials should be monitored
• The transmissions of large volumes of data beyond normal for a particular employee. 
• The usage of suspicious applications, which in turn could indicate malware activity. 

How fraudsters make insiders work for them

When a fraudsters target protected systems, they focus on gaining employees’ access privileges. In order to commit a cybercrime, fraudsters often target simpletons and do-nothings. They use a variety of tactics and practices to obtain credentials, for instance: phishing emails, watering holes and malware. With the help of the credentials, fraudsters can easily navigate within an organization’s infrastructure, extend their privileges, make changes, and access sensitive data or financial resources. Fraudsters can access data or information from unsecured locations via a command-and-control (C2) server during outbound communications. They can attempt to make changes or perform large-scale data transfers via outbound communications.

As it was mentioned earlier, there are plenty of various way how intruders perform their attack. The list of these methods includes but is not limited to: 

• Looking for vulnerabilities
• Using phishing emails or malware
• Identifying a malicious insider
• Obtaining compromised login information
• Exploiting access privileges
• Extending access privileges
• Access to assets
• Modification of data
• Data exfiltration

How to mitigate insider threats

There are several technical and non-technical techniques which organizations can apply in order to strengthen  their team and system detection and prevention capabilities in regard to each type of insider threat.

Each type of insider threat has different attributes that security teams can spot. However, it is strictly required to use complex comprehensive approaches. Below you can find some stages, which should help to mitigate insider risks.

First one is related to protective software implementation. The software should automatically:

• Check and revoke access rights (if necessary)
• Offer available out-of-the-box and flexibly customizable security policies 
• Monitor the infrastructure for potential threats and risky behavior
• Classify data and block access to critical data and it’s transmission to third parties 
• Report immediately to a person-in-charge about an incident and take proactive steps, such as access and operations block when necessary

It’s important to know precisely correlation between data and a specific user. Ask yourself the following questions:

• Who has access to sensitive data?
• Who should have access to it?
• What are end users doing with data?
• What do administrators do with data?
• What data is sensitive?
• Is sensitive information being exposed?
• What is the risk associated with sensitive data?
• Can administrators control privileged user access to sensitive data?

Detection and remediation

After creating a threat model, organizations focus on detecting and remediating insider threats and security breaches.

No one should forget, that the data leak starts with the data itself. So the first logical step is to put everything in order in your file system. A DCAP class solution is the useful option. For instance, you may try the FileAuditor, DCAP class tool by SearchInform for free. It will help to find, for instance, what critical data does your organization have, where is it kept and who has access to it.

Then, security teams must distinguish a user's normal activities and potentially malicious activities to detect insider threats. But in order to do so, organizations must first close existing visibility gaps. Then, they should aggregate security data into a central monitoring solution, whether as part of a security information and event management (SIEM) platform. Many teams start with access, authentication and account change logs. As a next step, they expand the scope to include additional data sources, such as a virtual private network (VPN) and endpoint logs.

DLP class tools are extremely important for blocking transfer of confidential, data that is why they are so popular. However, today, a classic DLP is not enough, that’s why SearchInform also offers a complex tool – Risk Monitor, which not only deals with the DLP tasks, but also provides forensic suit, time tracking module and number of other features. 

Once organizations centralize this information, they can model user behavior and assign risk scores. Risk scores are tied to specific risk events, such as changes in user geography or downloads to removable media. Assigning risk scores further empowers Security

Operations Center (SOC) teams to monitor risk across the enterprise, whether by creating watch lists or highlighting the highest risk users in the organization.

Insider Employee monitoring Human factor