Hackers, cybercriminals, malware infections, and other external threats dominate the headlines. And for good reason. The loss of millions of data records as part of a security breach now seems to be a common occurrence. And as we move towards an integrated digital economy, the impact of a massive or coordinated cyber attack could have devastating consequences.
But the reality is, the vast majority of cyberattacks still fall below the radar. While we don’t see or hear about them, smaller, targeted attacks were responsible for the majority of the $600 billion lost to cyberattacks last year. Even less well understood is that nearly half of data breaches and system compromises come from within an organization rather than from an outside source. Of these, nearly half are intentional, while the rest are accidental.
From a security perspective, protecting against an insider compromise is quite different from defending against an external network attack. Gaining access to vulnerable devices and systems or escalating network privilege are also generally much easier to perform from the inside. Many security systems simply don’t pay that much attention to what a known user is doing—especially in an environment built around implicit trust, or one where the majority of security resources are focused on perimeter control.
Identifying Potential Insider Threats
Enterprises can get a step ahead of insider threats by identifying not just insider actions that compromise resources, but also by identifying those people likely to perform such actions. There are two types of insider who represent a risk on you and your organization:
Type A – Malicious Actors
These individuals are willing to put an enterprise at risk for a number of reasons. These can include personal gain, the desire to take revenge against a perceived injustice—such as being overlooked for a promotion or having a bad manager, political motivations, or industrial espionage funded by a nation-state or competitor.
Insider attacks can result in the theft of valuable data and Intellectual Property (IP), the exposure of potentially embarrassing or proprietary data to the public or competitors, and hijacking or sabotaging databases and servers. Customer and employee information, including personally identifiable information (PII) and personal health information (PHI) are favorite targets because they have the highest resale value on the Dark Web. Intellectual property (IP) and payment card information are the next most popular types of data to steal.
With a more traditional external attack, abnormal data flows due to rapid data exfilt
ration to an unusual destination can be hard to disguise. Activities may be in conflict with an enterprise security policy, happen at a strange time, originate from a strange access point, show movement to an unusual network address, or include an unexpectedly high volume of data. Any of these should trigger a security response that could shut down an active breach.
But because insiders already have continuous and trusted access, attacks and data exfiltration can happen over time, giving an attacker more time to plan his strategy, cover his tracks, disguise data so it is difficult or impossible for security tools to identify, and keep data movement below the threshold of detection. Many users can also take advantage of inconsistent security enforcement across ecosystems by moving data between core and multi-cloud environments to outrun detection.
Type B – Negligence
It is not unusual for organizations to give certain users more privilege than they have skill to manage. An executive who insists on being given escalated privilege to a database, for example, can do something as simple as change a field length and cause critical applications to malfunction. Whether such users are unaware of basic precautions for handling sensitive applications or information, are error-prone, or are simply careless, for the most part they do not intend to do harm.
Data loss or exposure, however, does not have to be the result of the improper granting of privilege. Losing mobile devices, laptops, or thumb drives, failing to wipe discs and hard drives on discarded hardware, or even giving away business information when chatting on social networks, can result in mistakes that can be as costly as the deliberate attacks of others.
Addressing your Internal Risk
Organizations need complete visibility of their data flow—they need to know who is accessing what data, where, and when, including in core, multi-cloud, or SD-WAN environments. Security teams also need to especially identify and categorize risky users, including executives, administrators, and super users who have access to sensitive information and privilege, as well as by maintaining and monitoring a list of everyone that can access critical data, resources, and applications.
By putting controls in place to help security staff spot attacks earlier, you can begin to create an effective insider threat program. For example, you should be carefully watching for things like privilege escalation; applications, probes, and traffic moving outside of their normal parameters; and unusual traffic patterns of applications and workflows, especially between different network domains.
Behavioral analytics need to see across the distributed network to intelligently flag abnormal incidents and immediately report them to security personnel. Moving to a zero trust model and implementing strict internal segmentation can prevent the sort of lateral movement across the network that many attacks require. And protocols need to be put in place so that priority alerts are seen right away without swamping security teams with a deluge of low-level information.
Things to watch for include:
Unauthorized use of IT resources and applications
- Employees using personal clouds for corporate information
- Rogue use of shadow IT
- Accessing, sharing, or distributing PII
- Installing unapproved and unlicensed software
- Unauthorized use of restricted applications, including network sniffing and remote desktop tools
Unauthorized transfer of data
- Using removable media to store or move data
- Unauthorized copying of business-critical data to a cloud or web service
- Transferring file transfers to and from unusual destinations
- Moving files using instant messenger or social media applications
Misuse, abuse, and malicious behavior
- Misusing file system admin rights
- Disabling or overriding endpoint security products
- Using password stealing tools
- Accessing the Dark Web
Prevention is a Critical First Step
Prevention of problems can also be taken a step further by creating workplace conditions that encourage good employee behavior.
For example, employees may seek to leave an organization and take confidential information with them when salary levels, career prospects, or other aspects of their job are below certain measurable levels of satisfaction. Measuring and responding to levels of employee satisfaction, therefore, is a key part of preventing insider security risks. A regular information security awareness program coordinated between HR and IT can help reduce careless behavior.
The risk of insider threats is often bigger than we think, especially as networks become larger and more complex. Carelessness and malicious intent are the two major causes, but both can be mitigated. Solutions to improving awareness and careful information handling include training and awareness, and the monitoring of privileged users and critical data across the distributed network, from the core to the cloud. This needs to be combined with dynamic network segmentation and the integration of security tools into a single fabric, including advanced behavioral analytics.
These technical solutions are only half of the answer. Creating and maintaining attractive working conditions also go a long way to preventing malicious behavior. Remember that salary is just one factor, and not always the critical one. A sense of ownership, team comradery, and creating the sense that your employees are performing a vital task can be just as important as any internal security solution you may have in place.