Images of an elite hacker commandeering an organization’s network from halfway across the globe might play out well in Hollywood, but for many CISOs, an insider threat ranks high on the list of things keeping them up at night.
What is an insider threat? Put simply, it’s the risk that someone’s privileged level of access inside an organization will wind up causing that organization harm. The individual doesn’t need to be an employee, and the harm may not even be deliberate, but insider threats are still a significant risk that many businesses don’t take seriously enough. In this post, we’ll dive deeper into insider threats, look at some infamous examples and discover how organizations of all sizes can mitigate the risks associated with insider threats.

What is an insider threat?

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has a succinct yet complete insider threat definition: an “insider threat is the potential for an insider to use their authorized access or understanding of an organization to harm that organization.” That harm could come in many different forms, and what best describes an insider threat at your particular company could look quite different from the definition above, but CISA’s generic guidance is useful for gaining a general understanding of the risk.

It’s important to note that not all insider threats are intentionally malicious. By most estimates, negligent or careless insiders actually cause a greater number of incidents than those with ill intent. A perfect example is an employee who downloads pirated software onto a company computer. The employee may not have intended to damage the organization, but because pirated software often contains malware and backdoors, this reckless action created an opening that external actors might not have been able to create on their own.

While insider threats are not a new problem, the COVID-19 pandemic, growing geopolitical tensions and the realities the modern labor force faces can exacerbate the issue. Remote work and increased employee churn both create significant challenges in identifying and mitigating insider threats, and a divisive political climate only adds to them.
To make matters worse, ransomware gangs have increasingly tempted insiders with promises of massive payouts in exchange for a foothold into a victim organization.

Characteristics of an insider threat
Who is at risk of insider threats?

While any organization is susceptible to an insider threat, certain industries tend to experience either more serious or more frequent incidents:
The Ponemon Institute’s research also shows that the frequency of insider threat incidents is directly related to an organization’s headcount and that organizations in North America appear to be the most frequently attacked victims.

Types of insider threats

There’s seemingly no end to the variety of ways a privileged insider could do damage — that’s what makes insider threat prevention so difficult. However, most insider threats can be categorized based on their intent:

Turncloaks

Malicious insiders known as turncloaks knowingly take action to harm an organization. The insider could be an employee, a contractor or even a trusted business partner. Turncloaks could be motivated by financial gain, revenge or political ideology. Some perform covert actions such as stealing sensitive documents or proprietary information. Others prefer a path of destruction, wiping databases and leaving a trail of total chaos on their way out the door.

Pawns

In contrast to the turncloak, pawns don’t intend for their actions to have an adverse impact. Some pawns are simply careless, reusing passwords between work and personal accounts or leaving flash drives full of sensitive information at a coffee shop. Others may perform negligent or reckless actions such as circumventing security measures for their own personal convenience. Still others are completely unwitting participants, falling for phishing scams or other forms of social engineering. Pawns can sometimes skirt the line with a turncloak by knowingly cooperating with an external party but failing to realize the true implications of their actions.

Moles

Moles operate much like turncloaks, but moles join a company already intending to cause harm to the organization. They are very often driven by a strong political motive, whether for a nation-state or a fringe cause. Moles are among the most difficult insider threats to detect and are potentially the most damaging.
How to detect an insider threat

Insider threat detection poses unique challenges for security teams because traditional defenses such as firewalls and access controls are often ineffective against someone who already holds legitimate access. Technologies such as User Behavior Analytics (UBA) and Privileged Access Management (PAM) can help fill the gap where other controls cannot. Be on the lookout for several warning signs that may indicate an insider threat or attack:

Digital warning signs
Behavioral warning signs
How to protect against insider threats

Complete insider threat prevention is nearly impossible for an organization of any size, but there are a few things all organizations can do to help protect themselves:
Insider Threat FAQs

Q: What are insider threat indicators?

A: Insider threat indicators are clues that could help you stop an insider attack before it becomes a data breach. Technical controls can be ineffective at spotting or preventing insider threats, but human behavior is often a dead giveaway. Train your team to recognize abnormal behaviors, and use Varonis to mitigate the damage of a potential insider threat before it becomes a frightening reality.

Q: What motivates an insider attack?

A: The motivations behind malicious insider threats vary, but a financial incentive is very often present. Research has consistently shown that both internal and external threat actors are very often motivated by financial gain. Other common motives include revenge, strong political affiliations or even interpersonal conflicts in the workplace.

Q: How do you detect insiders who are accessing sensitive data as part of their job function?

A: Given that insiders may naturally access sensitive data as part of their day-to-day responsibilities, a single access event is often not sufficient evidence for insider threat detection. Is the user accessing “SecretCocaColaFormula.doc” to perform a legitimate update, or to steal the data and give it to a competitor? Solutions like the Varonis DatAlert platform can provide additional context that is useful in answering these types of questions. Perhaps the user regularly needs to access the cola formula as part of his or her job function, but then one day begins to transfer the complete list of ingredients, suppliers and manufacturing processes to a large number of previously unseen external contacts. This type of behavior shift might warrant further investigation from the security team.

Q: Are threshold-based alerts prone to false positives (for example, when someone simply restructures folders)?

A: Threshold-based alerts are bad at determining intent, and can lead security pros on a wild goose chase.
Here is a simple scenario: a user moves one folder of sensitive data to a new location. If you have a threshold-based alert for “500 file operations on sensitive data in one minute,” that user just tripped it. Your security team’s time is more precious than the effort spent chasing down every folder change. Use security analytics to create more intelligent alerting.

Q: How useful are watch lists?

A: Watch lists — lists of users you need to keep an eye on — can be helpful, but they have a downside as well. Watch lists can become overused and put your security team in a difficult position with the rest of your users. On the flip side, you do want your users to be “security aware” and to have a safe method for reporting suspicious activity. You need to develop and keep best practices for your watch list: investigate and drop users off the watch list quickly, and lean on your security analytics to keep tabs on abnormal behavior for you.

Conclusion

With the average employee able to access tens of millions of files, the risks from insider threats are unlikely to go away anytime soon. It’s important to take these kinds of threats seriously. Check out some of the resources below to learn more about insider threats and see how Varonis can help you manage them:
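To make the two FAQ scenarios concrete (the folder move that trips a “500 file operations in one minute” threshold, and the user who suddenly sends the formula to many previously unseen external contacts), here is an added worked example. It is not code from the original post or from Varonis; it runs two detectors over a constructed file-activity log. The event format, user names, file paths, e-mail addresses and the “five new external recipients” limit are all assumptions made for the example.

```python
"""Added example (not from the original post or Varonis): a plain threshold alert
versus a baseline-aware behavior-shift alert, run over a constructed activity log.
Event format, names, addresses and limits are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int            # seconds on a constructed clock
    user: str
    action: str        # "read", "move" or "send"
    path: str
    sensitive: bool    # classification flag, as a DLP/classification engine would set it
    recipient: str = ""   # external address, only meaningful for "send"


THRESHOLD = 500          # the FAQ's "500 file operations on sensitive data in one minute"
WINDOW = 60              # seconds
NEW_CONTACTS_LIMIT = 5   # assumption: how many unseen external recipients counts as "a large number"


def threshold_alerts(events):
    """Users with >= THRESHOLD sensitive-file operations inside any WINDOW-second span.
    This is the naive rule from the FAQ; it cannot tell a folder move from theft."""
    stamps_by_user = defaultdict(list)
    for e in events:
        if e.sensitive:
            stamps_by_user[e.user].append(e.ts)
    hits = set()
    for user, stamps in stamps_by_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] >= WINDOW:
                start += 1
            if end - start + 1 >= THRESHOLD:
                hits.add(user)
                break
    return hits


def behavior_shift_alerts(baseline, recent):
    """Users who, in `recent`, send sensitive files to >= NEW_CONTACTS_LIMIT external
    recipients that never appeared for that user in `baseline`. Routine access and
    routine recipients learned from the baseline do not count against the user."""
    known_recipients = defaultdict(set)
    for e in baseline:
        if e.action == "send":
            known_recipients[e.user].add(e.recipient)
    unseen = defaultdict(set)
    for e in recent:
        if e.action == "send" and e.sensitive and e.recipient not in known_recipients[e.user]:
            unseen[e.user].add(e.recipient)
    return {user for user, contacts in unseen.items() if len(contacts) >= NEW_CONTACTS_LIMIT}


FORMULA = "/shares/rd/SecretCocaColaFormula.doc"

# Constructed baseline: bob reads the formula every day and sends it to one known supplier weekly.
BASELINE = [Event(ts=day * 86400, user="bob", action="read", path=FORMULA, sensitive=True)
            for day in range(30)]
BASELINE += [Event(ts=day * 86400 + 10, user="bob", action="send", path=FORMULA,
                   sensitive=True, recipient="orders@supplier.example")
             for day in range(0, 30, 7)]

# Constructed recent window:
#  - alice restructures a folder of 600 sensitive files in about half a minute (the FAQ's false positive)
#  - bob sends the formula to eight external addresses never seen before (the FAQ's behavior shift)
#  - carol sends one sensitive file to one new contact (below the limit, no alert)
RECENT = [Event(ts=1000 + i % 30, user="alice", action="move",
                path=f"/shares/finance/q3/report_{i}.xlsx", sensitive=True) for i in range(600)]
RECENT.append(Event(ts=2000, user="bob", action="read", path=FORMULA, sensitive=True))
RECENT += [Event(ts=2001 + i, user="bob", action="send", path=FORMULA, sensitive=True,
                 recipient=f"contact{i}@unknown-example.net") for i in range(8)]
RECENT.append(Event(ts=3000, user="carol", action="send", path="/shares/hr/salaries.xlsx",
                    sensitive=True, recipient="friend@unknown-example.net"))


if __name__ == "__main__":
    print("threshold alert fires for:     ", sorted(threshold_alerts(RECENT)))
    print("behavior-shift alert fires for:", sorted(behavior_shift_alerts(BASELINE, RECENT)))
```

The threshold rule flags only alice, whose folder move is exactly the wild goose chase the FAQ describes, and misses bob entirely because nine operations never approach 500. The baseline-aware rule flags only bob, because his reads and the known supplier address match his established pattern while eight unseen external recipients do not. In a real deployment the baseline would be learned continuously per user (and per peer group) rather than from a fixed 30-day list, and the recipient check would cover any egress channel, not only e-mail.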