An insider threat is a security risk that originates within the targeted organization. This doesn’t mean that the actor must be a current employee or officer in the organization. They could be a consultant, former employee, business partner, or board member.
34% of data breaches in the 2019 Verizon Data Breach Investigations Report involve internal actors.
According to the 2019 Varonis Data Risk Report, 17% of all sensitive files were accessible to every employee.
So what do these statistics tell us? Insiders have the capabilities, motivations, and privileges needed to steal important data – which makes it a CISO’s job to identify and build a defense against all of those attack vectors.
Anyone who has insider knowledge and/or access to the organization’s confidential data, IT, or network resources is a potential insider threat.
Types of Insider Threats
In order to protect your organization from insider threats, it’s important to understand what insider threats look like. The two main types of insider threats are turncloaks and pawns, which are malicious insiders and unwilling participants, respectively.
A turncloak is an insider who is maliciously stealing data. In most cases, it’s an employee or contractor – someone who is supposed to be on the network and has legitimate credentials but is abusing their access for fun or profit. We’ve seen all sorts of motives that drive this type of behavior: some as sinister as selling secrets to foreign governments, others as simple as taking a few documents to a competitor upon resignation.
Gregory Chung, an engineer at Boeing, is an infamous turncloak. Mr. Chung is convicted of using his security clearance at Boeing to smuggle trade secrets to China in exchange for a small fortune.
A pawn is just a normal employee – a do-gooder who makes a mistake that is exploited by a bad actor or otherwise leads to data loss or compromise. Whether it’s a lost laptop, mistakenly emailing a sensitive document to the wrong person, or executing a malicious Word macro, the pawn is an unintentional participant in a security incident.
How to Detect an Insider Threat
There are common behaviors that suggest an active insider threat – whether digitally or in person. These indicators are important for CISOs, security architects, and their teams to monitor, detect, and stop potential insider threats.
Common Indicators of an Insider Threat
See the common digital and behavioral signs of an insider threat below.
Digital Warning Signs
- Downloading or accessing substantial amounts of data
- Accessing sensitive data not associated with their job function
- Accessing data that is outside of their unique behavioral profile
- Multiple requests for access to resources not associated with their job function
- Using unauthorized storage devices (e.g., USB drives or floppy disks)
- Network crawling and searches for sensitive data
- Data hoarding, copying files from sensitive folders
- Emailing sensitive data outside the organization
Behavioral Warning Signs
- Attempts to bypass security
- Frequently in the office during off-hours
- Displays disgruntled behavior toward co-workers
- Violation of corporate policies
- Discussions of resigning or new opportunities
While human behavioral warnings can be an indication of potential issues, digital forensics and analytics are the most efficient ways to detect insider threats. User Behavior Analytics (UBA) and security analytics help detect potential insider threats, analyzing and alerting when a user behaves suspiciously or outside of their typical behavior.
Insider Threat Examples
Here are a few recent examples of insider threats from the news.
Tesla: A malicious insider sabotaged systems and sent proprietary data to third parties.
Coca-Cola: A malicious insider stole a hard drive full of personnel data.
Suntrust Bank: A malicious insider stole personal data, including account information, for 1.5 million customers to provide to a criminal organization.
Fighting Insider Threats
A data breach of 10 million records costs an organization around $3 million – and as the adage says, “an ounce of prevention is worth a pound of cure.”
Because insiders are already inside, you can’t rely on traditional perimeter security measures to protect your company. Furthermore, since it’s an insider – who is primarily responsible for dealing with the situation? Is it IT, or HR, is it a legal issue? Or is it all three and the CISO’s team? Creating and socializing a policy to act on potential insider threats needs to come from the top of the organization.
The key to account for and remediate insider threats is to have the right approach – and the right solutions in place to detect and protect against insider threats.
Insider Threat Defense and Response Plan
Monitor files, emails, and activity on your core data sources
Identify and discover where your sensitive files live
Determine who has access to that data and who should have access to that data
Implement and maintain a least privilege model through your infrastructure (Eliminate Global Access Group and put data owners in charge of managing permissions for their data and expire temporary access quickly)
Apply security analytics to alert on abnormal behaviors
Socialize and train your employees to adopt a data security mindset
It’s equally important to have a response plan in place to respond to a potential data breach:
- Identify the threat and take action
- Verify accuracy (and severity) of the threat and alert appropriate teams (Legal, HR, IT, CISO)
Restore deleted data if necessary
Remove any additional access rights used by the insider
Scan and remove any malware used during the attack
Re-enable any circumvented security measures
Investigate and perform forensics on the security incident
Alert Compliance and Regulatory Agencies as needed
The secret to defending against insider threats is to monitor your data, gather information, and trigger alerts on abnormal behavi
Credit: Varonis, WSJ.com, Verizon
© De Angelis & Associates 2019. All Rights Reserved.