Watch Out for the Inside Job—It’s Worse than the External Attack

By Mike Tierney

Insider threats are on the rise—in one survey[1] of more than 500 cybersecurity professionals, 62 percent saw a rise in insider attacks over the last 12 months. At the same time, another recent survey[2] of more than 770 IT/security professionals revealed that 32 percent have no technology or process in place to prevent an insider attack. This is unfortunate, given the same survey found such attacks cause at least $231 million worth of losses every year—and that’s just the detected attacks.

Dr. Eric Cole, author of the recent SANS report on insider threats, is adamant that virtually every organization has experienced some form of insider attack. “Though only 34 percent of respondents report experiencing an insider attack, I’m certain that every organization has indeed been attacked—they just don’t know it yet,” he says.

Look again at the insiders

Attacks from inside the company can be the most damaging because insiders have legitimate access and inside knowledge, so their activity blends in with normal work and can continue undetected for long periods. Companies typically take 15 months to discover they’ve been compromised. Even then, most learn about the attack from a third party, usually a law enforcement agency.

Insider attacks can be malicious or accidental. The different motivations of these attackers lead them to behave in different ways, so let’s take a look at both types and how organizations can defend against them.

Malicious insiders: a rogues’ gallery

Malicious insiders use their legitimate access to privileged data and systems to harm the organization by compromising the confidentiality, integrity, or availability of information.

The Imposter is an external actor who has obtained an insider’s credentials, or a former insider whose access was never revoked. This person typically targets individual, service, or shared accounts as well as other privileged credentials for fraud or information theft.

Combat imposters by enforcing least-privilege access, so a single compromised account can’t be used to leapfrog from one system to another, and by revoking access promptly when people leave. Use technologies that detect overt activities such as password cracking and spikes in the volume of information being accessed. Knowing your network baseline and what normal user behavior looks like lets you spot suspicious activity and move in to investigate.

Entitled Eddie believes he has the right to take his work product with him to use in competing with his current employer. His goal is IP theft and he typically acts alone.

Be clear with Eddie from the outset, discussing work-product ownership and ensuring IP and other agreements are clear. Don’t tolerate “forgetting” of company policies and be suspicious of “accidental” miscommunication. And review Eddie’s online activity at the first sign that he might be thinking of leaving.


The Ringleader wants information that falls outside the scope of her responsibilities. She plans to go into business for herself or work for a competitor, and aims to get a head start by bringing your IP and your employees.

To stymie ringleaders, heighten security awareness so employees get suspicious when asked for confidential information outside the requester’s role. Ensure all IP and other agreements are clear, and review online activity as soon as you become aware an employee is leaving the organization.

Disgruntled Debbie feels wronged by the organization—perhaps she had a poor review or conflict with her boss, or expects to be laid off. In her mind this justifies revenge, which could lead to theft or damage to corporate data or information systems.

Watch for signs of disgruntlement, like a negative shift in the tone and intensity of communication. Alert IT when events occur that may trigger disgruntlement, so they can monitor activity and behaviors more closely. 

The Mole works inside one company, but for the benefit of an outside entity. This double agent typically possesses specialized skills involved in creating IP and has access to your most critical data.

To guard against moles, foster a strong culture that supports security and protection of IP. Encrypt privileged data, log every access to it, and monitor for access that falls outside an employee’s normal role.

Hacktivist Harry sabotages computer systems to make a political or social statement, targeting government systems, high-profile corporations, or any organization or industry he doesn’t like.

Foster an internal culture that emphasizes shared goals and an open, transparent environment, so a would-be hacktivist finds it hard to fit in and carry out sabotage. Encrypt sensitive data and use anomaly detection to surface suspicious activity.

Non-malicious insiders

Despite their benign intentions, non-malicious insiders can expose sensitive data, fall for phishing, and open the door to Advanced Persistent Threats (APTs) that compromise the network. Watching for changes in user behavior is the most reliable way to catch this, because when a legitimate account is compromised, the account’s behavior changes even though its credentials remain valid. Any user can unknowingly be exploited through:

  • Credential compromise, when your systems leak credentials, passwords reused from another breached site are tried against yours, or session tokens such as cookies are stolen. Reduce the risk by keeping your systems patched and requiring multi-factor authentication, so a stolen password alone is not enough.
  • Phishing, in which users get an email that looks like it comes from a legitimate business, asking them to log in. Users click the link and enter their login and password, which the fake page transmits to the criminal. Train users not to follow links or fill out forms in unsolicited email, and ask them to flag and forward such messages to IT.
  • Keylogging malware records everything the user types, including logons and passwords, and transmits it to the cybercriminal. Counter this with endpoint malware detection and by monitoring outbound traffic for unusual destinations or transmission patterns.
  • Password guessing programs crack weak passwords in minutes. Set up your systems to enforce password strength and frequent password change, and lock out or rate-limit repeated failed logons. (Note that current NIST guidance, SP 800-63B, favors screening new passwords against breached-password lists over forced periodic rotation, which tends to produce predictable passwords.)

While compromise can happen in different ways, every compromised user account starts to show unusual behavior. Your best fallback defense is rapid, automated user behavior analytics that flag anomalies for investigation.
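The baseline-and-deviate approach recommended above (for imposters, for ringleaders reaching beyond their role, and as the fallback defense for compromised accounts) reduces to a few concrete checks. The following is an added example, not SpectorSoft’s product logic or code from this article: it builds a per-user profile from a constructed CSV access log (timestamp, user, host, action, bytes) and flags, on days after the baseline window, volume spikes, hosts the user has never touched, bursts of failed logons, and off-hours activity. The log format, the 07:00–18:59 business-hours window, the 3-sigma spike rule and the 5-failure burst threshold are assumptions chosen for the example.

```python
"""Added example: user behavior baselining over a constructed access log.
Not SpectorSoft's product logic; log format, thresholds and business hours
are assumptions made for this example."""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

BUSINESS_HOURS = range(7, 19)   # assumed 07:00-18:59 local; anything else is off-hours
SPIKE_SIGMAS = 3                # flag a day whose volume exceeds baseline mean + 3*stdev
FAIL_BURST = 5                  # failed logons per user per day that count as a burst


def constructed_log():
    """Invented CSV lines: timestamp,user,host,action,bytes. Five routine days,
    then a sixth day with an exfiltration-like read and a password-guessing burst."""
    lines = []
    for day in range(1, 6):
        d = f"2015-04-{day:02d}"
        lines += [f"{d}T08:55:00,alice,fs01,logon_ok,0",
                  f"{d}T09:10:00,alice,fs01,read,{50000 + 1000 * day}",
                  f"{d}T14:00:00,alice,crm01,read,31000",
                  f"{d}T08:30:00,bob,crm01,logon_ok,0",
                  f"{d}T08:40:00,bob,crm01,read,{20000 + 500 * day}",
                  f"{d}T16:00:00,bob,fs01,read,41000"]
    # Day 6: alice pulls 900 KB from a host she has never used, late at night.
    lines += ["2015-04-06T22:15:00,alice,fs02,logon_ok,0",
              "2015-04-06T22:16:00,alice,fs02,read,900000"]
    # Day 6: eight failed logons against bob's account, then a success.
    lines += [f"2015-04-06T09:00:{s:02d},bob,crm01,logon_fail,0" for s in range(8)]
    lines += ["2015-04-06T09:00:08,bob,crm01,logon_ok,0",
              "2015-04-06T09:05:00,bob,crm01,read,21000"]
    return "\n".join(lines)


def parse_log(text):
    """Parse CSV lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, nbytes = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action, "bytes": int(nbytes)})
    return events


def daily_stats(events):
    """Aggregate per (user, day): bytes read, hosts touched, failed logons, off-hours events."""
    stats = defaultdict(lambda: {"bytes": 0, "hosts": set(), "fails": 0, "offhours": 0})
    for e in events:
        s = stats[(e["user"], e["ts"].date())]
        s["bytes"] += e["bytes"]
        s["hosts"].add(e["host"])
        s["fails"] += int(e["action"] == "logon_fail")
        s["offhours"] += int(e["ts"].hour not in BUSINESS_HOURS)
    return stats


def build_baseline(stats, baseline_end):
    """Per-user profile from all days up to and including baseline_end."""
    per_user = defaultdict(lambda: {"daily_bytes": [], "hosts": set(), "offhours": 0})
    for (user, day), s in stats.items():
        if day <= baseline_end:
            p = per_user[user]
            p["daily_bytes"].append(s["bytes"])
            p["hosts"] |= s["hosts"]
            p["offhours"] += s["offhours"]
    return per_user


def detect_anomalies(log_text, baseline_end):
    """Return (day, user, flag, detail) tuples for days after baseline_end."""
    stats = daily_stats(parse_log(log_text))
    baseline = build_baseline(stats, baseline_end)
    findings = []
    for (user, day), s in sorted(stats.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        if day <= baseline_end or user not in baseline:
            continue   # users with no baseline need separate handling; skipped here
        p = baseline[user]
        mu, sigma = mean(p["daily_bytes"]), pstdev(p["daily_bytes"])
        # Require both a statistical and an absolute jump so a near-zero stdev can't fire on noise.
        if s["bytes"] > mu + SPIKE_SIGMAS * sigma and s["bytes"] > 2 * mu:
            findings.append((day, user, "VOLUME_SPIKE", f"{s['bytes']} B vs baseline mean {mu:.0f} B"))
        for host in sorted(s["hosts"] - p["hosts"]):
            findings.append((day, user, "NEW_HOST", host))
        if s["fails"] >= FAIL_BURST:
            findings.append((day, user, "FAILED_LOGON_BURST", f"{s['fails']} failures"))
        if s["offhours"] and p["offhours"] == 0:
            findings.append((day, user, "OFF_HOURS", f"{s['offhours']} events outside business hours"))
    return findings


def run_example():
    """Baseline on the five routine days, analyze day six."""
    return detect_anomalies(constructed_log(), date(2015, 4, 5))


if __name__ == "__main__":
    for finding in run_example():
        print(*finding)
```

Each finding is a lead for investigation, not proof of compromise: a night-shift employee will trip the off-hours rule every day until the baseline learns it. In practice you would feed real authentication and file-access logs, use a baseline measured in weeks rather than days, and tune the thresholds per role.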

About the Author 

Mike Tierney is the Chief Operating Officer at SpectorSoft, a leader in user activity monitoring and user behavior analytics. SpectorSoft develops software that helps businesses identify and detect insider threats, conduct efficient and accurate investigations, and enhance productivity. Mike is responsible for the day-to-day operations of the company and has a strong background in product strategy and management. For more information visit www.spectorsoft.com or contact SpectorSoft at [email protected].


[1] Crowd Research Partners Insider Threat Report

[2] “Insider Threats and the Need for Fast and Directed Response,” a SANS Survey. Dr. Eric Cole, April 2015




Edited by Peter Bernstein