Insider Threat Detection: Recognizing and Preventing One of Today’s Worst Threats
What Is an Insider Threat?
As the name plainly suggests, insider threats are risks caused by insiders who have access to internal company resources. They cost the average mid-size American business $5.79 million in 2018, and are a top threat vector—one which seems to grow worse every year.
To illustrate, according to a recent study by CA Technologies, 20% of organizations polled experienced six or more insider threats during the past year, and 66% consider insider threats to be more likely than an external threat. Meanwhile, 49% of organizations are increasing their insider-threat detection budget in 2019.
Types of Insider Threats
There are many reasons someone inside an organization may go rogue, and there are many types of insider threats. Let’s take a look at the most common scenarios.
A Current Employee
While most employees are trustworthy, some may not be as innocent as they appear. Often motivated by greed, revenge, or power, these employees may try to steal information or sabotage company property or IP for their own monetary gain. They may also be working on behalf of competitors.
Someone Who Has Been Terminated
Often, recently terminated employees feel compelled to seek revenge. This isn’t all that hard to do if the IT department has not yet revoked their access to internal networks. Revoking access after an employee has been dismissed should therefore be a top priority. Unfortunately, this doesn’t always happen as swiftly as it should, which allows former employees with a grudge to move through your network just as they did when they were employed.
Even your best, most trustworthy employees may inadvertently cause harm to your business by falling for phishing ploys or clicking infected links and attachments. In fact, according to the Ponemon Institute, two-thirds of insider threats stem from innocent employee mistakes.
Today, businesses are dependent on integrations with third parties, such as supply chain vendors and contractors. But opening up your networks to these entities may provide them with enough access to move through your systems undetected, collecting or destroying information along the way.
Regardless of the motivations behind incidents such as those described above, the information leaked, stolen, or damaged in an insider attack can be of incredibly high value. Employee data sets often contain health information, which can be sold on the dark web for premium prices. Company IP (intellectual property) sells for almost as much on dark-web marketplaces. And then there is the potential damage to a company’s reputation. Clearly, insider threats are an issue that cannot be ignored.
What Comprises User Behavior?
Recognizing an insider threat is no easy feat; after all, most of the actions performed by malicious insiders are completely sanctioned, and, therefore, do not raise any alarms. But there are some user behaviors that, when considered together, can be used as insider threat indicators, such as:
- Elevating privileges (privilege creep).
- Keeping important assets at home or in other unauthorized locations.
- Showing interest in information and material that doesn’t pertain to usual job functions.
- Downloading unauthorized material.
- Copying unauthorized files.
- Exfiltrating data off site.
- Switching user accounts, IPs, and computers.
- Working outside normal hours.
- Communicating with a command-and-control (C2) domain.
- Visiting countries known for data theft.
Problematically, on their own, every one of these activities may be completely benign. But when these factors converge, you have to explore the possibility that one of your own may be plotting against your business.
The Challenges of Insider Threats
Insider threats are challenging to handle because:
- There is no initial compromise: Malicious insiders don’t need any special tools or malware to make their way inside, thus there is no malware to be flagged.
- Access is legitimate: Since these entities are authorized, there is nothing noteworthy about their presence on the network.
- Insider knowledge: Insiders may know exactly what security tools they need to circumvent in order to remain undetected. They may also know what high-value information your organization has and where it can be found.
- You know and trust them: Unless the employee in question displays unethical or unpleasant characteristics, it’s unlikely that anyone will suspect that their own colleague is duping them.
- It’s difficult to prove: It’s relatively easy for rogue employees to cover their tracks, and, if caught, claim that anything that occurred was merely accidental.
Tools for Insider Threat Detection
Traditional tools such as firewalls and antivirus software are able to detect outside intruders, but are powerless when it comes to insider threat detection. Fortunately, there are some tools that can help expose malicious insiders. Importantly, if you’re planning on using any monitoring tools, you must first establish a baseline for normal network traffic/usage. This will allow the anomalies to stand out.
Let’s take a look at some variations of insider threat detection software.
Network Flow Analysis Tools
As opposed to perimeter tools, network flow analysis determines the types of traffic taking place inside the network. To help find rogue insiders, it looks at the four “W’s”: who is on your network, what they are doing, where they are doing it, and when it was done.
Data Loss Prevention Tools
Data loss prevention (DLP) solutions are used to tag, categorize, and control the movement of data in the network. The downside of DLP solutions is that they don’t help you see what trusted users are doing. They can also be time- and resource-intensive because everything is rule-based.
SIEM platforms log, monitor, and track events from firewalls, appliances, and workstations. While this generally helps organizations see anomalous behavior, SIEM platforms aren’t purpose-built to catch insider threats and are often unable to zero in on these cases.
Whitelisting ensures any unauthorized program is blocked from running on the network, but it can be challenging to decide how applications should be blocked or allowed.
The Shift to Behavior Modeling Methods
Trying to prevent insider threats with tools that aren’t properly suited for the job won’t protect against calamity. Therefore, there has been an understandable shift to more behavioral-based methods that can prevent these threats. Here we’ll look at some of them.
ML solutions can automatically detect patterns such as privilege abuse, network abuse, and account compromise. The field is still at an early stage of development, but, eventually, ML will be used more often to filter out “noise,” speed up security processes, and recognize more complex behavioral patterns.
Heuristics/User Behavior Analytics
This approach is similar to that of SIEM solutions (for example, it looks at baselines for anomalous behavior), but it provides greater visibility. User behavior analytics tracks, collects, and analyzes user behavior within the network over time to create a baseline. It focuses on what the user does, looking for patterns of anomalous behavior to see how they differ from regular baseline usage. It can also correlate different events to find malicious outliers.
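To make the baseline-and-convergence idea concrete (the indicator list above, and the UBA approach just described), here is an added example that is not part of the original article or of any vendor product: it learns a per-user profile from constructed session records, scores each new session against three of the article's indicators (off-hours activity, a new workstation, an outbound-volume spike), and raises an alert only when two or more indicators converge. Field names, the one-hour slack, and the 3x volume factor are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample session records (not from the article): user, source
# workstation, login hour, and bytes sent off-host during the session.
BASELINE = [
    {"user": "alice", "host": "WS-01", "hour": 9, "bytes_out": 40_000},
    {"user": "alice", "host": "WS-01", "hour": 10, "bytes_out": 55_000},
    {"user": "alice", "host": "WS-01", "hour": 14, "bytes_out": 30_000},
    {"user": "alice", "host": "WS-01", "hour": 16, "bytes_out": 50_000},
    {"user": "bob", "host": "WS-07", "hour": 8, "bytes_out": 20_000},
    {"user": "bob", "host": "WS-08", "hour": 17, "bytes_out": 25_000},
]
OBSERVED = [  # constructed observation-period sessions to score
    {"user": "alice", "host": "WS-03", "hour": 10, "bytes_out": 35_000},
    {"user": "alice", "host": "WS-22", "hour": 2, "bytes_out": 900_000},
    {"user": "bob", "host": "WS-07", "hour": 18, "bytes_out": 21_000},
]

def build_baseline(events):
    """Per-user profile: hour window (one hour of slack), hosts seen, mean volume."""
    seen = defaultdict(lambda: {"hours": [], "hosts": set(), "bytes": []})
    for e in events:
        s = seen[e["user"]]
        s["hours"].append(e["hour"])
        s["hosts"].add(e["host"])
        s["bytes"].append(e["bytes_out"])
    return {u: {"hour_range": (min(s["hours"]) - 1, max(s["hours"]) + 1),
                "hosts": s["hosts"], "mean_bytes": mean(s["bytes"])}
            for u, s in seen.items()}

def indicators(event, baseline, volume_factor=3.0):
    """Article indicators tripped by one session; each alone is weak evidence."""
    p = baseline.get(event["user"])
    if p is None:
        return ["no baseline for user"]
    lo, hi = p["hour_range"]
    hits = []
    if not lo <= event["hour"] <= hi:
        hits.append("outside normal hours")
    if event["host"] not in p["hosts"]:
        hits.append("new workstation")
    if event["bytes_out"] > volume_factor * p["mean_bytes"]:
        hits.append("outbound volume spike")
    return hits

def flag_convergent(events, baseline, threshold=2):
    """Alert only where several individually benign indicators converge."""
    scored = [(e["user"], e["host"], indicators(e, baseline)) for e in events]
    return [s for s in scored if len(s[2]) >= threshold]
```

Running `flag_convergent(OBSERVED, build_baseline(BASELINE))` flags only alice's 2 a.m. session from an unseen workstation with a volume spike; her single new-host session and bob's late-but-in-window session stay below the threshold.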
The Cynet 360 platform provides several complementary layers to protect against insider threats:
- UBA: Continuously monitors user account logins, initiated network connections, and file interactions, forming a live baseline that reflects the legitimate behavior of each user.
- User Activity Rules: Cynet 360 enables operators to flag suspicious behavior patterns (such as connecting to resources at irregular times, accessing resources that are outside the employee’s professional domain, etc.).
- Network Behavior Monitoring: Cynet 360 monitors all network traffic to expose various data exfiltration attempts (connections to unusual addresses, DNS/ICMP tunneling, etc.).
While other threats, such as ransomware and advanced persistent threats, may get more fanfare, insider threats are one of the greatest challenges any business can face. This will only become more true as networks grow more complex and interconnected. Understanding your risks, along with ensuring you’ve got the right technology and processes in place, can help your business remain fortified against malicious—and even innocent—insiders who cause harm.