An insider threat is a cybersecurity risk that originates within an organization. This typically occurs when current or former employees, contractors, vendors, or partners, who possess legitimate user credentials, abuse access to an organization’s systems. This can result in compromise of an organization’s networks, systems, and data.
Insider threats can be intentional or unintentional, but regardless of intent, they can seriously compromise the confidentiality, availability, or integrity of critical enterprise systems and data.
Existing cybersecurity strategies, policies, procedures, and systems often focus on external threats, leaving organizations vulnerable to internal attacks. Insiders already have valid access to data and systems, making it difficult for security experts and applications to differentiate legitimate activity from malicious activity. However, with the right processes and technology threats, it is possible to detect and mitigate insider threats.
In this article:
According to industry research, insider threat incidents have increased over the past several years, and the cost of incidents is also growing rapidly. Insider threats can be difficult to identify even with advanced threat detection tools. This may be because insider threats often do not surface until an attack occurs.
Additionally, because malicious actors are similar to legitimate users, it can be difficult to distinguish benign activity from suspicious activity in the days, weeks, and months leading up to an attack.
In most organizations, a data breach caused by insider threats can be highly damaging, because few safeguards are in place to prevent valuable information from being stolen by someone with legitimate access.
Many organizations focus their insider threat management programs on dealing with malicious insiders. However, negligence is much more common. Research shows that over 60% of insider-involved data breaches are largely unintentional.
Insider threats of this type unintentionally take actions that put organizations at risk. For example, an employee may save sensitive information on unsecure cloud storage, or leave an unencrypted mobile device or laptop with sensitive data unattended, allowing them to be stolen.
Employees who leave a company voluntarily, and especially if they were dismissed by the company, are another common insider threat. The most common threat in this case is data theft.
All intellectual property or company data created or used by employees belongs to the company, but it is not uncommon for employees to consider their work as their own property. In one survey, a third of workers said it is a common practice to use data from previous employers for their next job. This kind of data theft can significantly impair an organization’s ability to compete in the marketplace.
Security policies and controls are designed to protect the company, company data, and employees. However, these rules are often viewed as inconvenient and disruptive by employees.
Therefore, employees can use security workarounds to make their lives easier. For example, they can bypass data sharing restrictions by storing files on personal cloud drives. However, these workarounds hinder and can significantly compromise an organization’s visibility and control over its data.
Malicious insiders are current or former employees, contractors, or trustees of organizations who abuse their authorized access to critical assets in a way that adversely affects the organization.
Malicious insiders have legitimate access to an organization’s data and are more difficult to detect than outside attackers, because they spend most of their time doing normal business. As a result, it can take a long time to detect attacks from malicious insiders. According to the Ponemon Institute’s Insider Threat Costs Report, organizations took an average of 77 days to detect and contain an insider-related security incident.
Inside agents are insiders who perform data breaches and other attacks on behalf of external parties. These insiders might be tricked through social engineering, recruited through bribery, or extorted. This type of insider threat is dangerous because it provides internal access and privileges to external parties.
Most organizations have limited control over network security practices of third-party vendors. Security controls can be audited as part of the selection process, but cannot guarantee complete security of sensitive data transferred to third parties. Therefore, it is important to protect remote connections by subcontractors, to protect against malicious employees and compromised accounts.
Research shows that most organizations provide some kind of access to networks and systems to third-party vendors or partners, and that most of these third parties have elevated privileges. These external parties pose the same risk and can cause the same harm as an organization’s personnel with similar access.
In late December 2019, security researchers uncovered a publicly accessible Microsoft customer support database containing 250 million entries accumulated over 14 years. The database contained support cases and details, customer email and IP addresses, customer geographic location, and notes made by Microsoft support agents.
The cause of the breach was a new version of security rules in the Microsoft Azure cloud. The leak was caused by a misconfiguration of these rules by a Microsoft employee. As a result, access to the database was not protected by passwords or two-factor authentication. This is an example of a negligent insider threat.
The database had been open to the public for about a month. Microsoft secured the breach the same day it was reported. Microsoft was not fined or penalized because the leaked data contained no personally identifiable information, and the company urgently addressed the breach and notified affected users.
However, only a few days after the breach, the California Consumer Privacy Act went into effect. The law imposes a fine of $750 for each person harmed as a result of a security violation. Under the new law, Microsoft would be fined millions of dollars.
A former vice president of finance of Stradis Healthcare, a US company, sabotaged shipments of personal protective equipment (PPE) during the COVID-19 crisis. He was repeatedly warned for abusing internal applications before being fired in March 2020.
Three days after departing, he logged into sensitive systems using a fake account he created while still at the company. This account was set up to provide access to sensitive company systems. He used this access to edit 115,000 records and delete 2,400, disrupting PPE deliveries for several days during the crucial early stages of the pandemic. The attack was motivated by a desire for revenge.
A Trend Micro employee gained unauthorized access to databases used for customer support, including customer names, email addresses, support ticket numbers, and phone numbers. The employee sold the data of 68,000 customers to a malicious third party, who used it to make fraudulent calls. During the call, the scammer masqueraded as a Trend Micro support representative.
It wasn’t until customers complained that Trend Micro discovered the attack. The employee’s account was deactivated and he was fired, and Trend Micro involved the law enforcement authorities.
Many companies have a regular pattern of user logins on a daily basis. Logins performed remotely from unusual locations or at unusual times can be a sign of a problem. Similarly, investigation of authentication logs can show unusual use of usernames like “test” or “admin” that indicate someone attempting unauthorized access. Any unusual login attempt should be investigated.
Mission-critical systems such as CRMs, financial management applications, and ERPs should be watched closely. These systems should have a strictly defined set of users and roles. Unauthorized access to these applications and the sensitive data they contain can be devastating to a business, and so any increase in login attempts to these systems, especially from unauthorized users or roles, should be investigated immediately.
People with increased access to systems are an inherent threat to businesses if those systems contain sensitive information that should not fall into the wrong hands. In some cases, someone with administrative privileges might start granting privileges to other users who shouldn’t have them. In other cases, administrators might give themselves escalated privileges to gain unauthorized access to applications or data.
IT teams should be aware of their organization’s regular bandwidth usage and data download patterns—for data accessed on on-site networks, accessed through cloud infrastructure, and copied to computers or external drives. If there are large, unexplained data downloads, or if they happen at unusual times of the day or from odd locations, this could indicate an insider threat.
Detecting insider threats is very different from traditional penetration testing, code review, or other vulnerability detection techniques. Security teams need to look at IT infrastructure differently. They should conduct an analysis of their organization’s internal teams and map each individual to potential risk areas.
Having valid credentials makes the attacker’s job much easier. It doesn’t matter if they received credentials from the IT administrator, via a phishing attack, or from a co-worker’s desk. A simple user ID and password combination is not sufficient—passwords should have minimal complexity and should not be reused. Multi-factor authentication (MFA) is mandatory for all sensitive systems because in most cases it can render stolen credentials useless.
If a third-party vendor is compromised, attackers can use their access to penetrate a target organization they work with. The challenge is to ensure third parties maintain the same security standards as the organization. Because this is not always possible, third-party access should be carefully controlled and monitored.
A common goal of insider threats is the theft of intellectual property or other sensitive data. Proper control of data, monitoring access, and preventing unauthorized data transfer can prevent them from achieving their goals, if they gain access to the data. Use tools like data loss prevention (DLP) to identify data exfiltration attempts as they happen and mitigate attacks.
Monitor security systems and respond to suspicious activity according to your incident response policy. User Behavior Analysis (UBA) technology can help effectively spot insider threats by automatically identifying anomalous behavior. Monitor and control remote access to your organization’s infrastructure, configure alerts on all critical systems, and notify security staff through all appropriate channels.
Learn more in our detailed guides to:
Traditional tools such as firewalls and antivirus software are able to detect outside intruders, but are powerless when it comes to insider threat detection. Fortunately, there are some tools that can help expose malicious insiders. When using any monitoring tools, it is important to first establish a baseline for normal network traffic/usage. This will allow the anomalies to stand out.
Types of insider threat detection software include:
The shift to behavior modeling methods
Trying to prevent insider threats with tools that aren’t properly suited for the job won’t protect against calamity. Therefore, there has been an understandable shift to more behavioral-based methods that can prevent these threats. These methods include:
The Cynet 360 platform provides various complementing layers to protect from insider threats: