Means, motive and opportunity are the keys to solving any crime, and cyberattacks are no exception. While all threat actors have motives, insiders have ideal means and opportunity. This places them in an optimal position to carry out damaging activities.
The ability to quickly detect and respond to insider threats has never been more crucial. A 2020 Insider Threat Report from Cybersecurity Insiders found that 68% of organizations think that insider attacks have become more frequent in the past 12 months, and 70% have experienced one or more insider attacks within that same time period.
Insider threat archetypes
Who are these people whose behavior exposes us to data loss and brand damage? There are various descriptions out there of the different types of insiders behind these threats, with labels ranging from “turncloaks” to “pawns.”
The insider threat archetypes boil down to three basic descriptions:
- Mistake-Makers: Current employees, contractors or other business partners who either fall for phishing schemes and become pawns for external attackers, or inadvertently misuse or expose sensitive data through carelessness or a lack of security awareness training.
- Malicious Insiders: Current and former employees, contractors or other business partners who have authorized access and intentionally abuse it. While their behavioral patterns may seem normal from an internal IT team’s perspective, their intentions are not, and the outcome may be data loss or disclosure.
- Imposters: Outside threat actors that have stolen the credentials of an authorized user and leverage that user’s tools and access for their own purposes. The outcome is usually a behavior pattern in which privileges are escalated, and critical data is either exfiltrated or disclosed to the public.
A recent study from the Ponemon Institute showed how insider incidents break down into these categories:
The impact is costly
Insider threats are among the most damaging. The Ponemon Institute 2020 Cost of Insider Threats Global Report found that incidents involving negligent employees or contractors cost an average of $307,111. The average cost more than doubles to $756,760 for insiders who intentionally steal data or conduct other malicious activity. The cost for damage done by external imposters is nearly triple at $871,686. Additionally, the study found that on average it takes more than two months—77 days—to contain insider incidents.
From a defensive standpoint, it makes no difference if data loss stems from an external attacker with stolen credentials or an employee acting carelessly. Sensitive data needs to be protected, no matter who accesses it. What unifies these types as a significant threat is that they’re already inside your network. If you don’t protect your data by monitoring their activity and behavior, you’ll be unable to respond to any threats they pose, and the results can be devastating.
Take Edward Snowden, for example. He was an NSA contractor working as a SharePoint administrator. He took advantage of accrued administrative access gained through various contractor positions and his colleague’s credentials to gain access to data he had no need to access in his role. With this access, he was able to copy the data to a USB drive and remove it from the site.
This was accomplished without raising any red flags because his behavior as a user was not being continuously monitored and audited. Visibility into behavioral patterns was not aligned with identity and access management processes in a way that would have enabled the NSA to quickly identify his malicious activity.
Developing an insider threat program
Many organizations are struggling to obtain the resources they need to devote to an insider threat program, and they can be restricted in the types of data they can proactively collect and analyze for insider threats for legal reasons.
How do you know if your organization is doing enough to address insider threats?
If you are surprised by how many of these questions you can’t answer, you’re not alone.
Many organizations are primarily focused on the latest external threats, so they overlook their own business ecosystem and are not equipped to detect or respond to internal threats in a timely manner.
Building your strategy
It’s important to remember that dealing with these threats—and cybersecurity in general—should be a continuous, programmatic process that combines technical and non-technical controls. In addition to best practices such as personnel background checks, security awareness programs, and policy strategies for social media, BYOD and IoT devices, here are five key steps that can help your organization address insider threats.
1. Know your assets
You can’t protect what you don’t know. Prioritize threats by pinpointing the areas in which problems are likely to occur, and determine your organization’s risk tolerance.
- What are your most valuable information assets?
- Where are they?
- Who has access to them and why?
- When are they being accessed?
- Are the security controls in line with your risk tolerance?
Answering these questions can provide visibility into the critical pieces in your infrastructure that need attention, and the users most likely to be targeted by attackers. It will also provide insight into what normal activity looks like, which will better enable you to recognize abnormal patterns of behavior. Assess outside partnerships and business relationships to identify those who can potentially provide access to your company’s information in the event of an inside or imposter attack, and vice versa. This in-depth evaluation requires collaboration between IT, security and the business.
2. Continuously assess your security posture
Careful evaluation of your organization’s security posture is critical, and it should be an ongoing process.
Consider threats from insiders and partners, as well as malicious unknowns, in your security assessments. Professional services such as the following can help:
- Security program assessments help to evaluate the overall state of your organization’s security by providing an objective view of your organization’s policies, controls and processes.
- An effective threat and vulnerability management program will identify vulnerabilities exposing the organization to malicious activity.
- Compromise assessments can determine whether malicious activity is already taking place on your network. They should be regularly scheduled as a part of your vulnerability management practices and integrated with incident-response capabilities.
Ensure that basic security practices are in place. Proper password and authentication policies, patch-management procedures, firewall and intrusion detection/prevention system (IDS/IPS) configuration, and log review procedures are among the practices that should be well-established within your organization, as well as with your partners and contractors. Ensure that the information from these tools and systems is visible to, and correlated between, key teams and incident responders. Remember to focus appropriately on third-party relationships and deploy compensating controls if your partners are not at the level of security you desire.
Identify the security tools, technologies and strategies you currently employ, and maximize their effectiveness against today’s internal and external threats.
- Is your security information and event management system (SIEM) properly logging, monitoring and auditing employee actions and activity?
- Does your SIEM provide user entity behavior analytics (UEBA) to identify changes in user or system behavior?
- Do you have data loss prevention (DLP) and analytics technology implemented and integrated to provide visibility into data movement?
- Do you have risk-based multi-factor authentication (MFA) to limit potential damage if credentials are lost or stolen?
- What technologies and solutions exist to fill gaps in your existing security infrastructure?
Should you upgrade your current vendors’ products, or invest in new technologies? Many organizations fail to optimize their existing tools and technologies, and programs and processes often have gaps that can be exploited. Focus on what currently exists within the organization, and perform programmatic gap assessments to enhance your efforts. Many companies leverage a vendor-independent technology partner to test additional solutions and find the right fit for their organization.
How strong is your existing identity management infrastructure? It’s important to monitor employee roles carefully as they change, as well as the accessibility of information by partners and outside consultants. Your IAM controls should ensure only those who require access to sensitive information have it. If an employee leaves the organization or moves to another department, your identity-management system should make appropriate changes to access or wipe data on mobile and other devices as necessary. Privilege management should be a key area of focus. Ensure controls are in place to cross-reference identities with data protection strategies.
3. Develop a formal insider threat program
The development of an insider threat program that synchronizes people, policies, processes and technology will help you understand and deter the threats that insiders in your organization pose.
- Identify internal and external stakeholders, and form a team that understands the information needs of employees, contractors and service providers, as well as the assets that need to be protected.
- Start with a risk assessment to prioritize efforts. A thorough evaluation of existing vulnerabilities and threats that focuses on the flow of data in and out of the organization, weighed against overall risk appetite, is essential. However, it is important to tie business impact and an organization’s overall security strategy to the results of the assessment, enabling an understanding not only of where true business risks lie, but also of which vulnerabilities should be addressed first and how to address them effectively. A poorly conducted risk assessment can overload the security team and create paralysis.
- Take a programmatic approach that is not exclusive to the security team. Human resources, legal and business groups should be involved along with IT.
- Planning, design and baselining should be considered a continuous process, and include a fluid playbook and drills that test the efficacy of the program.
- Consider the lifecycle of an employee—from interview to exit—and determine areas of risk. Access rules should be enforced from day one, and activity outside of access rights flagged.
- Continuously review privileged access to sensitive information and remove it when deemed unnecessary or high risk.
- Maintain insider incident-response plans that define response, which should include an extended team (legal, human resources and departmental management) if an employee is involved.
- Be careful not to implement policies or procedures that degrade performance; it is important not to hinder productivity and innovation.
4. Enforce separation of duties and least privilege
Two key controls for reducing the potential for malicious or unintended insider activity are separation of duties and least privilege.
Separation of duties—requiring more than one person to complete a high-risk task—reduces the risk of malicious behavior by a single actor.
Least privilege—restricting use and system access to only the resources required to perform the necessary role or function—reduces the surface area in which a malicious actor can operate.
In the case of Edward Snowden, requiring two-person access to sensitive data (separation of duties) and/or blocking write access to removable media (least privilege) would have likely prevented this NSA breach.
These controls should also extend to business partners and contractors. Consider the Target breach: an external HVAC contractor was unnecessarily given access to Target’s point-of-sale system. Contractors shouldn’t be allowed to operate on the same logical network layer as sensitive data. Ensure that service level agreements (SLAs) account for connectivity that is separate from corporate data. You need to be aware of what contractors and third parties have access to and monitor their activities.
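As an added illustration of these two controls, and of the periodic privileged-access review recommended in step 3, here is a small Python access-review script (example code written for this point, not code from the original article or from any product). It flags separation-of-duties conflicts, permissions that no assigned role justifies, and privileges unused past a review window; every role, permission and user below is constructed sample data.

```python
from datetime import date

# Constructed sample data: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "sharepoint_admin": {"sp:read", "sp:manage_site"},
    "analyst": {"sp:read", "report:run"},
    "finance_clerk": {"vendor:create", "payment:submit"},
    "finance_approver": {"payment:approve"},
}

# Permission pairs one person must never hold together (separation of duties).
SOD_CONFLICTS = [
    ("payment:submit", "payment:approve"),
    ("vendor:create", "payment:approve"),
    ("sp:manage_site", "media:write"),  # admin-level data access plus removable-media write
]

# Constructed users: assigned roles, effective permissions, and last use of each permission.
USERS = {
    "alice": {"roles": ["analyst"], "perms": {"sp:read", "report:run"},
              "last_used": {"sp:read": date(2020, 6, 1), "report:run": date(2020, 5, 28)}},
    "bob": {"roles": ["sharepoint_admin"],
            "perms": {"sp:read", "sp:manage_site", "media:write", "payment:approve"},
            "last_used": {"sp:read": date(2020, 6, 1), "sp:manage_site": date(2020, 6, 1),
                          "media:write": date(2020, 1, 15), "payment:approve": date(2019, 11, 2)}},
}

def sod_violations(perms):
    """Conflicting pairs that are both present in one user's effective permissions."""
    return [pair for pair in SOD_CONFLICTS if set(pair) <= perms]

def excess_permissions(roles, perms):
    """Least privilege: permissions held that no assigned role justifies."""
    allowed = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in roles))
    return sorted(perms - allowed)

def stale_permissions(last_used, today, max_idle_days=90):
    """Permissions unused for longer than the review window: candidates for removal."""
    return sorted(p for p, d in last_used.items() if (today - d).days > max_idle_days)

def review_user(name, today=date(2020, 6, 2)):
    """Run all three checks for one user; empty lists mean the review found nothing."""
    u = USERS[name]
    return {"sod": sod_violations(u["perms"]),
            "excess": excess_permissions(u["roles"], u["perms"]),
            "stale": stale_permissions(u["last_used"], today)}

if __name__ == "__main__":
    for name in USERS:
        print(name, review_user(name))
```

In a real program the role map and last-used dates would come from the IAM system and its audit logs; the three checks stay the same.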
5. Continuously monitor user behavior
Perhaps the most important step you can take to address insider threats is to learn what’s normal, and what’s not. The way to accomplish this is through improved behavior monitoring and analytics capabilities. Tools that are already embedded in the network such as DLP, IAM controls and SIEM are a foundational part of the effort to address threats—ensure that they are working effectively. Many SIEM vendors are incorporating user and entity behavior analytics (UEBA) for advanced analytics, user behavior analysis, and cognitive computing-based (i.e. smarter) orchestration and response.
There’s a good chance that if several organizations that fell victim to high-profile attacks had continuous monitoring via context-aware UEBA at the time of their breach, abnormal behavior coming from authorized users, contractors, partners, or suppliers could have been quickly identified.
UEBA solutions offer profiling and anomaly detection based on a variety of analytics approaches that combine basic analytics methods (e.g., rules that leverage signatures, pattern matching and simple statistics) with advanced analytics (e.g., supervised and unsupervised machine learning). They help to establish baselines of normal user behavior and facilitate the detection of users with high-risk identity profiles as well as high-risk activity, access, and events associated with insider threats. Through these tools, organizations can quickly identify threats based on actions that stray from normal patterns and address them through manual or automated remediation.
Integrating UEBA with IAM enables proactive remediation based on real-time user behavior. The volume of IAM data that organizations already collect provides valuable context for behavior and facilitates preventive control for potential security incidents.
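An added example (not from the original article or from any UEBA product) of the baseline-and-deviation idea in Python: it builds a per-user profile from a constructed week of file-access audit lines, then scores new events for off-hours activity, unfamiliar targets, unusual volume and writes to removable media. The log line format, the user names and the paths are all constructed for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed, simplified file-access audit format (not any real product's log format).
LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                  r"target=(?P<target>\S+) bytes=(?P<bytes>\d+)")

# Constructed baseline: one user's routine week (business hours, two familiar shares).
BASELINE_LOG = """\
2020-05-25T09:12:03 user=alice action=read target=/share/projects bytes=50000
2020-05-26T10:40:11 user=alice action=read target=/share/projects bytes=120000
2020-05-27T11:05:44 user=alice action=read target=/share/hr bytes=80000
2020-05-28T13:22:09 user=alice action=write target=/share/projects bytes=200000
2020-05-29T14:55:30 user=alice action=read target=/share/hr bytes=150000
""".splitlines()

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # malformed line: skip it rather than crash the pipeline
    ev = m.groupdict()
    ev["hour"], ev["bytes"] = int(ev["ts"][11:13]), int(ev["bytes"])
    return ev

def build_baseline(lines):
    """Per-user profile: usual hours, usual targets, and a volume threshold (mean + 3 sd)."""
    prof = defaultdict(lambda: {"hours": set(), "targets": set(), "bytes": []})
    for ev in filter(None, map(parse, lines)):
        p = prof[ev["user"]]
        p["hours"].add(ev["hour"])
        p["targets"].add(ev["target"])
        p["bytes"].append(ev["bytes"])
    for p in prof.values():
        p["max_bytes"] = mean(p["bytes"]) + 3 * pstdev(p["bytes"])
    return prof

def score_event(prof, ev):
    """List how one event deviates from its user's baseline (empty list means normal)."""
    p = prof.get(ev["user"])
    if p is None:
        return ["unknown_user"]  # no history at all is itself worth an analyst's look
    checks = [
        (ev["hour"] not in p["hours"], "off_hours"),
        (ev["target"] not in p["targets"], "new_target"),
        (ev["bytes"] > p["max_bytes"], "volume"),
        (ev["action"] == "write" and ev["target"].startswith("usb:"), "removable_media_write"),
    ]
    return [label for hit, label in checks if hit]
```

Feed the baseline to `build_baseline` and each new audit line through `parse` and `score_event`; an event with several reasons at once (for example an off-hours read of a share the user has never touched, at many times the usual volume) is the pattern worth routing to the incident-response team first.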
Bridge the gap between prevention and resistance
Traditional preventive controls can have a negative impact on users’ experience as they do their jobs. Be careful to link security awareness training to employee monitoring and build transparency and trust into the process. People are among the best alerting mechanisms in any organization; awareness training should run the gamut from overall education to phishing exercises. It’s critical for businesses to reiterate to employees that although there will be monitoring for security purposes, their privacy will be considered.
Stop insider threats
Outsiders such as hackers, organized crime groups and nation-states may be the “bad guys” we don’t know and love to hate, but insider threats can be just as costly and damaging.
Insiders—and the malicious outsiders who emulate them—have the means and opportunity to access our most critical data. A comprehensive approach to mitigating the threats they present crosses people, process and technology.
By enabling a detailed understanding of your assets and security posture, a clear separation of duties, continuous monitoring, and a cross-organizational insider threat program, you can gain visibility into the highest-risk users in your environment and the tools to monitor, report on and investigate them. This will help you transform user data into an asset and prevent your organization from making the wrong kind of headlines.