The secret sauce to detect insider threats
Apr 2010 min read
Organizations are finding solutions to tackle external security threats, but are they prepared to face threats that emerge from within the organization? IT admins and security analysts are the ones who usually monitor employees' activities, but what if they become a threat to the organization? Read on to learn more about insider threats.
An insider is a person who is a recognized identity within an organization. Insiders can be current or former employees, vendors, contractors, or partners who have authorized access to the organization's confidential assets like financial records. Accountants, software developers, IT admins, and analysts are some examples of an insider.
Insider threats originate from employees or users of a network that intentionally or unintentionally exploit a vulnerability, expose confidential data, or do something like accidentally download malicious software, resulting in an attack. For example, an accountant who leaks their organization’s financial records is an example of an insider threat.
Insider threats are a growing concern for many organizations. The Verizon 2021 Data Breach Investigations Report suggests that in the year 2021, insiders were responsible for around 22% of security incidents.
Malicious insiders are the ones who intentionally engage in malicious activities. They have an edge over outside attackers as they are familiar with the enterprise network, its security protocols, processes, and may possess the privileged credentials needed to carry out the attack.
Did you know?
According to Russian secret services, employees at Russia's foremost nuclear research laboratory were arrested in 2018 on suspicion of exploiting a powerful supercomputer for bitcoin mining.
Negligent insiders are the ones who unintentionally expose data or exploit a vulnerability. Negligent insiders are employees who are careless and they are often unaware of the various security risks that their actions pose. They do not have any motive to harm the organization, but their actions leave the organization at risk. Security incidents due to negligent insiders are one of most common types of insider threats.
Compromised insiders are the users whose accounts are taken over by external adversaries. This usually occurs when employees fall victim to phishing scams or business email compromise (BEC) attacks, or when they unknowingly download malware. Attackers can also use leaked credentials to compromise an account and pose as an employee.
Did you know?
In 2020, Twitter employees were contacted by a group of hackers who pretended to be Twitter IT administrators. They convinced some employees to reveal their account passwords during these calls. This led to a 4% drop in Twitter’s share price.
Users who are not part of the organization's payroll but have certain privileges to access the company's network are called third-party insiders. They include vendors, contractors, and business partners who are given access to the organization’s network. Often, IT administrators fail to monitor such third-party user activities. This is why attackers target third-party users to launch attacks.
Did you know?
In 2020, at least 10 universities in the UK, US, and Canada have had data stolen about students after hackers attacked a third-party cloud computing provider.
Collusive insiders are the ones who work with external malicious threat actors to infiltrate an organization’s security and privacy. Collusive insiders are rare, but the possibility of threat actors joining forces with an organization's employees over the dark web is significantly dangerous.
Shadow IT is the use of third-party applications, hardware, and services by employees without the approval of the IT administrator. Employees engage in shadow IT because it improves their productivity. Adversaries leverage shadow IT to lurk in the network for long periods to carry out persistent attacks.
Social engineering plays an imperative role in BEC attacks. It involves tricking someone inside the company to make a security error, make a fraudulent payment, or disclose critical information. While social engineering is theoretically an external threat, it is only effective if an insider can be persuaded to provide information. Threat actors use terms like immediately and urgent in their email subject lines with the goal of provoking a response from the employee.
Confidential data can be publicly shared by employees with unauthorized parties, entities, and users. This could be done unintentionally by the employees. For example, two employees could be sharing files with each other over a public Wi-Fi connection, which is not monitored by the IT administrator and could be prone to external security threats.
In some cases, after employees log out for the day, they take their office devices like their laptops home with them. Since these devices aren't on the business premises, they become vulnerable to theft during a home burglary. In 2006, a data analyst took home a hard drive that stored the personal data of 26.5 million U.S. military veterans. It was later stolen in a home burglary and the FBI stated that the data analyst was not authorized to take the hard drive home.
Most of the above problems happen due to human error. Organizations often find it challenging to prevent human error since actions labelled as "human error" are often simply the result of normal human behavior. Organizations need to focus on minimizing human errors from employees. If human error does occur, then the organization should be prepared and equipped with proper security tools to readily execute action to stop any further damage.
Educating and training employees can play an imperative role in preventing compromised and negligent insiders. Organizations must ensure that employees are aware of the security risks that their actions pose and how they can be managed safely. Cybersecurity training should be conducted on a regular basis. Organizations can conduct uninformed tests by sending out phishing emails to test employees, and the employees who fail the test can be trained accordingly. Employees should also be trained to recognize and report any suspicious activity among their colleagues to their managers or IT administrators.
Organizations need to adopt Zero Trust and MFA to ensure users have the right access to the right resources at the right time. Another important part of preventing insider threats is documenting organizational policies. Procedures for preventing and detecting harmful conduct along with incident response protocols should be included in the policy. Every employee should be aware of the security protocols and understand their intellectual property (IP) rights so that the privileged content developed by them is not exposed or shared.
Some of the organization’s critical assets will include financial detail, legal records, and intellectual property such as schematics, proprietary software, and customer data. IT administrators should identify who has access to the organization's inventory. This information helps in a more comprehensive diagnosis of the vulnerability of assets and what actions need to be taken based on it.
User and entity behavior analytics (UEBA) uses machine learning, statistical models, and algorithms to monitor and analyze any suspicious activity of users and devices in the network. Employees have their own unique work routine, which is used as the baseline for their behavior. Anything that deviates from this normal behavior is considered an anomaly and the IT administrator is alerted. Since UEBA solutions use deep learning and other analytical methods to take automated actions, the entire process easy.
Combating insider threats is complicated as anyone within the organization can become a threat actor. Detecting insider threats can be challenging because the detection is focused more on proactivity than responsiveness. It is like predicting the future and then taking the precautions accordingly. It requires a lot of effort to constantly ensure such threats are not hiding around the corner.
Organizations need a robust threat intelligence mechanism that empowers them to take decisive actions to preempt and prevent cyberattacks. This is where UEBA can help. With UEBA solutions, threat hunting takes place automatically and informs IT admins if employees are involved in malicious activities. Implementing a UEBA solution can bolster an organization's cybersecurity infrastructure by helping admins proactively detect, investigate, and remediate malicious logins, lateral movements, privilege abuse, data breaches, and malware.