Every company has plenty of insiders: employees, business partners, third-party vendors. They all have a certain level of access to corporate infrastructure and business data: some have limited access to general information of low value, while others can easily access the most valuable and sensitive data.
This access is what makes insiders one of the greatest threats to a company’s cybersecurity. And this is why it’s important to understand what an insider attack is. In this article, we take a detailed look at insider threats in cybersecurity, the causes of insider threats, types of risky insiders, and key factors for preventing, detecting, and mitigating insider attacks.
What is an insider threat?
Sometimes, the biggest danger comes from within.
Insider threats are a serious cybersecurity problem for many organizations. According to the Ponemon Institute 2020 Cost of Insider Threats Global Report [PDF], the number of insider threat incidents increased by 47% in just two years, from 3,200 in 2018 to 4,716 in 2020.
At the same time, the total average cost of an insider threat increased by 31%: from $8.76 million in 2017 to $11.45 million in 2019.
But what is an insider threat at its core? The CERT Coordination Center at Carnegie Mellon University offers a general insider threat definition. It defines an insider threat as "the potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization".
The definition of an insider threat by CERT
Another definition of an insider threat was proposed by Gartner (Gartner subscription required): "An insider threat is a malicious, careless or negligent threat to an organization that comes from people within the organization — such as employees, former employees, contractors or business associates — who have inside information concerning the organization's security practices, data and computer systems."
Sometimes, the term insider threat is also used interchangeably with insider attack, meaning not the potential to act but the actual act of an insider compromising an organization's network or computer system.
Types of insider threats
While a popular topic among cybersecurity specialists, there’s no gold standard for classifying insider threats.
There are different ways to classify insider threats, but one of the most common typologies is presented in a report by CA Technologies. It splits all examples of insider threats into two large groups based on intent: malicious insiders and unintentional (careless) ones.
However, we can add a bit more granularity and specify three insider threat types:
- Malicious insiders
- Careless insiders
- Compromised insiders
In this classification, compromised accounts are also considered an insider threat because when an outsider enters your infrastructure under the credentials of a legitimate user, the system sees them as an insider.
Intruders can steal user credentials by:
- Sending a phishing email
- Infecting a computer with malware delivered through a link in an email, a file downloaded from a website, a USB device, etc.
- Making phishing phone calls (vishing)
- Carrying out pass-the-hash attacks, etc.
However, the most granular approach so far has been taken by Verizon in their recent 2020 Data Breach Investigations Report. They split all insider threats into five insider threat categories:
- Malicious insiders
- Inside agents
- Disgruntled employees
- Careless workers
- Third parties
This typology provides the most extensive classification of insider threats, covering a wide range of reasons for an insider attack: malicious intentions, industrial espionage, negligence, emotional motivations, and even third-party vendor-related risks. However, insider threat statistics show that most insider attacks are caused by negligence.
By understanding the true nature of each type of insider threat, you’ll be able to better understand the risks they can pose to your company’s cybersecurity. In the next section, we talk about the main cybersecurity risks and challenges of insider threats.
The key risks and challenges of insider threats
You can’t prevent something you don’t know about.
The main problem with insider attacks is that in contrast to outside attacks, they can remain unnoticed not for weeks or months but for years. Outside attackers usually act suspiciously from the moment they invade your system. But malicious insiders, for the most part, act normally and perform their daily duties. They only spend a limited amount of time on their malicious actions, which makes it much harder to detect the exact moment of an attack.
Insiders have a number of obvious advantages over outside cyber criminals:
- They have legitimate access to your infrastructure
- They know (or can easily learn) where you store your most valuable data
- They know your cybersecurity system from within, which means it’s easier for them to bypass it
Thanks to such opportunities, insiders can steal or harm your valuable data. Gartner defines the following three types of insider threat activities:
Fraud activities include misusing your valuable assets for personal gain, phishing campaigns, and misrepresentation.
Data theft means carrying out an unauthorized data transfer from a corporate computer.
System sabotage stands for changing critical configurations of your network or computer systems, preventing your systems from operating normally, installing malware, creating backdoors for outside attackers, etc.
Most importantly, stealing or harming valuable data is not the only threat they pose. Insiders can do a lot of other risky things:
- Change critical configurations of your network or computer systems
- Prevent your systems from operating normally
- Install malware
- Create backdoors for outside attackers
- Misuse your valuable assets for personal gain
- And more
Basically, if there’s an ongoing insider attack in your company, all your valuable IT assets are in danger: networks, file servers, cloud storage, databases, and even endpoints. There are also a number of risk factors that can increase the possibility of such an attack. The most common and critical are:
- Excessive access privileges – When too many people gain access to the most critical assets, it creates additional risk for data misuse or compromise.
- Shadow IT – When employees install software that wasn’t approved and isn’t managed by your IT department, it creates additional risks for malware being installed. Plus, unapproved software may be incompatible with other software used in your company, harming the operation of your systems.
- Bring Your Own Device (BYOD) policies – When employees use personal devices for corporate purposes, it creates additional cybersecurity risks.
Detecting and mitigating an insider threat in a timely manner should be a top priority for any cybersecurity officer and business owner. In the next section, we talk about the indicators that can help you detect an internal threat and the most effective ways of mitigating the risks of insider threats.
Handling an insider threat: active or proactive?
Prevention is the key.
There are two basic scenarios for dealing with an insider attack: You can act preventively, trying to prevent an attack from happening in the first place, or actively, responding to it efficiently and in a timely manner. Of course, to get the best possible result, it’s best to combine these two approaches:
- Insider attack prevention – Build up your cybersecurity policy and configure all your systems in a way that allows you to keep the risk of insider attacks as low as possible.
- Detection and response – Create an insider threat detection system that allows you to detect an attack at an early stage and build an efficient incident response system in order to limit possible damage.
You can detect a potential insider threat by paying attention to various indicators of suspicious behavior.
How can you prevent an insider attack?
Five best practices to avoid attacks
There is various software on the market that helps organizations enhance their cybersecurity and mitigate insider threats. In general, their idea is to monitor employees' activity and detect potential threats.
Depending on a solution and business needs, such software can collect various data, including:
- Online activity: visited websites, email exchanges, file and application downloads and uploads, online searches.
- General activity: file and data operations, launched applications, connected USB devices.
Modern technologies have significantly enhanced user monitoring solutions, and Gartner now observes two primary categories of such software:
- Insider-threat-focused tools
- Solutions that provide broad-based user and entity behavior analytics (UEBA)
There are several key points you should pay attention to in order to minimize the risk of an insider compromising your company’s cybersecurity:
Cybersecurity policies and guidelines. Having detailed and thoroughly planned cybersecurity policies and guidelines is the first step toward securing your valuable assets.
Your employees should know exactly what they can and cannot do:
- What are the allowed scenarios for working with sensitive information
- What they should do in case of a cybersecurity incident
- What are the rules for working with corporate systems, etc.
All this information should be included in your cybersecurity policy and personalized in smaller guides for particular departments and roles.
Access management. The best way to prevent employees from misusing their access privileges is to grant them only the permissions they really need. Role-based access control (RBAC) and just-in-time privileged access management (PAM) are effective ways to ensure the required level of access granularity: standing permissions are limited to the secure minimum for each role, and privileged permissions are granted only for an approved task and a limited time, after which they expire automatically.
Multi-factor authentication (MFA) is a commonly acknowledged best practice for securing valuable assets and effectively managing access to them. Another possible approach is implementing a zero trust security model, in which no request is trusted because of where it comes from: every access to a critical asset is verified, and sensitive operations require additional approval or re-verification of the user's identity.
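To make the access management points above concrete, here is an added example of a minimal least-privilege policy check with just-in-time elevation. It is illustrative code written for this article, not Ekran System's code or any PAM product's API; the roles, permissions, users and change ticket number are hypothetical. Standing permissions come from roles, privileged permissions exist only as approved, time-boxed elevations, self-approval is refused, and every decision is written to an audit trail.

```python
"""Least-privilege access check: role-based standing permissions plus
just-in-time (JIT) elevation that expires automatically.
Constructed example; roles, users and permissions are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Standing permissions per role: the secure minimum for daily work.
ROLE_PERMISSIONS = {
    "developer": {"repo:read", "repo:write", "ci:trigger"},
    "support": {"ticket:read", "ticket:write", "customer:read"},
    "dba": {"db:read"},  # no standing write access to production data
}

# Privileged permissions that are never standing: they must be requested,
# approved by someone else, and expire on their own.
JIT_ONLY = {"db:write", "prod:shell", "iam:admin"}
MAX_ELEVATION_MINUTES = 240


@dataclass
class Elevation:
    permission: str
    approver: str
    expires_at: datetime
    ticket: str


@dataclass
class User:
    name: str
    roles: set
    elevations: list = field(default_factory=list)


class AccessDenied(Exception):
    pass


def grant_jit(user, permission, approver, ticket, minutes, now):
    """Record an approved, time-boxed elevation. Self-approval is refused so a
    single insider cannot both request and approve their own privileges."""
    if permission not in JIT_ONLY:
        raise ValueError(f"{permission} is not a JIT-only permission")
    if approver == user.name:
        raise AccessDenied("self-approval is not allowed")
    if minutes <= 0 or minutes > MAX_ELEVATION_MINUTES:
        raise ValueError(f"elevation window must be 1-{MAX_ELEVATION_MINUTES} minutes")
    user.elevations.append(
        Elevation(permission, approver, now + timedelta(minutes=minutes), ticket)
    )


def has_permission(user, permission, now):
    """Standing role permissions first, then any unexpired JIT elevation."""
    standing = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))
    if permission in standing:
        return True
    # Purge expired elevations so they can never linger as standing access.
    user.elevations = [e for e in user.elevations if e.expires_at > now]
    return any(e.permission == permission for e in user.elevations)


def authorize(user, permission, now, audit):
    """Policy decision point. Every check, allowed or denied, goes to the
    audit trail; that trail is what an investigator needs later."""
    allowed = has_permission(user, permission, now)
    audit.append({"ts": now.isoformat(), "user": user.name,
                  "perm": permission, "allowed": allowed})
    if not allowed:
        raise AccessDenied(f"{user.name} lacks {permission}")
    return True


def demo():
    """Walk a hypothetical DBA through the day: standing read, denied write,
    approved 30-minute write, automatic expiry. Returns the decisions."""
    audit, results = [], {}
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    alice = User("alice", {"dba"})
    results["read_standing"] = has_permission(alice, "db:read", t0)
    results["write_before_jit"] = has_permission(alice, "db:write", t0)
    try:
        grant_jit(alice, "db:write", approver="alice", ticket="CHG-4711", minutes=30, now=t0)
        results["self_approval_blocked"] = False
    except AccessDenied:
        results["self_approval_blocked"] = True
    grant_jit(alice, "db:write", approver="bob", ticket="CHG-4711", minutes=30, now=t0)
    results["write_during_jit"] = has_permission(alice, "db:write", t0 + timedelta(minutes=10))
    results["write_after_expiry"] = has_permission(alice, "db:write", t0 + timedelta(minutes=31))
    for perm, when in (("db:read", t0), ("db:write", t0 + timedelta(minutes=45))):
        try:
            authorize(alice, perm, when, audit)
        except AccessDenied:
            pass
    results["audit"] = audit
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from the example is that the expiry is enforced at check time rather than by a clean-up job that might never run, and that the denied attempt at 09:45 is logged just like the allowed one: a pattern of denied privileged requests is itself one of the indicators the detection section below relies on.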
Technical controls. Since data is usually one of the main targets of cyber criminals, you need to make it harder to tamper with your critical data. For instance, regular data backups and the deployment of data loss prevention tools can limit the risks associated with damage or loss of valuable information.
USB management tools, on the other hand, will come in handy for preventing your employees from using unauthorized USB devices for installing malware or copying corporate data for personal use.
However, it’s important to clarify that preventive measures only help to minimize the risk of an insider attack. For defending your company against this cybersecurity threat, you need to thoroughly plan ways to detect and respond to insider attacks.
How to detect insider threats and respond to them?
Fighting insider threats
Just as with prevention, there are a number of key factors affecting your ability to effectively detect and respond to insider threats. Let’s take a look:
User activity monitoring. Having full visibility across your network is one of the main conditions for effective insider threat detection. And the best way to achieve the required level of visibility across your network is by monitoring all activity within your network 24/7.
First comes monitoring employee activity. You need to know who does what, when, and how. Start with monitoring privileged accounts and critical assets, then expand the scope of monitored users and systems as needed.
Next, you need to take additional care about monitoring and auditing subcontractors. As they may have legitimate access to certain critical assets, you need to be able to make sure they aren’t misusing their access privileges.
Logging and auditing. Simple monitoring won’t be enough to secure your valuable assets. It’s important that your monitoring solutions gather and log data about monitored instances and users.
Also, you need to be able to audit and analyze gathered data; otherwise, you won’t be able to act on it. So make sure your activity monitoring solution allows you to form detailed reports for further auditing.
Incident detection and response. The longer an attack remains undetected, the more it will cost to remediate. But in order to detect an insider attack in time, you need to create a comprehensive incident response system. There are a number of features that you may find useful for building such a system, including:
- Alerts and notifications. Setting alerts for specific events such as the creation of a new privileged account or deletion of a particular set of data will help you detect suspicious actions and take proper actions at the early stage of a possible attack. Of course, it would be best if these alerts were sent in real time.
- Automatic response. Being able to block a process, application, or user that acts suspiciously or violates a security rule can help you limit possible damage from a cybersecurity incident.
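The following is an added example of the alerting and automatic-response idea described above, applied to a small constructed audit stream. It is illustrative code written for this article, not Ekran System's code; the JSON audit lines are invented, and the two rules (a new member in a privileged group, and a burst of deletions by one actor inside a short window) and the suggested responses are assumptions chosen to match the events named in the text. Each rule returns a severity and a response action so the same logic can feed either a notification or an automatic block.

```python
"""Rule-based alerting over an audit stream with a suggested automatic
response per rule. Constructed example: the log lines below are invented."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "sudo"}
BULK_DELETE_THRESHOLD = 5                   # deletions by one actor ...
BULK_DELETE_WINDOW = timedelta(minutes=2)   # ... within this window

# Constructed audit lines, one JSON object per line. The "ts":"bad" line is
# deliberately malformed to show that one broken record must not stop detection.
SAMPLE_LOG = """\
{"ts":"2024-03-04T09:02:11Z","actor":"alice","action":"file.read","target":"/finance/q1.xlsx"}
{"ts":"2024-03-04T09:05:40Z","actor":"bob","action":"group.add_member","target":"Domain Admins","member":"svc_backup2"}
{"ts":"bad","actor":"zed","action":"file.read","target":"/tmp/x"}
{"ts":"2024-03-04T09:10:00Z","actor":"dave","action":"file.delete","target":"/tmp/build-a"}
{"ts":"2024-03-04T09:14:00Z","actor":"dave","action":"file.delete","target":"/tmp/build-b"}
{"ts":"2024-03-04T09:18:00Z","actor":"dave","action":"file.delete","target":"/tmp/build-c"}
{"ts":"2024-03-04T09:20:00Z","actor":"carol","action":"file.delete","target":"/hr/payroll_1.csv"}
{"ts":"2024-03-04T09:20:05Z","actor":"carol","action":"file.delete","target":"/hr/payroll_2.csv"}
{"ts":"2024-03-04T09:20:10Z","actor":"carol","action":"file.delete","target":"/hr/payroll_3.csv"}
{"ts":"2024-03-04T09:20:15Z","actor":"carol","action":"file.delete","target":"/hr/payroll_4.csv"}
{"ts":"2024-03-04T09:20:20Z","actor":"carol","action":"file.delete","target":"/hr/payroll_5.csv"}
{"ts":"2024-03-04T09:20:25Z","actor":"carol","action":"file.delete","target":"/hr/payroll_6.csv"}
{"ts":"2024-03-04T09:30:00Z","actor":"erin","action":"group.add_member","target":"Marketing","member":"frank"}
"""


def parse_events(text):
    """Yield events in log order; skip blank and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError):
            continue
        yield ev


class Detector:
    def __init__(self):
        self.recent_deletes = defaultdict(deque)  # actor -> deletion timestamps
        self.alerts = []

    def process(self, ev):
        """Run each rule; the first match produces one alert for this event."""
        for rule in (self.privileged_membership, self.bulk_delete):
            alert = rule(ev)
            if alert:
                alert["ts"] = ev["ts"].isoformat()
                alert["actor"] = ev.get("actor")
                self.alerts.append(alert)
                return alert
        return None

    def privileged_membership(self, ev):
        """A new member in an admin group is rare and high impact: alert at once."""
        if ev.get("action") == "group.add_member" and ev.get("target") in PRIVILEGED_GROUPS:
            return {"rule": "privileged_group_membership", "severity": "high",
                    "detail": f"{ev.get('member')} added to {ev['target']}",
                    "response": "notify_on_call"}
        return None

    def bulk_delete(self, ev):
        """Sliding window per actor: many deletions in a short time reads as sabotage."""
        if ev.get("action") != "file.delete":
            return None
        window = self.recent_deletes[ev["actor"]]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > BULK_DELETE_WINDOW:
            window.popleft()
        if len(window) >= BULK_DELETE_THRESHOLD:
            window.clear()  # report one burst once, not on every further delete
            return {"rule": "bulk_delete", "severity": "medium",
                    "detail": f"{len(window) or BULK_DELETE_THRESHOLD}+ deletions within {BULK_DELETE_WINDOW}",
                    "response": "block_session"}
        return None


def run(text=SAMPLE_LOG):
    """Process a whole log and return the alerts raised, in order."""
    det = Detector()
    for ev in parse_events(text):
        det.process(ev)
    return det.alerts


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed log this raises exactly two alerts: bob adding svc_backup2 to Domain Admins, and carol's six payroll deletions within 25 seconds. Dave's three deletions spread over eight minutes stay below the window and produce nothing, which is the kind of threshold tuning a real deployment needs to get right to avoid drowning analysts in noise.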
User and entity behavior analytics (UEBA). In order to combine the benefits of user activity monitoring and active incident response, you may consider implementing a UEBA solution. Such a solution gathers information on entities, both human and non-human, analyzes their behavior, and builds a baseline profile for each. This profile can then be used to stop an insider threat. When the activity of a monitored entity deviates from the defined baseline, it might be an indicator of an ongoing insider attack.
The biggest advantage of such an approach is that the volume of data is processed by an algorithm rather than by a human. Algorithms can compare every event against a per-user baseline and surface patterns a human analyst would have missed. The caveat is that a baseline is only as good as the history behind it: new accounts have no meaningful baseline yet, and thresholds that are too tight will flood analysts with false positives, so deviations should be treated as indicators for investigation rather than proof of an attack.
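To show what "deviates from the baseline" means in practice, here is an added example of a minimal behavioral baseline check. It is illustrative code written for this article, not Ekran System's UEBA implementation or any vendor's algorithm; the users, daily figures and thresholds are invented. Numeric features (megabytes uploaded, files accessed) are scored in standard deviations from the user's own history, a categorical feature (login hour) is checked against the set of hours the user has ever logged in at, and a user with too little history is reported as having an insufficient baseline rather than being scored.

```python
"""Per-user behavioral baseline (a minimal UEBA-style check).
Constructed example: users and daily figures are invented."""
from statistics import fmean, pstdev

MIN_BASELINE_DAYS = 7   # below this, the history is too thin to trust
Z_THRESHOLD = 3.0       # standard deviations before a feature is anomalous
NUMERIC_FEATURES = ("upload_mb", "files_accessed")


def z_score(value, history):
    """Today's value in standard deviations from the user's own history.
    The floor on the spread stops a perfectly stable baseline (stdev 0)
    from turning every tiny change into an alert."""
    mean = fmean(history)
    spread = max(pstdev(history), 0.1 * abs(mean), 1.0)
    return (value - mean) / spread


def score_user(history, today):
    """history: daily observations {"upload_mb", "files_accessed", "login_hour"};
    today: one observation of the same shape. Returns a verdict with reasons."""
    if len(history) < MIN_BASELINE_DAYS:
        return {"anomalous": False, "baseline": "insufficient", "reasons": [], "max_z": 0.0}
    reasons, max_z = [], 0.0
    for feat in NUMERIC_FEATURES:
        z = z_score(today[feat], [d[feat] for d in history])
        max_z = max(max_z, abs(z))
        if abs(z) > Z_THRESHOLD:
            reasons.append(f"{feat}={today[feat]} is {z:+.1f} sd from baseline")
    # Categorical feature: an hour at which this user has never logged in before.
    seen_hours = {d["login_hour"] for d in history}
    if today["login_hour"] not in seen_hours:
        reasons.append(f"login_hour={today['login_hour']} never seen (baseline {sorted(seen_hours)})")
    return {"anomalous": bool(reasons), "baseline": "ok",
            "reasons": reasons, "max_z": round(max_z, 2)}


def _days(uploads, files, hours):
    return [{"upload_mb": u, "files_accessed": f, "login_hour": h}
            for u, f, h in zip(uploads, files, hours)]


# Constructed two-week histories (values invented for the example).
HISTORY = {
    "alice": _days([42, 55, 48, 51, 60, 39, 45, 58, 50, 47, 53, 44, 49, 56],
                   [110, 125, 98, 130, 115, 120, 105, 135, 112, 118, 128, 101, 122, 116],
                   [9, 8, 9, 9, 10, 8, 9, 9, 8, 10, 9, 9, 8, 9]),
    "bob": _days([30, 34, 31, 29, 33, 32, 30, 35, 31, 33, 29, 34, 32, 30],
                 [80, 85, 78, 90, 82, 88, 79, 84, 86, 81, 83, 87, 80, 85],
                 [9, 9, 10, 9, 9, 10, 9, 9, 9, 10, 9, 9, 9, 10]),
    "newhire": _days([10, 12, 11], [40, 45, 42], [9, 9, 9]),  # only 3 days of history
}

# Constructed observations for "today".
TODAY = {
    "alice": {"upload_mb": 2100, "files_accessed": 900, "login_hour": 23},
    "bob": {"upload_mb": 35, "files_accessed": 95, "login_hour": 10},
    "newhire": {"upload_mb": 500, "files_accessed": 300, "login_hour": 2},
}


def demo():
    """Score every constructed user for today."""
    return {user: score_user(HISTORY[user], TODAY[user]) for user in HISTORY}


if __name__ == "__main__":
    for user, verdict in demo().items():
        print(user, verdict)
```

Alice's 2.1 GB upload at 23:00 is hundreds of standard deviations from her normal day and lands on all three reasons; bob's slightly busier day scores below the threshold on every feature; the new hire's unusual activity is reported as unscorable rather than as an attack, which is the honest answer when there is no history to compare against.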
Employee education. Finally, it's crucial to educate your employees and third-party partners on your cybersecurity policies and general cybersecurity best practices. People tend to ignore security rules not because they're rebels at heart but because they either don't see the importance of following these rules or find them inconvenient. For instance, a shadow IT problem is usually a sign that your corporate systems don't offer the most convenient or effective tools for solving day-to-day tasks.
Deter, detect, and disrupt insider threats with Ekran System
When it comes to dealing with insider threats, you can either deploy a set of separate tools for each specific task or use a comprehensive platform that provides you with all the functionality you need.
As a comprehensive insider threat management platform, Ekran System helps you prevent, detect, and proactively respond to insider threats, focusing on the three core goals:
1. Deter potential insider threats
2. Detect abnormal activity
3. Disrupt the effort to perform a malicious action
Ekran System also provides you with UEBA functionality for detecting possible account compromise.
Insiders pose a significant threat to an organization’s cybersecurity. They have a number of advantages over outside attackers, as they have legitimate access to the organization’s network and know its cybersecurity system from the inside.
Not all insiders are malicious by nature: some may compromise an organization’s cybersecurity unintentionally, due to human error, personal negligence, or the malicious actions of outsiders.
The best way to mitigate the risks posed by insider threats is by combining preventive measures with insider threat detection tools and incident response practices. Ekran System covers all three tasks, allowing you to limit the risk of insider attacks, monitor and audit user activity, manage access, and respond to insider threat incidents fast and efficiently.