Stopping insider threats isn’t easy. There are a number of behavioral indicators that can help you see where a potential threat is coming from, but this is only half the battle. Reliable insider threat detection also requires tools that allow you to gather full data on user activities. However, fully discounting behavioral indicators is also a mistake. They allow you to detect users that pose increased risks of being malicious insiders and better prepare you for a potential attack by turning your attention to them.
In this article, we cover four behavioral indicators of insider threats and touch on effective insider threat detection tools.
What is an insider?
First things first: we need to define who insiders actually are.
In the simplest way, an insider can be defined as a person belonging to a particular group or organization. More often than not, this person has legitimate access to secure data, putting them into an ideal position to threaten the security of that data.
However, not every insider has the same level of access, and thus not every insider presents the same level of threat. The Verizon Insider Threat Report 2019 outlines the five most common types of dangerous insiders:
- Disgruntled employees — A lot of things can make employees dissatisfied: getting turned down for a promotion or raise, poor relations with colleagues and managers, etc. Disgruntled insiders may use their position to take revenge on and cause severe harm to your company.
- Malicious insiders — These are employees who misuse or abuse their access to steal, leak, or delete valuable corporate data out of malicious intentions. The main difference between malicious insiders and disgruntled employees lies in their motivation. Disgruntled employees abuse data as an emotional response.
- Inside agents — These are corporate or government spies inside your company. An inside agent can be either a newcomer or a trusted employee. Their aim is to steal your professional secrets in favor of your competitors in exchange for a reward.
- Regular employees – With limited access to sensitive data, employees rarely conduct full-fledged insider attacks. However, they can often leak data or compromise your corporate infrastructure inadvertently, either by mistake or by becoming a victim of phishing.
- Third-party providers and contractors – Usually, you have little control over cybersecurity on the side of third-party providers. While you may audit their security controls as part of your selection process, this still does not guarantee the complete safety of your sensitive data. It is best to protect your remote connections from malicious subcontractors or compromised accounts.
As you can see, not every dangerous insider is a malicious one. There is also a big threat of inadvertent mistakes, which are most often committed by employees and subcontractors. Every company can fall victim to these mistakes, and trying to eliminate human error is extremely hard.
Your best bet is to improve the cyber awareness of your employees with regard to cybersecurity best practices and put policies in place that will limit the possibility of devastating human errors and help mitigate damage in case of a mistake.
When it comes to malicious insiders, there are numerous things that can help you actually deter and detect them, not the least of which is user behavior monitoring. Next, let’s take a more detailed look at insider threat indicators.
Goals of insider attacks
Insiders can target a variety of assets depending on their motivation. Usually, they focus on data that can be either easily sold on the black market (like personal information of clients or employees) or that can be crucial to company operations (such as marketing data, financial information, or intellectual property). Frequent targets of insider attacks include:
- File servers
- Specific applications
- Mobile devices
- Cloud storage
The most frequent goals of insider attacks include data theft, fraud, sabotage, and espionage. In his book Beyond Fear, famous security expert Bruce Schneier discusses categories of malicious insiders and their motivations:
- Opportunists – These insiders don’t plan any malicious actions beforehand but decide to attack when an opportunity presents itself. Financial difficulties and a history of previous problematic behavior can be warning signs of such an attack. Opportunists can usually be easily deterred by basic security measures, such as access control and user action monitoring.
- Calculated attackers – These insiders are usually much harder to deter. They plan their actions beforehand and usually target very specific data. It can be extremely hard to detect such attacks even after they’ve happened.
- Emotional attackers – These are employees whose main motivation for an attack is emotions and feelings like fear, greed, or anger. Instead of waiting for an opportunity, they attack spontaneously, without a detailed plan. Sometimes they even want to get caught in order to bring attention to their issues. A common example of emotional attackers are disgruntled employees.
- Terrorists and digital activists – These insiders usually plan their attacks and often, instead of stealing data, simply try to do as much damage as possible (for example, by compromising corporate network infrastructure and taking it out from within). They usually can’t be deterred by regular security measures and can even think of them as an additional challenge that validates their beliefs.
Apart from the four categories above, Bruce Schneier also mentions friends and relations as another group of malicious insiders that can commit fraud or data theft by accessing computers of their friends or family. This group of insiders is worth considering when dealing with subcontractors and remote workers.
An insider attack (whether planned or spontaneous) has indicators. Detecting them allows you to prevent the attack or at least get an early warning. Let’s talk about the most common signs of malicious intent you need to pay attention to.
4 сommon behavioral indicators of malicious insiders
Detecting a malicious insider attack can be extremely difficult, particularly when you’re dealing with a calculated attacker or a disgruntled former employee that knows all the ins and outs of your company. One way to detect such an attack is to pay attention to various indicators of suspicious behavior.
Of course, behavioral tells that indicate a potential insider threat can vary depending on the personality and motivation of a malicious insider. However, there are certain common things you need to watch out for:
- 1. Disgruntlement
As mentioned above, when employees are not satisfied with their jobs or perceive wrongdoing on the part of the company, they are much more likely to conduct an insider attack.
There are many signs of disgruntled employees. The most obvious are:
- Frequent conflicts with workers and supervisors
- Declining performance and general tardiness (being late to work, making more mistakes than usual, constantly missing deadlines, etc.)
Employees that exhibit such behavior need to be closely monitored.
This indicator is best spotted by the employee’s team lead, colleagues, or HR. Of course, unhappiness with work doesn’t necessarily lead to an insider attack, but it can serve as an additional motivation. A timely conversation can mitigate this threat and improve the employee’s productivity.
Apart from that, employees that have received notice of termination also pose additional risks and should be monitored regardless of their behavior up until they leave the workplace, at which point their access to corporate infrastructure should be immediately revoked.
- 2. Unusual enthusiasm
Sometimes, an employee will express unusual enthusiasm over additional work. This may include:
- Staying late at work without any specific requests
- Repeatedly volunteering for extra work
- Working at odd hours
- Trying to perform work outside the scope of their normal duties
- Working from home without a good reason
All of these actions can be considered an attempt on the part of the employee to expand their access to sensitive data. While not necessarily malicious, such actions are a great indication that you should keep an eye on the employee and make sure they aren’t copying or otherwise tampering with sensitive data inside your company.
- 3. Unusually frequent trips and vacations
We believe espionage to be merely a thing of James Bond movies, but statistics tell us it’s actually a real threat. For example, the Verizon 2019 Data Breach Investigations Report indicates that commercial or political espionage was the reason for 24% of all data breaches in 2018. Espionage is especially dangerous for public administration (accounting for 42% of all breaches in 2018).
Recurring trips to other cities or even countries may be a good indicator of industrial espionage. An employee may work for a competing company – or even government agency – and transfer them your sensitive data.
Another indication of a potential threat is when an employee expresses questionable national loyalty. This may not only mean that they’re working with government agents or companies in other nations but that they are more likely to take an opportunity to steal or compromise data when it presents itself.
Apart from that, frequent travels can also indicate a change in financial circumstances, which is in and of itself a good indicator of a potential insider threat.
- 4. Unexplained changes in financial circumstances
If an employee unexpectedly pays off their debts or makes expensive purchases without having any obvious additional income sources, it can be an indicator that they may be profiting from your sensitive data on the side.
There are several scenarios for this:
- An employee may be approached by a competitor and coerced into conducting industrial espionage (financially insecure employees are vulnerable, so you need to watch out for this).
- An employee may copy and sell your data for profit.
- An employee may start a competing business and use your data, such as client lists, in order to take away your market share.
Overall, any unexpected and quick changes in financial circumstances are a cause of concern and should be taken as a serious indicator for close monitoring. If you want to learn more about behavioral indicators related to insider threats, refer to this PDF version of an insider threat awareness course by the Center for Development of Security Excellence.
But money isn’t the only way to coerce employees – even loyal ones – into industrial espionage. Sometimes, competing companies and foreign states can engage in blackmail or threats.
Damaging information – for example, information about previous drug addiction or problems with the law – can be effectively used against an employee if it falls into the wrong hands. One way to limit this is to use background checks to make sure employees have no undisclosed history that could be used for blackmail.
Apart from being helpful for predicting insider attacks, user behavior can also help you detect an attack in action. There are potential insider threat indicators that signal users are gathering valuable data without authorization:
- Unauthorized downloading or copying of sensitive data, particularly when conducted by employees that have received a notice of termination
- Taking and keeping sensitive information at home
- Operating unauthorized equipment (such as cameras, recording or USB devices, mass storage devices, internet access points, etc.)
- Asking other employees for their credentials
- Accessing data that has little to no relation to the employee’s present role at the company
Such behavior patterns should be considered red flags and should be taken seriously. In order to limit the damage from a potential insider attack, you should exercise thorough access control and make sure to prohibit mass storage devices and other unauthorized devices.
Protect yourself against insider threats with Ekran System
In order to make your insider threat detection process effective, it’s best to use a dedicated platform such as Ekran System. Ekran helps you identify malicious intent and mitigate threats.
How can you do that? With the help of several tools:
Identity and access management. Ekran System verifies the identity of a person trying to access your protected assets. After confirmation is received, Ekran ensures that the user is authorized to access data and resources. This is done using tools such as:
- Multi-factor authentication – Ensures a user’s identity by checking credentials and sending a verification code to the user’s smartphone.
- One-time passwords – Grant one-time access to sensitive assets by sending a time-based one-time password by email.
- Privileged access management – Granular access control, temporary credentials, and continuous monitoring help to stop malicious insiders with any access level.
User activity monitoring – Thorough monitoring and recording is the basis for threat detection. Ekran System records video and audio of anything happening on a workstation. This data is useful for establishing the context of an event and further investigation.
User and entity behavior analytics – Profiling your users and predicting insider threats based on their behavior is one of the newest insider threat protection techniques. A machine learning algorithm collects patterns of normal user operations, establishes a baseline, and alerts on insider threat behavioral indicators.
Alerting and responding to suspicious events – Ekran allows for creating a rules-based alerting system using monitoring data. When a rule is broken, a security officer receives an alert with a link to an online video of the suspicious session. Suspicious sessions can be viewed in real time and users can be manually blocked if necessary.
Investigating incidents – With Ekran System monitoring data, you can clearly establish the context of any user activity, both by employees and third-party vendors. This data can also be exported in an encrypted file for a report or forensic investigation.
Insider threat detection is tough. There are no ifs, ands, or buts about it. However, every company is vulnerable, and when an insider attack eventually happens, effective detection, a quick response, and thorough investigation can save the company a ton of money in remediation costs and reputational damage. Therefore, it is always best to be ready now than to be sorry later.
In order to make insider threat detection work, you need to know about potential behavioral tells that will point you in the direction of a potential perpetrator. However, indicators are not a panacea and should be used in tandem with other measures, such as insider threat protection solutions.
Ekran System combines identity and access management, user activity monitoring, behavioral analytics, alerting, investigating, and other useful features. Using all of these tools, you will be able to get truly impressive results when it comes to insider threat detection.