Detecting malicious activity takes weeks or even months despite the many efforts companies put into building cybersecurity threat detection systems. You can increase your chances of uncovering malicious activity by studying insider threat techniques and applying diverse detection methods.
In this article, we discuss the most common techniques behind insider threats and their possible indicators as well as ways you can detect insider threats in an efficient manner.
Why is early insider threat detection so important?
Insider threats are hard to deal with. Usually, they are caused by trusted users with access to protected resources who abuse sensitive data or put the organization’s security at risk.
Threats caused by insiders are usually hard to contain: it takes 77 days on average to detect an insider incident according to the 2020 Cost of Insider Threats: Global Report [PDF] by the Ponemon Institute.
Several factors make insider threat detection challenging:
The activity of malicious insiders can cause a great deal of damage when it remains unnoticed for months. The average cost of handling an insider threat is $11.45 million according to the Insider Threat report by the Ponemon Institute.
In some insider threat examples, the attacks cause even more losses. For example, AT&T claims to have lost more than $201 million in potential profits because of several insider attacks in the mid-2010s. Back then, Muhammad Fahd spent more than $1 million bribing AT&T call center employees and developers to unlock phones and deploy malware in the company’s system. They unlocked almost 2 million phones before they were busted. Bribed employees were fired, and in 2021, Muhammad Fahd was sentenced to 12 years in jail.
Malicious insider activity also can lead organizations to lose their trade secrets and their competitive advantage. This almost happened to Corning Inc. when they worked on fiber laser research and development. Ji Wang, the lead scientist on the project, had been working for Corning for more than 20 years. He abused his access privileges and stole confidential research files before being terminated. With this information, he planned to start his own fiber laser business in China but was caught before he could do so.
In each of these cases, an organization’s cybersecurity suffered from the consequences of different insider threat techniques. Let’s take a closer look at some of the most common ones in the next section.
Key insider threat techniques
The way a cyberattack is executed can be referred to as a technique, tactic, process, method, or any number of other things. For the sake of clarity, in this article we’ll use MITRE’s definition of an attack technique:
The technique behind an insider threat usually depends on an attacker’s:
- Level of technical skills
- Knowledge of the organization’s security system
- Privilege access level
Note: Keep in mind that not all insider threats are caused by people with malicious intent. Some insiders may break security rules out of negligence or forgetfulness, a desire to speed up their work, or because they fall for social engineering tricks. Such incidents are much more common than you might think: 63% of insider-related incidents are related to negligence.
Malicious insider activity can be much more harmful than negligent insider activity because a malicious insider usually plans their attack in advance. That’s why you need to be able to keep an eye on anyone in your network who uses these malicious insiders’ common techniques:
This type of insider threat technique is probably the most widespread and diverse. There can be many motivations for stealing sensitive information: financial gain, revenge by a disgruntled employee, industrial espionage, or even hacktivism. There are also a variety of ways to execute this technique, from sending data to a private email to taking pictures of sensitive documents.
The following activities can be indicators of data theft:
- Accessing sensitive data at odd hours
- Downloading data to personal devices (especially if an organization hasn’t implemented a bring your own device policy)
- Sending data outside the protected perimeter
- Failing to create or damaging data backups
- And more
Users with elevated access rights can abuse sensitive resources in many ways: upload data to an unprotected cloud service, create a backdoor, edit or even delete activity logs. This type of insider threat is particularly tricky to detect because privileged insiders have many opportunities to cover their actions. However, there are possible indicators to pay attention to:
- Massive downloads of sensitive data
- Sending of sensitive files outside the protected perimeter
- Unusual activity in the organization’s network
- Creation of privileged accounts without a request
- Deployment of suspicious or forbidden software
- Changes to security configurations without a request
It can be challenging for a regular user to harm an organization because their access rights are usually limited. Challenging, but not impossible. Without proper access management, a trusted user can gain enough privileges to access — and abuse — protected resources. Another way to escalate access privileges is by exploiting vulnerabilities and configuration errors in security software.
These actions can point to privilege escalation:
- Frequent and unnecessary access requests
- Unusual interest in data and projects that a user can’t access
- Lateral movement in the network
- Installing unauthorized software and administrative tools
The motivation behind trying to sabotage an organization’s assets can vary: revenge by an employee for unfair treatment, a desire to blackmail a company, a diversion by a competitor or even another state. Unlike attackers who use other insider threat techniques, saboteurs rarely steal data. They would rather delete or corrupt data, destroy parts of the organization’s infrastructure, or physically damage corporate equipment.
Indicators that an insider may be planning to sabotage assets include:
- Repetitive cases of abusive behavior or conflicts with colleagues and superiors
- Strong disgruntlement over recent promotions or salary changes
- Sending emails with attachments to competitors
- Requesting access to resources the user doesn’t need
- Changing configurations of technologies for insider threat detection
- Deleting accounts intentionally or failing to create backups
- Making changes to data that no one requested
As you can see, these insider threat techniques have different motivations, execution methods, and indicators. That’s why you need to use diverse threat detection methods to be able to catch each of them. Let’s take a look at some of the best practices for insider threat detection below.
4 methods to detect insider threats
Choosing the right insider threat detection techniques is crucial for fast and efficient incident response. Your choice of detection method should depend on the threat indicators you need to detect and the cybersecurity tools and practices you can implement.
|Detection method||Security measures||Indicators to pick||Strong at detecting||Weak at detecting|
|Monitoring user activity||
|Detecting anomalies in user and entity behavior||
|Shifting attention from machines to people||
|Hunting insider threats||
Let’s examine some tips for insider threat detection in detail.
Monitoring user activity
Monitoring user activity inside your network is one of the most widespread insider threat detection methods. Monitoring tools watch over all user actions and compare them to security rules. If a user violates a rule, the tool sends an alert about it to security officers or IT administrators.
In 2020, 40% of insider threats were identified thanks to alerts generated by internal monitoring tools according to the 2021 IBM Security X-Force Insider Threat Report. User activity monitoring (UAM) is especially useful for detecting employee negligence, poorly covered attacks, and opportunistic insiders.
Of course, the efficiency of the UAM tool depends on its monitoring and alerting capabilities as well as customization options for security rules. Ekran System watches all actions of all users that access protected endpoints and saves this data. Our insider threat detection software comes with a set of predefined security rules, but you can also configure custom rules.
When Ekran System detects a potential threat, it sends an alert with a link to the real-time user session. Security officers can watch the session, decide whether the user indeed threatens the company’s security, and kill a process or block the user if needed.
Detecting anomalies in user and entity behavior
The activity of a malicious insider doesn’t always violate security rules, especially when the insider has elevated privileges or diverse job duties. If such a user tries to tamper with the data they usually access, the UAM tool won’t see it as a suspicious event.
You can detect such attacks if you employ a user and entity behavior analytics (UEBA) tool. UEBA technology is based on artificial intelligence (AI) algorithms that analyze data on ordinary user behavior, create a baseline for each user and entity, compare user behavior with the behavior of peer groups, and detect deviations in users’ actions. You can also integrate a UEBA tool with a UAM tool to get more precise analysis results.
For example, Ekran System’s UEBA module [PDF] alerts security officers if a user connects to an endpoint during unusual hours. This may indicate that the user wants to do something malicious. Ekran’s UEBA module also calculates a risk score for user activity, which can help security officers detect insider threats.
Shifting attention from machines to people
Turning your security system from reliance on detection technologies for insider threats to a people-centric approach helps to detect other behavioral indicators of insider threats. It also makes employees more aware of their actions and responsibilities, improves security awareness, and reduces the number of restrictive controls.
When your employees are aware of the types, indicators, and consequences of insider attacks, they can help you detect threats that slip through traditional security systems. Keep in mind that this method of securing sensitive data doesn’t mean you can fully give up on security tools.
If you configure Ekran System to show warning messages to educate a user that violates security rules, for instance, you can also use UAM records during insider threat security awareness training to show employees real examples of the best and worst security practices.
Hunting insider threats
Threat hunting is one of the active methods to detect insider threats. Instead of waiting for an alert, security officers assume that their network has already been compromised and look for possible indicators of compromise.
Insider threat hunting is similar to internal security audits with one key difference: during an audit, security officers check the compliance of the security system with certain standards, regulations, or laws. During threat hunting, they set the audit agenda themselves.
To hunt insider threats successfully, the security team needs to analyze massive amounts of data: reports of previous security events, results of risk assessments, logs of suspicious and negligent user activity, risk scores generated by AI-based tools, etc. Similar to audits, threat hunting has to be done regularly.
To hunt insider threats, the security team needs insider threat management tools that gather and analyze as much data as possible. Being the software for user session recording, Ekran System helps to review suspicious sessions, generate reports on various events that happened on monitored endpoints, and check risk scores calculated by the UEBA module. If they find evidence of malicious insider activity, they can export these records in a protected format for further forensic activities.
Insider threats come in all shapes and sizes. They can be malicious or accidental, well-planned or opportunistic, disruptive or quiet, hidden or in plain sight. Each insider threat technique requires a corresponding threat detection method. Implementing many threat detection methods by deploying a separate dedicated tool for each can be resource-consuming and cause confusion in your security system.
Ekran System helps you deploy several threat detection methods and avoid complex integration configurations. Our comprehensive insider risk management platform includes user activity tracking software, lightweight privileged access management, an AI-powered UEBA module, and a diverse toolset for audits and reporting.
Request a demo or a free trial to start enhancing your security with Ekran System!