Organizations spend a good deal of money protecting against unauthorized access from outside, yet industry analyses repeatedly show that malicious insiders can cause no less harm.
Edward Snowden is probably the most famous example of a malicious insider, but disgruntled employees can appear in any organization. According to a study conducted by the Ponemon Institute, organizations around the world lost on average nearly $9 million each to insider threats in 2017.
Organizations that become victims of malicious insider attacks may face many negative consequences starting from loss of confidential data, revenue, and clients to reputational harm or even going out of business.
Let’s look closer at how organizations can detect malicious insider threats and what measures can be taken to prevent them.
Who are malicious insiders?
The CERT Division of Carnegie Mellon University's Software Engineering Institute defines a malicious insider as a current or former employee, contractor, or trusted business partner of an organization who has or had authorized access to critical assets and intentionally misuses that access in a manner that negatively affects the organization.
Malicious insiders are harder to detect than outside attackers: they have legitimate access to an organization's data, and they spend most of their time performing regular work duties. Detection therefore tends to take a long time, and an insider attack often becomes obvious only when the organization is already facing its consequences.
In their guide to insider threats, CERT describes the common malicious actions of three main types of malicious insiders.
- Information technology sabotage is abusing information technology to direct specific harm to an organization or an individual. These types of attacks are usually performed by system administrators, programmers, or other technically savvy employees who can hide their malicious actions and disable an organization’s operations. These people are typically motivated by a desire to get revenge for a negative work experience and generally execute their attacks during employment or shortly after termination.
- Data theft is stealing intellectual property or sensitive data from an organization for monetary gain or personal benefit. Insiders who steal data are usually current employees such as engineers, programmers, scientists, or salespeople. Most of them steal the same information they access during their normal work, intending to use it at a new job or to start their own business. This type of insider can act alone or in cooperation with other employees. Corporate espionage also belongs to this category: insiders steal trade secrets so that a third party can gain a competitive advantage. Data theft is usually carried out in the roughly two-month window after an employee has resigned but before they actually leave.
- Insider fraud is unauthorized access to or modification of an organization's data for personal gain, or theft of data for use in identity theft or credit card fraud. These attacks are usually committed by lower-level employees such as administrative assistants, customer service specialists, or data entry clerks. In most cases they are motivated by personal financial problems or greed; only occasionally are they recruited by outsiders. Most perform their malicious actions during normal work hours and continue even after their financial problems are solved.
Each of these types of malicious insiders has their own reasons for executing insider attacks. It’s necessary to understand that attacks by malicious insiders are rarely committed randomly, as insiders usually thoroughly plan their actions or take them following a triggering event. Thus, there are typical behavioral indicators of malicious insiders and technical indicators of planned attacks.
Behavioral indicators of malicious insiders
Not all employees become malicious insiders, so there’s no need to suspect all people with whom your organization has business relations. There are certain common predispositions of malicious insiders that distinguish them from their coworkers.
The following things that you can identify during the hiring process can be warning signs of a potentially risky insider:
- Official records of arrests, harassment, hacking, or security violations at former workplaces
- Cases of unprofessional behavior
- Cases of bullying or intimidation of other employees
- Personality conflicts
- Misuse of travel, time, or expenses at former workplaces
- Conflicts with former coworkers or supervisors
Behavioral indicators can also appear during work at your organization and signal an employee's disgruntlement and potential readiness to take malicious actions. Your human resources department should pay closer attention to employees or contractors who violate corporate policies, have conflicts with colleagues, perform poorly, take frequent sick leave, or never take vacations.
A triggering or precipitating event that leads to an insider attack can be downsizing, transferring to another department, dismissal, unmet expectations about raises or financial rewards, or conflicts with team leaders. In these cases, the HR department should inform security officers so they can conduct targeted technical monitoring of these employees. While there may be no signals of an ongoing attack during these periods, it’s important to constantly monitor critical events and detect anomalies.
Technical indicators of malicious insiders
Technical indicators include actions of malicious insiders that involve computers or electronic media. To execute their attacks, insiders misuse their authorized access to critical corporate data or create a new path in order to access unauthorized assets and conceal their identity or actions.
Indicators of IT sabotage
Technically savvy insiders usually try to bypass protection measures and conceal their activity or identity. To achieve this, they can try the following:
- Creating backdoor accounts or hidden servers, or installing a modem, to retain access after leaving
- Changing all passwords so that nobody can access data
- Disabling system logs or removing history files to hide malicious actions
- Deliberately skipping backups so that changes they make to critical assets can't be undone
- Installing a remote network administration tool
- Installing malware such as a virus, password cracker, rootkit, or logic bomb
- Accessing customers’ systems or machines of other employees without authorization
For instance, in 2011, Jason Cornish, a former IT employee at Shionogi, a Japanese pharmaceutical company with branches in the US, remotely infiltrated and attacked the company's IT infrastructure. Using a hidden virtual server he had set up earlier, he logged into the corporate network and wiped out the company's virtual servers, taking down its financial, email, and order tracking services. This halted Shionogi's operations for several days and cost the company more than $800,000.
New technologies such as cloud computing open new opportunities for attack. A malicious insider at a cloud provider can compromise information about all of the provider's customers, so a lack of privileged user monitoring puts the reputation of both the provider and its customers at stake.
Indicators of data theft
In the case of data theft, insiders try to access critical data and steal it to share it with competitors or future employers or keep it for personal use. Since insiders perform their regular duties most of their time, it may be quite difficult to detect data theft. However, security officers should pay attention to the following actions that may indicate data exfiltration:
- Massive downloading of corporate data to a laptop or USB device
- Constant sending of small pieces of sensitive data to a non-corporate address
- Sending emails with large attachments to competitors' or personal addresses
- Extensive use of corporate printers
- Remotely accessing a server through a virtual private network during non-working hours or during vacations
- Attempts to access websites prohibited by the organization’s acceptable use policy
- Transferring files outside of the corporate network using File Transfer Protocol (FTP) or other methods
For example, in 2018, Sinovel, a Chinese wind turbine company, was convicted in a US federal court of stealing trade secrets belonging to AMSC, an American clean energy company. The data theft was committed by Dejan Karabasevic, a former AMSC employee. Before he resigned from the company, Karabasevic secretly downloaded corporate data about a new technology for increasing the efficiency of wind turbines. Sinovel then employed Karabasevic and used these trade secrets to retrofit its wind turbines. The breach nearly drove AMSC out of the market.
Another well-known case of data theft is that of Anthony Levandowski, who worked in Google's autonomous car project. During his time at Google, Levandowski allegedly downloaded thousands of files containing trade secrets. Shortly after leaving Google, he founded Otto, a self-driving truck startup. After Uber acquired Otto, Waymo, the self-driving car unit spun out of Google, sued Uber, accusing it of using stolen trade secrets.
Indicators of insider fraud
When it comes to fraud, insiders try to steal information to which they already have access. In some cases they cooperate with coworkers and share credentials to reach sensitive data. The technical indicators of insider fraud are very similar to those of data theft; in some cases, employees committing fraud may also share or print files they don't normally use.
In addition, insiders can look up sensitive data on a corporate server and use it immediately for their malicious purpose. Only rarely do insiders committing fraud use technical tools such as keystroke loggers or anonymous remailers to mask their involvement.
Typically, fraud involves small changes to data that earn the insider a small financial reward each time. Because each change is hard to notice, the fraud can continue for as long as the insider wants. Insiders can also abuse their authorized access to sell data to external parties who then carry out identity theft.
One example of insider fraud is the 2015 incident at AT&T. AT&T paid a $25 million settlement after call center workers stole the personal information of approximately 280,000 customers and sold it to third parties, who used the data to submit requests to unlock AT&T mobile phones.
Most of these malicious actions can be detected by security operators or system administrators using dedicated tools for employee monitoring, log management, and data loss prevention.
How to detect malicious insiders
Security specialists can detect malicious insiders through technical means by prioritizing alerts and building rules that indicate abnormal actions as well as by establishing a baseline of normal user behavior. Other things that can help you detect and prevent insider threats are website and application monitoring, keystroke logging, USB management, and file transfer monitoring.
First of all, you need to identify high-priority files and systems and control any access or changes to them with prioritized alerts. Prioritizing alerts can be difficult, but once priorities are set, security operators will be immediately informed about any suspicious actions involving sensitive data. After defining sensitive data, you can establish high-priority alerts that inform about:
- Unauthorized access to critical or sensitive information that’s inconsistent with job duties
- Sending of emails to competitors or emails with unusually large attachments
- Use of unauthorized USB devices and laptops
- Extensive printing or copying of files that contain intellectual property or other sensitive information
- Access to corporate servers during non-working hours or from atypical locations
- Multiple failed authentication attempts
- Installation of any additional software
- Disabling or tampering with security software
- Access to, or modification of, log data
- Creation of new accounts that have no matching HR onboarding record
To check how well your rules hold up against an insider attack, simulate one against your own systems and refine the rules as needed. If alerts fire too often, tune the thresholds rather than silencing the rule.
In addition, you can define insider attack patterns by combining several events typical of known types of attacks. For instance, security officers can create alerts that indicate possible data exfiltration based on one of these six action sequences:
1. Unusual login time -> Unusual file access activity -> Unusual number of emails with attachments sent to a personal email account
2. Unusual login time -> Unusual file access activity -> USB device insertion
3. Accessing a VPN with a colleague's credentials -> Unusual login time -> Unusual number of files deleted
4. Unusual visits to competitors' domains -> Unusual login time -> Unusual file access activity
5. Drop in file access activity -> Drop in web activity -> Drop in email correspondence -> Unusual visits to competitors' domains
6. Increased use of social media -> Unusual login time -> Unusual file access activity -> Unusual email activity
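The following is an added example, not code from the original article or from any product it mentions, showing how the prioritized single-event alerts listed above and the ordered event sequences (patterns 1, 2, and 4) can be expressed as rules. The event log, the corporate and competitor domain names, the business-hours window, and the thresholds are all constructed assumptions; a real deployment would tune them per organization and feed events from its own SIEM or monitoring agent.

```python
"""Rule-based insider-threat detection: per-event priority alerts and
ordered event-sequence correlation over a constructed audit log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); timestamps are ISO 8601.
EVENTS = [
    {"ts": "2024-03-04T02:10:00", "user": "alice", "type": "login", "src": "vpn"},
    {"ts": "2024-03-04T02:15:00", "user": "alice", "type": "file_read", "path": "/eng/design/", "count": 340},
    {"ts": "2024-03-04T02:40:00", "user": "alice", "type": "email", "to": "alice.home@mail.example", "attachment_mb": 45},
    {"ts": "2024-03-04T10:00:00", "user": "bob", "type": "login", "src": "lan"},
    {"ts": "2024-03-04T10:05:00", "user": "bob", "type": "file_read", "path": "/sales/q1/", "count": 12},
    {"ts": "2024-03-04T23:30:00", "user": "carol", "type": "login", "src": "vpn"},
    {"ts": "2024-03-04T23:45:00", "user": "carol", "type": "file_read", "path": "/hr/payroll/", "count": 500},
    {"ts": "2024-03-05T00:05:00", "user": "carol", "type": "usb_insert", "device": "removable-disk"},
    {"ts": "2024-03-03T15:00:00", "user": "dave", "type": "web", "domain": "rival-turbines.example"},
    {"ts": "2024-03-03T22:00:00", "user": "dave", "type": "login", "src": "vpn"},
    {"ts": "2024-03-03T22:20:00", "user": "dave", "type": "file_read", "path": "/eng/design/", "count": 250},
]

# Site-specific assumptions that a real deployment would tune per organization.
CORPORATE_DOMAIN = "example-corp.example"
COMPETITOR_DOMAINS = {"rival-turbines.example"}
WORK_HOURS = range(8, 19)        # 08:00-18:59, assumed business hours
BULK_FILE_THRESHOLD = 200        # files read in one burst
LARGE_ATTACHMENT_MB = 25
HIGH_PRIORITY = {"email_to_personal", "large_attachment", "usb_insert", "unusual_file_access"}


def indicators(ev):
    """Map one raw event to zero or more indicator names."""
    ts = datetime.fromisoformat(ev["ts"])
    out = []
    if ev["type"] == "login" and ts.hour not in WORK_HOURS:
        out.append("unusual_login_time")
    if ev["type"] == "file_read" and ev.get("count", 0) >= BULK_FILE_THRESHOLD:
        out.append("unusual_file_access")
    if ev["type"] == "usb_insert":
        out.append("usb_insert")
    if ev["type"] == "email":
        if ev["to"].rsplit("@", 1)[-1].lower() != CORPORATE_DOMAIN:
            out.append("email_to_personal")
        if ev.get("attachment_mb", 0) >= LARGE_ATTACHMENT_MB:
            out.append("large_attachment")
    if ev["type"] == "web" and ev.get("domain") in COMPETITOR_DOMAINS:
        out.append("competitor_domain")
    return out


def priority_alerts(events):
    """Single-event alerts: (user, ts, indicator) for every high-priority indicator."""
    return [(ev["user"], ev["ts"], ind)
            for ev in events for ind in indicators(ev) if ind in HIGH_PRIORITY]


# Ordered indicator sequences modelled on exfiltration patterns 1, 2 and 4 above.
PATTERNS = {
    "exfil_via_email": ["unusual_login_time", "unusual_file_access", "email_to_personal"],
    "exfil_via_usb": ["unusual_login_time", "unusual_file_access", "usb_insert"],
    "recon_then_exfil": ["competitor_domain", "unusual_login_time", "unusual_file_access"],
}


def match_sequence(seq, pattern):
    """True if every step of `pattern` appears in `seq` in order (gaps allowed)."""
    it = iter(seq)                   # `in` on an iterator consumes it up to the match
    return all(step in it for step in pattern)


def detect(events, window=timedelta(hours=24)):
    """Per user, the patterns whose steps all occur in order within `window`."""
    timeline = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for ind in indicators(ev):
            timeline[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ind))
    hits = {}
    for user, steps in timeline.items():
        for name, pattern in PATTERNS.items():
            for i, (t0, first) in enumerate(steps):
                if first != pattern[0]:
                    continue         # a match must start with the pattern's first step
                in_window = [ind for t, ind in steps[i:] if t - t0 <= window]
                if match_sequence(in_window, pattern):
                    hits.setdefault(user, []).append(name)
                    break
    return hits


if __name__ == "__main__":
    for alert in priority_alerts(EVENTS):
        print("ALERT", *alert)
    for user, names in detect(EVENTS).items():
        print("PATTERN", user, names)
```

On the constructed log, bob's daytime activity produces nothing, alice matches the email exfiltration sequence, carol matches the USB sequence (her USB insertion just after midnight still falls inside the 24-hour window), and dave matches the competitor-visit-then-exfiltration sequence. The sequence matcher allows unrelated events between steps, which is what makes it tolerant of the normal work an insider does in between; the window keeps an old indicator from pairing with an unrelated one weeks later.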
A modern alternative to predefined correlation rules is user and entity behavior analytics (UEBA), which uses machine learning and statistical analysis to detect malicious activity more precisely. UEBA systems build a baseline of normal behavior for each user and then compare the user's current activity against it. This allows more targeted monitoring of suspicious employees and reveals abnormal activity that signature-style rules miss.
When employees are familiar with security solutions applied by their organizations, they can try to fly under the radar. However, UEBA solutions can detect even slight changes in user behavior as well as patterns.
For instance, a UEBA system can detect anomalous activity if insiders try to send small pieces of customer data or trade secrets to private email accounts over an extended period. Moreover, security officers can be alerted when a user tries to print sensitive files along with other data they usually print.
Behavioral analysis also allows you to compare a user’s activity to activities of other employees with similar duties. Thus, the system can detect when a user exceeds their authority or begins to look for something that might be stolen and sold for financial gain.
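The example below is added here and is not code from the original article or from any UEBA product; it illustrates the two comparisons just described, a user against their own baseline and a user against peers with similar duties, on constructed daily counts of files emailed to non-corporate addresses. The user names, roles, thresholds, and the 14-day history are all assumptions chosen to show one case that only the self-baseline catches (a sudden spike) and one that only the peer comparison catches (a steady low-level drip).

```python
"""UEBA-style scoring: compare each user's activity today with their own
baseline and with peers in the same role, over constructed daily counts."""
from statistics import mean, median, pstdev

# Constructed data (not real telemetry): per user, the number of files sent to
# non-corporate email addresses on each of the last 14 days, plus today's count.
HISTORY = {
    "alice": [0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0],
    "bob":   [0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0],
    "carol": [0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0],
    "dave":  [1, 2, 2, 3, 2, 3, 3, 2, 3, 4, 3, 3, 4, 3],   # steady "slow drip"
    "erin":  [3, 4, 3, 3, 4, 3, 4, 3, 3, 4, 3, 3, 4, 3],   # normal for a sales role
}
TODAY = {"alice": 9, "bob": 1, "carol": 0, "dave": 3, "erin": 4}
ROLES = {"alice": "eng", "bob": "eng", "carol": "eng", "dave": "eng", "erin": "sales"}


def self_baseline_score(history, value):
    """z-score of today's value against the user's own history."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:                      # flat history: any increase is anomalous
        return float("inf") if value > mu else 0.0
    return (value - mu) / sigma


def peer_ratio(user, history, roles):
    """User's 14-day total divided by the median total of same-role peers.
    Catches a sustained low-level drip that never spikes against the user's
    own baseline. Returns 0.0 when the user has no peers to compare with."""
    peers = [u for u in history if u != user and roles.get(u) == roles.get(user)]
    if not peers:
        return 0.0
    own = sum(history[user])
    peer_med = median(sum(history[p]) for p in peers)
    if peer_med == 0:
        return float("inf") if own > 0 else 0.0
    return own / peer_med


def score_users(history, today, roles, z_threshold=3.0, ratio_threshold=3.0):
    """Return {user: [reasons]} for every user exceeding either threshold."""
    flagged = {}
    for user, past in history.items():
        reasons = []
        if self_baseline_score(past, today[user]) >= z_threshold:
            reasons.append("self_baseline")
        if peer_ratio(user, history, roles) >= ratio_threshold:
            reasons.append("peer_group")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in score_users(HISTORY, TODAY, ROLES).items():
        print(user, reasons)
```

Against these numbers, alice's nine files today are far outside her own near-zero baseline, while dave's three files today look perfectly normal for dave; only the comparison with other engineers exposes that he has been sending roughly ten times as much as his peers for two weeks. erin sends as much as dave but is in a different role with no peers in the sample, so she is not flagged; grouping by role is what keeps a salesperson's legitimate external mail from looking like an engineer's exfiltration.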
Detecting a malicious insider is a complicated task for organizations, as it’s not only a technical problem. With close cooperation between human resources and security departments, an organization can identify early indicators of potential risk. This allows the company to implement targeted monitoring and detect malicious insiders before they cause damage.
Employee monitoring software such as Ekran System lets you identify malicious actions in real time and stop an attack while it is still in progress.