Through a joint venture between the National Counterintelligence and Security Center (NSC) and the National Insider Threat Task Force (NITTF), September has been declared National Insider Threat Awareness Month (NITAM). The purpose of this initiative is to educate organizations and their workers on the danger, to help them understand how it can happen by both deliberate and accidental means, and to help staff identify and report suspicious activity.
COVID-19 is taking a toll on the world. A higher chance of fraud, theft, and to put it simply, insider danger comes with this. This is supported by a report conducted by The Ponemon Institute that shows that since 2018, insider threats have risen by 47%.
So what is an insider threat exactly? We will take a deep dive into what constitutes an insider danger in this blog post, including the various forms and a walk-through of examples and common indicators. In addition, I will include some information about different ways in which you can protect your organisation from insider threats.
What is a Threat from an Insider?
An Insider Threat is usually a person who uses the access they have been given to the resources of an organisation to cause harm to the company. Although associating danger with malicious intent can be enticing, the fact is that most insider risks come from negligent insiders vs. malicious insiders. Let’s describe these forms of insider threats better.
Malevolent Insider vs. Negligent Insider
A Malicious Insider is a person who deliberately steals information from an organisation or conducts an action with the purpose of causing harm to the organisation. Usually, this is someone with valid access to the network and who exploits that access for personal gain or satisfaction. For these “poor actors,” typical drivers and objectives include:
- Gain in Finance
- Vendetta Personal
- Theft of Intellectual Property
- On behalf of a different agency, espionage
A Negligent Insider is anyone who, because of insecure conduct, inadvertently compromises information or positions the company at increased risk. This not only concerns an organization’s own workers, but also extends to contractors and third-party suppliers. Insecure actions examples include:
- Emailing personal information to the wrong person
- Losing a Notebook
- Falling prey to an assault by phishing
- Circumventing security policies or using poor decisions when obtaining resources from companies
Understanding the Main Insider Danger Risks
There are a variety of reasons why, even more risky than external attackers, insiders can be.
They have legitimate access to essential resources, such that security vulnerabilities that would be far easier to detect need not be detected and exploited.
They already know the lay of the land, so they do not need to go through the exercise of discovering where confidential information resides or recognizing the organization’s most important assets or resources.
Beyond merely stealing or losing confidential data, they face risks. They can take down critical systems or hack them, spread malware, exploit assets for personal benefit, and more.
Each of these variables results in an inherent challenge in being able to identify an insider threat quickly. Malicious insiders are able to cover their tracks much better than foreign threats with legitimate access to resources, knowledge of where sensitive data resides, and security measures in place, and can thus remain undetected for much longer. In certain cases, negligent insiders pose an even higher risk, especially if the nature of their job refers to the routine handling of sensitive systems or data properties.
The Common Indicators
It is necessary to beware of these common indicators in order to avoid a possible data breach or catastrophic problem due to an insider threat:
- Accessing systems or data outside usual job duties (or trying to access them)
- Request for data access without a legitimate “need-to-know”
- Unusual or unexplained patterns of access, such as attempts to download or copy vast quantities of sensitive information
- Accessing or using unauthorised apps, programmes, or computers for storage
- Trying to circumvent security protocols or breach corporate policies
- Showing odd, unpredictable, or disgruntled conduct
- During irregular time periods, such as after work hours or weekends, accessing systems or data
With insider risks being so prevalent, let’s discuss some real-life situations where the root cause of a data breach was an insider with legitimate access to a scheme.
Anthem was told of an employee who had been stealing and misusing Medicaid member data since July 2016 by LaunchPoint, Anthem’s Medicare insurance coordination services provider. The worker had sent to their personal email a file containing PHI like Medicare ID numbers, Social Security numbers, Health Plan ID numbers, member names, and enrollment dates.
A Boeing employee named Greg Chung is one of the most notorious and serious examples of a malicious insider. While working at Rockwell and later Boeing, Greg worked as a Chinese spy for over 25 years, stealing classified information to help develop and advance the Chinese space programme. This took place all the way from 1979 until he was eventually caught in 2006. Owing to the existence of the knowledge that he was exfiltrating, Chung not only undermined the businesses he operated in but also national security.
In an AWS hosted resource, the 2019 Capital One data breach was eventually due to a misconfigured web application. In this case, this vulnerability was taken advantage of by a software developer who worked for AWS and eventually stole over 100 million customer records that included account and credit card application information. The hacker debated her exploits with colleagues over Slack and even used her full name to publish the data on GitHub.
Protect Your Organization From Insider Threat:
In order to protect the data of a company and preserve the privacy of its personnel and consumers, effective insider threat prevention and identification are essential. The following key processes and related technologies provide an effective insider threat programme:
Effective Threat Program for Insiders Includes:
The ability to track user behaviour through the entire network is one of the most integral aspects of an insider threat programme. It is necessary to understand exactly who accesses what data, what they do with it, and how they have access to it. Start monitoring critical systems and data and when required, extend the scope. In addition to providing raw user activity events, a proper monitoring solution can include additional analysis that is capable of detecting suspicious or irregular activity.
The ability to escape insider threats begins by providing a collection of security policies, technologies, and procedures designed to protect the vital infrastructure and confidential data of an organisation. This entails incorporating technologies such as Identity and Access Management, Multi-Factor Authentication, Privileged Access Management, Active Directory Protection and Data Access Governance. This mixture of technologies helps to guarantee that…
- Access to data is limited and regularly checked when required and
- Through effective controls, confidential data is secured.
- To minimize possible threat vectors, Active Directory is hardened to
- Limited ability to exploit privileged credentials
The value of education, in addition to these innovations, cannot be understated. Employees should be aware of common vectors of attack and how their activities lead to the potential for attacks from insiders. They should know what kinds of behaviors, especially when it comes to confidential information, are off-limits. Your staff and partners should usually be aware of internal security procedures and best practices for basic cybersecurity. Employees should also be aware of how an insider threat may be identified, such as a coworker exhibiting unusual actions and who to reach out to in these situations.
The longer an insider threat remains undetected, the greater its financial impact on a company would be. The Ponemon Institute study found that annualised accidents that took 90 days to contain cost organisations $13.71 million, while incidents that lasted less than 30 days cost about half of that. You need a robust threat detection and response system to identify an insider attack in time to avoid a possible catastrophe or a full breach of your network or critical infrastructure, which should include:
- The ability to identify particular methods, strategies and procedures that attackers typically use when trying to compromise credentials or information. This involves the ability to identify hazard criteria for organisations based on their specific requirements.
- Comprehensive investigative potential to support consumers and associated operations with forensic investigations
- Compared to standard access trends, machine learning and user behaviour analytics detect anomalous, outlier behaviour.
In order to minimise the possible damage from an insider threat, the ability to automate response activities based on detected threats is key. Because specific attacks will require specific responses, it is essential to have a catalogue of response actions that are customizable based on the needs of an organisation. Basic actions in response can include:
- Blocking data access temporarily
- Disabling credentials that are compromised
- Delete files that are malicious
- Sending updates and warnings
- Blocking an application or method