Five Steps to Effectively Identify Insider Threats
Not all insider attacks are deliberate. Here are five steps you can use to effectively identify emerging insider threats in your network.
Discovering your organization has suffered a significant compromise or data breach due to rogue, negligent, or compromised insiders can be devastating. Regardless of the type of insider risk, security teams must have a plan in place that enables early detection and mitigation of breaches caused by them.
This amounts to more than just picking the right security solutions. It’s also a matter of defining and creating a security program that puts people, processes, and technology together to effectively defend against these kinds of threats—all the while with an eye to optimizing the resources they already have.
Anyone who holds access rights to organizational assets, and especially anyone whose rights exceed what their role requires, can be an insider. That includes:
- Current employee
- Business partner
- Former employee
- Temporary worker
- Service provider
Not all insider attacks are deliberate. The “insider” could also be someone whose network credentials have been stolen. Or it could be a person “deceived into advancing… adversaries’ objectives without knowingly doing so,” says the National Insider Threat Task Force (NITTF).
With respect to insider threats, the National Counterintelligence and Security Center (NCSC) says, “The last year and a half presented an increasingly challenging risk environment, with significant adjustments to work and home life, disrupted supply chains, financial insecurity, unreliable or overwhelmed technology capabilities, political and cultural fissures, and serious health concerns.”
Here are five steps to effectively identify insider threats:
- Not all users are the same – Group your users by location, role, and function, and group the activities that are normal for each of those groups. Define levels of access for each role type. Regardless of role, vet all personnel before granting access to organizational assets.
- Get to know normal – “Detection of potentially malicious behavior involves authorized… personnel gathering information from many sources and analyzing [it] for clues or behavior of concern,” says the NITTF. But doing all of this with limited human intervention is essential.
Leverage advanced AI and machine learning technology to develop a baseline of your users and assets; create watchlists to monitor those that are most important. Include repeatable, fast-acting checklists and response playbooks.
- Manage wisely – Educate all users on how you are working to protect them and the organization. Pay attention to all your personnel; praise them for jobs well done while taking responsibility for any missteps.
Not all insider threats are intentionally malicious. A compromised insider might have unwittingly permitted their own workstation to be infected with malware or ransomware. “You can help your [users] avoid social missteps and prevent unintentional harm that can lead to increased risk of insider threats… by increasing awareness,” says the NITTF.
The negligent insider is one who doesn’t adhere to established IT procedures. It could be a person who doesn’t log out of their computer, or possibly an administrator who failed to change a default password or apply a vital security patch. Real-world examples run from the mundane to the extreme, as we report in our “Preventing Insider Threats with UEBA” white paper.
Plan to train all employees in cybersecurity and periodically test them to keep them alert. Make sure your training covers the various insider threat personas. Keep them up to date on current regulations, security threats, and practices.
- If a user looks like they’re making a move, alert the SOC – Leverage relevant security solutions to monitor personnel and assets. Such visibility can reveal behaviors that are indicative of a threat and could negatively impact the organization. Carefully examine abnormal activity as defined by prior risk assessment.
Unnecessary access privileges are an easy entry point for insider attacks. Regularly audit entitlements to sensitive information so that they are limited to authorized users, processes, or devices, and to authorized activities and transactions. Reduce the number of devices with such access, and promptly revoke it for personnel whose relationship with the organization has expired or been terminated (e.g., temporary employees, contractors, and business partners).
“A single indicator may say little,” says the NITTF. “[But] if taken together with [others], a pattern of concerning behavior may arise that can add up to someone who could pose a threat.”
Signals pointing to a malicious insider are usually scattered across several systems, which makes early detection difficult. Pulling them together and adding the context needed to decide whether a threat exists takes expertise that few systems, and even fewer analysts, have on their own. A user and entity behavior analytics (UEBA) solution can correlate those signals and surface them earlier.
- A breach occurred…now what? – Rogue insiders are not born; they're made. Sometimes they go rogue no matter what you've put in place. Be prepared by paying attention to your personnel and maintaining an up-to-date, proactive security program.
Build repeatable, fast-acting checklists and response playbooks for your team to follow when a significant threat appears. By evaluating threats consistently, security teams can accurately determine where a real threat lies and spend their time remediating it instead of chasing false positives.
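As an added example, not code from the original article or the vendor behind it, the following Python script ties together steps 1, 2 and 4 above: it groups a handful of hypothetical users by role, builds per-user and per-role baselines from constructed historical events, then scores new events on several weak indicators (unusual hour, host new to the user or to the role's peer group, outbound volume far above the user's norm, and activity after a contractor's end date) and raises an alert only when those indicators add up. Every user name, host, timestamp, weight and threshold here is an assumption chosen for illustration.

```python
"""UEBA-style scoring of events against per-user and per-role baselines.
Added example with constructed data; nothing here comes from the article."""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Hypothetical personnel directory: role (peer group) and end of relationship.
PERSONNEL = {
    "alice": {"role": "engineer", "end_date": None},
    "dave":  {"role": "engineer", "end_date": None},
    "bob":   {"role": "contractor", "end_date": "2024-03-31"},
}

# Constructed history: (user, ISO timestamp, host accessed, bytes sent out).
HISTORY = [
    ("alice", "2024-03-04T09:10:00", "git01", 12_000),
    ("alice", "2024-03-05T10:30:00", "git01", 15_000),
    ("alice", "2024-03-06T14:05:00", "wiki01", 9_000),
    ("alice", "2024-03-07T11:45:00", "git01", 14_000),
    ("dave",  "2024-03-04T09:20:00", "git01", 11_000),
    ("dave",  "2024-03-05T16:00:00", "build01", 30_000),
    ("dave",  "2024-03-06T13:15:00", "build01", 28_000),
    ("bob",   "2024-03-04T10:00:00", "ticket01", 5_000),
    ("bob",   "2024-03-05T11:00:00", "ticket01", 6_000),
]

# Constructed new events to triage (comments describe the intended scenario).
NEW_EVENTS = [
    ("alice", "2024-03-11T22:40:00", "git01", 13_000),     # late, otherwise normal
    ("alice", "2024-03-11T22:55:00", "hr-db01", 480_000),  # late + new host + big pull
    ("dave",  "2024-03-11T10:00:00", "wiki01", 10_000),    # new to dave, used by peers
    ("bob",   "2024-04-02T03:30:00", "ticket01", 5_500),   # contractor after end date
]

ALERT_THRESHOLD = 4  # assumed: one weak indicator never alerts on its own


def build_baselines(history):
    """Step 1 and 2: per-user hours/hosts/volume, plus hosts used by each role."""
    users = defaultdict(lambda: {"hours": set(), "hosts": set(), "bytes": []})
    roles = defaultdict(set)
    for user, ts, host, nbytes in history:
        dt = datetime.fromisoformat(ts)
        users[user]["hours"].add(dt.hour)
        users[user]["hosts"].add(host)
        users[user]["bytes"].append(nbytes)
        roles[PERSONNEL[user]["role"]].add(host)
    return users, roles


def score_event(event, users, roles):
    """Return (score, reasons). Each indicator is weak alone; the sum decides."""
    user, ts, host, nbytes = event
    dt = datetime.fromisoformat(ts)
    score, reasons = 0, []
    # Step 4: account still active after the relationship ended (strong signal).
    end = PERSONNEL.get(user, {}).get("end_date")
    if end and dt.date() > date.fromisoformat(end):
        score += 4
        reasons.append(f"activity after end date {end}")
    base = users.get(user)
    if base is None:  # never seen before: worth a look, but not an alert alone
        return score + 2, reasons + ["no baseline for user"]
    # Hour never seen for this user.
    if dt.hour not in base["hours"]:
        score += 1
        reasons.append(f"unusual hour {dt.hour:02d}:00")
    # Host new to the user; weigh it more if the role's peers never use it either.
    if host not in base["hosts"]:
        if host in roles[PERSONNEL[user]["role"]]:
            score += 1
            reasons.append(f"new host {host} (used by peers)")
        else:
            score += 2
            reasons.append(f"new host {host} (unknown to role)")
    # Outbound volume far above the user's own norm (mean + 3 sigma, sigma >= 1).
    mu, sigma = mean(base["bytes"]), pstdev(base["bytes"])
    if nbytes > mu + 3 * max(sigma, 1):
        score += 2
        reasons.append(f"volume {nbytes} vs mean {mu:.0f}")
    return score, reasons


def triage(events, users, roles):
    """Return (user, timestamp, score, reasons) for events worth sending to the SOC."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev, users, roles)
        if score >= ALERT_THRESHOLD:
            alerts.append((ev[0], ev[1], score, reasons))
    return alerts


if __name__ == "__main__":
    users, roles = build_baselines(HISTORY)
    for user, ts, score, reasons in triage(NEW_EVENTS, users, roles):
        print(f"ALERT {user} {ts} score={score}: {'; '.join(reasons)}")
```

Run as-is, the script alerts on two of the four events: alice's late-night pull from an unfamiliar host (late hour alone would have scored 1 and stayed quiet) and bob's login after his contract end date. The weights are deliberately simple integers so an analyst can read why an alert fired; in a real deployment the baselines would be rebuilt on a rolling window and the per-role peer group would come from the identity system rather than a hard-coded dictionary.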
An insider breach damages an organization far beyond the data lost or systems damaged. Trust between employees, managers, customers, and partners can quickly erode after such an event. We recommend taking an informed, stepwise approach in building an insider threat program that turns your reactive team into a highly effective, proactive one.
To learn more about how to create a security program for insider risk, read our “Insider Threat Checklist” which expands on the following points:
- Governance and strategy
- Personnel assurance
- Training and awareness
- Asset management
- Entitlement control
- Insider risk assessment
- Compliance and reporting