Five Steps to Effectively Identify Insider Threats
Discovering your organization has suffered a significant compromise or data breach due to rogue, negligent, or compromised insiders can be devastating. Regardless of the type of insider risk, security teams must have a plan in place that enables early detection and mitigation of breaches caused by them.
This amounts to more than just picking the right security solutions. It is also a matter of defining and building a security program that puts people, processes, and technology together to defend effectively against these kinds of threats, while making the best use of the resources the team already has.
Particularly where users hold access rights beyond what their role requires, an insider can be any one of the following:
- Current employee
- Business partner
- Former employee
- Temporary worker
- Service provider
Not all insider attacks are deliberate. The “insider” could also be someone whose network credentials have been stolen. Or it could be a person “deceived into advancing… adversaries’ objectives without knowingly doing so,” says the National Insider Threat Task Force (NITTF).
With respect to insider threats, the National Counterintelligence and Security Center (NCSC) says, “The last year and a half presented an increasingly challenging risk environment, with significant adjustments to work and home life, disrupted supply chains, financial insecurity, unreliable or overwhelmed technology capabilities, political and cultural fissures, and serious health concerns.”
Here are five steps to effectively identify insider threats:
- Not all users are the same – Group all of your users according to their location, role and function. Also group normal activities. Define levels of access for each role type. Regardless of their role, vet all personnel before granting access to organizational assets. Make it part of your process to periodically audit user groups to ensure no drift from approved access has occurred for any specific user.
- Get to know normal – “Detection of potentially malicious behavior involves authorized… personnel gathering information from many sources and analyzing [it] for clues or behavior of concern,” says the NITTF. But doing all of this with limited human intervention is essential. The good news is that technology exists to automate the process of understanding normal. User and Entity Behavior Analytics (UEBA) is a good way for security teams to begin learning how user accounts and assets are typically used.
Leveraging advanced AI and machine learning, UEBA can build a baseline of your users and assets; then, as new actions occur, users and assets are assigned risk scores, making it easy for security analysts to create watchlists to monitor those that are most important or are exhibiting behaviors that might indicate a threat. When risky users or assets are identified, security analysts should be able to use the data analyzed by the technology to gain full visibility into the potential threat and, if needed, take decisive automated response actions.
- Manage wisely – Most of the time a rogue user isn’t born, they are made. No manager wants their employee to become disillusioned with the organization, but it can happen. Holding periodic check-ins with your team members and paying close attention to those who may be exhibiting unusual behaviors is key to identifying a potential rogue insider early, before they fully turn to the dark side. Prompt action can save you and your organization the pain of a successful rogue insider attack.
While not a rogue insider, a compromised insider might have unwittingly permitted their own workstation to be infected with malware or ransomware. “You can help your [users] avoid social missteps and prevent unintentional harm that can lead to increased risk of insider threats… by increasing awareness,” says the NITTF.
The negligent insider is one who doesn’t adhere to established IT procedures. It could be a person who doesn’t log out of their computer, or possibly an administrator who failed to change a default password or apply a vital security patch. Real-world examples run from the mundane to the extreme, as we report in our “Preventing Insider Threats with UEBA” white paper.
Plan to train all employees in cybersecurity and periodically challenge them to remain alert. Make sure your training covers the various types of insider threat personas. Keep them up to date on current regulations, security threats, and practices.
- If a user looks like they’re making a move, alert the SOC – Leverage relevant security solutions to monitor personnel and assets. Such visibility can reveal behaviors that are indicative of a threat and could negatively impact the organization. Carefully examine abnormal activity as defined by prior risk assessment.
Unnecessary access privileges are an easy entry point to insider attacks. Regularly audit sensitive information entitlements such that they’re limited to authorized users, processes, or devices, and to authorized activities and transactions. Reduce the number of devices with such access, especially in relation to those personnel whose relationship has expired (e.g., temporary employees, contractors and business partners) or been terminated. “A single indicator may say little,” says the NITTF. “[But] if taken together with [others], a pattern of concerning behavior may arise that can add up to someone who could pose a threat.”
Signals pointing to a malicious insider might exist in several places, making early detection difficult. Pulling them together and adding context to determine whether a threat exists requires expertise that few systems, and even fewer humans, have. A deployed user and entity behavior analytics (UEBA) solution, however, can surface such patterns well in advance.
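As an added illustration (not Exabeam's code or its scoring model), the following sketch shows the baseline, risk-score and watchlist flow described under steps two and four: a per-user baseline of seen hosts and hours is learned from constructed sample events, each new event is checked for indicators against that baseline, and the weighted indicators accumulate per user so that a single weak signal stays below the watchlist threshold while a combined pattern crosses it. The indicator weights, the business-hours window and the threshold are assumed values chosen for the example.

```python
from collections import defaultdict
# Constructed sample events (not real telemetry): (user, hour_of_day, host, action).
BASELINE_EVENTS = [
    ("alice", 9, "ws-01", "login"), ("alice", 14, "ws-01", "file_read"),
    ("bob", 10, "ws-02", "login"), ("bob", 15, "ws-02", "file_read"),
    ("carol", 8, "ws-03", "login"), ("carol", 11, "ws-03", "file_read"),
]
NEW_EVENTS = [
    ("alice", 10, "ws-01", "file_read"),        # matches baseline: no indicators
    ("carol", 10, "ws-09", "login"),            # one indicator only: unseen host
    ("bob", 2, "fileserver", "login"),          # unseen host + off-hours
    ("bob", 2, "fileserver", "bulk_download"),  # unseen host + off-hours + sensitive action
]
# Assumed illustrative weights, business-hours window and threshold, not a product's scoring.
WEIGHTS = {"unseen_host": 30, "off_hours": 20, "sensitive_action": 40}
BUSINESS_HOURS = range(7, 20)
SENSITIVE_ACTIONS = {"bulk_download", "privilege_change"}

def build_baseline(events):
    """Learn, per user, the hosts and hours of day seen during the training window."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for user, hour, host, _action in events:
        baseline[user]["hosts"].add(host)
        baseline[user]["hours"].add(hour)
    return baseline

def indicators_for(baseline, event):
    """Names of the indicators one event triggers against its user's baseline."""
    user, hour, host, action = event
    profile = baseline.get(user, {"hosts": set(), "hours": set()})
    hits = []
    if host not in profile["hosts"]:
        hits.append("unseen_host")
    if hour not in profile["hours"] and hour not in BUSINESS_HOURS:
        hits.append("off_hours")
    if action in SENSITIVE_ACTIONS:
        hits.append("sensitive_action")
    return hits

def risk_scores(baseline, events):
    """Accumulate weighted indicators per user so weak signals add up into a pattern."""
    scores = defaultdict(int)
    for event in events:
        for name in indicators_for(baseline, event):
            scores[event[0]] += WEIGHTS[name]
    return dict(scores)

def watchlist(scores, threshold=60):
    """Users whose accumulated score reaches the analyst-defined threshold."""
    return sorted(user for user, score in scores.items() if score >= threshold)
```

Running `watchlist(risk_scores(build_baseline(BASELINE_EVENTS), NEW_EVENTS))` puts only bob on the watchlist: carol's single unseen-host indicator scores 30 and stays below the threshold, while bob's combined off-hours access to an unseen host followed by a bulk download accumulates to 140.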
- A breach occurred…now what? – Despite your best efforts, an insider may still go rogue. Be prepared by having a solid breach plan in place. If you plan for the worst-case scenario, you will be ready to spring into action if, or when, the insider carries out their plans.
Build repeatable, fast-acting checklists and response playbooks for your team to use when responding to significant threats. By evaluating threats consistently, security teams can accurately determine where a real threat lies and dedicate their time to remediating it instead of chasing false positives.
An insider breach damages an organization far beyond the data lost or systems damaged. Trust between employees, managers, customers, and partners can quickly erode after such an event. We recommend taking an informed, stepwise approach in building an insider threat program that turns your reactive team into a highly effective, proactive one.
Learn more about Security Programs for Insider Risk
To learn more about how to create a security program for insider risk, read our “Insider Threats Checklist,” which expands on the following points:
- Governance and strategy
- Personnel assurance
- Training and awareness
- Asset management
- Entitlement control
- Insider risk assessment
- Compliance and reporting