Cybersecurity Awareness Month – Insider Threats and How to Detect Them
We previously looked at incident response and the top security terms. In the last of our three-article series for National Cybersecurity Awareness Month (NCAM), we focus on the continuing challenge organizations face with insider threats. This primer on insider threats covers common threat types, detection, and behavior analytics.
What are cybersecurity threats?
Cybersecurity threats come in many forms and are ever-evolving. Usually intentional and most often malicious, they can target systems operated by individuals or entire organizations. Attackers’ motivations include data theft, financial exploitation, espionage, or sabotage.
Threat types include:
- Distributed denial of service (DDoS)
- Man-in-the-middle attack (MITM)
- Social engineering attacks
- Malware and spyware attacks
- Password attacks
- Advanced persistent threats (APT)
Threats present potential risks that could be exploited if left unaddressed, leading to an attack in many cases. This blog post explains each type of threat in more detail.
What is insider threat?
Insider threats can come from employees or contractors who have authorized access to your systems, network, applications, and the high-value data they hold. Anything an insider could do to harm the organization is considered an insider threat. The category covers not only data theft but also sabotage, fraud, and espionage.
The most-cited example is that of a resentful employee—perhaps one who has been recently terminated—seeking revenge. With their permissions possibly remaining valid, they might lock critical systems or disable them altogether. Or they might scan file shares to locate insecure, high-value data.
But external attackers can also target unsuspecting insiders, compromising their systems to gain a foothold from the outside. Through privilege escalation, the adversary then works step by step to obtain access to increasingly sensitive resources, effectively turning a compromised legitimate account into an insider.
Unpatched flaws in operating systems, browsers, applications, and ancillary software can also provide unwarranted access to such attackers. Find out how insider threats could be affecting your organization.
How to detect insider threats
Discovering threats on your network involves a robust detection methodology. Your goal is to become aware of their existence before they manifest themselves as any type of attack.
To become more preemptive, SOC teams have shifted away from the reactive approach of focusing on indicators of compromise (IoCs), such as a known malware infection. Instead, they rely on the known tactics, techniques, and procedures (TTPs) attackers use, which leave telltale signs in activity data. Detecting the behavior rather than the artifact is the preferred strategy because it can catch threats before they become full attacks.
The publicly available MITRE ATT&CK framework is regularly updated with new TTPs for security practitioners to learn about. Today, Exabeam technology aligns with MITRE tactics, techniques and procedures to improve how analysts detect, investigate and respond to cyberattacks.
User and entity behavior analytics (UEBA)
The rise in the adoption of user and entity behavior analytics to detect threats came as a direct response to the limitations of legacy security tools. Those tools depend on predefined correlation rules, and insider threats rarely conform to them. Frequently spanning multiple organizational systems and data sources, insider threats also don’t correspond to known attack patterns that a signature or rule could match.
Five years ago Gartner defined user behavior analytics as a set of cybersecurity tools to assess and apply advanced analytics — the goal being to detect anomalies and malicious behavior among network users. Analytics can be used to discover security threats such as malicious insiders and privileged account compromise — those that traditional security tools can’t detect.
A year later UBA encompassed entities, such as routers, servers, endpoints, IoT and even IP addresses, to become user and entity behavior analytics or UEBA. This approach can detect complex attacks deployed by today’s more sophisticated attackers. The terms UBA and UEBA are discussed in detail in this post.
Essential UEBA capabilities
A user behavior analytics solution will have the following capabilities:
- User and entity monitoring and behavioral analysis — Collect system data and create behavioral baselines for all network users and entities
- Detect anomalous behavior — Any significant baseline deviation could indicate an insider attack or other security threat
- Leverage machine learning and advanced analytics — Detect unknown threats and learn from big data sets—even for those attacks no one has previously experienced
- Combine multiple activities into a single security incident — Not only identify security incidents across multiple users, entities or IPs, but also combine data from many other sources, including anti-malware, firewalls, proxies, DLP, and VPNs, to tell the complete story
- Near real-time performance — To be effective as an incident response tool, UEBA technology must collect data and alert security analysts ASAP after an event has occurred, all the while reducing false positives that plague your overburdened security operations center (SOC) team
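To make the capabilities above concrete, here is an added illustration (not Exabeam product code) of the core UEBA loop in Python: build a per-user behavioral baseline from a training window, score deviations in later activity (first-ever access to a host, a login at an unusual hour, an unusual volume of file reads), enrich with a second data source (an HR feed of terminated accounts, which covers the resentful ex-employee scenario described earlier), and roll every deviation for a user on a given day into one incident with a single risk score. All log lines, the HR roster, the point values, and the threshold are constructed for the example.

```python
"""Toy UEBA-style detection over constructed logs: per-user baselines,
deviation scoring, and aggregation into one incident per user and day.
Added illustration only; not Exabeam code. All data below is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "timestamp user event host"
LOG_LINES = """
2023-10-02T09:05:00 alice login ws-alice
2023-10-02T09:40:00 alice file_read fs-finance
2023-10-03T08:55:00 alice login ws-alice
2023-10-03T10:10:00 alice file_read fs-finance
2023-10-04T09:10:00 alice login ws-alice
2023-10-04T11:00:00 alice file_read fs-finance
2023-10-05T09:00:00 alice login ws-alice
2023-10-05T09:30:00 alice file_read fs-finance
2023-10-02T10:00:00 bob login ws-bob
2023-10-03T10:05:00 bob login ws-bob
2023-10-04T09:50:00 bob login ws-bob
2023-10-05T10:10:00 bob login ws-bob
2023-10-09T02:15:00 alice login ws-alice
2023-10-09T02:20:00 alice file_read fs-hr
2023-10-09T02:21:00 alice file_read fs-legal
2023-10-09T02:22:00 alice file_read fs-engineering
2023-10-09T02:23:00 alice file_read fs-finance
2023-10-09T02:24:00 alice file_read fs-exec
2023-10-09T10:00:00 bob login ws-bob
""".strip().splitlines()

# Constructed HR feed: accounts whose owners have left but whose credentials
# may still be valid (the terminated-employee scenario from the article).
TERMINATED = {"alice"}

BASELINE_END = datetime(2023, 10, 7)  # events before this date train the baseline
ALERT_THRESHOLD = 90                  # constructed cut-off for raising an incident


def parse(line):
    ts, user, event, host = line.split()
    return datetime.fromisoformat(ts), user, event, host


def build_baselines(events):
    """Per user: hosts ever touched, login-hour mean/std, daily file_read mean/std."""
    hosts = defaultdict(set)
    login_hours = defaultdict(list)
    reads_per_day = defaultdict(lambda: defaultdict(int))
    for ts, user, event, host in events:
        hosts[user].add(host)
        if event == "login":
            login_hours[user].append(ts.hour)
        elif event == "file_read":
            reads_per_day[user][ts.date()] += 1
    baselines = {}
    for user in hosts:
        hrs = login_hours[user] or [0]
        reads = list(reads_per_day[user].values()) or [0]
        baselines[user] = {"hosts": hosts[user],
                           "login_mu": mean(hrs), "login_sd": pstdev(hrs),
                           "reads_mu": mean(reads), "reads_sd": pstdev(reads)}
    return baselines


def score_events(events, baselines, terminated):
    """Score each deviation and fold all of a user's deviations on one day into
    a single incident, so the analyst sees the whole story instead of N alerts."""
    incidents = defaultdict(lambda: {"score": 0, "reasons": [], "seen": set()})
    reads_today = defaultdict(int)

    def add(key, kind, points, reason):
        inc = incidents[key]
        if kind not in inc["seen"]:  # count each kind of deviation once per day
            inc["seen"].add(kind)
            inc["score"] += points
            inc["reasons"].append(reason)

    for ts, user, event, host in events:
        key = (user, ts.date())
        _ = incidents[key]  # record the day even if it turns out to be clean
        b = baselines.get(user)
        if b is None:
            add(key, "no_baseline", 30, "no behavioral baseline for this user")
            continue
        if user in terminated:
            add(key, "terminated", 50, "activity from a terminated account (HR feed)")
        if host not in b["hosts"]:
            add(key, f"newhost:{host}", 15, f"first-ever access to {host}")
        if event == "login":
            sd = max(b["login_sd"], 1.0)  # floor so a flat baseline cannot divide by ~0
            if abs(ts.hour - b["login_mu"]) / sd > 2:
                add(key, "odd_hour", 20,
                    f"login at {ts.hour:02d}:00, usual is ~{b['login_mu']:.0f}:00")
        elif event == "file_read":
            reads_today[key] += 1
            limit = b["reads_mu"] + 3 * max(b["reads_sd"], 1.0)
            if reads_today[key] > limit:
                add(key, "volume", 25,
                    f"{reads_today[key]} file reads today, baseline ~{b['reads_mu']:.0f}/day")
    return dict(incidents)


def run(lines=LOG_LINES, terminated=TERMINATED, baseline_end=BASELINE_END):
    """Train on the early window, score the later one; keys look like 'alice@2023-10-09'."""
    events = sorted(parse(line) for line in lines)
    baselines = build_baselines([e for e in events if e[0] < baseline_end])
    incidents = score_events([e for e in events if e[0] >= baseline_end], baselines, terminated)
    return {f"{user}@{day}": inc for (user, day), inc in incidents.items()}


def alerts(incidents, threshold=ALERT_THRESHOLD):
    """Only incidents whose combined score crosses the threshold reach an analyst."""
    return {k: v for k, v in incidents.items() if v["score"] >= threshold}


if __name__ == "__main__":
    for key, inc in alerts(run()).items():
        print(key, inc["score"], "; ".join(inc["reasons"]))
```

With the constructed data, alice’s five deviations on 2023-10-09 (terminated account, 02:00 login, four never-before-seen file shares, and a read volume well above her one-per-day baseline) combine into a single incident scoring 155, while bob’s ordinary login stays at 0 and never reaches the analyst. The per-day deduplication of each deviation kind is what keeps false-positive noise down; a production system would also handle hours that wrap past midnight, use peer-group baselines for new users instead of a flat "no baseline" penalty, and decay the baseline over time.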
Security information and event management (SIEM) solutions comprise the foundation of the modern SOC. Coupled with correlation rules and statistical analysis, UEBA is a core component of a SIEM as it collects data from across your entire network, performs behavioral analysis to detect anomalies, and alerts analysts about security incidents it has identified. A robust next-generation SIEM can help protect your organization against insider threats.
Interested in how SIEM can help you detect insider threats? Our comprehensive SIEM guide covers its benefits, use cases and more.