Insider threats continue to make news. In the fall of 2018, a senior scientist from Genentech was indicted for stealing trade secrets to give to a rival firm in Taiwan. He and three other employees were paid by JHL Biotech as consultants in exchange for information that could be used to make generic versions of Genentech drugs.
In early 2018, Legacy Health, a Portland, Oregon hospital group, announced it had suffered a data breach from a different type of insider threat. The medical records of 38,000 patients were taken via a phishing attack against one of its employees. Sometimes the insider is a threat not because of malicious intent, but because they were compromised and used in an attack.
There are many more stories like these, and it’s not a new phenomenon. While attention may be on ransomware or cryptojacking, insider threats remain a large and persistent problem. And although they have gone on for years, there are proven ways to mitigate the risk and to respond when one occurs.
What is an insider threat?
An insider threat is harmful activity against an organization that originates with people inside it, whether or not they intend the harm. The usual suspects are employees or contractors with legitimate access to the organization’s network, applications or databases. The term is most commonly used to describe illicit or damaging online actions.
Are insider threats always theft?
While most often associated with stealing information, any action that could negatively impact an organization falls into the insider threat category. These include sabotage, fraud, and espionage. A disgruntled or recently terminated employee might, for example, shut down or lock critical systems in a deliberate attempt to damage the business or reputation of an organization.
Typically, insiders carry out their plans by abusing access rights, both physical and online. In its simplest form, employees or contractors search file shares for sensitive information that is not properly protected by access controls. In the case of a compromised insider, the attacker behind the account may attempt privilege escalation: exploiting a system or application flaw, or a misconfiguration, to reach resources the account was never granted.
Figure 1 – Using privilege escalation, an attacker can move horizontally, gaining access to other user or service accounts, or vertically, gaining greater access via power users or administrators
In some cases, abuse of access rights takes the form of someone with privileged access abusing that power. In 2008, a system administrator working for the San Francisco city government locked the city out of its own network and refused to surrender the admin passwords. It later emerged that the worker was disgruntled and believed his job was in jeopardy.
The types of insiders who are threats
Organizations that are looking to stop insider threats need to understand the three different types of insiders and their motives. Since they are each very different, the approach to preventing them will also be quite different.
Malicious Insider – an employee or contractor who knowingly sets out to steal information or disrupt operations. This type of individual typically has one of two motives. Opportunists look for information they can sell or that can advance their career; as the Genentech example above shows, malicious insiders can be paid handsomely for valuable intellectual property. Disgruntled employees, on the other hand, look for ways to hurt an organization they feel has not done right by them. That may mean handing intellectual property to a competitor, or, as in the San Francisco case, finding a way to punish or embarrass the employer.
Negligent Insider – an employee who does not follow proper IT procedures is considered a negligent insider. This may be as simple as someone who leaves their computer without logging out. Or it may be a system administrator who has not properly configured systems or applied patches to fix known security flaws. Perhaps the most egregious is the administrator who does not change default passwords when configuring new systems.
Compromised Insider – an employee whose computer or account has been taken over by an attacker, most commonly through a malware infection. These employees are typically infected via phishing or by clicking links that trigger surreptitious malware downloads. The compromised computer then serves as a “home base” for cybercriminals inside the organization: from there they can scan file shares, escalate privileges, infect other systems and more.
| Insider type | Motive | Typical impact |
|---|---|---|
| Malicious | Making money or avenging a slight | Theft of core company intellectual property. Disruption of operations. Damage to company reputation. |
| Negligent | Ignorance or carelessness | Theft of core company intellectual property. Disruption of operations. Damage to company reputation. |
| Compromised | Oblivious to the risk they pose | Access to sensitive company systems or assets. Theft of core company intellectual property. |
How are employees compromised?
There are several means by which an employee can become a compromised insider:
Phishing – a cybercrime in which a target individual is contacted via email or text message by someone posing as a legitimate institution in order to lure the individual into providing sensitive data, such as personally identifiable information (PII), banking and credit card details, and passwords. Some phishing schemes may also try to entice a target to click on a link that triggers a malware download.
Malware infection – a machine becomes infected when malicious software – malware – gets onto it and runs. In the case of a compromised insider, the malware’s goal is usually to steal sensitive information or user credentials, or to give the attacker a foothold from which to reach other systems. Infection can be triggered by clicking a link, downloading a file, or plugging in an infected device such as an MP3 player, among other ways.
Credential theft – a cybercrime aimed at stealing the username and password – the credentials – of a targeted individual. Credential theft can be carried out in a variety of ways. Phishing and malware infection, mentioned above, are common. Some criminals use social engineering, which is the use of deception to manipulate individuals into divulging their credentials. A bogus call from the “IT helpdesk,” in which the attacker asks the user to confirm their username and password, is a common technique.
Pass-the-hash – a more advanced form of credential theft in which the hashed form of a password (a one-way digest, not an encrypted copy of it) is extracted from one computer and replayed to authenticate to other computers on the network. It works because some authentication protocols, NTLM in Windows environments being the classic case, accept the hash itself as proof of identity, so an attacker who lifts the hash from memory or a credential store never needs the plaintext password. That is what separates it from ordinary password theft: the attacker steals and reuses hash values rather than the password.
Detecting insider threats
Organizations can spot or predict insider threats by observing user behavior in the workplace and online. Being proactive may allow organizations to catch potential malicious insiders before they exfiltrate proprietary information or disrupt operations.
Risk signs that should be heeded in the workplace include an employee’s interest in matters outside the scope of their duties, working odd hours without authorization, and excessive negative commentary about the organization. Individuals who exhibit signs of vulnerability, such as drug or alcohol abuse, financial difficulties, gambling, and poor mental health should be carefully monitored.
| Employee/Contractor Behavioral Trait | Organizational Event |
|---|---|
| Interest outside scope of their duties | Layoff |
| Working unusual hours without authorization | Annual merit cycle – individuals not promoted |
| Excessive negative commentary about organization | Annual merit cycle – individuals not given raises |
| Drug or alcohol abuse | |
| Change in mental state | |
HR and IT security teams should be vigilant in the wake of significant organizational events. Just before and after a layoff, employees may become embittered and look to steal from or harm an organization they feel mistreated them. Also, after annual merit cycles, if certain employees were passed over for promotion or feel they were not rewarded for their work, these workers may also become an insider threat. Most important is coordination between HR and IT security around these events.
IT security should observe how users are behaving online in any of the above scenarios. Employees and contractors may exhibit online behaviors that tip off the security team to a problem. In the case of compromised users, there will likely be unusual access patterns that can be spotted. Table 3 below lists some of the most common suspicious behaviors.
| Behavior | Malicious Insider | Compromised Insider |
|---|---|---|
| Badging into work at unusual times | | |
| Logging in at unusual times | | |
| Logging in from unusual location | | |
| Accessing systems/applications for the first time | | |
| Copying large amounts of information | | |
How to prepare for insider threats
There are many things an organization can do to combat insider threats. Here are the four main areas to focus on.
Train Your Employees
Conduct regular anti-phishing training. The most effective technique is for the organization to send phishing emails to its users and focus training on those users who do not recognize the email as a phishing attempt. This will help reduce the number of employees and contractors who may become compromised insiders.
Organizations should also train employees to spot risky behavior among their peers and report it to HR or IT security. An anonymous tip about a disgruntled employee may head off a malicious insider threat.
Coordinate IT Security and HR
There is no shortage of stories about IT security teams that were blindsided by layoffs. Coordination between the CISO and head of HR can help prepare IT security. Simply putting affected employees on a watchlist and monitoring their behavior can thwart many threats. Likewise, HR may advise IT security about certain employees that were passed over for promotion or not given a raise.
Build a Threat Hunting Team
Many companies have dedicated threat hunting teams. Rather than reacting to incidents after they are discovered, threat hunting takes a proactive approach. Dedicated individuals on the IT security team look for telltale signs, such as those listed above, to head off theft or disruption before they occur.
Employ User Behavioral Analytics
User Behavior Analytics (UBA), also known as User and Entity Behavior Analytics (UEBA), is the tracking, collection and analysis of user and machine activity data. Using statistical and machine-learning techniques, UBA separates normal from anomalous behavior: it collects data over a period of time to learn what normal looks like for each user and system, then flags activity that does not fit that baseline. UBA can often spot unusual online behaviors – credential abuse, unusual access patterns, large data uploads – that are telltale signs of insider threats. Importantly, it can often surface these behaviors among compromised insiders before the criminals behind them have reached critical systems.
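Here is a stripped-down version of that baseline-then-flag approach, written as an added example for this article (it is not code from the article or from any UBA product). It builds a per-user profile of login hours, source networks, systems touched and copy volumes from a learning period, then evaluates later events for the Table 3 behaviors: logins at unusual hours, logins from a network never seen for that user, first-time access to a system, and copies far larger than anything in the user’s baseline. The log format, the sample lines, the “first week is the baseline” split, and the thresholds (HOUR_TOLERANCE, COPY_MULTIPLIER, COPY_FLOOR) are all assumptions made for the example.

```python
"""Baseline-then-flag detection over access logs, in the UBA style the article
describes. Added example: not the article's or any product's code. The log
lines are constructed for illustration and every threshold is an assumption."""
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed sample log. Fields: ISO timestamp, user, source /24 network,
# system, action (login|copy), bytes moved. 203.0.113.0 is from the RFC 5737
# documentation range and stands in for an unfamiliar external network.
SAMPLE_LOG = """\
2018-10-01T09:12:00 alice 10.1.1.0 crm login 0
2018-10-01T09:30:00 alice 10.1.1.0 crm copy 2048000
2018-10-02T08:55:00 alice 10.1.1.0 crm login 0
2018-10-02T10:10:00 alice 10.1.1.0 crm copy 1500000
2018-10-03T09:05:00 alice 10.1.1.0 crm login 0
2018-10-03T11:40:00 alice 10.1.1.0 crm copy 1800000
2018-10-01T08:40:00 bob 10.1.2.0 git login 0
2018-10-02T08:45:00 bob 10.1.2.0 git login 0
2018-10-03T08:50:00 bob 10.1.2.0 git login 0
2018-10-03T09:00:00 bob 10.1.2.0 git copy 500000
2018-10-15T02:17:00 alice 203.0.113.0 crm login 0
2018-10-15T02:20:00 alice 203.0.113.0 hr-db login 0
2018-10-15T02:45:00 alice 203.0.113.0 hr-db copy 900000000
2018-10-15T09:00:00 bob 10.1.2.0 git login 0
2018-10-15T09:05:00 bob 10.1.2.0 git copy 600000
"""

BASELINE_END = datetime(2018, 10, 8)  # assumed: events before this date train the profiles
HOUR_TOLERANCE = 1                    # assumed: a login within +/-1h of a known hour is normal
COPY_MULTIPLIER = 10                  # assumed: > 10x the user's largest baseline copy is anomalous
COPY_FLOOR = 10_000_000               # assumed: never alert on volume alone below 10 MB

Event = namedtuple("Event", "ts user network system action nbytes")
Alert = namedtuple("Alert", "ts user kind detail")


def parse_log(text):
    """Parse the whitespace-separated format above into Events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, network, system, action, nbytes = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, network, system,
                            action, int(nbytes)))
    return sorted(events, key=lambda e: e.ts)


def new_profile():
    return {"hours": set(), "networks": set(), "systems": set(), "max_copy": 0}


def learn(profile, e):
    """Fold a baseline-period event into the user's profile."""
    profile["networks"].add(e.network)
    profile["systems"].add(e.system)
    if e.action == "login":
        profile["hours"].add(e.ts.hour)
    elif e.action == "copy":
        profile["max_copy"] = max(profile["max_copy"], e.nbytes)


def hour_is_unusual(hour, known_hours):
    """True when no baseline login hour is within HOUR_TOLERANCE (wrapping at midnight)."""
    if not known_hours:
        return False  # no baseline yet: do not guess
    return all(min(abs(hour - h), 24 - abs(hour - h)) > HOUR_TOLERANCE
               for h in known_hours)


def detect(events):
    """Train per-user profiles on pre-BASELINE_END events, then flag later ones."""
    profiles = defaultdict(new_profile)
    alerts = []
    for e in events:
        p = profiles[e.user]
        if e.ts < BASELINE_END:
            learn(p, e)
            continue
        if e.action == "login" and hour_is_unusual(e.ts.hour, p["hours"]):
            alerts.append(Alert(e.ts, e.user, "unusual_hour",
                                f"login at {e.ts.hour:02d}h, baseline hours {sorted(p['hours'])}"))
        if e.network not in p["networks"]:
            alerts.append(Alert(e.ts, e.user, "new_network", f"from {e.network}/24, never seen"))
        if e.system not in p["systems"]:
            alerts.append(Alert(e.ts, e.user, "first_access", f"first access to {e.system}"))
        if e.action == "copy":
            threshold = max(COPY_FLOOR, COPY_MULTIPLIER * p["max_copy"])
            if e.nbytes > threshold:
                alerts.append(Alert(e.ts, e.user, "large_copy",
                                    f"{e.nbytes} bytes copied, threshold {threshold}"))
        # Remember the network and system so "new"/"first" fire once per user, but do
        # not learn hours or volumes from post-baseline events: an anomalous session
        # must not quietly become the new normal.
        p["networks"].add(e.network)
        p["systems"].add(e.system)
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.user:<6} {a.kind:<13} {a.detail}")
```

Running it produces five alerts, all for alice’s 02:00 session from an unfamiliar network: two unusual-hour logins, one new network, one first access to hr-db, and one oversized copy. bob’s 09:00 login, an hour later than his baseline, stays quiet because of the tolerance, which is exactly the kind of tuning decision that separates a usable UBA rule from a noisy one. A real deployment would learn from weeks of data, baseline against peer groups as well as individuals, and feed its alerts into the HR and IT security coordination described above.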
Insider threats are not going away. By better understanding the different types of insiders and the behaviors they exhibit, organizations can be better prepared to fight these threats. A combination of training, organizational alignment, and technology is the right approach.