Insider Threat Indicators: How to Identify & Mitigate…
What is an insider threat?
An insider threat is an internal persona with trusted access (employee, contractor, vendor, partner, etc.) who behaves as a threat actor. Typically, the insider acts maliciously and with intent, but sometimes they are unaware that their actions are being directed by an external threat actor. Either way, the insider misuses their access and privileges for illicit purposes, whether intentionally or as directed by an external party.
Today, we need to be realistic about what an insider threat is and acknowledge that they have occurred, in various forms, for ages. Years of threat data show that insider threats are typically the hardest to detect, while also posing the greatest potential for damage. By recognizing insider threat indicators, organizations can detect insider attacks faster and prevent, or mitigate, the damage.
The risks of insider threats
By now, most security professionals are well-versed in the risks posed by insider threats. Years ago, these attacks regularly captured news headlines, but today they are the silent threat few organizations want to disclose or publicly admit.
Regardless of the malicious techniques an insider threat actor employs, they are not acting in the best interest of the company. The insider is potentially breaking the law, likely exfiltrating information they do not have permission to possess, or performing other damaging actions.
A longstanding example of an insider threat is the theft of client lists by a salesperson, executive, etc., who is planning to leave the organization. Perhaps they have photocopied or printed the client lists and purchase orders so they have a competitive edge when starting their next role with a new employer.
Today, with electronic media and the Internet, an insider can egress substantial volumes of data without anyone noticing. And, as a reminder, that file cabinet of sensitive information now fits on a USB thumb drive in a person’s pocket, or can be posted to a personal cloud-based file share, making the contents even more susceptible to additional threats.
While insider threats are perpetrated with ever-more ease thanks to modern technology, it’s a subject most organizations find difficult to discuss.
Human beings will do unusual things in the most dire of situations, but if they are not granted the access that would let them act on it, many insider threat risks can be mitigated.
A shortlist of some of the more interesting and well-documented insider threats includes:
- Edward Snowden – NSA insider threat and self-proclaimed whistleblower. (Government)
- Elliot Greenleaf Law Firm – Multiple attorneys extracted and deleted sensitive information (Legal)
- South Georgia Medical Center – A former employee downloaded personal information (Healthcare)
How to assess your vulnerability to insider threats
As we evaluate how to identify and mitigate the risks associated with insider threats, consider these questions regarding your organization:
- How many people have access to sensitive information en masse?
- Who can export large quantities of information from a query or third-party system?
- Are all the active accounts valid?
- Are all accounts related to people that are still employed at the organization or via third parties?
- How do you identify rogue or shadow IT accounts?
- How often do you change the passwords for sensitive accounts?
- Do you monitor privileged access to sensitive systems and data?
In fairness, honestly answering those questions could open Pandora’s box. You may not like the answers, or may not even know where to begin to get them. Nonetheless, you should answer them all if you care about addressing insider threat risk. First, you need to understand your baseline risk and where to prioritize your next mitigation actions.
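Most of the questions above can be answered mechanically by reconciling an identity-provider or directory export against the HR roster. The script below is an added example, not code from the original article or from BeyondTrust: the account records, HR statuses, group names (`db_readers`, `crm_export`) and the 90-day thresholds are all constructed assumptions, and you would map the field names to whatever your own directory and HR system export.

```python
from datetime import date

# Constructed sample export from a directory / identity provider.
# Field names are assumptions; map them to your own export format.
ACCOUNTS = [
    {"user": "alice",      "enabled": True,  "owner": "alice", "groups": ["sales"],
     "last_login": date(2024, 5, 1),  "pw_changed": date(2024, 3, 1)},
    {"user": "bob",        "enabled": True,  "owner": "bob",   "groups": ["finance", "db_readers"],
     "last_login": date(2024, 4, 28), "pw_changed": date(2023, 1, 15)},
    {"user": "carol",      "enabled": False, "owner": "carol", "groups": ["hr"],
     "last_login": date(2023, 9, 2),  "pw_changed": date(2023, 8, 1)},
    {"user": "svc_backup", "enabled": True,  "owner": "",      "groups": ["db_readers"],
     "last_login": date(2024, 5, 2),  "pw_changed": date(2022, 6, 1)},
    {"user": "dan",        "enabled": True,  "owner": "dan",   "groups": ["crm_export"],
     "last_login": date(2024, 1, 3),  "pw_changed": date(2024, 4, 1)},
]

# Constructed HR roster: person -> employment status. Anyone missing from
# it (e.g. an account with no recorded owner) is treated as unknown.
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "terminated", "dan": "active"}

# Groups that grant bulk ("en masse") access to sensitive data (assumed names).
MASS_DATA_GROUPS = {"db_readers", "crm_export"}

TODAY = date(2024, 5, 3)  # fixed "now" so the report is reproducible


def orphaned_accounts(accounts, roster):
    """Enabled accounts whose owner is not an active person in HR.
    Catches departed staff as well as accounts with no recorded owner
    (shadow or rogue accounts)."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and roster.get(a["owner"]) != "active")


def mass_access_holders(accounts, mass_groups):
    """Who can pull sensitive data in bulk: the answer to 'how many people
    have access en masse'."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and mass_groups.intersection(a["groups"]))


def dormant_accounts(accounts, today, max_idle_days=90):
    """Enabled accounts nobody has used for a long time: candidates for
    removal before someone else starts using them."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and (today - a["last_login"]).days > max_idle_days)


def stale_sensitive_passwords(accounts, mass_groups, today, max_age_days=90):
    """Bulk-access accounts whose password has outlived the (assumed) policy."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and mass_groups.intersection(a["groups"])
                  and (today - a["pw_changed"]).days > max_age_days)


def baseline_report(accounts=ACCOUNTS, roster=HR_ROSTER,
                    mass_groups=MASS_DATA_GROUPS, today=TODAY):
    """One pass that answers the assessment questions for the sample data."""
    return {
        "orphaned": orphaned_accounts(accounts, roster),
        "mass_access": mass_access_holders(accounts, mass_groups),
        "dormant": dormant_accounts(accounts, today),
        "stale_sensitive_passwords": stale_sensitive_passwords(accounts, mass_groups, today),
    }


if __name__ == "__main__":
    for finding, users in baseline_report().items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```

On the constructed data the report surfaces `bob` (terminated but still enabled, with bulk database access and a password untouched for over a year) and `svc_backup` (no recorded owner, bulk access, old password), which is exactly the kind of answer the paragraph warns you may not like. The same reconciliation run against a real export is the baseline from which to prioritize removals and rotations.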
Common insider threat indicators & how to detect them
The best way to detect insider threats is to look for indicators of compromise (IoCs) that can be attributed to inappropriate behavior. For insiders these are mostly behavioral indicators (who accessed what, when, and where the data went) rather than malware signatures, and they can be hard to distinguish from normal operations, but there is almost always a symptom that points to malicious intent.
To that end, consider the following insider threat indicators along with the detection methods:
- Unusual copying, downloading, or movement of sensitive information: This becomes especially concerning when the data or information is moved to an atypical or unauthorized destination. For individuals who are not authorized to touch it, simply interacting with sensitive data is an indicator, and that is relatively easy to detect from identities and access logs. However, if the insider normally and frequently interacts with the data, then it is the unusual destination, or the unusual volume, that may indicate illicit activity. Destinations can include unauthorized removable media such as USB drives, cloud-based file storage services, and even email.
- Anomalous network search activity: A common assumption is that an insider threat actor knows what data they are looking for and where to find it. That is not always true. Insider threats can be as opportunistic as the next attacker. Malicious insiders may actively search networks, intranets, ports, applications, etc. for sensitive information that they can extract and leverage. Therefore, monitor for applications and identities performing broad searches and network scans to locate files, buckets, and applications that can give up information as part of the attack chain.
- Unusual access and login anomalies: If the insider lacks access to data or systems as part of their business role, but suddenly starts making attempts at access, it could indicate an insider attack is underway. Monitoring authentication and authorization activity is critical to detecting these indicators. If you consider all enterprise assets, consolidating logs in a SIEM is crucial to gain this perspective. One-off activity, especially the first time an identity touches a given resource, is the anomaly to look for, and catching it requires more than simple pattern matching in a SIEM: the tooling must be able to recognize behaviors that have never occurred before for that identity.
- Misuse of native, or other already installed, tools: Insider threat actors often use tools to help extract information from key systems to satisfy their nefarious missions. Detection of foreign tools can flag an indicator of compromise. However, if the insider is savvy, they may execute a living-off-the-land (LotL) attack, leveraging native toolsets and other trusted enterprise tools to progress their attack. In that case, behavior becomes the key indicator of compromise. Behaviors to monitor for include access outside of normal business hours, access without proper change control, and network access from unusual or foreign locations. Advanced application control that also protects against fileless threats, such as misuse of trusted applications, is an important tool for identifying and protecting against these insider threat activities.
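The four indicators above turned into detection logic over constructed sample access logs (an added example, not code from the original article or from BeyondTrust). The log format, the business-hours window (07:00 to 19:59), the list of risky destinations, and the volume and search thresholds are all assumptions; the point is the shape of the checks: a per-identity baseline built from history, then each new event scored for first-seen resources, risky destinations, off-hours activity and volume spikes, plus a window-based check for the "broad search" pattern.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format (an assumption): "<ISO timestamp> <user> <action> <resource> <destination> <bytes>"
BASELINE_LOG = """\
2024-04-01T09:12:00 alice read crm/accounts internal 20480
2024-04-02T10:03:00 alice read crm/accounts internal 18432
2024-04-03T14:40:00 alice read crm/accounts internal 22528
2024-04-01T08:55:00 bob read finance/ledger internal 4096
2024-04-02T09:30:00 bob read finance/ledger internal 5120
2024-04-03T11:10:00 bob read finance/ledger internal 4608
"""

# Constructed recent activity to score against the baseline.
RECENT_LOG = """\
2024-05-01T10:05:00 alice read crm/accounts internal 19456
2024-05-01T23:41:00 alice copy crm/accounts usb 734003200
2024-05-02T09:15:00 bob read hr/salaries internal 8192
2024-05-02T09:16:00 bob read eng/source internal 1024
2024-05-02T09:16:30 bob read legal/contracts internal 2048
2024-05-02T09:17:00 bob read finance/ledger internal 4096
2024-05-02T09:17:30 bob read crm/accounts internal 3072
2024-05-02T09:18:00 bob read finance/ledger webmail 8192
"""

RISKY_DESTINATIONS = {"usb", "personal_cloud", "webmail"}  # assumed egress points
BUSINESS_HOURS = range(7, 20)                              # assumed 07:00-19:59 local


def parse(log):
    """Turn the constructed text log into event dicts."""
    events = []
    for line in log.splitlines():
        ts, user, action, resource, dest, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "action": action,
                       "resource": resource, "dest": dest, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per identity: the resources it has touched before and its typical transfer size."""
    seen, sizes = defaultdict(set), defaultdict(list)
    for e in events:
        seen[e["user"]].add(e["resource"])
        sizes[e["user"]].append(e["bytes"])
    return {u: {"resources": seen[u], "median_bytes": statistics.median(sizes[u])} for u in seen}


def flag_event(e, baseline, volume_factor=10):
    """Score one event; returns the list of indicators it trips (empty = normal)."""
    flags = []
    b = baseline.get(e["user"], {"resources": set(), "median_bytes": 0})
    if e["resource"] not in b["resources"]:
        flags.append("first_seen_resource")        # one-off access the SIEM pattern would miss
    if e["dest"] in RISKY_DESTINATIONS:
        flags.append("risky_destination")          # USB, personal cloud, webmail
    if e["ts"].hour not in BUSINESS_HOURS:
        flags.append("off_hours")                  # LotL behaviour indicator
    if b["median_bytes"] and e["bytes"] > volume_factor * b["median_bytes"]:
        flags.append("volume_spike")               # normal resource, abnormal amount
    return flags


def flag_broad_search(events, window_seconds=300, min_distinct=4):
    """Identities touching many distinct resources within a short window (search/scan behaviour)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_user[e["user"]].append(e)
    hits = set()
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            distinct = {x["resource"] for x in evs[i:]
                        if (x["ts"] - start["ts"]).total_seconds() <= window_seconds}
            if len(distinct) >= min_distinct:
                hits.add(user)
                break
    return hits


def analyze(baseline_log=BASELINE_LOG, recent_log=RECENT_LOG):
    baseline = build_baseline(parse(baseline_log))
    recent = parse(recent_log)
    alerts = []
    for e in recent:
        flags = flag_event(e, baseline)
        if flags:
            alerts.append((e["ts"].isoformat(), e["user"], flags))
    return {"alerts": alerts, "broad_search": flag_broad_search(recent)}


if __name__ == "__main__":
    result = analyze()
    for ts, user, flags in result["alerts"]:
        print(ts, user, ", ".join(flags))
    print("broad search:", sorted(result["broad_search"]))
```

On the constructed data, alice's daytime read of `crm/accounts` is silent because it matches her baseline, while the 23:41 copy of the same resource to USB trips three indicators at once (destination, hour, volume). Bob's run of five distinct resources in three minutes is caught by the window check even though each individual read is small and during business hours, and his final send of the ledger to webmail is caught on destination alone.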
How to prevent data leakage from insider attacks
Insider threats involve stealing information or conducting other malicious activity. A sophisticated insider threat actor may use tools traditionally associated with an external threat. For instance, an insider engaging in malicious behavior could install data-capturing software, exploit a system missing security patches, or access resources using backdoors to conduct data-gathering activity.
Ultimately, we need to recognize insider threats are able to succeed due to at least one of the following:
A. Excessive/inadequately managed privileges (covered in steps 1 – 5 below)
B. Poor security hygiene (vulnerability, configuration management, and audit/log management, covered in steps 5 – 10 below)
With the above (A + B) in mind, all organizations should implement these security best practices to mitigate insider threat risks:
1. Enforce least privilege and separation of privilege: No one should ever use an administrative account for day-to-day usage (i.e. email, web searches, etc.). This also applies to administrators, as the potential risk is much higher should their account be compromised, such as by clicking on a malicious phishing link. All users should be restricted to standard user permissions and only have the ability to gain momentary privileged access via controlled and monitored workflows. Privileged Access Management (PAM) solutions are specifically designed to manage this use case.
2. Restrict data access: Only administrators or role-specific employees (not executives) should have access to data en masse. This prevents an insider from dumping large quantities of information, or an executive’s account being hacked and leveraged against the organization to exfiltrate data.
3. Mature identity and access management (IAM) policies: Access to sensitive data should be limited to valid, current employees. Former employees, contractors, and even auditors should not have routine access. Accounts should be disabled or deleted per your organization’s policy. Implement a just-in-time access model to eliminate standing privileges and ensure all privileged access is finite.
4. Use enterprise password managers: Employees come and go. If the passwords stay the same as people leave and new hires are onboarded, the risk to sensitive data increases, since former employees still know the passwords to the company’s sensitive information. Passwords should be random, unpredictable, and rotated when someone who knew them leaves. Use password management solutions to automate password security best practices via a centralized vault.
5. Implement robust monitoring: Monitoring user behavior and network activity is critical to detecting anomalous, or otherwise dangerous, activity and acting before it causes damage. Privileged activity is especially important to monitor, as it poses the most risk for damage and can mean an attack is about to escalate quickly. Monitor logs, sessions, keystrokes, and applications, and also implement screen recording. If an insider accesses a sensitive system to steal information, session monitoring can document their access and identify how and when they extracted the information. Data loss prevention (DLP) solutions may also help here, but only where the point of egress is itself considered a risk or there are regulatory compliance ramifications.
6. Ensure anti-virus or endpoint protection solutions are installed, operating, and stay up-to-date to identify any malware being used by an insider threat.
7. Allow Windows and third-party applications to auto-update, or deploy a patch management solution to apply relevant security patches in a timely manner to remediate the risks of a vulnerability being exploited.
8. Utilize a vulnerability assessment or management solution to determine where risks exist in the environment and correct them in a timely manner so an insider cannot exploit a security weakness.
9. Implement an Application Control solution with Trusted Application Protection (TAP) to ensure only authorized applications execute with the proper privileges, mitigating the risk of rogue, surveillance, or data collection utilities. Ideally, the solution also has fileless threat protection capabilities that can apply context to activities and requests from trusted applications, including blocking child processes.
10. Where possible, segment users from systems and resources to reduce “line-of-sight” risks. That is, make sure your network is segmented, not flat, to avoid over-reaching access.
Most businesses fail to adequately implement these basic security controls. However, following the above 10 practices can significantly help protect against insider threats as well as other attack vectors.
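Steps 1 through 4 share one mechanism: privileged access is never standing, it is requested, approved, time-boxed, audited, and cut off the moment HR says the person is gone. The broker below is an added example of that just-in-time model, not code from the original article or from any PAM product; the role policy, ticket requirement, durations and the `ACTIVE_STAFF` set are constructed assumptions, and a real deployment would back `has_privilege` with the actual credential checkout or group membership rather than an in-memory dictionary.

```python
from datetime import datetime, timedelta

# Constructed policy (assumptions, not from the article): which roles may be
# requested, the longest grant allowed, and whether a change ticket is required.
ROLE_POLICY = {
    "db_admin":   {"max_minutes": 60, "needs_ticket": True},
    "crm_export": {"max_minutes": 30, "needs_ticket": True},
}
ACTIVE_STAFF = {"alice", "bob"}   # constructed: who HR currently lists as active


class JitBroker:
    """Issues time-bound privileged grants; nothing is granted permanently."""

    def __init__(self, role_policy, active_staff):
        self.role_policy = role_policy
        self.active_staff = active_staff
        self.grants = {}   # (user, role) -> expiry datetime
        self.audit = []    # every decision, so monitoring has something to review

    def _log(self, now, user, role, decision, reason):
        self.audit.append((now.isoformat(), user, role, decision, reason))

    def request(self, user, role, minutes, now, ticket=None):
        """Grant `role` to `user` for `minutes` if policy allows; False otherwise."""
        policy = self.role_policy.get(role)
        if policy is None:
            self._log(now, user, role, "deny", "unknown role"); return False
        if user not in self.active_staff:                       # step 3: no access for departed people
            self._log(now, user, role, "deny", "not an active employee"); return False
        if policy["needs_ticket"] and not ticket:                # change control for privileged work
            self._log(now, user, role, "deny", "change ticket required"); return False
        if minutes <= 0 or minutes > policy["max_minutes"]:     # every grant is finite and capped
            self._log(now, user, role, "deny", f"duration exceeds {policy['max_minutes']} min"); return False
        self.grants[(user, role)] = now + timedelta(minutes=minutes)
        self._log(now, user, role, "grant", f"ticket {ticket}, {minutes} min")
        return True

    def has_privilege(self, user, role, now):
        """The check every privileged operation performs; expiry is enforced here, not by a cron job."""
        expiry = self.grants.get((user, role))
        if expiry is None:
            return False
        if now >= expiry:
            del self.grants[(user, role)]
            self._log(now, user, role, "expire", "grant lapsed")
            return False
        return True

    def offboard(self, user, now):
        """Called when HR marks someone as departed: drop any live grants immediately."""
        self.active_staff.discard(user)
        for key in [k for k in self.grants if k[0] == user]:
            del self.grants[key]
            self._log(now, user, key[1], "revoke", "offboarded")


def demo():
    """Walk the broker through the cases the numbered steps describe."""
    t0 = datetime(2024, 5, 3, 9, 0)
    broker = JitBroker(ROLE_POLICY, set(ACTIVE_STAFF))
    results = {
        "no_ticket":     broker.request("alice", "db_admin", 30, t0),
        "too_long":      broker.request("alice", "db_admin", 120, t0, ticket="CHG-1001"),
        "granted":       broker.request("alice", "db_admin", 30, t0, ticket="CHG-1001"),
        "live_at_10min": broker.has_privilege("alice", "db_admin", t0 + timedelta(minutes=10)),
        "gone_at_31min": broker.has_privilege("alice", "db_admin", t0 + timedelta(minutes=31)),
        "stranger":      broker.request("mallory", "crm_export", 10, t0, ticket="CHG-1002"),
    }
    broker.request("bob", "crm_export", 20, t0, ticket="CHG-1003")
    broker.offboard("bob", t0 + timedelta(minutes=5))
    results["bob_after_offboard"] = broker.has_privilege("bob", "crm_export", t0 + timedelta(minutes=6))
    results["bob_rerequest"] = broker.request("bob", "crm_export", 20, t0 + timedelta(minutes=7), ticket="CHG-1004")
    results["audit_entries"] = len(broker.audit)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The design point is that expiry is enforced at the moment of use (`has_privilege`) and that offboarding revokes live grants and blocks new ones in the same call, so a departed employee's remaining credentials are useless even before the account itself is deleted. Every decision, including denials and expirations, lands in the audit list that step 5's monitoring would consume.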
Implementing insider threat protection
Insider threats are not going away. The goal is to stop the data leakage while staying aware that an insider has multiple attack vectors to achieve their goals.
As security professionals, we need to mitigate insider risks at the source. A briefcase of paper represents an insider threat, but it is probably not as relevant as a USB stick holding your entire database of client information.
In the end, an insider typically still needs privileges to steal this information. Removing excessive privileges, such as by implementing privileged access management (PAM) controls, and closing open security holes via vulnerability management will help minimize your attack surface from insider exploits, as well as many other types of attacks. In addition to security controls over access, organizations need to layer strong monitoring capabilities for insider threat detection. Finally, training security analysts and other IT staff on insider threat indicators, and how to respond to them, is important in nullifying any active risk.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud-based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as part of the eEye Digital Security acquisition, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.