While often neglected, an organization’s own personnel pose one of the biggest threats to its security. Human error or negligence is usually the leading cause of data breaches in an organization; according to the research, almost 60% of data breaches are related to human error. Malicious insiders, however, pose a much more serious threat, because they have both the access and the intent to do harm, and they are usually responsible for providing initial access or the means to exfiltrate data. Compared to external threats such as hackers, internal threats can have far more catastrophic repercussions, with the annualized average cost of recovering from an insider attack estimated at $15.4 million USD.
In this article, we will introduce you to the terminology of insider threats, the types of insider threats that exist, and how you can address them to minimize the risk of a serious data breach.
What is an insider threat?
To understand what an insider threat is, we first need to know who or what is an “insider”. We borrowed the definition from CISA:
An insider is any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems.
An insider threat is the potential for an insider to use their authorized access or understanding of an organization to harm that organization. However, it is important to understand that not all insider threats are malicious in intent. Although all insiders have the same capability to do harm, some do so deliberately, while others do so through human error or negligence (we explain the types of insider threats in the following chapters). Even though the latter are not malicious by intent, they statistically cause most data breaches.
Note that different organizations may define the term insider threat differently. The way we describe it here is how we define it at Conscia Cyberdefense.
Types of Insider Threats
We classify Insider Threats based on their intent. As stated before, an Insider Threat is either intentional or unintentional, and this is the major distinction between the two types. We also refer to intentional insider threats as malicious insiders.
- Malicious insiders
- Turncloaks – a malicious insider who acts with the aim of harming an organization for personal or financial gain, or as revenge on the company.
- Collaborators – a malicious insider who works with third parties (such as company competitors) or external threat actors to steal sensitive data. These insiders are the hardest to identify.
- Unintentional insider threats
- Negligence – This type of insider is usually familiar with security and/or IT policies but chooses to ignore them (for example, allowing someone to piggyback through a secure entrance point).
- Accidental – More commonly referred to as human error. These incidents can be minimized, but we cannot completely prevent them. One example would be opening an e-mail attachment that contains a virus.
How to detect
There are two distinct ways to detect Insider Threats: one leverages people, and the other relies on technology.
People as sensors
Since Insider Threats consist of personnel who have some access to the organization’s assets, we can use other personnel to detect suspicious behaviour. This type of detection is more common in identifying malicious insiders: people can hear or see someone plotting something that could lead to malicious action and report it to supervisors.
Technology can prove helpful in detecting potential insider threats. There are different technologies that can be used:
- UEBA (User and Entity Behaviour Analytics): UEBA, or technologies with similar capabilities, collect user-related network events over time and use them to establish a baseline of normal behaviour for a given persona. UEBAs are particularly good at catching malicious insiders while their plan is still unfolding: any event that is anomalous for that persona triggers an alarm for investigation. Such anomalies may be:
- Downloading and copying files containing sensitive information
- Accessing data that this user does not require for their duties
- Traversing a large number of files in a short period of time
- SIEM or SIEM-like log management tools: Such tools are also effective in identifying suspicious user behaviour, and they can detect unintentional insider threats as well. They rely more on indicators than on anomalous behaviour. Some examples of indicators would be:
- Multiple login attempts to systems the user should not have access to
- Attaching USB drives with suspicious content
- Interacting with phishing e-mails
- PAM (Privileged Access Management): Privileged Access Management refers to the set of security policies and procedures that protect and monitor the use of privileged accounts within an organization. It gives security administrators a platform to monitor and control user activity related to these privileged accounts, which enables the detection of privilege escalation attempts or efforts to compromise credentials.
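As an added illustration (not code from the original article or from Conscia), the following toy detector shows the two detection styles described above side by side: a UEBA-style per-user baseline of daily file reads that flags a sudden burst, and a SIEM-style indicator rule for repeated failed logins to systems outside a user's access scope. The audit events, user names, system names and the access policy are all constructed for the example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample audit events: (day, user, action, target).
# Days 1-5 form the learning window; day 6 is the day under review.
EVENTS = (
    [(d, "alice", "file_read", f"/share/reports/q{d}.xlsx") for d in range(1, 6) for _ in range(3)]
    + [(6, "alice", "file_read", f"/share/hr/salary_{i}.xlsx") for i in range(40)]  # burst
    + [(d, "bob", "file_read", "/share/eng/design.pdf") for d in range(1, 7) for _ in range(4)]
    + [(6, "bob", "login_failed", "finance-db")] * 4
)

# Constructed access policy: systems each user is authorised to log in to.
AUTHORISED = {"alice": {"hr-portal", "file-server"}, "bob": {"build-server", "file-server"}}


def file_access_baseline(events, learn_days):
    """UEBA-style step: per user, mean and std. dev. of daily file reads over the learning window."""
    daily = defaultdict(Counter)  # user -> {day: count}
    for day, user, action, _ in events:
        if action == "file_read" and day in learn_days:
            daily[user][day] += 1
    baseline = {}
    for user, counts in daily.items():
        per_day = [counts.get(d, 0) for d in learn_days]  # days with no reads count as 0
        baseline[user] = (mean(per_day), pstdev(per_day))
    return baseline


def volume_anomalies(events, baseline, review_day, sigmas=3, min_excess=10):
    """Flag users whose file reads on review_day exceed mean + sigmas*stdev.
    A floor (min_excess) keeps a flat baseline from flagging a one-file increase."""
    todays = Counter(u for d, u, a, _ in events if d == review_day and a == "file_read")
    flagged = {}
    for user, n in todays.items():
        mu, sd = baseline.get(user, (0.0, 0.0))
        threshold = max(mu + sigmas * sd, mu + min_excess)
        if n > threshold:
            flagged[user] = n
    return flagged


def unauthorised_login_failures(events, authorised, threshold=3):
    """SIEM-style indicator: repeated failed logins to systems outside the user's access scope."""
    fails = Counter(
        (u, t) for _, u, a, t in events
        if a == "login_failed" and t not in authorised.get(u, set())
    )
    return {user_target: n for user_target, n in fails.items() if n >= threshold}
```

Running `volume_anomalies(EVENTS, file_access_baseline(EVENTS, range(1, 6)), 6)` flags only alice's day-6 burst, while `unauthorised_login_failures(EVENTS, AUTHORISED)` surfaces bob's repeated failures against finance-db.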
How to prevent
While it is not possible to completely prevent Insider Threats, combining preventive controls with detective controls will allow your organization to minimize the risk of them occurring.
There are several ways to prevent Insider Threats:
- Conduct Security Awareness Training
- Enforce strict security policies
- Implement the principle of least privilege
- Enforce the separation of duties principle
- Implement the Zero Trust architecture
- Employ DLP (Data Loss Prevention) solutions
This list is not comprehensive, but these measures will significantly reduce the risk of an insider data breach.
Insider Threats will remain the most prevalent threat to any organization, because insider threats also include unintentional ones (such as human error, when people fall for a phishing attempt), and exactly this is the most common initial access vector for threat actors. Nowadays, it is much more costly for threat actors to breach an environment from the ‘outside’ by brute forcing or exploiting vulnerabilities in internet-facing appliances. Moreover, such attempts are (with adequate security monitoring) very noisy and easily detectable. Unfortunately, the cheapest and most effective way in is to exploit human vulnerabilities.
However, malicious insiders also exist, and collaborating with external threat actors makes them quite stealthy and far less obvious to expose, while the damage is just as significant.
Combining detective and preventive capabilities is the right way to mitigate these risks, and that is why we at Conscia Cyberdefense employ both with our customers. We focus mostly on the detective part and provide recommendations on improvements customers can make on the preventive part. We also offer services to harden customers’ environments after assessing them. Our principle is not to just ‘plug in the tech and start monitoring’, but rather to cooperate with our customers to learn about them (processes, architecture, …) and implement appropriate procedures tailored to that specific customer through our MDR (Managed Detection and Response) service.
If you think you are not addressing the risks of insider threats enough, feel free to reach out to us and we will help you.