How to Protect Your Business Against Insider Threats: 10 Ways to Mitigate Risks
Securing their businesses against insider threats continues to be a top concern for organizations as part of their overall cybersecurity strategy.
Even as geopolitical tensions and foreign ransomware crews have been in the headlines, security teams understand that a malicious insider has extensive knowledge of where all the valuable troves of data are stored, and that many insiders already hold the keys needed to steal that data or put it in harm’s way.
For clarity’s sake, we will use the insider threat definition where an individual who is authorized to have access within the organization uses that access in a way that compromises the organization by stealing, destroying, or exposing data.
Infamous insiders like Edward Snowden have highlighted the damage that a malicious insider can do, not just to an individual agency like the CIA, but, on a larger scale, through the embarrassment and operational damage caused to the US government as a whole.
While public sector insiders continue to be a concern, the private sector has its fair share of challenges from insider threats. Source code, intellectual property, customer or financial data: all of it can be harmed by a well-placed and properly motivated (or simply unlucky) insider, putting the organization at risk of damages and future losses to its business.
There are many different types of insider threats that we will cover, each with their own motivations and risks to the organization. Sometimes the insider is not even really an insider.
Not All Insider Threats Are Alike
While every case will have its own particular details, and there are many ways to cut it, we can break insider threat attacks down into three main types.
The first type is the malicious insider. These are the insiders who intentionally do your organization harm.
They may be motivated by greed, resentment, ideology, or a combination of a million other motivations.
These individuals will take active steps to evade detection by insider threat security measures. They know what they want to steal and will likely already have all the access they need to compromise it, or at least know how to get the additional help they need.
The second type is the negligent insider. The amazing team over at the Verizon Data Breach Investigations Report (DBIR) refers to these folks as carrying out Miscellaneous Errors. They do not mean to cause harm, but they may accidentally:
- Send an email to the wrong person
- Misconfigure the settings on a server to make it vulnerable
- Or find some other way to expose data
The third type is the third party. Not exactly part of your organization, these are your vendors, partners, and others that you have relationships with and have granted access to your network and data.
The DBIR found that supply chains were involved in 62% of breaches where an attack worked its way downstream, impacting many more organizations.
If an attacker is able to compromise your third-party partners, then they may find ways to make their way into your network unnoticed.
Challenges to Insider Threat Prevention
Not only do insider threats come in all shapes and sizes, they present a different set of challenges for security professionals from those of an external threat actor.
This is because they:
- Already have legitimate credentials
- Know where the good stuff is and can go there directly without a lot of lateral movement or searching
- Can be harder to detect since they are expected to be accessing data
Detecting Opportunities for Insider Threats
Understanding and being able to identify the indicators of an insider threat are important for working to prevent them and mitigate the risk.
- Access to areas that a user would not normally have access to (strange behavior)
- Downloading large amounts of data
- In some cases, traveling out of the country to meet with foreign actors
- Asking others for help in accessing data/resources
- Removing assets to take home
Taken on their own, many of these behaviors may be out of the ordinary without being malicious. However, it is critical that we continuously monitor for these small red flags, because viewed together they give us a full understanding of our threat picture.
The responsibility falls on organizations to do their utmost to harden themselves against insider threats. This means using the right tools to make insider attacks harder to carry out in the first place, and then being able to limit the damage and respond quickly when some number of them do succeed.
Adding to the challenge is that many insiders will not even know that they are being used to harm their organization.
Hackers are Targeting Your Insiders
Hackers are notoriously economical. They know that their time is valuable, and while hacking the Gibson is good street cred, what matters most is making it to that payday.
One of the best shortcuts to hit pay dirt is simply by finding someone on the inside that will leave the side door open for you.
This kind of bribery in hacking is super commonplace, though maybe not in the ways that one might imagine. One common tactic for an account takeover attack against someone protected by multi-factor authentication is to have someone at the phone company assist with a SIM swap. In this method of attack, the attackers essentially steal the victim’s phone number by having the phone company activate a new SIM card for it. They then log in with the stolen credentials, receive the one-time password meant for the victim on the phone with the hijacked number, and they are in.
By having that inside person, the hackers save themselves the time of having to do open source intelligence collection on their target and tricking the phone company into porting the number.
The hacking group Lapsus$ is known to buy credentials from insiders, and has racked up a number of sizable trophies on its wall of companies successfully hacked as a result.
In recent years we have seen a number of bigger scale attempts to use insiders for attacks. In 2020, an employee at Elon Musk’s Gigafactory was targeted by an old acquaintance working for a Russian ransomware group. This employee was told that he would receive a payout of $1 million if he would help the gang get their malware onto the Gigafactory’s servers.
Maybe this employee was a stand up kinda guy. Maybe his managers really made him feel appreciated. Whatever the reason was, he turned down the cool million and turned his would-be briber over to the authorities.
This act of good-guy rectitude saved Tesla what would likely have been a major payout or shutdown. It was a reminder that any company can be targeted by malicious hackers in search of a turncoat, and that taking care of its people should be a top priority.
The Damage from an Insider Attack
The number of compromised records in an insider attack exceeds that of an external one significantly. According to the DBIR for 2022, the median number of records compromised in an external attack stood at 80k. While this is already pretty disturbing, the average insider attack led to an astronomical theft of over a million records.
In some cases, organizations have to report when they have had an insider threat incident. This usually depends on the regulations governing their industry. Oftentimes, if the data stolen was customer personally identifiable information (PII), they will have a reporting duty so that customers/users know that their data has been compromised.
However, there are still plenty of cases that are not publicized because, frankly, it makes for bad press and is embarrassing.
- An Insider Attack can Harm an Organization’s Reputation
It is bad enough when an external hacker causes a breach that harms your data.
But an insider incident can erode public/customer trust that your organization can be trusted to hold and protect data.
- There can be Financial Consequences
Take the Capital One breach as a prime example of the costs that an organization can incur when a breach occurs.
In 2019, a former AWS employee used their knowledge of the weaknesses of AWS security to steal the PII of over 100 million people.
As a result, Capital One was fined $80 million and settled with customers for another $190 million in a class action lawsuit.
These cases highlight the need to prevent insider threat actors from carrying out their dastardly dos, and doing so requires you to take steps to stop them before they can be successful.
10 Tips for Securing Your Organization from Insider Threats
Preparing your organization to prevent insider threats is a marathon, not a sprint. Getting it right requires a mix of following best practices, adopting the right technologies to help you handle the scale of the challenge, and nurturing a culture of security within your organization that will perpetuate over time.
- Establish Your Users’ and Networks’ Secure Baselines
In order to detect when someone’s behavior is acting outside of their norm, we need to have a starting point from which to judge it.
- Define what normal behavior is
- Set a baseline for what normal traffic should look like
Armed with the right data points, you can monitor for behavioral anomalies going forward with insider threat solutions, all while hopefully reducing your false positives and detecting opportunities for insider threats before they can impact your organization.
- Adhere to the Principle of Least Privilege
Access is a necessity for employees to do their jobs effectively. However, too much access can leave holes in your security that can be exploited by a malicious actor, insider or external.
The Principle of Least Privilege calls for provisioning exactly the amount of privileges that will allow the employee to access the resources to do their job, but not an iota more. Review your
- Monitor User Behavior and Manage Accounts
Insider threat prevention depends on knowing what to look for and having the right tools in place to catch the warning signs.
We have already reviewed some of the insider threat indicators that are commonly seen in these cases, but actually keeping on top of them requires continuous activity monitoring and analysis of user behavior.
Insider threat detection software can collect the necessary data points from your network, endpoints, and anywhere else your employees are active that you point it at. The software can then look for potential signs of insider threat behavior and raise red flags for your attention, giving you the insight you need to take decisive action in time.
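To make the baselining and monitoring tips above concrete, here is an added example (not code from the original article) that builds a per-user baseline from an access log and then flags two of the indicators listed earlier: access to a resource the user does not normally touch, and bulk downloads. The log rows, resource paths and the 5x volume threshold are constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample access log rows: (day, user, resource, bytes_downloaded).
# Days 1-5 form the baseline window; day 6 is the day under review.
BASELINE_LOG = [
    (1, "alice", "/crm/accounts", 2_000_000),
    (2, "alice", "/crm/accounts", 1_500_000),
    (3, "alice", "/crm/reports", 800_000),
    (4, "alice", "/crm/accounts", 2_200_000),
    (5, "alice", "/crm/reports", 900_000),
    (1, "bob", "/src/repo", 50_000_000),
    (3, "bob", "/src/repo", 40_000_000),
    (5, "bob", "/src/repo", 55_000_000),
]
NEW_LOG = [
    (6, "alice", "/crm/accounts", 1_900_000),  # within her normal pattern
    (6, "alice", "/hr/salaries", 100_000),     # resource outside her baseline
    (6, "bob", "/src/repo", 900_000_000),      # ~16x his busiest baseline day
]

@dataclass
class Baseline:
    resources: set        # resources the user normally accesses
    max_daily_bytes: int  # largest single-day download seen in the window

def build_baselines(log):
    """Derive each user's 'normal' from the baseline window of the log."""
    resources, daily = defaultdict(set), defaultdict(int)
    for day, user, resource, nbytes in log:
        resources[user].add(resource)
        daily[(user, day)] += nbytes
    peak = defaultdict(int)
    for (user, _), nbytes in daily.items():
        peak[user] = max(peak[user], nbytes)
    return {u: Baseline(resources[u], peak[u]) for u in resources}

def detect_anomalies(baselines, log, volume_factor=5):
    """Return (user, reason) alerts for out-of-baseline access and bulk downloads."""
    alerts, daily, flagged_days = [], defaultdict(int), set()
    for day, user, resource, nbytes in log:
        base = baselines.get(user)
        if base is None:  # unknown user: nothing to compare against, escalate
            alerts.append((user, "no baseline for user"))
            continue
        if resource not in base.resources:
            alerts.append((user, f"unusual resource {resource}"))
        daily[(user, day)] += nbytes  # running total so one day alerts only once
        if daily[(user, day)] > volume_factor * base.max_daily_bytes and (user, day) not in flagged_days:
            flagged_days.add((user, day))
            alerts.append((user, f"bulk download on day {day}"))
    return alerts
```

Real deployments would compute the baseline over weeks rather than days and tune the factor per role, but the structure (learn normal, then compare) is the same.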
- Run Periodic Risk Assessments Across Your Entire Organization
Your organization will grow and evolve over time, and with it, the risks facing your team.
You should be assessing:
- Risk from new apps and services
- Changes in personnel
- Threat actors targeting your organization
Assess and figure out how you can best mitigate these risks, being sure that your policies match your current threat picture.
Check out this Cyber Resilience Review resource from the Cybersecurity and Infrastructure Security Agency (CISA) for additional information and ideas to add to your assessment.
- Implement Effective Password and Account Management Policies
Starting with a base of secure management for your passwords and accounts can make it far harder for attackers to be successful — or at the very least give them a difficult enough time that they conclude your organization is not worth the effort.
A couple of basic best practices here include disallowing password reuse and validating that passwords are strong.
- Deprovision Orphaned Accounts
Inactive accounts can pose a significant security risk since they are likely unmonitored. A hacker can find the creds to take over an inactive account and then use its access to get themselves past your defenses unnoticed.
The Colonial Pipeline story is a prime example: the credentials of an orphaned account with access to a legacy VPN were compromised, giving the attacker access to the company’s network. The result was a fuel crisis that nearly paralyzed the East Coast of the United States.
Make sure to get rid of accounts when employees leave the organization and reduce your risk.
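As an added example (not from the original article) of the deprovisioning step above, the following reconciles identity-store accounts against the HR roster and flags the ones that should be disabled and reviewed: accounts whose owner has left, accounts whose owner has no HR record at all, and accounts that have sat idle past a threshold. The account names, dates, roster and 90-day idle limit are constructed assumptions.

```python
from datetime import date

# Constructed sample data: accounts from the identity store and the HR roster
# they should reconcile against. Names and dates are invented for the example.
ACCOUNTS = [
    {"name": "alice", "owner": "alice", "last_login": date(2024, 5, 30)},
    {"name": "bob", "owner": "bob", "last_login": date(2024, 1, 3)},
    {"name": "svc-legacy-vpn", "owner": "carol", "last_login": date(2023, 11, 20)},
    {"name": "dave", "owner": "dave", "last_login": date(2024, 5, 29)},
    {"name": "contractor-77", "owner": "erin", "last_login": date(2024, 5, 1)},
]
HR_ROSTER = {"alice": "active", "bob": "active", "carol": "terminated", "dave": "active"}
# Note: "erin" has no HR record at all, so contractor-77 has an orphaned owner.
TODAY = date(2024, 6, 1)  # fixed review date so the example is reproducible

def find_orphaned_accounts(accounts, roster, today, max_idle_days=90):
    """Return (account_name, [reasons]) for every account that needs deprovisioning review."""
    findings = []
    for acct in accounts:
        reasons = []
        status = roster.get(acct["owner"])
        if status is None:
            reasons.append("owner not in HR roster")
        elif status != "active":
            reasons.append(f"owner {status}")
        idle_days = (today - acct["last_login"]).days
        if idle_days > max_idle_days:
            reasons.append(f"idle {idle_days} days")
        if reasons:
            findings.append((acct["name"], reasons))
    return findings

def example_report():
    """Run the reconciliation over the constructed data."""
    return find_orphaned_accounts(ACCOUNTS, HR_ROSTER, TODAY)
```

Service accounts like svc-legacy-vpn deserve special attention here, since they are often tied to a departed owner yet keep privileged access long after anyone is watching them.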
- Enforce Security Policies
Make sure that everyone is in fact following the rules that you set out to keep the organization’s data safe.
Use monitoring tools to detect risks and violations, and then actually follow up with enforcement mechanisms that remediate the risks.
There should be good communication between the security team and the lines of business to ensure that access is being provisioned according to the policies. This includes not allowing employees to share access with others.
- Provide Security Awareness Training
The more we drill our team on how to spot risks, the better prepared we will all be for defending the organization against them.
Just like we run training on how to spot phishing emails and other risks from external actors, we need to train our people to spot risks and help in our insider threat prevention efforts.
- Require Multi-factor Authentication (MFA)
The odds are uncomfortably high that some number of credentials in your organization will eventually end up getting compromised. Add an extra barrier for the hackers so that your account does not become the unwitting insider threat.
MFA means that the hacker must not only have something that you know (your login credentials) but also something that you have (in most modern cases, access to your mobile device).
Best practices these days call for avoiding codes sent via SMS in favor of push notifications on your device.
However, do not let the perfect be the enemy of the good. If the choice is between SMS and nothing, go for the text.
- Develop an Insider Threat Program
There are lots of great resources from CISA, the National Insider Threat Task Force, and others on how to run an effective insider threat prevention program.
These agencies are working hard to strengthen not only other government agencies, but the private sector as well to become harder targets.
Use the linked resources but also feel free to reach out to them for assistance on how to develop a program that works well for your organization.
Best Practices for Insider Threat Detection Through Monitoring
Even as you work to make your organization more secure and resilient, you can go too heavy on the security side of the scales and actually harm your ability to prevent insider threats. Remember that you are dealing with people who need to do their jobs, and you do not want to cause them so much frustration that they up and leave the organization.
Tolerance for tightened security measures depends on the industry, but even those handling top secret materials have a ceiling for how much friction they are willing to take.
Try these tips for striking the right balance between security and maintaining a workplace that your people will want to keep showing up to:
- Communicate clearly with your organization about what your expectations are for how they should play a role in keeping your data secure, both in terms of dos and definitely do nots.
- Let them know that they are being monitored, but within the bounds of not only what is legal, but also what is reasonable. By now everyone should know that employers monitor what we access and download, as well as our web traffic and network activity.
- At the same time, employees should feel that their employer is not going to cross the line into their personal devices. There are specific cases where that expectation has been set forth up front due to an unusually high security risk posture.
- Even in those cases, surveillance should still be carried out in a way that is effective without being overly intensive.
Remember, if you hired these people, then you hopefully feel that they are the right people for the job.
Verify their actions, but trust them to do their jobs or else they may decide that the juice is not worth the squeeze and may choose to move on.