Cyber attacks through access abuse can harm a company, its employees and its customers. According to the “2020 IBM X-Force® Threat Intelligence Index”, inadvertent insider threats are the primary reason for the greater than 200% rise in the number of records breached in 2019 from 2018. Insiders typically know where an organization's sensitive data lives and often have elevated levels of access, regardless of whether they have malicious intentions or not.
Insider attacks are costly for organizations, too. In the Ponemon Institute's 2020 Cost of Insider Threats study, researchers found that the internal data breach's average annual cost was USD 11.45 millions, with 63% of the incidents attributed to negligence.
Whether accidentally or deliberately, insiders can expose—or help expose—confidential customer information, intellectual property and money.
Current employees, former employees, contractors, business partners or business associates are all insiders that could pose a threat. However, any person with the right level of access to a company's computer systems and data can harm an organization, too, including suppliers or vendors.
Insiders vary in motivation, awareness, access level and intent. Ponemon Institute identifies insiders as negligent, criminal or credential. And Gartner groups insider threats into four categories: pawns, goofs, collaborators and lone wolves. Note: Ponemon Institute and Gartner generate and provide independent research, advisory and educational reports to enterprise and government organizations.
Pawns are employees who, unaware, are manipulated into performing malicious activities. Whether downloading malware or disclosing credentials to fraudsters through spear phishing or social engineering, pawns harm an organization.
Goofs are ignorant or arrogant users who believe they are exempt from security policies. Out of convenience or incompetence, they actively try to bypass security controls. And against security policies, goofs leave vulnerable data and resources unsecured, giving attackers easy access. "90% of insider incidents are caused by goofs," according to Gartner's report, "Go-to-Market for Advanced Insider Threat Detection."
Collaborators cooperate with outsiders, like a company's competitors or nation-states, to commit a crime. They use their access to steal intellectual property and customer information or cause business operations disruptions, often for financial or personal gain.
Also, often for financial gain, lone wolves act independently and maliciously without external influence or manipulation. Lone wolves are especially dangerous when they have elevated levels of privilege, such as system administrators or database admins.
If a fraudster's target lies inside a protected system, they focus on attaining an employee's access privileges. Fraudsters prey on pawns and goofs for their cybercrimes. They use many tactics and techniques to get credentials: phishing emails, watering holes and weaponized malware, to name a few. With those credentials, fraudsters can move laterally within a system, escalate their privileges, make changes and access sensitive data or money. Fraudsters can access data or information from unsecured locations during outbound communication, using a command-and-control (C2) server. They can make outbound attempt changes or perform volume outbound transfers.
How fraudsters attack:
There are different technical and non-technical controls that organizations can adopt to improve detection and prevention with each insider threat type.
Each type of insider threat presents different symptoms for security teams to diagnose. But by understanding the motivations of attackers, security teams can approach insider threat defense proactively. To mitigate insider threats, successful organizations use comprehensive approaches. They might use security software that:
In a 2019 SANS report on advanced threats, security practitioners identified significant gaps in insider threat defense. The report found that the gaps are driven by a lack of visibility in two areas: a baseline of normal user behavior and privileged user accounts management. These gaps become attractive targets for phishing tactics and credential compromise.
After establishing a threat model, organizations focus on detecting and remediating insider threats and security breaches.
Security teams must distinguish between a user's regular activity and potentially malicious activity to detect insider threats. To differentiate between activities, organizations must first close visibility gaps. They should then aggregate security data into a centralized monitoring solution, whether part of a security information and event management (SIEM) platform or standalone user and entity behavior analytics (UEBA) solution. Many teams begin with access, authentication and account changelogs. Then, they broaden the scope to additional data sources, such as a virtual private network (VPN) and endpoint logs, as insider threat use cases mature.
Organizations must adopt a privileged-access-management (PAM) solution and feed data about access to privileged accounts from that solution into their SIEM. Once organizations centralize the information, they can model user behavior and assign risk scores. Risk scores are tied to specific risky events, such as user geography changes or downloading to removable media. Assigning risk scores also gives security operations center (SOC) teams the ability to monitor risk across the enterprise, whether creating watch lists or highlighting the top risky users in their organization.
With enough historical data, security models can create a baseline of normal behavior for each user. This baseline indicates the normal operating state of a user or machine so that the system can flag deviations. Deviations should be tracked for individual users and compared to other users in the same location, with the same job title or job function.
By adopting a user-focused view, security teams can quickly spot insider threat activity and manage user risk from a centralized location. For example, user behavioral analytics can detect abnormal login attempts at an unusual time of day or from an unusual location or multiple failed password attempts and generate an alert as appropriate for an analyst's validation. In other words, any behavioral anomalies will help identify when a user has become a malicious insider or if an external attacker has compromised their credentials.
Once validated, a security orchestration, automation and response (SOAR) system can create an insider threat remediation workflow. Then, the playbook can specify what remediation is needed. Potential remediation could include challenging the insider with MFA or revoking access, either of which can be done automatically in the identity access management (IAM) solution.
Security threats have increased and become more complex as work-from-home and remote-work practices have expanded. As a result, remote work has fundamentally shifted security priorities and changed security measures. This security shift has introduced new challenges for security teams:
Chief information security officers (CISOs) must cope with the rapid shift in IT security as it moves outside of the corporate network. A CISO's team must better understand their remote employees' distinct behaviors and remote-work implications to insider threat detection to effectively secure a company's assets. To address remote workforce challenges, CISOs must be able to answer the following questions:
By understanding remote workers' behaviors, security teams can detect abnormal behavior that could signal credential compromise or malicious intent. They can often detect these behaviors at the VPN boundary before employees cause potential damage. On the perimeter, CISOs should determine if their current insider threat capabilities enable them to:
Suppose an attacker manages to evade detection at the perimeter and is inside the organization's network. In that case, security teams should validate the threat by looking for several compromised credentials or abuse indicators.
Security teams can derive insider threat indicators through many methods, often assisted by machine learning. These methods can help determine if the access is from a legitimate employee or a credential thief. Within the organization's network, CISOs should evaluate whether their current insider threat capabilities enable them to:
By proactively adjusting their programs to compensate for the shift in employee behavior and maximize existing tool investments, security teams can better secure an enterprise network.
Get your workforce and consumer IAM program on the road to success.
IBM® QRadar® User Behavior Analytics (UBA) analyzes user activity to detect malicious insiders and determine if a user’s credentials have been compromised. Security analysts can easily see risky users, view their anomalous activities and drill down into the underlying log and flow data contributing to a user’s risk score.
Smart identity and access management solutions for the hybrid, multicloud enterprise. Powered by AI. Backed by IBM Security®.
Understand your cybersecurity landscape and prioritize initiatives together with senior IBM security architects and consultants in a no-cost, virtual or in-person, 3-hour design thinking session.
Understand your cyberattack risks with a global view of the threat landscape
Threat management is a process used by cybersecurity professionals to prevent cyberattacks, detect cyber threats and respond to security incidents
Insiders such as employees, partners, and customers are routinely at the center of costly data breaches. Download and explore findings from our report to understand the direct and indirect costs of insider threats.
Learn why the IBM Office of the CIO turned to IBM Security® Verify for next-generation digital authentication across its workforce and clients.