What are insider threats?

Why are insider threats particularly dangerous?

Cyber attacks through access abuse can harm a company, its employees and its customers. According to the “2020 IBM X-Force® Threat Intelligence Index”, inadvertent insider threats are the primary reason for the greater than 200% rise in the number of records breached in 2019 from 2018. Insiders typically know where an organization's sensitive data lives and often have elevated levels of access, regardless of whether they have malicious intentions or not.

Insider attacks are costly for organizations, too. In the Ponemon Institute's 2020 Cost of Insider Threats study, researchers found that the internal data breach's average annual cost was USD 11.45 millions, with 63% of the incidents attributed to negligence.

Whether accidentally or deliberately, insiders can expose—or help expose—confidential customer information, intellectual property and money.

Types of insider threats

Current employees, former employees, contractors, business partners or business associates are all insiders that could pose a threat. However, any person with the right level of access to a company's computer systems and data can harm an organization, too, including suppliers or vendors.

Insiders vary in motivation, awareness, access level and intent. Ponemon Institute identifies insiders as negligent, criminal or credential. And Gartner groups insider threats into four categories: pawns, goofs, collaborators and lone wolves. Note: Ponemon Institute and Gartner generate and provide independent research, advisory and educational reports to enterprise and government organizations.

The Pawn

Pawns are employees who, unaware, are manipulated into performing malicious activities. Whether downloading malware or disclosing credentials to fraudsters through spear phishing or social engineering, pawns harm an organization.

The Goof

Goofs are ignorant or arrogant users who believe they are exempt from security policies. Out of convenience or incompetence, they actively try to bypass security controls. And against security policies, goofs leave vulnerable data and resources unsecured, giving attackers easy access. "90% of insider incidents are caused by goofs," according to Gartner's report, "Go-to-Market for Advanced Insider Threat Detection."

The Collaborator

Collaborators cooperate with outsiders, like a company's competitors or nation-states, to commit a crime. They use their access to steal intellectual property and customer information or cause business operations disruptions, often for financial or personal gain.

The Lone Wolf

Also, often for financial gain, lone wolves act independently and maliciously without external influence or manipulation. Lone wolves are especially dangerous when they have elevated levels of privilege, such as system administrators or database admins.

How fraudsters use vulnerable insiders

If a fraudster's target lies inside a protected system, they focus on attaining an employee's access privileges. Fraudsters prey on pawns and goofs for their cybercrimes. They use many tactics and techniques to get credentials: phishing emails, watering holes and weaponized malware, to name a few. With those credentials, fraudsters can move laterally within a system, escalate their privileges, make changes and access sensitive data or money. Fraudsters can access data or information from unsecured locations during outbound communication, using a command-and-control (C2) server. They can make outbound attempt changes or perform volume outbound transfers.

How fraudsters attack:

Seek vulnerability

Deploy phishing email or malware
Identify a rogue user
Attain compromised credentials

Exploit access

Move laterally to the desired target
Escalate privilege as needed
Access assets

Abuse access

Obfuscate network activity
Alter data
Exfiltrate data

How to mitigate insider threats

There are different technical and non-technical controls that organizations can adopt to improve detection and prevention with each insider threat type.

Each type of insider threat presents different symptoms for security teams to diagnose. But by understanding the motivations of attackers, security teams can approach insider threat defense proactively. To mitigate insider threats, successful organizations use comprehensive approaches. They might use security software that:

Maps accessible data
Establishes trust mechanisms—granting access, revoking access and implementing multifactor authentication (MFA)
Defines policies around devices and data storage
Monitors potential threats and risky behavior
Takes action when needed

In a 2019 SANS report on advanced threats, security practitioners identified significant gaps in insider threat defense. The report found that the gaps are driven by a lack of visibility in two areas: a baseline of normal user behavior and privileged user accounts management. These gaps become attractive targets for phishing tactics and credential compromise.

Know your users

Who has access to sensitive data?
Who should have access?
What are end-users doing with data?
What are administrators doing with data?

Know your data

What data is sensitive?
Is sensitive information being exposed?
What risk is associated with sensitive data?
Can admins control privileged user access to sensitive data?

Detection and remediation

After establishing a threat model, organizations focus on detecting and remediating insider threats and security breaches.

Security teams must distinguish between a user's regular activity and potentially malicious activity to detect insider threats. To differentiate between activities, organizations must first close visibility gaps. They should then aggregate security data into a centralized monitoring solution, whether part of a security information and event management (SIEM) platform or standalone user and entity behavior analytics (UEBA) solution. Many teams begin with access, authentication and account changelogs. Then, they broaden the scope to additional data sources, such as a virtual private network (VPN) and endpoint logs, as insider threat use cases mature.

Organizations must adopt a privileged-access-management (PAM) solution and feed data about access to privileged accounts from that solution into their SIEM. Once organizations centralize the information, they can model user behavior and assign risk scores. Risk scores are tied to specific risky events, such as user geography changes or downloading to removable media. Assigning risk scores also gives security operations center (SOC) teams the ability to monitor risk across the enterprise, whether creating watch lists or highlighting the top risky users in their organization.

With enough historical data, security models can create a baseline of normal behavior for each user. This baseline indicates the normal operating state of a user or machine so that the system can flag deviations. Deviations should be tracked for individual users and compared to other users in the same location, with the same job title or job function.

By adopting a user-focused view, security teams can quickly spot insider threat activity and manage user risk from a centralized location. For example, user behavioral analytics can detect abnormal login attempts at an unusual time of day or from an unusual location or multiple failed password attempts and generate an alert as appropriate for an analyst's validation. In other words, any behavioral anomalies will help identify when a user has become a malicious insider or if an external attacker has compromised their credentials.

Once validated, a security orchestration, automation and response (SOAR) system can create an insider threat remediation workflow. Then, the playbook can specify what remediation is needed. Potential remediation could include challenging the insider with MFA or revoking access, either of which can be done automatically in the identity access management (IAM) solution.

How to protect against insider remote workforce threats

Security threats have increased and become more complex as work-from-home and remote-work practices have expanded. As a result, remote work has fundamentally shifted security priorities and changed security measures. This security shift has introduced new challenges for security teams:

Increased overall security incidents due to behavior changes and increased attack surface
Increased phishing attacks
Lack of visibility of endpoints and servers not connected to VPN
Changes in employee behaviors due to irregular work hours, different locations and web browsing behavior changes
Increased SaaS application use and lack of visibility

Chief information security officers (CISOs) must cope with the rapid shift in IT security as it moves outside of the corporate network. A CISO's team must better understand their remote employees' distinct behaviors and remote-work implications to insider threat detection to effectively secure a company's assets. To address remote workforce challenges, CISOs must be able to answer the following questions:

How can we verify the person logging into the corporate virtual private network (VPN) is the employee, not an attacker using stolen credentials?
How can we verify an employee's anomalous behavior isn't a result of working remotely?
How can we help secure employees connecting to open and unsecured internet locations, such as coffee shops?

By understanding remote workers' behaviors, security teams can detect abnormal behavior that could signal credential compromise or malicious intent. They can often detect these behaviors at the VPN boundary before employees cause potential damage. On the perimeter, CISOs should determine if their current insider threat capabilities enable them to:

Get the appropriate visibility into access, authentication and VPN logs.
Determine if employee credentials are being used in two places simultaneously or from an unusual geographic location.
Identify if the employee uses credentials outside of regular working hours for the city of the primary employee location or if the connection duration is longer than usual.
Terminate the connection, block the device and revoke credentials through IAM.

Insider threat indicators

Suppose an attacker manages to evade detection at the perimeter and is inside the organization's network. In that case, security teams should validate the threat by looking for several compromised credentials or abuse indicators.

Security teams can derive insider threat indicators through many methods, often assisted by machine learning. These methods can help determine if the access is from a legitimate employee or a credential thief. Within the organization's network, CISOs should evaluate whether their current insider threat capabilities enable them to:

Model distinct standard activity patterns and frequency to detect baseline deviation. A deviation can indicate abuse, whether intentional or accidental.
Monitor data exfiltration attempts by the number of outbound communication attempts or connections on a given day. If an employee's number of outbound communications spikes, it could suggest monitoring that user's credentials closely.
Identify large, abnormal data volume transfers for a given employee. Monitoring the aggregate data transfer can offer a simplistic yet powerful, early compromise indication.
Inspect endpoint integrity for suspicious applications, which might indicate malware activity. By identifying new processes or application executions, you can contain the malware and reduce the organization's security risk.

By proactively adjusting their programs to compensate for the shift in employee behavior and maximize existing tool investments, security teams can better secure an enterprise network.