What is an insider threat?
An insider threat describes an event where an insider intentionally or unintentionally misuses their access, which results in a data breach, data loss, or loss of integrity of critical systems. While security holes can open in your network as a result of software and applications, most insider threats involve people.
As many as one out of three security incidents involve insiders according to the Verizon Data Breach Report, making insider threats a large enough issue to warrant enhanced vigilance. With traditional IT security putting all its ammunition at the perimeter, internal networks are at risk from insider attacks.
Why is it important to identify potential insider threats?
The capability to detect an insider threat quickly is essential to limiting the damage of any potential data breach. Valuable information resides on your internal networks, such as employee records with personally identifiable information, accounting department codes, employee ID data, customer records, and more.
By identifying suspicious activity early, the risk and damage of data breaches can be minimized. They are not difficult to protect against, as long as you are able to spot certain insider threat indicators.
How an insider threat appears
Insider threats appear in four primary ways: through violence, espionage, sabotage, or theft, with the latter three the most common digitally.
- Espionage: Espionage is done with the goal of getting secrets to tell for either political, military, or economic purposes. For example, a competitor might enlist the help of an employee with insider knowledge to steal trade secrets and other valuable data.
- Sabotage: One way to sabotage an organization's infrastructure is not following maintenance or IT procedures or physically damaging facilities and equipment. Another way is deleting code so that the regular operations of your organization are disrupted.
- Theft: This threat is when a person removes or copies data from your internal network for their own personal or financial gain.
The malicious insider threats that you encounter will most typically fall under these types, or a combination of the three.
Malicious insiders vs. human error
An insider threat is either intentional or unintentional, with the latter most often resulting from human error.
Intentional threats are when someone is trying to hurt the organization for their benefit. Sometimes, they want to get revenge because they are not happy with how they were treated. For example, if someone was not promoted or fired and wanted to get even, that person could pose a threat. They'll often leak sensitive company information for personal or financial gain or attempt to sabotage the network, opening it to attack.
However, unintentional threats happen through two primary avenues: accident or negligence. Accidents do happen, like an employee might accidentally send sensitive data to the wrong contractor, forget to log out at the end of the workday, or fall for a cleverly designed phishing scam.
Other types of threats
Other more specific types of insider threats are less common, but important to be aware of to protect an organization. A collusive threat is a particular type of insider threat where one or a group of insiders with authorized access to proprietary data collude with an external actor to compromise a targeted organization. These insiders are acting purely for personal gain and most likely receiving financial compensation for their activity.
Another type of insider threat comes from third parties, such as contractors or vendors who have access to the company network. All of these types of threats fall into either one of two categories, direct or indirect.
- Direct threats: Individuals acting in a way that compromises network security.
- Indirect threats: Typically software flaws that unintentionally compromise network security.
Examples of insider threats
Insider threats are unfortunately becoming more common across industries and companies. Here are some real-word examples of these attacks:
- During the pandemic lockdowns, many companies furloughed or laid off large segments of their workforce, upsetting some employees. One individual let go from a medical packaging company in March 2020 hacked into the company's network and deleted over 120,000 files -- slowing shipments of critical PPE gear to the company's customers.
- In 2019, a security researcher discovered that Microsoft had forgotten to secure their customer databases, effectively disclosing over 250 million customer records to the Internet. This would be a real-world example of "negligent insiders."
- Former employees are often overlooked when thinking about insider threat vectors. Networking giant Cisco learned this the hard way after failing to properly audit who had access to the company resources. The disgruntled former employee used his access to deploy malware across the network, which deleted 16,000 user accounts and did $2.5 million in damage.
- Electric vehicle maker Tesla has been the victim of at least two attempted insider attacks within the past five years alone, one of which was successful. The first occurred sometime in mid-2018, when a current employee did 'extensive and damaging sabotage' to the company's systems, including tweaking code on internal products and disclosing company data without authorization. The second occurred just two years later, involving a Russian national who attempted to recruit employees at Tesla's Gigafactory to deliver malware to spy on the company by offering a $1 million reward.
Insider risk indicators
An organization that is well equipped to detect insider threats early will limit any potential damage. An insider threat can be the most damaging since the threat is already inside the network, where access to sensitive data may be much easier. For corporate networks, there are indicators that may be early warning signs of potential insider threats.
- Unusual login patterns: IT departments already have data on the normal login patterns of their users: when they log in, where they log in from, and so forth. If a user login occurs that doesn't follow this pattern, you should treat it with suspicion.
- Unusual application access: Is the user attempting to access applications they don't have the privileges for? Are these attempts happening repeatedly? If so, it might be a sign of a compromised account.
- Excessive downloading: Malicious insiders are likely after resources like intellectual property and other proprietary data stored in huge files and databases. If an insider uses excessive bandwidth on the network, administrators should verify the activity is legitimate.
- A high number of users with escalated privileges: Just because an administrator can grant others access to sensitive information does not mean that they will be smart about which users are granted access. Escalated privileges should be restricted to as small of a group as possible, as anyone with a higher level of access to your company network could be a potential insider threat.
- Changes in behavior: Watch for differences in behavior, such as hostility towards coworkers, skittish behavior, unexplained increases in wealth, or sudden resignation. Often a malicious insider will quickly resign without explanation. While it might be that they found a new job quickly, it may still be worth it to review your server logs to be safe.
These five indicators are likely the most obvious to spot but are by no means an exhaustive list. The biggest thing to watch for is odd behavior or activity on the network.
How to prevent insider threats
What are some best practices for preventing insider threats? We've come up with a list of recommendations you can use to limit your insider risk quickly and effectively.
- Verify code commits: Only let verified corporate identities commit source code. Learn how you can keep your organization safe by verifying every code commit, from every device with Beyond Identity’s Secure DevOps.
- Set up strong security policies: Enable risk-based authentication policies and set up a strong access control policy to protect internal resources.
- Audit your users: Who has authorized access to sensitive infrastructure? Do they still need the access they have? Remove inactive and dormant accounts now and it will save you headaches later.
- Be vigilant: While you'll never have to worry about most employees, that doesn't mean you should monitor the behaviors of your privileged users any less than you would an outside threat. Your capability to detect insider threats will be much higher if you trust no one.
- Implement zero trust: By nature, a zero trust network considers any connection a potential threat no matter its source and provides access to sensitive data on an as-needed basis. Transitioning from the "castle and moat" mentality of traditional IT security to one where no user or device is automatically trusted will significantly decrease insider risk.
- Use watch lists effectively: There will be users who require more monitoring from time to time, but if you're not careful, these lists can bog down your IT department with needless work. Investigate and remove them from the list as soon as possible. Develop methods and best practices now to ensure watch lists are used effectively.
- Enlist the help of your users: Be sure to give your users an easy method to report suspicious activity. Employees are around each other every day and will notice changes in the behavior of a potential insider threat far faster than you will. Educate them on what to look for and what to report.