
What Is an Insider Threat?

LastPass, published July 08, 2024

Understanding Insider Threats  

Insider threats are potential weaknesses, in an organization of any size, that can cause harm through a human vulnerability. Insider threats are people: people who use their privileges, either maliciously or unintentionally, to cause a cybersecurity incident.

Inside actors know the landscape of a company intimately and can wreak havoc on an organization’s infrastructure. Regardless of the motivations of the inside actor, the impact can be extreme. 

Understanding and managing insider risk is an important security component.  

What Is an Insider Threat?

Definition of an insider threat  

CISA defines an insider threat as “the potential for an insider to use their authorized access or understanding of an organization to harm that organization.” This can be malicious and intentional, or this can be accidental.  

For example, consider the CIA triad, which describes how data should be protected and the ways it can be mishandled or misused. The CIA triad is an acronym: the C stands for confidentiality, the I for integrity, and the A for availability. All three properties must be retained and protected within an organization. Data must be available when it is needed. Data must be protected from those who don't need it, and kept confidential where necessary. Data must have integrity: it cannot be tampered with. In the case of an insider threat, all three aspects of the CIA triad are at risk.

Common characteristics of insider threats  

Insider threats begin with the people in an organization and can be found in any position within an organization. Some have malicious intentions. Others simply make high-cost mistakes through carelessness, ignorance, or gullibility. 

Insider threats, particularly malicious ones, have some common characteristics. These are often high-conflict individuals who express disinterest in tasks and assignments. They commonly violate compliance procedures or data protection rules. They may misuse allowed expenses such as air travel, hotel, home office, or meal expenses. Another common characteristic is that persons who threaten an organization tend to have continuously poor performance reviews and may be particularly interested in learning about activities that are not part of their job role.

There are things unintentional insider threats have in common as well: a lack of knowledge, education, and best practices. Many are simply gullible and easily manipulated. Some are lazy or like to “work the system” to their advantage. All carry an insider risk. 

Impact of insider threats on organizations  

Crowd Research Partners found that 90% of cybersecurity professionals believe their organizations are vulnerable to insider threats. IBM found that the median cost of a malicious cyber insider threat incident was $4.45 million and took 314 days on average to identify and contain. These are impressive numbers.  

Types of Insider Threats  

Malicious insiders vs. unintentional insiders

Malicious insiders are determined to harm an organization. They may do so for profit, on principle, or simply because they feel slighted by the organization. Some also become malicious simply by their determination to complete tasks with as little effort as possible and to ignore compliance rules and security requirements.  

Unintentional insiders may even feel positive toward the organization and be very well-meaning. They simply lack awareness, education, and knowledge to prevent an incident.  

Examples of different types of insider threats  

A person wishing to end the use of animals for animal testing may find employment in a place where animals are used for testing, work his way up to a role where he has access to the cages the animals are kept in, and release them. A person who feels slighted by a manager may break the manager’s computer or hit the manager’s vehicle, rendering it unusable, on the way out.  

In cybersecurity, this looks slightly different but has the same effect. Imagine a disgruntled employee who knows he will be fired soon. Now imagine this same person still having access to download company contacts or other data for personal use, or using unrevoked access in a capacity that helps him in his future role, causing harm to the company.  

Imagine an employee going on parental leave knowing they intend not to return, and still having access to their employee dashboard, being able to use company funds for travel.  

Now take this further and imagine a person who wants to steal company secrets to build their own tools, or funnel money from inside the organization to another individual for a debt they owe. Malicious insiders can be as impactful or as relatively harmless as they decide to be. And those with technical skills can do extreme damage. 

Unintentional insider threats, however, usually create a security incident inadvertently, such as by copying sensitive data and losing it at a public coffee shop on the way home, or by granting access to a malicious actor or downloading malware without realizing they did so.  

Motivations behind insider attacks  

As with most crimes, malicious insiders are motivated by financial gain, emotional satisfaction, or politics.  

Unintentional insider threats are not motivated this way but may cause issues by leaving devices unattended in vehicles or unlocked offices, by sacrificing security best practices for convenience, or by a simple lack of education surrounding security concepts. Unintentional insider threats fall into two categories: negligent or accidental, and both do damage. 

How Does an Insider Threat Occur?  

Exploring the methods and techniques used by insiders to carry out attacks  

Insider threats can leak important and private data, sabotage equipment, and even steal company property or data. They can do this directly themselves or do so through a third party to whom they give access.  

Analyzing common vulnerabilities that allow insider threats to occur  

Backdoors via remote access are a common vulnerability allowing insider threats to occur. Another common vulnerability is a disabled security setting or removed or unused security tool. Sometimes insiders can tamper with hardware or manually disable settings or configurations. It's important to look at each component of a system and search for vulnerabilities. 

Examining case studies of insider threat incidents

Edward Snowden is a classic example of an insider threat who disclosed millions of files he accessed through his role as a contractor working at the NSA in the early 2000s. Another case from the same period is Chelsea Manning, a former U.S. soldier who similarly released inside information, more than 500,000 documents, to WikiLeaks. More recently, two former Tesla employees leaked private information including the social security numbers of over 75,000 employees. All of these were insider threats.

Identifying Insider Threat Indicators  

Behavioral indicators of potential insider threats  

People who commit workplace violence or often have conflicts with co-workers should be observed, if not removed. People who keep to themselves or are secretive should also be a concern. Other behavioral indicators include a lack of knowledge about cybersecurity best practices, negligent behavior, not following guidelines, frequent problems with management, and values that conflict with the organization's values.

Technical indicators to watch for  

There are some simple indicators to help ease monitoring for insider threats.  

First, be on alert for unusual traffic patterns, late logins or logins at strange hours, and patterns of access to sensitive data outside the norm. Another common technical indicator is a pattern of using personal devices instead of IT-approved company devices. Look for possible insider threats when backdoors are found, and when security settings are found disabled or tools unused. Keeping to the principle of least privilege and a focused eye on access management also helps, as an insider threat may be requesting access to applications or drives outside the scope of their own work.
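As an added example (not code from the LastPass post), the indicators above can be turned into simple checks over access-log events: logins outside normal hours, use of a device that is not IT-approved, and access to resources outside the user's role, with sensitive resources called out separately. The log format, role baselines, device list and sample lines are all constructed for this example.

```python
from datetime import datetime

# Constructed baselines (assumptions for this example, not real data):
# which resources each role normally touches, who holds which role,
# which resources count as sensitive, and which devices IT has approved.
ROLE_RESOURCES = {
    "sales": {"crm", "email"},
    "engineering": {"repo", "email", "ci"},
}
USER_ROLES = {"alice": "sales", "bob": "engineering"}
SENSITIVE = {"hr-share", "finance-db", "repo"}
APPROVED_DEVICES = {"LT-0001", "LT-0002"}
WORK_HOURS = range(7, 20)  # 07:00 to 19:59 counts as a normal login hour

# Constructed sample log: timestamp|user|event|resource|device
SAMPLE_LOG = """\
2024-07-08T09:12:00|alice|login|-|LT-0001
2024-07-08T09:15:00|alice|access|crm|LT-0001
2024-07-08T02:40:00|bob|login|-|LT-0002
2024-07-08T02:43:00|bob|access|finance-db|LT-0002
2024-07-08T11:05:00|alice|access|hr-share|PERSONAL-PHONE
"""

def parse(line):
    ts, user, event, resource, device = line.split("|")
    return datetime.fromisoformat(ts), user, event, resource, device

def flag_event(line):
    """Return the indicator names this single event trips (empty if none)."""
    ts, user, event, resource, device = parse(line)
    flags = []
    if event == "login" and ts.hour not in WORK_HOURS:
        flags.append("off-hours-login")
    if device not in APPROVED_DEVICES:
        flags.append("unapproved-device")
    if event == "access":
        allowed = ROLE_RESOURCES.get(USER_ROLES.get(user, ""), set())
        if resource not in allowed:
            flags.append("outside-role-scope")  # least-privilege violation
            if resource in SENSITIVE:
                flags.append("sensitive-data")  # escalate for review
    return flags

def review_log(text):
    """Map each flagged log line to its indicators; clean lines are omitted."""
    findings = {}
    for line in text.strip().splitlines():
        flags = flag_event(line)
        if flags:
            findings[line] = flags
    return findings
```

Running `review_log(SAMPLE_LOG)` flags three of the five constructed lines; a real deployment would derive the role baselines from the access-management system rather than hard-coding them.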

Role of employee monitoring in detecting insider threats  

Employee monitoring is an essential part of identifying and detecting potential insider risk and insider threats. Creating a company culture of cybersecurity awareness, a safe place to report, and a sense of teamwork, where people who don't share the same values stand out and are encouraged to speak with someone when they have a grievance, is a great way to meet this objective and filter out potential threats. A clear understanding of the psycho-social dynamics that contribute to malicious behavior is useful for those in management.

Preventing Insider Threats  

Implementing access controls and least privilege  

Access controls are a process of managing and protecting access to data and resources. IT managers should carefully implement access controls. The principle of least privilege (PoLP) should be observed: giving permissions only within the realm of a person’s job description. It is important to be proactive against insider threats by following these principles. 

Importance of employee training and awareness  

Cybersecurity training and employee awareness training via human resource channels about appropriate behaviors is another way to be proactive. Whether an organization develops training itself or outsources to a training company, one of the simplest solutions to prevent threats is to invest in training and raise employee awareness.  

Role of technology solutions in mitigating insider threats  

There are technological solutions to mitigate insider threat risk. A password manager is a great step in ensuring that security best practices are followed. In today’s world, there are tools and options for virtually any budget to improve security, gather intelligence, detect and hunt threats, and quickly respond. 

Responding to Insider Threats  

Developing an incident response plan

An incident response plan is critical for every organization. This involves determining which aspects of a network are critical infrastructure and noting which points can fail. Regularly backing up data should be part of the plan. Monitor all devices and systems regularly, and review the plan after each incident, to see what was learned and what can be adapted or changed.  

Steps to take when an insider threat is identified  

If an insider threat is identified, obtain as much information as possible about the insider’s access and privileges. Determining the impact and addressing this comes first. As quickly as possible, contain the threat, and make efforts to mitigate it. Once the incident is over, review and analyze what was learned, and adjust the incident response plan for a faster, stronger response next time.  

Collaborating with law enforcement and legal authorities  

It is useful to consult with law enforcement and national security organizations to learn best practices that can assist business owners and IT managers in creating and implementing a game plan for preventing insider risk and insider threats. When law enforcement must be brought in, it is useful to have thorough documentation and to ensure the documentation is organized, readable, and easy to understand.  

Check in with these organizations regularly to ask questions, and to follow their recommended best practices.  Ensure that an incident response plan fully meets their standards of evidence and the scope of documentation they will need to prosecute. 

Best Practices for Insider Threat Management  

Creating a culture of security within the organization  

Security is a culture. Creating an environment that insists on and regularly promotes security best practices, a safe reporting environment, and knowledge of behavioral standards and expectations is the best way to develop a culture that keeps insider threats at bay.  

Excellent team building and a sense of connectedness with management, along with a culture that rewards and celebrates achievements, is another way to reduce insider threat risk and ensure that insider risk is immediately noticed and handled.  

Establishing clear policies and procedures  

Once a plan is in place, standards of operation are needed so that everyone in the organization is on the same page. It is also helpful to check in with providers of tools or systems the organization uses, to see if they have established best practices for security, so these can be applied. Lastly, clear procedures for identifying, reporting, monitoring, and recovering from insider threats are needed and should be followed by all persons within the organization, again, utilizing the principle of least privilege.  

Continuous monitoring and auditing of privileged accounts

All accounts should be monitored and regularly audited. PAM (privileged access management) and PIM (privileged identity management) are similar security solutions to assist with improving insider threat security.  

In addition, an organization using a password manager like LastPass will benefit from the zero-knowledge model (in which even the security company does not have access to credentials) as well as from implementing MFA (multi-factor authentication).

Monitoring tools, military-grade encryption, and regular third-party auditing and certification can significantly add to the security of an organization. LastPass provides this along with monitoring tools to help update weak or reused passwords, assess and improve overall security, fill forms securely, and even check for information that may be involved in a breach.

With careful planning and the right tools, it is possible to manage and detect insider threats.

FAQ

Who could be an insider threat?

Employees in any role can be an insider threat. Those who inadvertently compromise their organization’s security may share proprietary data without permission, misplace sensitive resources in public spaces, or download malware without realizing it.

Meanwhile, those with malicious intent are often high-conflict individuals who purposely misuse expense benefits, evade security protocols, and demonstrate poor job performance.

What motivates an insider attack?

Insiders who pose a threat fall into two categories: unintentional or malicious.

The first habitually bypasses security controls for convenience. They may feel positive about the organization but view its security policies as overly restrictive and unreasonable.

Meanwhile, malicious insiders actively work to harm the organization. They’re often motivated by profit, greed, ideological differences, or revenge.

How can organizations detect and prevent insider threats?

To detect insider threats, organizations should watch for:

· Behavioral indicators such as negligent habits, views that conflict with the organization’s values, overly reserved natures, and ill will towards managerial staff

· Technical indicators such as unusual traffic patterns, logins outside of work hours, use of non-IT approved devices, disabled security settings, requests for resources outside the scope of job roles

To prevent insider threats, organizations should:

· Implement access controls based on the least privilege principle

· Invest in awareness training for employees

· Encourage vigilance by promoting a safe reporting environment

· Use a password manager to monitor both regular and privileged accounts
