Managing Insider Threats: Why Context is Critical

The subject of ‘The Insider Threat’ is rising fast up the corporate agenda. While you might think a company’s own employees would be less likely to pose security risks than external attackers, a recent analysis by Computing has found that this type of threat was a factor in half of reported breaches, explains Josh Lefkowitz.

When breaches caused by an insider threat are disclosed, they can be particularly damaging to a company’s reputation, implying poor company culture and negligence and thereby having the potential to erode trust in the organisation. Even if a breach doesn’t become public knowledge, if it involves the theft of Intellectual Property or other critical assets then it can harm the company’s competitive position.

Whether arising from disgruntled employees, acts of carelessness or systematically malicious actors, an insider threat is a particularly complex risk to manage. Just like external threats, the tools, techniques and procedures used by insiders are evolving all the time.

Identifying the risk within the walls

Insider threats are more nuanced than their external equivalent, making them difficult to manage with conventional security tools alone. An external attack typically requires an initial exploit or breach to gain access to the target network. In most cases, these will trigger alerts from automated intrusion detection systems and prompt incident response teams to investigate.

Insiders, on the other hand, already have network access and privileges, so they typically will not trigger perimeter monitoring systems. Identifying suspicious or negligent actions relies on correlating intelligence from multiple sources. These might include user and entity behaviour analytics, data loss prevention tools, network logs and endpoint device activity.

However, while these tools might tell you that an employee is acting out of character (i.e. logging in on the weekend without a previous history of doing so, or using keywords in e-mails that suggest they’re not happy with the company), they cannot offer insight into what’s going on with users outside the walls that might be contributing towards an organisation’s risk from an insider threat.
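The "weekend logon without a previous history" signal mentioned above can be sketched as follows. This is an added example, not code from the article or from any product it refers to; the event format, the function name and the five-day baseline threshold are assumptions, and the sample events are constructed. Users with too little history are labelled separately rather than alerted on, and the output is only a flag for an analyst, with none of the outside context the article goes on to discuss.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: (user, ISO timestamp of a successful logon).
WEEKDAYS = [f"2024-03-0{d}T09:00:00" for d in range(4, 9)]  # Mon 4 Mar to Fri 8 Mar
SAMPLE_EVENTS = (
    [("alice", t) for t in WEEKDAYS] + [("alice", "2024-03-09T22:15:00")]
    + [("bob", "2024-03-02T10:00:00")] + [("bob", t) for t in WEEKDAYS]
    + [("bob", "2024-03-09T10:00:00")]
    + [("carol", "2024-03-08T09:30:00"), ("carol", "2024-03-09T11:00:00")]
)

# Assumed threshold: distinct logon days needed before a baseline is trusted.
MIN_BASELINE_DAYS = 5


def first_weekend_logons(events, min_baseline_days=MIN_BASELINE_DAYS):
    """Report each user's first weekend logon, judged against prior history."""
    days_seen = defaultdict(set)   # user -> distinct dates with a logon so far
    weekend_users = set()          # users who have already logged on at a weekend
    findings = []
    for user, ts in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if when.weekday() >= 5:    # 5 = Saturday, 6 = Sunday
            if user not in weekend_users:
                history = len(days_seen[user])
                # Enough weekday-only history: out of character for this user.
                # Too little history (e.g. a new joiner): no baseline to compare.
                reason = ("first_weekend_logon" if history >= min_baseline_days
                          else "insufficient_baseline")
                findings.append({"user": user, "time": ts,
                                 "reason": reason, "baseline_days": history})
            weekend_users.add(user)
        days_seen[user].add(when.date())
    return findings


if __name__ == "__main__":
    for finding in first_weekend_logons(SAMPLE_EVENTS):
        print(finding)
```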

Say, for example, that an unhappy employee is also active in illicit online communities on the Deep and Dark Web. Or maybe they have financial troubles and have been recruited and bribed by an external threat actor to steal valuable data. These types of situations are where human oversight and analysis are needed. Business risk intelligence derived from monitoring illicit online communities can put valuable context around the activities of an individual, flagging them up for investigation.

What sorts of incidents might be picked up, then?

High risk moments: leavers and joiners

Most companies are aware that, when an employee’s leaving on unfavourable terms or is poached by a competitor, there’s a risk that they may use their network access for revenge or to exfiltrate data that might be useful to their new employer. Revoking the employee’s credentials should be a priority to minimise that type of risk.

However, a less obvious, but equally vulnerable moment is when a new employee joins the company. While the Human Resources Department will likely have done due diligence over employee references, they might not be aware of all the employee’s connections or motivations. Business risk intelligence can offer that insight and prevent malicious actors from entering the organisation.

A case in point occurred for a Fortune 500 enterprise several years ago when a prospective employee was found to be connected to a threat actor known for recruiting insiders to steal corporate data for extortion. Once aware of the threat, the enterprise concerned was able to deny employment to the person in question and act to strengthen security against the kind of attack pattern used by that actor.

The launch of a new product is another high-risk period for businesses. Intellectual Property represents up to 80% of the value of a company so its theft can have devastating consequences. Naturally, company employees have access to trade secrets and product information. For a minority this can prove to be a temptation. Once stolen, however, the thief needs to find a way in which to profit and this often involves the Deep and Dark Web or other illicit online communities where compromised assets are bought and sold.

In a recent example, Flashpoint analysts saw source code from a multinational technology company’s unreleased software offered for sale on an elite cyber crime forum. Analysis determined that the source of the breach was a company employee and, once informed, the company was able to terminate the rogue employee’s contract and take remedial action to protect the product.

The key here is that, until they advertised their ill-gotten wares on the Deep and Dark Web, the employee had successfully evaded internal detection. With the context provided by business risk intelligence, many of the employee’s activities which may have seemed innocuous at the time could no doubt be seen in a very different light.

Insider tools, techniques and procedures become more sophisticated

While classic insider threat actions involve e-mailing files to personal e-mail accounts or third party destinations, downloading data to removable drives and physically stealing printed documents, we’re also seeing malicious insiders becoming more sophisticated at avoiding detection.

Realising that companies are becoming wise to insider threats, some actors are growing more proficient at using secure communication methods such as encrypted chat services and Deep and Dark Web forums, which are almost impossible for companies to monitor without any help from experienced analysts with access to these communities.

This increasing use of secure communication channels and the Deep and Dark Web is itself fuelling the insider threat risk, as it means actors are exposed to advanced tools, techniques, procedures and resources that can be used to attack systems and exfiltrate data from a privileged insider position. Further, company employees who engage in malicious communities within the Deep and Dark Web put themselves at risk of recruitment by external actors who increasingly include nation state-sponsored agents seeking to bribe or blackmail insiders into stealing data.

The key is that the majority of employees don’t pose a malicious insider threat risk. Sure, some may make mistakes or occasionally act out of character. In fact, the network activities of new joiners are frequently flagged as suspicious by automated tools simply because of the number of errors these employees tend to make when navigating the network.

Knowing which of these flags to pursue requires a level of context that highlights the external factors influencing insiders. Business risk intelligence offers this context, making insider threat management more effective in protecting the kingdom from those who already have the keys.

Josh Lefkowitz is CEO at Flashpoint

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)