Security professionals are awakening to the fact that they have been spending about 100 per cent of their effort on about 50 per cent of the problem. The $120B security industry has long focused on defending organisations’ assets from external threats ‒ hackers and state actors trying to slip past their defences. However, internal actors are to blame for an increasing number of data breaches. According to Verizon’s 2017 Data Breach Investigations Report, 25 per cent of breaches were attributed to people inside the compromised company. Insider threats are one of the fastest-rising threats out there, and it’s evident that organisations cannot and should not underestimate them.
Types of insider threats
We’re all likely familiar with two primary types of insider threats. The first is the innocent employee who unknowingly exposes data by mistake. The second is the malicious insider who steals data for profit or other insidious reasons. But insiders also extend to third-party vendors and partners that have access to a company’s critical systems and assets.
Take Anthem, for example. Just last month, the company experienced a data breach that exposed information on more than 18,000 enrolees, possibly caused by an insider: allegedly one of the insurer’s healthcare consulting firms. The Anthem data breach serves as a reminder that a thief can work along the entire “insider threat kill chain” (defined below) while working for an outside business partner.
Since insiders tend to blend in, making it hard to find and prevent attacks, how can you get ahead to detect, investigate and even prevent them? It starts by learning the six steps an insider takes, and then using that knowledge to break the kill chain.
Insider threat kill chain
The bad actors involved in insider threats typically work along the “insider threat kill chain”, which is a six-stage process ‒ involving conversion, reconnaissance, collection, obfuscation, exfiltration and cleanup. The process begins with conversion: an employee who becomes disgruntled, or is lured by external recruitment efforts (i.e., coercion by outside actors) and becomes a malicious insider.
The second step is reconnaissance ‒ an insider determines where valuable data “lives”. It may already exist on the insider’s endpoint, an accessible network share, or in a company’s cloud share locations. What types of data are put at risk by insiders? Pretty much everything a company cares about: personally identifiable information (PII), protected health information (PHI), intellectual property (IP), confidential business information (e.g. M&A plans), HR information, not to mention brand reputation.
During the collection stage, the insider focuses on accumulating this valuable data for future exfiltration. Sophisticated insiders try to stay under the radar by copying smaller sets of data at a time, giving their folders innocent-sounding names, working outside of normal hours, or some combination of these.
Prior to exfiltration, sophisticated insiders typically hide the data to be exfiltrated by converting it into less obvious or harder-to-inspect formats: renaming files, zipping them or using encryption. Hence this stage is called obfuscation. Most basic DLP rules would prevent a user from copying 15,000 files to a USB drive or uploading plain-text PII or PHI to a personal cloud share. However, DLP rules fail when company secrets are packaged in an encrypted archive, because the content can no longer be inspected.
The exfiltration stage is straightforward: whether via removable media, email, cloud storage or FTP, whether fast or slow, whether obfuscated or not, data is leaving the organisation. Finally comes the cleanup stage. Most insiders spend at least some time covering their tracks by, at a minimum, deleting the cache of sensitive information they accumulated in the collection stage.
Controlling insider threat risk
Security teams need to be able to detect, investigate and manage insider threats to quickly contain the business impact to their organisation. That’s why a basic understanding of the insider threat kill chain and knowledge of its steps is the best first defence. By modelling behaviour and putting seemingly disconnected moments together, it’s possible to predict an insider’s next step and even its timing. For example, if stages 2, 3 and 4 have already happened, then the likelihood of exfiltration is extremely high. This should alert the security ops team to take action immediately to prevent further damage and loss of data.
Second, to defend against attacks before they happen, it’s essential to focus on the data. Even the most capable security system cannot prevent every attack. That’s why your security framework needs to include some combination of technologies that provide real-time visibility into your data and its usage.
Finally, when it comes to insider threats, time is money. The longer an insider goes undiscovered, the further they can work the kill chain and the greater the loss or damage. Just recognising the problem isn’t enough: organisations need to take action. Consider a purpose-built solution that lets you focus on detecting insiders at every step of the insider kill chain, where DLP, endpoint security and other solutions are unable to.
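As an added example, not code from the article or from ThinAir, the following Python correlator turns the argument above into a check: it maps constructed endpoint events to kill-chain stages per user and raises a high-severity alert as soon as reconnaissance, collection and obfuscation (stages 2, 3 and 4) have all been seen, before any exfiltration event. The event names, fields and stage mapping are assumptions chosen for illustration; a benign user who copies and uploads a plain file never completes the staging set and so produces no alert.

```python
# Kill-chain stage correlation over constructed endpoint events (assumed schema).
# "ts" is minutes since shift start; paths and user names are made up.
EVENTS = [
    {"ts": 0,  "user": "alice",   "action": "file_copy_local", "path": "C:/staging/q3.xlsx"},
    {"ts": 5,  "user": "alice",   "action": "cloud_upload",    "path": "C:/staging/q3.xlsx"},
    {"ts": 60, "user": "mallory", "action": "share_enum",      "path": "\\\\fs01\\hr"},
    {"ts": 61, "user": "mallory", "action": "share_enum",      "path": "\\\\fs01\\finance"},
    {"ts": 70, "user": "mallory", "action": "file_copy_local", "path": "C:/photos/p1.csv"},
    {"ts": 75, "user": "mallory", "action": "file_copy_local", "path": "C:/photos/p2.csv"},
    {"ts": 80, "user": "mallory", "action": "archive_create",  "path": "C:/photos/holiday.zip",
     "encrypted": True},
    {"ts": 90, "user": "mallory", "action": "usb_write",       "path": "E:/holiday.zip"},
    {"ts": 95, "user": "mallory", "action": "delete",          "path": "C:/photos"},
]

STAGING = {2, 3, 4}  # reconnaissance, collection, obfuscation: the pre-exfiltration set


def stage_of(ev):
    """Map one event to a kill-chain stage number, or None if it is not a stage indicator."""
    a = ev["action"]
    if a == "share_enum":
        return 2                                   # reconnaissance: locating where data lives
    if a == "file_copy_local":
        return 3                                   # collection: staging data on the endpoint
    if a == "archive_create" and ev.get("encrypted"):
        return 4                                   # obfuscation: DLP cannot inspect the content
    if a == "file_rename_ext":
        return 4                                   # obfuscation: hiding the file type
    if a in ("usb_write", "cloud_upload", "email_attach", "ftp_put"):
        return 5                                   # exfiltration, whatever the channel
    if a == "delete":
        return 6                                   # cleanup
    return None


def correlate(events):
    """Return alerts: 'pre-exfiltration' when stages 2-4 complete, 'exfiltration' if stage 5 follows."""
    seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage is None:
            continue
        stages = seen.setdefault(ev["user"], set())
        before = set(stages)                       # stages observed prior to this event
        stages.add(stage)
        if STAGING <= stages and not STAGING <= before:
            alerts.append({"user": ev["user"], "ts": ev["ts"],
                           "alert": "pre-exfiltration", "severity": "high"})
        elif stage == 5 and STAGING <= before:
            alerts.append({"user": ev["user"], "ts": ev["ts"],
                           "alert": "exfiltration", "severity": "critical"})
    return alerts
```

Running `correlate(EVENTS)` yields a high-severity alert for mallory at minute 80, ten minutes before the USB write, which is the window the text says the security ops team should act in.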
Healthcare, finance, technology and public sector organisations are reaching an inflection point with insiders becoming the major threat actor in most data breaches, motivated by financial and espionage reasons. Insider threat mitigation needs to be a high priority in enterprise security programs across all organisations in every sector, implementing technologies that will further strengthen the security posture, while not interrupting users as they try to get their work done every day.
Tony Gauda, CEO, ThinAir