Managing insider threats – context is critical

(Image credit: Shutterstock/Andrea Danti)

The topic of insider threat is fast rising up on the corporate agenda. While you might think a company’s own employees would be less likely to pose security risks than external attackers, analysis by Computing has found that insider threat was a factor in half of reported breaches.

When breaches caused by insider threat are disclosed, they can be particularly damaging to a company’s reputation, implying poor company culture or negligence and thereby eroding trust in the organisation. Even if a breach doesn’t become public knowledge, if it involves the theft of intellectual property or other critical assets it can harm the company’s competitive position.

Whether arising from disgruntled employees, acts of carelessness, or systematically malicious actors, insider threat is a particularly complex risk to manage. And, just like external threats, the tactics, techniques and procedures (TTPs) used by insiders are evolving all the time.

Identifying the risk within the walls

Insider threat is more nuanced than its external equivalent, making it difficult to manage with conventional security tools alone. An external attack typically requires an initial exploit or breach to gain access to the target network. In most cases these will trigger alerts from automated intrusion detection systems and prompt incident response teams to investigate.

Insiders, on the other hand, already have network access and privileges, so they typically won’t trigger perimeter monitoring systems. Identifying suspicious or negligent actions relies on correlating intelligence from multiple sources. These might include user and entity behaviour analytics (UEBA), data loss prevention (DLP) tools, network logs and endpoint device activity. However, while these tools might tell you that an employee is acting out of character—logging in at the weekend with no previous history of doing so, or using language in emails that suggests they’re not happy with the company—they can’t offer insight into what’s going on with users outside the walls that might be raising an organisation’s risk of insider threat.

Say, for example, that an unhappy employee is also active in illicit online communities on the deep & dark web (DDW). Or maybe they have financial troubles and have been recruited and bribed by an external threat actor to steal valuable data. These are the situations where human oversight and analysis are needed. Business Risk Intelligence derived from monitoring illicit online communities can put valuable context around the activities of an individual, flagging them up for investigation. So, what sorts of incidents might be picked up?

High risk moments – leavers and joiners

Most companies are aware that when an employee is leaving on unfavourable terms, or is poached by a competitor, there’s a risk that they may use their network access for revenge or to exfiltrate data that might be useful to their new employer. Revoking the employee’s credentials should be a priority to minimise that risk.

However, a less obvious but equally vulnerable moment is when a new employee joins the company. While the HR department will likely have done due diligence over employee references, they might not be aware of all the employee’s connections or motivations. Business Risk Intelligence can offer that insight and prevent malicious actors from getting inside organisations. A case in point occurred for a Fortune 500 enterprise several years ago when a prospective employee was found to be connected to a threat actor known for recruiting insiders to steal corporate data for extortion. Once aware of the threat, the enterprise was able to deny employment to the person in question and act to strengthen security against the kind of attack pattern used by that actor.

The launch of a new product is another high-risk period for businesses. Intellectual property represents up to 80 per cent of the value of a company, so its theft can have devastating consequences. Naturally, company employees have access to trade secrets and product information and to a minority it can prove a temptation. Once stolen, however, the thief needs to find a way to profit and this often involves the DDW or other illicit online communities where compromised assets are bought and sold.

In a recent example, Flashpoint analysts saw source code from a multinational technology company’s unreleased software offered for sale on an elite cybercrime forum. Analysis determined that the source of the breach was a company employee and, once informed, the company was able to terminate the rogue employee’s contract and take remedial action to protect the product. The key here is that, until they advertised their ill-gotten wares on the DDW, the employee had successfully evaded internal detection. With the context provided by Business Risk Intelligence, many of the employee’s activities—which may have seemed innocuous at the time—could no doubt be seen in a very different light.

Insider TTPs become more sophisticated

While classic insider threat actions involve emailing files to personal email accounts or third-party destinations, downloading data to removable drives and physically stealing printed documents, we are also seeing malicious insiders becoming more sophisticated at avoiding detection. Realising that companies are getting wise to insider threat, some actors are growing more proficient at using secure communication methods such as encrypted chat services and DDW forums, which are almost impossible for companies to monitor without help from experienced analysts with access to these communities.

This increasing use of secure communication channels and the DDW is itself fuelling insider threat risk, as it means actors are exposed to advanced TTPs and resources that can be used to attack systems and exfiltrate data from a privileged insider position. Further, company employees who engage in malicious communities on the DDW put themselves at risk of recruitment by external actors, who increasingly include nation state-sponsored agents seeking to bribe or blackmail insiders into stealing data.

Focusing resources where they’re needed

The key is that the majority of employees don’t pose a malicious insider threat risk. Sure, some may make mistakes or occasionally act out of character. And in fact, the network activities of new joiners are frequently flagged as suspicious by automated tools simply because of the number of errors these employees tend to make when navigating the network. Knowing which to pursue requires a level of context that flags the external factors that are influencing insiders. Business Risk Intelligence offers this context, making insider threat management more effective in protecting the kingdom from those who already have the keys.
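The two points above, that behavioural tools flag out-of-pattern activity such as a first weekend login, and that new joiners generate noisy alerts simply because they have no history yet, can be made concrete with a small detection routine. The following is an added example written for this page, not Flashpoint's tooling or anything from the original article; the log lines and HR roster are constructed, the log format (`<ISO timestamp> <user> <event>`) is assumed, and the thresholds are arbitrary. It builds a per-user login baseline, flags weekend logins by users with no weekend history, and then uses joiner/leaver context from HR to rank the alerts, so that a notified leaver is escalated while a new joiner with no baseline is de-prioritised rather than treated as a confirmed anomaly.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample authentication log (not from the article): "<ISO timestamp> <user> <event>".
# 2023-02-11, 2023-02-18 and 2023-03-04 are Saturdays; 2023-03-05 is a Sunday.
AUTH_LOG = """\
2023-02-06T09:02:11 alice login_success
2023-02-07T08:58:40 alice login_success
2023-02-08T09:10:02 alice login_success
2023-02-09T09:01:55 alice login_success
2023-02-10T08:49:30 alice login_success
2023-02-13T09:05:12 alice login_success
2023-02-14T09:00:41 alice login_success
2023-02-15T09:12:09 alice login_success
2023-02-16T08:57:33 alice login_success
2023-02-17T09:03:27 alice login_success
2023-02-11T10:30:00 bob login_success
2023-02-13T09:00:00 bob login_success
2023-02-18T11:15:00 bob login_success
2023-03-01T09:00:00 carol login_success
2023-03-02T09:05:00 carol login_success
2023-03-04T09:00:00 bob login_success
2023-03-04T13:40:00 alice login_success
2023-03-05T16:02:00 carol login_success
"""

# Constructed HR roster: the joiner/leaver context that network tools alone do not have.
# "start" is the first working day; "leaving" is the notified last day, or None.
HR_ROSTER = {
    "alice": {"start": date(2019, 5, 1), "leaving": date(2023, 3, 31)},
    "bob": {"start": date(2020, 1, 15), "leaving": None},
    "carol": {"start": date(2023, 3, 1), "leaving": None},
}

CUTOFF = datetime(2023, 3, 1)  # events before this build the baseline; later events are scored
MIN_HISTORY = 5                # fewer baseline logins than this means "no reliable baseline"
JOINER_DAYS = 30               # tenure below this (days) is treated as a new joiner
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_log(text):
    """Parse log lines into (timestamp, user, event) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return events


def build_baseline(events, cutoff):
    """Count total and weekend successful logins per user from events before the cutoff."""
    baseline = defaultdict(lambda: {"total": 0, "weekend": 0})
    for ts, user, event in events:
        if event != "login_success" or ts >= cutoff:
            continue
        baseline[user]["total"] += 1
        if ts.weekday() >= 5:  # Monday=0 ... Saturday=5, Sunday=6
            baseline[user]["weekend"] += 1
    return baseline


def detect(events, roster, cutoff):
    """Flag weekend logins by users with no weekend history, ranked with HR context."""
    baseline = build_baseline(events, cutoff)
    alerts = []
    for ts, user, event in events:
        if event != "login_success" or ts < cutoff or ts.weekday() < 5:
            continue
        hist = baseline.get(user, {"total": 0, "weekend": 0})
        if hist["weekend"] > 0:
            continue  # weekend work is already normal for this user
        hr = roster.get(user, {})
        tenure_days = (ts.date() - hr["start"]).days if hr.get("start") else None
        leaving = hr.get("leaving")
        if leaving is not None and ts.date() <= leaving:
            severity, reason = "high", "out-of-pattern login by a notified leaver"
        elif hist["total"] < MIN_HISTORY or (tenure_days is not None and tenure_days < JOINER_DAYS):
            severity, reason = "low", "new joiner or insufficient baseline"
        else:
            severity, reason = "medium", "first observed weekend login"
        alerts.append({"time": ts.isoformat(), "user": user, "severity": severity, "reason": reason})
    alerts.sort(key=lambda a: (SEVERITY_RANK[a["severity"]], a["time"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(AUTH_LOG), HR_ROSTER, CUTOFF):
        print(alert)
```

On the constructed data this produces two alerts: alice's Saturday login is ranked high because she has ten weekday logins, no weekend history and a notified leaving date, while carol's Sunday login is ranked low because she joined after the baseline cutoff and has no history to compare against. bob's Saturday login produces nothing, since weekend work is already part of his baseline. The HR roster stands in for the external context the article argues for; the same ranking step is where a Business Risk Intelligence signal about an individual would be applied.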

Josh Lefkowitz, CEO, Flashpoint