If you were asked what every company or organization has in common, what would you say? There are many possible answers, but one thing is certain: every company and organization is at risk from insider threats. The media pays a lot of attention to companies being hacked by external parties (e.g. individuals, criminal organizations, or nation-states), but the greater risk to an organization comes from those already within the “walls of the castle.”

What Is an Insider Threat?

On the surface, defining insider threat seems self-explanatory: a source of potential danger or harm to an organization that stems from someone within, or part of, that organization. The sources and motivations of insider threats, however, vary widely.

Insider Threat Report: Ponemon Institute

In April 2018, the Ponemon Institute published an insider threat report with statistics on the cost of insider threats to organizations around the globe across 13 industries. For the purposes of the report, insider threats comprised the following:

  • Careless or negligent employees or contractors
  • Criminal or malicious insiders
  • Credential thieves

There are, of course, more fine-grained categorizations of insider threats, but the Ponemon report kept it simple.

Insider Threat Statistics

As part of the Ponemon report, 717 security practitioners from 159 organizations around the world were interviewed about the impact of insider threats on their organizations. Each of the 159 organizations had experienced at least one material event caused by an insider, and a total of 3,269 insider incidents were evaluated in the report. Of those 3,269 incidents, 64% were related to negligence, 23% resulted from a criminal or malicious insider, and 13% resulted from credential theft.

Examples of Insider Threats & Attacks

Examples of insider threats are wide and varied, but some of the more prevalent examples are outlined below:

  • Theft of sensitive data. For many organizations, trade secrets are the crown jewels, potentially representing decades of development and financial investment. This data is a target for the criminal or malicious insider who will attempt to exfiltrate and sell it to competitors (potentially as part of a new employment offer) or to foreign governments.
  • Downtime. You’ve heard the phrase “time is money.” It is especially true in today’s age of digital commerce. For companies that make millions by the minute, any downtime is expensive, and downtime is also harmful to companies that have Service Level Agreements (SLAs) with their clients. Violating an SLA because of downtime caused by an insider may put the company in jeopardy of losing a significant client or paying fees for the violation.
  • Destruction of property. Destruction of physical property is less common than other insider attacks such as exfiltration of sensitive data, but depending on the extent of the destruction it may result in significant downtime and financial expenditure to replace damaged assets.
  • Damage to reputation. Companies expend significant resources (i.e., time and money) to build and protect their brand. Within minutes (or less), a malicious insider attack can cause investors and clients to lose confidence in an organization’s ability to protect personal information, trade secrets, or other critical data. A loss of confidence often results in a loss of market share, which in turn results in a loss of revenue.

How Can Insider Threats Be Mitigated?

A good place to start when determining how to mitigate the risks of insider threats is an insider threat risk assessment. As part of the risk assessment, focus on the behaviors that indicate an insider attack. Once these behaviors are identified, develop controls that support insider threat detection and prevention. Below are several suggestions for detection and prevention controls:

Insider Threat Detection

  1. Implement a Data Loss Prevention (DLP) solution. DLP solutions detect potential unauthorized access to data, as well as attempts to exfiltrate or destroy sensitive data, and alert staff so they can respond to attacks against sensitive corporate data.
  2. Configure auditing across the entire environment. Auditing is a critical capability that is often overlooked entirely or only marginally implemented, which hampers an organization’s efforts to detect malicious or negligent insider activity. Once auditing is configured, there must be mechanisms in place (e.g. a SIEM) to analyze, correlate, and alert on events of interest, and the audit data must be protected from tampering or deletion. Volumes of audit data without a means of analysis and alerting have little value: a breach or insider incident may occur and be recorded, yet the organization remains blind to the malicious activity.
  3. Implement a privileged access management (PAM) solution. PAM solutions are largely about prevention, but they also offer detection capabilities such as session recording and auditing, which record every activity (e.g. each issued command) performed by privileged users.
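Items 2 and 3 describe what a SIEM has to do with audit data: correlate events across sources, alert on the ones that matter, and keep the records themselves safe from tampering or deletion. As an added example (not code from the original article or from any product), the Python script below runs four simple correlation rules over a handful of constructed audit lines and then hash-chains the raw records so that an edited or deleted entry is detectable. The log format, field names, thresholds, business hours, approved-admin roster and cloud-storage hostnames are all assumptions made for this illustration.

```python
"""SIEM-style correlation over audit records (added example, not from the article).

The log format, field names, thresholds, approved-admin roster and
cloud-storage hostnames below are all assumptions made for this illustration.
"""
import hashlib
from datetime import datetime, timedelta

# Constructed sample audit lines: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2019-03-04T02:13:07 host=fs01 user=jdoe action=file_read path=/shares/finance/q4_forecast.xlsx class=confidential bytes=2400000
2019-03-04T02:13:40 host=fs01 user=jdoe action=file_read path=/shares/finance/customers.csv class=confidential bytes=8100000
2019-03-04T02:14:09 host=proxy user=jdoe action=http_post dst=dropbox.com bytes=10500000
2019-03-04T09:15:00 host=db01 user=asmith action=sudo cmd=/usr/bin/systemctl
2019-03-04T09:16:00 host=fs01 user=asmith action=file_read path=/shares/hr/handbook.pdf class=public bytes=1000
2019-03-04T10:02:11 host=web01 user=bwong action=sudo cmd=/bin/bash
2019-03-04T11:00:00 host=fs01 user=clee action=file_read path=/shares/eng/design.docx class=confidential bytes=50000
"""

PRIVILEGED_USERS = {"asmith"}          # assumed roster of approved administrators
CLOUD_STORAGE = {"dropbox.com", "box.com", "icloud.com",
                 "onedrive.live.com", "sync.com"}   # services named in the article; hostnames assumed
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59, assumed policy
BULK_BYTES = 5_000_000                 # assumed threshold for a bulk read
WINDOW = timedelta(minutes=10)         # correlation window


def parse(line):
    """Turn one log line into a dict; 'bytes' becomes an int, 'ts' a datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["bytes"] = int(rec.get("bytes", 0))
    return rec


def correlate(log_text):
    """Apply four detection rules and return (rule, user, detail) alerts."""
    alerts = []
    recent_conf = {}   # user -> [(ts, bytes)] of confidential reads seen so far
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        u = r["user"]
        if r["action"] == "file_read" and r.get("class") == "confidential":
            recent_conf.setdefault(u, []).append((r["ts"], r["bytes"]))
            # Rule 1: sensitive data touched outside business hours.
            if r["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("OFF_HOURS_SENSITIVE_READ", u, r["path"]))
            # Rule 2: volume of sensitive data read within the window crosses the threshold.
            window_bytes = sum(b for t, b in recent_conf[u] if r["ts"] - t <= WINDOW)
            if window_bytes >= BULK_BYTES:
                alerts.append(("BULK_SENSITIVE_READ", u, window_bytes))
        elif r["action"] == "http_post" and r.get("dst") in CLOUD_STORAGE:
            # Rule 3: upload to a cloud-storage service shortly after sensitive reads.
            if any(r["ts"] - t <= WINDOW for t, _ in recent_conf.get(u, [])):
                alerts.append(("POSSIBLE_EXFIL", u, r["dst"]))
        elif r["action"] == "sudo" and u not in PRIVILEGED_USERS:
            # Rule 4: privileged command from an account that is not an approved admin.
            alerts.append(("UNAUTHORIZED_SUDO", u, r["cmd"]))
    return alerts


def chain_digests(lines):
    """Hash-chain the raw lines: each digest covers the previous digest plus
    the line, so editing or deleting any record changes every digest after it.
    The digests are meant to be shipped to the collector as lines are written,
    so a doctored copy on the source host no longer matches the chain."""
    prev, out = b"", []
    for line in lines:
        prev = hashlib.sha256(prev + line.encode()).digest()
        out.append(prev.hex())
    return out


def verify_chain(lines, digests):
    """True only if the lines reproduce exactly the digest chain recorded earlier."""
    return chain_digests(lines) == digests


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
    lines = SAMPLE_LOG.splitlines()
    digests = chain_digests(lines)
    print("intact:", verify_chain(lines, digests))
    print("after deleting the upload record:", verify_chain(lines[:2] + lines[3:], digests))
```

On the sample above the rules fire five times, all for the two accounts that deserve attention: the off-hours and bulk reads by jdoe, the upload to a cloud-storage host minutes later, and a sudo invocation by bwong, who is not on the approved-admin list; asmith's activity produces nothing. The chain check is deliberately simple: its value comes from the digest list living on the collector rather than next to the log it protects.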

Insider Threat Prevention

  1. Segregate duties. This is especially difficult in smaller organizations where individuals wear many hats, but there must still be controls in place to safeguard the organization from insider threats. Where possible, split administrative duties between competent staff members (remember that negligence is a big factor in insider threats). We’ve seen small organizations rotate privileged access to production to individuals for a week at a time while they rotate into DevOps roles for the week and then back to their primary responsibilities in development.
  2. Limit privileged access. If at all possible, avoid giving all privileged access across your organization to a single individual. Insider incidents involving privileged users are especially nasty, so separate privileged responsibilities across multiple privileged users. Implement technical controls to limit privileges to only what is necessary for the individual’s privileged role. For example, strictly limit who has access to the root user’s password, use a capability like sudo (on Linux) to define the specific privileged commands that can be executed, and limit who can modify the sudoers file. Another option, as mentioned above, is to implement PAM, which enables very fine-grained administrative privileges.
  3. Block access to cloud storage sites. Sites such as Dropbox, Box, iCloud, OneDrive, and Sync, along with other cloud storage sites, are an easy vector for exfiltrating corporate data. If your organization does not use these sites, block access to them.
  4. Implement multi-factor authentication (MFA). Implement MFA to mitigate the risk of credential theft. From my perspective, MFA should be implemented everywhere possible within an organization, but especially for privileged users.
  5. Limit access to sensitive data. All data within an organization should be categorized and protected according to its categorization. Know where sensitive data resides, who accesses it, and how it is accessed. Restrict access to corporate data to those who need it to perform their job functions. In addition to limiting access, use a DLP solution to tag and track data so you can determine who is accessing or downloading sensitive corporate data.
  6. Encrypt sensitive data. Encrypting sensitive data provides protection if the data is successfully exfiltrated. Ensure that access to the keys that decrypt the data is protected appropriately.
  7. Back up your data. Ensure that critical data is backed up frequently to multiple locations and can be retrieved and restored. Backups of critical data will come in handy when a malicious insider deletes it in retaliation for being terminated or out of anger. Access to backups should also be controlled so they cannot be deleted along with the critical data. In addition, develop procedures that describe how to restore data from backup.
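Items 1, 2 and 4 are easiest to enforce when the review of who holds what is mechanical rather than a once-a-year spreadsheet exercise. As an added example (not part of the article and not any product's code), the Python script below reviews a constructed account roster for the conditions those items describe: a segregation-of-duties conflict, one person holding every privileged role, a privileged account without MFA, and a blanket sudo grant. It also renders the sudoers entry that an account's role grants imply, so an `ALL` grant is visible rather than buried in a role definition. The roster, role names, conflict pairs and command lists are assumptions made for this illustration.

```python
"""Privileged-access review (added example, not from the original article).

Checks a constructed account roster for segregation-of-duties conflicts,
one person holding every privileged role, privileged accounts without MFA,
and blanket sudo grants. The roster layout, role names, conflict pairs and
command lists are assumptions for this illustration.
"""

# Constructed roster: account -> roles held and whether MFA is enforced.
USERS = {
    "asmith": {"roles": {"prod_admin", "developer"}, "mfa": True},
    "bwong":  {"roles": {"prod_admin", "backup_admin", "db_admin"}, "mfa": False},
    "clee":   {"roles": {"developer"}, "mfa": False},
    "dkim":   {"roles": {"backup_admin"}, "mfa": True},
}

PRIVILEGED_ROLES = {"prod_admin", "backup_admin", "db_admin"}

# Role pairs one person should not hold at once (segregation of duties):
# whoever writes code should not also deploy it to production, and whoever
# administers production should not also control the backups of it.
SOD_CONFLICTS = [
    frozenset({"developer", "prod_admin"}),
    frozenset({"prod_admin", "backup_admin"}),
]

# Commands each role may run through sudo. "ALL" is the blanket grant the
# article argues against; it is present here so the review catches it.
SUDO_GRANTS = {
    "prod_admin": {"/usr/bin/systemctl", "/usr/sbin/service"},
    "db_admin": {"ALL"},
    "backup_admin": {"/usr/bin/restic"},
}


def review(users=USERS, grants=SUDO_GRANTS):
    """Return a list of (finding, subject, detail) tuples for the roster."""
    findings = []
    for name, acct in users.items():
        roles = acct["roles"]
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                findings.append(("SOD_CONFLICT", name, "+".join(sorted(pair))))
        if PRIVILEGED_ROLES <= roles:
            held = ",".join(sorted(roles & PRIVILEGED_ROLES))
            findings.append(("ALL_PRIVILEGED_ROLES", name, held))
        if roles & PRIVILEGED_ROLES and not acct["mfa"]:
            findings.append(("PRIVILEGED_WITHOUT_MFA", name, ""))
    for role, cmds in grants.items():
        if "ALL" in cmds:
            findings.append(("BLANKET_SUDO_GRANT", role, "ALL"))
    return findings


def sudoers_line(name, users=USERS, grants=SUDO_GRANTS):
    """Render the sudoers entry implied by an account's roles, in the form
    'user ALL=(root) cmd1, cmd2', or None if the account has no grants."""
    cmds = set()
    for role in users[name]["roles"]:
        cmds |= grants.get(role, set())
    if not cmds:
        return None
    return f"{name} ALL=(root) {', '.join(sorted(cmds))}"


if __name__ == "__main__":
    for finding in review():
        print(finding)
    for user in USERS:
        print(sudoers_line(user))
```

Run as-is, the review reports asmith and bwong for segregation-of-duties conflicts, bwong for holding every privileged role and for lacking MFA, and the db_admin role for its `ALL` grant; clee, a developer with no privileged role, gets no sudoers entry at all. In a real deployment the roster would come from the directory and the grants from the sudoers files or PAM policy, and the script would run on a schedule with its findings routed to whoever owns access reviews.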
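Item 7 asks for backups that can actually be retrieved and restored, which is only known if a restore is exercised. As an added example (not from the article), the Python script below backs up a constructed data directory into a compressed archive with a SHA-256 manifest, simulates the malicious deletion the item describes, restores the archive to a fresh location and verifies every restored file against the manifest; it then shows the same check catching a restored file that no longer matches. The manifest is the piece to keep apart from the archive and from the source host. All paths are temporary directories created at run time.

```python
"""Backup restore test (added example, not the article's own code).

Backs up a constructed data directory with a SHA-256 manifest, simulates a
malicious deletion of the live data, restores to a fresh directory and
verifies every file against the manifest. All paths are temporary.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive every file under src_dir and return {relative_path: sha256}.
    Keep the manifest apart from the archive (and from the source host) so a
    tampered or truncated archive is recognised at restore time."""
    src = Path(src_dir)
    manifest = {str(p.relative_to(src)): sha256_file(p)
                for p in sorted(src.rglob("*")) if p.is_file()}
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def restore(archive_path, dest_dir):
    """Extract the archive into dest_dir (a fresh directory we control)."""
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(dest_dir, filter="data")   # rejects path traversal (3.12+)
        except TypeError:                              # older Pythons lack 'filter'
            tar.extractall(dest_dir)


def verify(dest_dir, manifest):
    """Compare each restored file to the manifest; an empty list means intact."""
    dest = Path(dest_dir)
    problems = []
    for rel, digest in manifest.items():
        p = dest / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    return problems


def demo():
    """Run the full cycle and return what a restore drill would record."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "finance").mkdir(parents=True)
        # Constructed sample files standing in for critical data.
        (src / "finance" / "ledger.csv").write_text("acct,amount\n1,100\n")
        (src / "notes.txt").write_text("restore me\n")
        archive = Path(work, "backup.tgz")
        manifest = make_backup(src, archive)

        # The scenario from the text: an insider deletes the live data.
        (src / "finance" / "ledger.csv").unlink()

        # Restore to a fresh directory and check it against the manifest.
        restore_dir = Path(work, "restore")
        restore(archive, restore_dir)
        problems = verify(restore_dir, manifest)
        restored = (restore_dir / "finance" / "ledger.csv").read_text()

        # Show that the check flags a restored file that no longer matches.
        (restore_dir / "notes.txt").write_text("overwritten\n")
        after_tamper = verify(restore_dir, manifest)

        return {"files": len(manifest), "problems": problems,
                "restored_ledger": restored, "after_tamper": after_tamper}


if __name__ == "__main__":
    print(demo())
```

The deleted ledger comes back byte-for-byte from the archive and the first verification reports no problems; after one restored file is overwritten the same check names it. Scheduling this drill (against a real backup, into a scratch location) is what turns "we have backups" into "we can restore".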

© J S Teksys Inc. 2019. All rights reserved.