Images of an elite hacker commandeering an organization’s network from halfway across the globe might play out well in Hollywood, but for many CISOs, an insider threat ranks high on the list of things keeping them up at night.
What is an insider threat? Put simply it’s the risk that someone’s privileged level of access inside an organization will wind up causing that organization harm.
Discover the Top 5 Remote Security Threats to your workforce with our free whitepaper
The individual doesn’t need to be an employee, and the harm may not even be deliberate, but insider threats are still a significant risk that many businesses don’t take seriously enough. In this post, we’ll dive deeper into insider threats, look at some infamous examples and discover how organizations of all sizes can mitigate risks associated with insider threats.
- What is an insider threat?
- Types of insider threats
- How to detect an insider threat
- How to protect against insider threats
- Insider threat FAQ
What is an insider threat?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has a succinct yet complete insider threat definition: An “insider threat is the potential for an insider to use their authorized access or understanding of an organization to harm that organization.” That harm could come in many different forms, and what best describes an insider threat at your particular company could look quite different than the definition above, but CISA’s generic guidance is useful in gaining a general understanding of the risk.
It’s important to note that not all insider threats are intentionally malicious. By most estimates, simply negligent or careless insiders actually cause a greater number of incidents than those with ill intent. A perfect example is an employee who downloads pirated software onto a company computer. The employee may not have intended to damage the organization, but as pirated software often contains malware and backdoors, this reckless action created a threat that external actors may not have been able to do on their own.
While insider threats are not a new problem, the COVID-19 pandemic, growing geopolitical tensions and the realities the modern labor force face can exacerbate the issue. Remote work and increased employee churn both create significant challenges in identifying and mitigating insider threats, and a divisive political climate only brings additional challenges. To make matters worse, ransomware gangs have increasingly tempted insiders with promises of massive payouts in exchange for a foothold into a victim organization.
Characteristics of an insider threat
- Involves someone with a degree of privileged access to or knowledge of an organization: Employees are common sources of insider threats, but contractors, vendors, interns, board members or anyone else with non-public levels of access are also insiders.
- Difficult to prevent: As the threat, by definition, comes from inside the organization, security controls focused on external actors will not apply. A firewall, for example, can’t stop an insider threat from accessing the company network, because he or she is already on the company network.
- Difficult to detect: Insiders require some level of privileged access to do their job, but it's often difficult for technology to discern exactly how an insider is using said access. A worker might download a document to review during a transatlantic flight, or they might download it to share with a competitor. Basic access control won’t be able to tell the difference between the two motives.
- Often has a strong motivation. In the case of a malicious insider threat, there is often a very strong motive. An employee who feels he or she was wrongly terminated, for example, may hold a grudge against the former organization. In the most extreme cases, those with an ideological motive may have nefarious intent in mind even when applying for a position at a company in the first place.
Who is at risk of insider threats?
While any organization is susceptible to an insider threat, certain industries tend to experience either more serious or more frequent incidents:
- Healthcare:Verizon’s 2019 Insider Threat Report found that healthcare organizations were responsible for more reported insider attacks than any other industry. While some of this could be explained by the sector’s unique mandatory reporting requirements, other Verizon research revealed that healthcare was the only industry in which insiders were responsible for a larger share of breaches than external threat actors.
- Financial services: Research from the Ponemon Institute shows that the financial industry spends more than any other on containing, investigating and responding to insider threat risks. Interestingly, anecdotal evidence suggests many insider attacks in the finance industry are actually motivated by grudges.
- Manufacturing:The manufacturing sector has shown up as a particularly noteworthy victim in multiple studies and surveys of malicious insider threats. The proprietary knowledge that’s involved in a variety of critical manufacturing processes has proven particularly alluring to malicious insiders.
- Aerospace and defense: Critical sectors such as aerospace and defense account for some of the most damaging insider threat incidents. Economic espionage, advanced campaigns by nation-state actors, and politically motivated insiders have all played a role in past incidents.
- Government and academia: Organizations such as CISA, the National Institute of Standards and Technology, and the FBI have been particularly active in boosting insider threat awareness within the federal government during the last several years. Public entities of all sizes, however, still remain vulnerable to different types of insider threats.
The Ponemon Institute’s Research also shows that the frequency of insider threat incidents is directly related to an organization’s headcount and that organizations in North America appear to be the most frequently attacked victims.
Types of insider threats
There’s seemingly no end to the variety of ways a privileged insider could do damage — that’s what makes insider threat prevention so difficult. However, most insider threats can be categorized based on their intent:
Turncloaks
Malicious insiders known as turncloaks knowingly take action to harm an organization. The insider could be an employee, a contractor or even a trusted business partner. Turncloaks could be motivated by financial gain, revenge or political ideology. Some perform covert actions such as stealing sensitive documents or proprietary information. Others prefer a path of destruction, wiping databases and leaving a trail of total chaos on their way out the door.
Pawns
In contrast to the turncoat, pawns don’t intend for their actions to have an adverse impact. Some pawns are simply careless, reusing passwords between work and personal accounts or leaving flash drives full of sensitive information at a coffee shop. Others may perform negligent or reckless actions such as circumventing security measures for their own personal convenience. Still, others are completely unwitting participants, falling for phishing scams or other forms of social engineering. Pawns can sometimes skirt the line with a turncoat by knowingly cooperating with an external party, but failing to realize the true implications of their actions.
Moles
Moles operate much like turncloaks, but moles join a company intending to cause harm to the organization. They are very often driven by a strong political motive, whether to a nation-state or fringe cause. Moles are among the most difficult insider threats to detect and are potentially the most damaging.
How to detect an insider threat
Insider threat detection poses unique challenges for security teams because traditional defenses such as firewalls and access controls are often ineffective. Technologies similar to User Behavior Analytics (UBA) and Privileged Access Management (PAM) can help fill the gap where other controls can not. Be on the lookout for several warning signs which may be indicative of an insider threat or attack:
Digital warning signs
- Downloading or accessing substantial amounts of data
- Accessing sensitive data not associated with their job function
- Accessing data that is outside of their unique behavioral profile
- Multiple requests for access to resources not associated with their job function
- Using unauthorized storage devices (e.g., USB drives or floppy disks)
- Network crawling and searches for sensitive data
- Data hoarding or copying files from sensitive folders
- Emailing sensitive data outside the organization
Behavioral warning signs
- Changes in behavior
- High amounts of stress or job dissatisfaction
- Attempts to bypass security
- Frequently in the office during off-hours
- Displays disgruntled behavior toward coworkers
- Violation of corporate policies
- Discussions of resigning or about new opportunities
- Sudden changes in lifestyle; bragging about wealth
How to protect against insider threats
Complete insider threat prevention is nearly impossible for any size organization, but there are a few things all organizations can do to help protect themselves:
- Remember this is a human problem: Insider threat awareness begins with the realization that insiders are human beings, and are driven by human motives. During the Cold War and today, foreign intelligence services were able to recruit high-placed assets by focusing on psychology. To defend against the myriad of insider risks, defenders will need to do the same.
- Keep your mitigations up-to-date: An insider threat prevention program built before the pandemic is not going to be effective without significant updates, because the threats and risks have changed dramatically. Your response to those threats and risks will need to change as well.
- Know what you’re trying to protect, and who has access to it: Insider attacks are often possible because organizations lack sufficient access controls, and often don’t even know who can access what data. A platform like Varonis DatAdvantage can provide this crucial visibility, and even automate the process of correcting overly permissive controls.
Insider Threat FAQs
Q: What are insider threat indicators?
A: Insider threat indicators are clues that could help you stop an insider attack before it becomes a data breach. Technical controls can be ineffective at spotting or preventing insider threats, but human behavior is often a dead giveaway. Train your team to recognize different abnormal behaviors, and use Varonis to mitigate the damage of a potential insider threat before it becomes a frightening reality.
Q: What motivates an insider attack?
A: The motivations behind malicious insider threats vary, but a financial incentive is very often present. Research has consistently shown that both internal and external threat actors are very often motivated by financial gain. Other common motives include revenge, strong political affiliations or even interpersonal conflicts in the workplace.
Q: How do you detect insiders who are accessing sensitive data as part of their job function?
A: Given that insiders may naturally access sensitive data as part of their day-to-day responsibilities, accessing a single data point is often not sufficient when it comes to insider threat detection. Is the user accessing “SecretCocaColaFormula.doc” to perform a legitimate update, or to steal the data and give it to a competitor? Solutions like the Varonis DatAlert platform can provide additional context that is useful in answering these types of questions. Perhaps the user regularly needs to access the cola formula as part of his or her job function, but then one day begins to transfer out the complete list of ingredients, suppliers and manufacturing processes to a large number of previously unseen external contacts. This type of behavior shift might warrant further investigation from the security team.
Q: Are threshold-based alerts prone to false positives? (like simply re-structuring folders)
A: Threshold-based alerts are bad at determining intent, and can lead security pros on a wild goose chase. Here is a simple scenario: a user moves one folder of sensitive data to a new location. If you have a threshold-based alert for “500 file operations on sensitive data in one minute,” that user just tripped it. Your security team’s time is more precious than efforts spent chasing down every folder change. Use security analytics to create more intelligent alerting.
Q: How useful are watch lists?
A: Watch lists — lists of users you need to keep an eye on — can be helpful, but they have a downside as well. Watch lists can become overused and put your security team in a difficult position with the rest of your users. On the flip side, you do want your users to be “security aware” and have a safe method to report suspicious activity. You need to develop and keep best practices for your watch list; investigate and drop users off the watch list quickly and lean on your security analytics to keep tabs on the abnormal behavior for you.
Conclusion
With the average employee able to access tens of millions of files, the risks from insider threats are unlikely to go away anytime soon. It’s important to take these kinds of threats seriously. Check out some of the resources below to learn more about insider threats and see how Varonis can help you manage them:
- “The Enemy Within: Understanding Insider Threats” by Troy Hunt
- Insider Threat Mitigation - from the Cybersecurity and Infrastructure Security Agency (CISA)
- How Varonis Helped a Life Sciences Company in Scotland Stop an Insider from Selling Trade Secrets