Detecting Insider Threats

Introduction

In the world of cybersecurity, there is no shortage of threats and attack types that bad actors can leverage to compromise devices or trick users into giving up access to sensitive, confidential or even mission-critical data.

Despite the methods threat actors use to obtain unauthorized data or access to a device, network or an organization’s infrastructure, arguably the single threat type that seems to sting most when used against you is the insider threat.

Why is that, you ask?

It's simple really. Because insider threats are attacks that are carried out by the very individuals trusted with maintaining company secrets and keeping other sensitive data away from prying eyes.

These are fellow employees, colleagues, friends, business partners, and associates – and sometimes, yes – even family members or loved ones that are the source of the threat or attack.

Due to the nature of insider threats being, well, possibly anyone really, the importance of detecting these types of attacks – regardless of whether they are intentional or accidental in nature – cannot be understated. When it comes to the health of your endpoints, users and organizational data and resources, analysis of actions, behaviors, processes, workflows, permissions and access rights must be carefully weighed against solutions that monitor these types of situations using behavioral analytics to effectively stop any actions that could potentially expose data or allow it to be exfiltrated outright.

Types of Insider Threats

As previously mentioned, insider threats can come from just about anywhere; all it takes is anyone with ties inside the organization. That said, the types of insider threats usually fall into three buckets – though they are not mutually exclusive – with threat actors possibly belonging to one or more of the categories below:

Malicious

Arguably the most common type. These individuals often know exactly what they’re after and where to find it. Many times, malicious insiders have an agenda behind why they’re performing harmful actions against the organization. Examples include a current or former disgruntled employee or a worker that is colluding with a competitor for the purposes of espionage, and/or theft of company documents.

Accidental

Individuals that fall into this category seldom have an axe to grind due to a perceived slight. In fact, often these users may not even be aware that an action they’ve performed has inadvertently leaked sensitive data in the first place, like misplacing an unencrypted USB drive with confidential data on it. Other times, the negligent user causes a security incident by bypassing security protections, such as when a user piggybacks another user through a secure entrance.

Third-Party

This grouping is largely made up of individuals that may be contracted or part of a team of vendor-employed users that are not formal employees of the organization but may provide services that require special privileges or access to organizational resources. Consider engineering teams that may provide advanced support for hardware/software to be an example of this threat – either directly (targeting specific data or systems) or indirectly(leveraging multiple systems on a path to the main target).

Common Insider Threat Indicators

As with nearly all attacks, there are indicators unique to insider threats that provide administrators clues into the threat types as the attacks are being performed. These indicators also provide administrators with the telemetry data necessary to shore up existing protections (or implement new security controls) to better detect and minimize the risk from these threats, but more on detection methods in the next section.

For now, we’ll dive into the indicator types and provide some examples of each:

Behavioral

As indicators go, behavior is among the most prevalent for managers and really anyone that works at the organization to key in on. Changes in mood, attitude or mannerisms aren’t tell-tale signs by any means since we, as human beings, have personal lives that can sometimes impact our professional life, of course. But a keen observer can certainly denote a change in behavior and take steps to identify the cause of the change, such as extenuating personal circumstances affecting employee performance versus disagreements with a colleague or supervisor that sometimes precipitate an attack against the organization or its resources.

Examples:

• Unexplained poor performance
• Arguments with coworkers/supervisors
• Disagreement with company policies
• Employees that leave suddenly
• Unexpected financial gain or distress
• Change in habits or work hours
• Requesting access to unauthorized resources

Technical

Unlike the behavior above, technical indicators are often difficult to spot by the average person unless they are an administrator that can audit a user’s actions or has been provided a report of user actions taken. Technical indicators are those that stem from the actions a user takes, such as requesting access to a file, copying data from a network resource to an external USB drive or sending emails with sensitive attachments. On their own, none of these actions appear to indicate an insider threat per se, but when coupled with other indicator types, the picture begins to become clearer.

Examples:

• Change in logins occurring remotely or off-peak
• Unusual login attempts that are out of the ordinary
• Use or attempted use of unauthorized resources
• Infrequent or excessive downloading of data
• Copying of data to unsecured locations
• Shadow IT, or use of unsanctioned software

Information

The third and easiest method to detect insider threats is also the one that provides administrators the least flexibility to prevent attacks from occurring. Sadly, this is because this indicator comes in the form of information like logs, that are generated after an action has been performed or an attempt has been made. Administrators can review logging data to determine what threats were attempted, at what time, by whom, what they were after and if the attack was successful or not. In cases of the latter, administrators can determine if endpoint security is working to mitigate risk; in cases of the former, administrators will know what data was compromised, allowing them to make the necessary changes to their security posture to minimize the recurrence of future threats succeeding.

Examples:

• Review system logs for threats
• Permissions changes, like escalated privileges
• Spikes in network traffic
• Security posture is not within a standard baseline
• Renaming of files, extensions and directories
• Use of non-company hardware to access resources
• Identify access attempts outside user roles, like with security cameras

Insider Threat Detection Methods

Falling in cadence with the previous sections, detection methods for identifying possible insider threat types goes well beyond just monitoring for changes in a user’s behavior. In fact, the methods we’ll go into in this section take a page from the defense-in-depth strategy by relying on numerous methods in various categories to weave a security net by which organizations can leverage it as a holistic solution to thwart multiple insider threat types before they can lead to a data breach.

User Activity Monitoring

First up are methods that monitor for suspect user activities – on-device and in-network. Both methods, while appearing to operate very similarly, are actually two separate technologies, each with its own benefits and drawbacks.

Endpoint Monitoring: Usually installed as an app on the device itself, the agent operates by monitoring the device for actions involving organizational resources that have been previously identified as sensitive, ensuring that only preauthorized actions can occur using these protected data types. The agent often communicates with a cloud-based service that IT and Security admins manage. From this console, all configurations are made centrally to ensure that protected data remains safe, by effectively blocking any actions that are out of scope.

Network Monitoring: Again, similar to endpoint monitoring and its actions, except that instead of installing an agent on the device, the monitoring occurs on the network itself (and may or may not include an agent as part of the monitoring package). This type of method is typically contained within a network appliance that sits connected in the path of the network, monitoring for all access requests and actions taken upon protected resources. Like endpoint monitoring, when any untoward action is attempted against protected data types, the actions are logged and often disallowed.

Anomaly Detection

Anomalous detection methods boast a number of features that aid organizations in not only detecting insider threats on the target itself but also helping administrators to identify, track and stop threats that may flow from alternate paths that may jump through multiple hoops in order to otherwise evade detection. Anomaly detection is typically found as part of the feature set of endpoint and network monitoring, operating in-device, on-network – or both.

User Behavior Analytics: Analytics is a core part of modern endpoint security. Like the signature-based definitions used in antivirus software, analytics have evolved to include metadata to enrich the capabilities of what endpoint security can do, going beyond just detecting a match for a malware-based threat. This includes behavior analysis to detect potential threats by making determinations about the intention behind the actions taken by a user. If it is suspicious, the security software may block access to a particular file or prevent an app from utilizing the data and alert an admin to make the judgment call.

Machine Learning: ML for short, is a subset of Artificial Intelligence (AI) that has made inroads in cybersecurity for its ability to not only process threat intelligence data quickly but also its capability of learning from past, current and future incidents, using this new-found understanding to tweak security settings to respond to attacks dynamically while hunting for unknown threats that may lay dormant within endpoints or on organizational networks just waiting for the right time to strike.

Data Loss Prevention

Also referred to as DLP, for short, this technology works exclusively to prevent the exfiltration of data identified as sensitive, critical or confidential by the organization. DLP exists as both an on-device or in-network component and works by communicating with a cloud-based console to receive analytics that determines which data types are protected and what level of restrictions are placed on protected data types, then enforcing these policies to ensure that data can only be moved within scope.

Content Analysis: This form of DLP works by analyzing the content, be it as attachments within outgoing emails, documents opened for modification and printing or even files and directories being saved to external storage, like a USB Flash Drive. Depending on the methods available, your DLP solution may offer analysis types to filter out rule-based expressions (like telephone or government IDs), exact file matching (which compares hash values of pre-determined file types) or file classification categories (which rely on files being classified by the organization, such as financial reports being labeled as “classified”).

Network Analysis: This network-based version of DLP often works similarly to the content analysis type but offers additional protection by placing this appliance-based solution near the egress points of an organization’s network. In doing so, all traffic marked to leave the network goes through a gateway that analyzes the content with the filters above, as well as includes a host of others to prevent any restricted data to remain within the confines of the network (or endpoint). Other filters that may be in use to keep data safe from exfiltration are: database fingerprinting (which looks at DB dumps of live DBs or the structured data contained within them), conceptual or lexicon (which combine multiple policies, like dictionaries, rule sets and categorization to form a customized filter) and statistical analysis (also referred to as machine learning, enabled by scanning large swaths of data to dynamically learn which data types contain secure content).

Insider Threat Detection Best Practices

• Conduct an inventory and assess the risk value of organizational resources, including data and compliance requirements that may apply
• Determine a classification system that clearly determines the sensitivity and criticality levels of your data
• Develop data handling and remediation policies
• Align organizational needs and policies with endpoint security solutions to develop a defense-in-depth approach to mitigate insider threats
• As part of your security plan, implement a centralized DLP solution with clearly documented consistent practices, processes and workflows
• Execute your security plan alongside feedback from industry leaders, best practices, organizational needs and the evolving threat landscape
• Document all incidents, true and false positives, and be prepared to update your security plan with iterative feedback from lessons learned
• Institute an ongoing training program to educate employees, contractors and management on how to protect against and spot insider threats
• Align security strategies with administrative organizational policies, such as acceptable use policy (AUP) to ensure that all stakeholders understand their role in data protection
• Phased implementation is often an effective, long-term approach to DLP. One that prioritizes data types and communication channels in compliance with organizational needs