Managing Insider Threats: Context is Critical

The topic of insider threat is fast rising up on the corporate agenda. While you might think a company’s own employees would be less likely to pose security risks than external attackers, analysis by Computing has found that insider threat was a factor in half of reported breaches.

When breaches caused by insider threat are disclosed, they can be particularly damaging to a company’s reputation, implying poor company culture, negligence, and thereby eroding trust in the organization. Even if a breach doesn’t become public knowledge, if it involves the theft of intellectual property or other critical assets it can harm the company’s competitive position.

Identifying the Risk Within the Walls

Insider threat is more nuanced than its external equivalent, making it difficult to manage with conventional security tools alone. An external attack typically requires an initial exploit or breach to gain access to the target network. Insiders, on the other hand, already have network access and privileges, so they typically won’t trigger perimeter monitoring systems. Identifying suspicious or negligent actions relies on correlating intelligence from multiple sources. These might include user and entity behavior analytics, data loss prevention tools and endpoint device activity. However, while these tools might tell you that an employee is acting out of character—these tools can’t offer insight into what’s going on with users outside the walls that might be contributing to an organization’s risk of insider threat.

Business Risk Intelligence derived from monitoring illicit online communities can put valuable context around the activities of an individual, flagging them up for investigation.

High Risk Moments – Leavers and Joiners

Most companies are aware that when an employee is leaving on unfavorable terms, or is poached by a competitor, there’s a risk that they may use their network access for revenge or to exfiltrate data that might be useful to their new employer. Revoking the employee’s credentials should be a priority to minimize that risk.

However, a less obvious but equally vulnerable moment is when a new employee joins the company. While the HR department will likely have done due diligence over employee references, they might not be aware of all the employee’s connections or motivations. Business Risk Intelligence can offer that insight and prevent malicious actors getting inside organizations. A case in point occurred for a Fortune 500 enterprise several years ago when a prospective employee was found to be connected to a threat actor known for recruiting insiders to steal corporate data for extortion. Once aware of the threat, the enterprise was able to deny employment to the person in question and act to strengthen security against the kind of attack pattern used by that actor.

Insider TTPs Become More Sophisticated

While classic insider threat actions involve emailing files to personal email accounts or third party destinations, downloading data to removable drives and physically stealing printed documents, we are also seeing malicious insiders becoming more sophisticated at avoiding detection. Realizing that companies are getting wise to insider threat, some actors are growing more proficient at using secure communication methods such as encrypted chat services and DDW forums, which are almost impossible for companies to monitor without help from experienced analysts with access to these communities.

This increasing use of secure communication channels and DDW is itself fueling insider threat risk, as it means actors are exposed to advanced TTPs and resources that can be used to attack systems and exfiltrate data from a privileged insider position.

Focusing Resources Where They’re Needed

The key is that the majority of employees don’t pose a malicious insider threat risk. Sure, some may make mistakes or occasionally act out of character. Knowing which to pursue requires a level of context that flags the external factors that are influencing insiders. Business Risk Intelligence offers this context, making insider threat management more effective in protecting the kingdom from those who already have the keys.

What’s Hot on Infosecurity Magazine?