How to identify and thwart insider threats

Are you the type? Insider archetypes map and model personalities and behaviors that could be clues to the next attack on your business.

It is often said that an enterprise’s employees are its biggest vulnerability. What are companies doing about it? In a significant number of cases, apparently nothing.

According to the SANS Institute and SpectorSoft, 74 percent of the 772 IT security professionals they recently surveyed are “concerned about malicious employees.” The survey pool spans 10 industries including financial, government, and technology and IT services. The survey data also shows that 32 percent of respondents “have no technology or process in place to prevent an insider attack”.

Clearly the two groups of respondents overlap. With more than 25 percent of survey respondents employed at organizations with a workforce greater than 20,000 people, the large enterprise is well represented in this data.

It’s time to drill down into the personalities and penchants of these living information security vulnerabilities. According to insider threat detection firm SpectorSoft, insiders whose behavior purposely or inadvertently threatens the enterprise and its data fit several archetypes, each with a clear profile, behaviors, intentions, and associated threats. CSO explores insights into insiders such as moles, imposters, disgruntled employees, hacktivists, ringleaders and those who feel entitled, together with how companies can ‘pause’ and ‘delete’ them.

Not me!

The answer to why some companies have no special protection against insider threats is an easy one: the leaders and managers who make those decisions are people too, given to naturally optimistic assumptions about colleagues and unaware of what they are not detecting. “Some organizations maintain a ‘not in my backyard’ mindset, stemming partially from culture (‘we hire great, trustworthy people so we won’t have a problem’) and partially from the lack of a known incident (‘we’ve never had an insider attack so we must be doing OK’),” explains Mikey Tierney, COO, SpectorSoft. Ultimately the organization cannot foretell what any employee will do or become once they are part of the family, so to speak.

A closer look at the archetypes SpectorSoft describes reveals what drives them. A mole is someone who really works for someone else: perhaps another company, but really any entity with a cause opposed to the target company. According to SpectorSoft, a mole often has science and engineering skills, holds a position that creates intellectual property, and has access to critical data, which they will attempt to pilfer.

An imposter is actually an outsider operating with insider credentials, whether an external attacker or a former employee still holding valid credentials. Imposters target those and other credentials and accounts to steal or breach data and intellectual property. The disgruntled employee is out for revenge, seeking justice for real or imagined wrongs by the company. According to SpectorSoft, this employee is easier to detect than other malicious actors, and the enterprise should isolate them before they sabotage, steal, breach, or defraud the organization.

A hacktivist wrecks, subverts, and destroys systems and data belonging to high-profile organizations or governments in a publicly obvious fashion to make a social or political statement. Conversely, a ringleader seeks financial gain, accessing information outside his purview so he can leave with more than he invested in the company and form another business or work for a competitor; the ringleader enlists any help he can to achieve his goals. Similar to the ringleader, an entitled employee plans to walk out with his work product and compete with his former employer, but he usually works alone, exploiting his work product and any knowledge of it.

Each of these archetypes abuses privileges or access that the company granted to a trusted employee, whether the archetype is that employee or an outsider using the employee’s credentials.

Taking an axe to archetypes

Though least-privilege and zero-trust approaches can limit the damage an insider can do, they are not foolproof. There are cases where data requires additional protections. An entitled employee, for example, might need full and unrestrained access to his work product in order to do his job, so access control alone cannot stop him from taking it. Likewise, an imposter holding valid credentials can retrieve data very stealthily, avoiding the readily detected system scans and brute-force dictionary attacks on login screens.

Organizations should consider detection methods from the User Behavior Analytics (UBA) space to deal with insiders, says Tierney. These methods establish a behavioral baseline for each user and flag actions that deviate from that established pattern. Such tools can detect anomalous activity and alert the organization in a timely manner, prompting manual or automated remediation.

In one example where a user behavior analytics tool could have proved useful, Sutter Health of Sacramento discovered only this past August that in April 2013 a former employee had emailed customer documents to a personal email address (not a normal, permissible behavior), according to California Department of Justice data breach reports.
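To show what “baseline and deviation” means in practice for the kind of event described in the Sutter Health case, here is a small, added example in Python. It is not code from the article or from SpectorSoft or any UBA product; the mail-gateway log format, the domains, the sender names and the business-hours window are all constructed for illustration. It builds a per-sender profile (recipient domains seen, maximum attachments, hours active) over a training window, then scores later events by how many of those baseline properties they break and alerts when enough weak signals stack up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample mail-gateway log lines; these are not real data.
# Format: ISO timestamp, sender, recipient, number of attachments.
SAMPLE_LOG = """\
2013-04-01T09:12:00 alice@corp.example bob@corp.example 0
2013-04-01T09:40:00 alice@corp.example carol@corp.example 1
2013-04-02T10:05:00 alice@corp.example dave@partner.example 1
2013-04-02T11:00:00 bob@corp.example alice@corp.example 0
2013-04-03T14:30:00 alice@corp.example bob@corp.example 2
2013-04-04T15:10:00 bob@corp.example carol@corp.example 1
2013-04-08T22:15:00 alice@corp.example alice.home@webmail.example 4
2013-04-09T08:30:00 bob@corp.example carol@corp.example 1
2013-04-09T10:00:00 alice@corp.example dave@partner.example 1
"""

BUSINESS_HOURS = range(7, 20)  # assumed policy window, 07:00 to 19:59


def parse_line(line):
    """Turn one log line into a dict; recipient domain is what the baseline keys on."""
    ts, sender, recipient, attachments = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "sender": sender,
        "recipient": recipient,
        "domain": recipient.rsplit("@", 1)[1],
        "attachments": int(attachments),
    }


def build_baseline(events):
    """Per-sender profile: recipient domains seen, largest attachment count, hours active."""
    baseline = defaultdict(lambda: {"domains": set(), "max_attachments": 0, "hours": set()})
    for e in events:
        p = baseline[e["sender"]]
        p["domains"].add(e["domain"])
        p["max_attachments"] = max(p["max_attachments"], e["attachments"])
        p["hours"].add(e["time"].hour)
    return baseline


def score_event(event, baseline):
    """Return (score, reasons): one point per baseline property the event departs from."""
    profile = baseline.get(event["sender"])
    if profile is None:
        # A sender with no history at all (e.g. a reactivated or departed account) is itself suspicious.
        return 3, ["no baseline for sender"]
    reasons = []
    if event["domain"] not in profile["domains"]:
        reasons.append(f"new recipient domain {event['domain']}")
    if event["attachments"] > profile["max_attachments"]:
        reasons.append(f"{event['attachments']} attachments exceeds baseline max {profile['max_attachments']}")
    hour = event["time"].hour
    if hour not in BUSINESS_HOURS and hour not in profile["hours"]:
        reasons.append(f"sent at {hour:02d}:00, outside normal hours for this sender")
    return len(reasons), reasons


def detect(log_text, training_cutoff, threshold=2):
    """Baseline on events before the cutoff, then alert on later events scoring >= threshold."""
    cutoff = datetime.fromisoformat(training_cutoff)
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    baseline = build_baseline([e for e in events if e["time"] < cutoff])
    alerts = []
    for e in events:
        if e["time"] < cutoff:
            continue
        score, reasons = score_event(e, baseline)
        if score >= threshold:
            alerts.append((e["sender"], e["recipient"], score, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, "2013-04-07T00:00:00"):
        print(alert)
```

Running it flags only the late-night send of four attachments to a never-before-seen personal mailbox; a single new recipient domain on its own scores 1 and stays below the threshold, which is the point of stacking weak signals rather than alerting on any one of them. A real deployment would also need the log source to be reachable in the first place, which is exactly the caveat Gupta raises below.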

But depending on the kinds of systems in the enterprise environment, the necessary log data and information may not be seamlessly accessible for the user behavior analytics product to draw upon to create a complete baseline in the first place, according to Rohit Gupta, CEO, Palerra, a cloud security automation firm. “Data on user behavior may not be available at all or may not be easily externalized for user behavior analytics systems to access and use it,” says Gupta.

Other measures

Beyond behavior analytics, enterprises should maintain insider incident response plans that define the response, including an extended response team, because an employee is involved, says Tierney. “Legal, HR, and departmental management all come in to play,” says Tierney.


But remember, incident response plans are only as good as the processes set up to detect incidents for response. “If detection doesn’t take place, incident response plans are not useful,” says Gupta.

Experts often recommend that the actual response include dropping connections and closing holes. But mass actions such as dropping connections are severe because they adversely affect business activities at scale, according to Gupta. “These systems are not granular enough to drop only a single workload but rather they disrupt the business and many workloads,” says Gupta; “it’s better to use workflow detection techniques that allow for selective intervention.”

Finally, keeping detailed records of insiders’ actions, in a format that C-level executives, attorneys, and others who must become involved will find accessible, is vital to remediation, whether legal or administrative, according to Tierney.

Though insider threats continue to be a grievous issue, adopting a solution as though it were a catch-all balm, without thoroughly vetting it, is not the answer. The enterprise should know what it is getting and whether it is enough when teamed with its other security resources.

By David Geer