An insider threat is a threat to an organization that comes from negligent or malicious insiders, such as employees, former employees, contractors, third-party vendors, or business partners, who have inside information about cybersecurity practices, sensitive data, and computer systems. It is a type of cyber threat.
The threat may involve fraud, theft of confidential or commercially valuable information, theft of intellectual property and trade secrets, sabotage of security measures, or misconfiguration that leads to data leaks.
Why are Insider Threats Dangerous?
A SANS report on advanced threats identified major gaps in insider threat defense driven by a lack of baseline into normal user behavior as well as poor access control management of privileged user accounts, which are attractive targets for brute force attacks and social engineering attacks such as phishing.
Even the best security teams struggle to detect insider threats. Insiders, by definition, have legitimate access to the organization's information and assets. It's hard to distinguish between normal activity and malicious activity. Compounding this problem is the fact that insiders typically understand where sensitive data is stored and may have legitimate access needs, making roles-based access management an ineffective control.
As a result, a data breach caused by insiders is significantly more costly than one caused by external threat actors. In the Ponemon Institute's 2019 Cost of a Data Breach Report, researchers observed that the average cost per record for a malicious or criminal attack was $166, versus $132 for system glitches, and $133 for human errors. Read our full post on the cost of a data breach for more information.
Pair this with the fact that insider threats account for 60 percent of cyber attacks (IBM) and nearly a third of data breaches (Verizon) and you see why developing an insider threat program is a valuable investment.
It's important to note these numbers include increased reporting of internal errors as well as malicious intent. Either way, it shows the need for security teams to develop insider threat detection methods that prevent sensitive information from being exposed by threat actors and negligent insiders alike.
What are the Different Types of Insider Threats?
There are many different types of insider threat that are security risks:
- Non-responders: A small percentage of people are non-responders to security awareness training. While they may not intend to behave negligently, they're among the riskiest members since their behaviors fit consistent patterns. For example, individuals with a strong history of falling for phishing are likely to be phished again.
- Inadvertent insiders: Negligence is the most common and expensive form of insider threat. This group generally exhibits secure behavior and complies with information security policies, but cause security incidents due to isolated errors. For example, a common insider threat incident is the storage of intellectual property on insecure personal devices.
- Insider collusion: Insider collaboration with maliciousexternal threat actors is a rare, but significant threat due to the increasing frequency that cybercriminals attempt to recruit employees via the dark web. A study by Community Emergency Response Team (CERT) found that insider-outsider collusion accounted for 16.75% of insider-caused security incidents.
- Persistent malicious insiders: This type of insider threat most commonly attempts data exfiltration or other malicious acts like installing malware for financial gain. A Gartner study on criminal insider threats found that 62 percent of insiders with malicious intent are people seeking a supplemental income.
- Disgruntled employees: Disgruntled employees may commit deliberate sabotage of security tools, data security controls, or commit intellectual property theft. These types of employees may be detectable with behavior analytics as they can follow specific behavioral patterns. For example, they may start looking at sensitive data sources when they give their notice or have been fired before having access removed.
- Moles: An imposter who is technically an outsider but has managed to gain insider access. This is someone from outside the organization who poses as an employee or partner.
How to Detect an Insider Threat
There are common behaviors that CISOs and their security teams should monitor and detect in order to stop active and potential insider threats.
A good rule of thumb is any anomalous activity could indicate an insider threat. Likewise, if an employee appears dissatisfied or resentful, or has started to take on more tasks that require privileged access with excessive enthusiasm, that could indicate foul play.
Common Indicators of Insider Threats
The common indicators of compromise of insider threats can be split into digital and behavioral warning signs:
Digital Warning Signs
- Downloading or accessing unnatural amounts of data
- Accessing sensitive data not associated with their job
- Accessing data that is outside of their usual behavior
- Making multiple requests for access to tools or resources not needed for their job
- Using unauthorized external storage devices like USBs
- Network crawling and searching for sensitive data
- Data hoarding and copying files from sensitive folders
- Emailing sensitive data to outside parties
- Scanning for open ports and vulnerabilities
- Logging in outside of usual hours
Behavioral Warning Signs
- Attempting to bypass access control
- Turning off encryption
- Failing to apply software patches
- Frequently in the office during odd-hours
- Displaying negative or disgruntled behavior towards colleagues
- Violating corporate policies
- Discussing resigning or new opportunities
While human behavioral warnings can indicate potential issues security information and event management (SIEM) or user behavior analytics tools are generally more efficient ways to detect insider threats as they can analyze and alert security teams when suspicious or anomalous activity has been detected.
How to Prevent Insider Attacks
There are a number of things you can do to reduce the risk of insider threats:
- Start with data protection: Sensitive data is often the primary target for insider threats, including those created by negligence and criminal intent. Consider developing a data classification policy or investing in data loss prevention (DLP) tools to help prevent sensitive data from being exposed. It also includes data stored with vendors, so remember to develop a vendor risk management policy and invest in third-party risk management software.
- Protect critical assets: Insiders threats can also damage critical assets, whether they be physical or logical. This includes systems, technology, facilities, and people. Think through what is critical for you to provide your product or services, things like proprietary software, internal processes, and schematics can all be critical assets.
- Enforce information security policies: Clearly document your information security controls and how you enforce them to prevent misunderstanding. Every employee should understand their role in security and understand their rights in relation to intellectual property, as well as the damages that can be caused by theft of personally identifiable information (PII) and protected health information (PHI).
- Adopt behavioral analytics: While everyone behaves in an individual way, changes in individual patterns can predict risk. Artificial intelligence and behavioral analytics can help detect risks in subtle patterns that humans can't. User and entity behavior analytics (UEBA) can provide context that can be lost with manual review.
- Increase visibility: Deploy solutions that can track employee actions and correlate activity across multiple sources. For example, you could deploy a counterintelligence tool that exposes fake malicious data to lures malicious insiders out.
- Reduce your attack surface: Attack surface management (ASM) is the continuous discovery, inventory, classification, prioritization, and security monitoring of external digital assets that contain, transmit, or process sensitive data. Attack surface management software can help discover and assess your organization's external attack surface, which could have gaps as a result of insider threats.
- Patch vulnerabilities: One of the greatest safeguards against internal and external threats is strong security hygiene that addresses known vulnerabilities. Maintaining consistent vulnerability management and vulnerability assessment processes can reveal compromised systems from the moment they occur, not months after the incident.
- Use cybersecurity awareness training: While ransomware, spyware, and malware are among the most widely-discussed enterprise security risks, negligent insiders are at the heart of many data breaches. Teaching staff about common patterns in spear phishing, whaling campaigns, social engineering attacks, and other attack vectors can reduce errors and protect your organization.
- Follow email security best practices: Phishing emails are one of the most common ways that insiders can be compromised. Ensure that your organization has SPF, DKIM, and DMARC correctly configured to prevent email spoofing. If you're not sure how to do this, follow our email security best practices guide.
- Invest in multiple security controls: A defense-in-depth approach to security that follows the principle of least privilege is an excellent way to reduce the cybersecurity risk of insider threats.
Insider Threat Examples
There are a number of high profile insider threat examples:
- Boeing: Greg Chung is a Chinese born, American citizen who was charged with stealing $2 billion worth of intellectual property for the Chinese government over decades. (The New Yorker)
- Tesla: In 2018, it was revealed that an insider had conducted "quite extensive and damaging sabotage" to the company's operations, including changing code to an internal product and exporting data to outsiders. (CNBC)
- Facebook: Facebook had to fire a security engineer who took advantage of his position to access information about women to stalk them online. (NBC)
- Coca-Cola: 8,000 individuals were exposed by a former engineer who took computer files with him when he left the company. (Bleeping Computer)
- Suntrust Bank: A malicious insider stole PII and account information for 1.5 million customers for a criminal organization. (Dark Reading)
- Amazon Web Services (AWS): a repository hosted on GitHub with data containing personal identity documents and system credentials including passwords, AWS key pairs, and private keys were accidentally exposed by an AWS engineer. (UpGuard)
How UpGuard Can Help Detect Leaked Data and Exposed Credentials
For the assessment of your information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand cyber security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos, and more.
This includes open ports and other services that are exposed to the public Internet. Our platform explicitly checks for nearly 200 services running across thousands of ports, and reports on any services we can't identify, as well as any open ports with no services detected.