How to Monitor, Detect, and Respond to Malicious Insiders
Insider threats have long been a source of security risk for businesses and organizations. Dating back to ancient times, militaries and nations routinely have used spies and espionage to gather intelligence on rivals. In today’s information age, malicious insiders regularly steal valuable data for sale or cause destruction of important records due to malice or greed.
These malicious insiders, termed insider threats, are current or former employees or contractors who have or once had authorized access to an organization’s network, systems, or data. They intentionally misuse this access to conduct sabotage, theft, espionage, or fraud by abusing their access or stealing materials or physical devices. Insiders pose a serious threat to businesses because they have the knowledge and access to proprietary systems and can thus bypass traditional security measures. The nature of these insider threats is unique from other security challenges, requiring a different strategy for preventing and addressing them. It is critical for organizations to understand normal employee behavior so that they can recognize when a trusted insider is acting unusually in a way that may be harmful to the organization.
Insider Threat Examples
- The Thief
Many insider threats are financially motivated insiders who seek to sell sensitive data to the highest bidder. Health and payment card records are a top target, as are intellectual property, sensitive PII of employees and customers, and the organization’s financial data. In one example reported to the CERT Insider Threat Center, a malicious insider stole the crown jewels of the hedge fund he worked for: its trading algorithms. He bypassed the tight IT controls surrounding the system by using two virtual machines (to evade host-based detection systems) and sending the information to his personal email account, but was detected by an IT team alerted by the unusually large number of files on his system. In another example, a database administrator at Fidelity National Information Services stole 3.2 million customer records that included credit card numbers, bank account information, and PII belonging to the firm’s clients. He was caught and sentenced to almost 5 years in prison.
- The Vigilante
Many insiders are people who see a need for change and decide to take action. Oftentimes, these whistleblowers and vigilantes take sensitive data to the press to publicize a wrongdoing. The best-known example is Edward Snowden: as a contractor with the National Security Agency, he stole and released records on government surveillance before fleeing the country. In another example, the network administrator for the City of San Francisco refused to surrender passwords to key city systems because he felt his supervisors were incompetent.
- The Disgruntled Employee
Often, employees who are disgruntled, know they will be terminated, or are otherwise leaving the company decide to take action to get revenge on their way out. In 2002, Timothy Lloyd went to prison for over 3 years for planting a software time bomb at his employer Omega that cost millions of dollars and 80 jobs. In 2012, a network engineer at the oil and gas company EnerVest found out he was going to be fired and performed a factory reset on the company’s servers.
All three of these insider threat behavior patterns can be mitigated with traditional cybersecurity controls tailored to focus on managing insider threats.
Top 3 Insider Threat Techniques
Insiders falling into the three groupings above can be combated through a variety of cybersecurity countermeasures. One consistent theme in combating the malicious insider is detecting their unusual behavior. Other methods limit the access any single individual has, and thus the amount of damage that person could cause the company.
Logging, Monitoring and Auditing
Throughout an organization, IT assets and systems produce a detective capability that can assist cybersecurity teams in finding malicious insiders: audit and transaction logs. These logs contain information that can reveal serious security violations before they impact the organization. Logs may provide the data that leads to the insight that a malicious insider is downloading a suspiciously large number of customer records or sending large email attachments to an external address. The challenge organizations face is collecting these logs from disparate systems and making sense of them.
Log formats vary, and normalizing and correlating log events across systems requires an advanced analytic capability. Security information and event management (SIEM) tools can automate the collection, correlation, and storage of events and facilitate the analysis of, and alerting on, security events.
Many tools and solutions are available that can establish a baseline of expected behavior for each employee and then monitor for and alert on abnormal or unusual behavior using heuristics-based analysis (for example, detecting employees logging on at odd hours of the night or downloading unusually large numbers of files).
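As an added illustration (not code from the original article), here is a small Python detector that applies the baseline-then-deviation idea described above to a few constructed audit log lines: it flags logons outside a user's usual hours, daily download volume far above that user's baseline, and large attachments to external addresses. The log format, baseline numbers, internal domain and thresholds are all assumptions.

```python
"""Per-user baseline deviation checks over constructed audit logs (added example,
not from the original article; log format, baselines and thresholds are assumptions)."""
from collections import defaultdict
from datetime import datetime

# Constructed per-user baselines (in practice learned from weeks of historical
# logs): typical records pulled per day and the usual logon-hour window.
BASELINE = {
    "alice": {"daily_records": 45, "hours": (8, 18)},
    "mallory": {"daily_records": 60, "hours": (9, 17)},
}
DEFAULT_BASELINE = {"daily_records": 100, "hours": (7, 19)}  # users with no history yet
DEVIATION_FACTOR = 10            # alert above 10x the user's normal daily volume
INTERNAL_DOMAIN = "example.com"  # assumption
MAX_EXTERNAL_BYTES = 10_000_000  # 10 MB attachment limit for outside addresses, assumption

# Constructed log lines: "<ISO timestamp> <user> <EVENT> key=value ..."
SAMPLE_LOGS = """\
2024-03-04T09:12:00 alice LOGON host=ws-12
2024-03-04T09:30:00 alice DOWNLOAD table=customers count=40
2024-03-04T17:45:00 alice EMAIL to=bob@example.com size=120000
2024-03-05T02:10:00 mallory LOGON host=ws-7
2024-03-05T02:15:00 mallory DOWNLOAD table=customers count=18000
2024-03-05T02:20:00 mallory EMAIL to=m.home@webmail.invalid size=52000000
"""

def parse(line):
    ts, user, event, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, event, dict(kv.split("=", 1) for kv in detail.split())

def detect(log_text, baseline=BASELINE):
    """Return (user, reason, evidence) tuples for activity outside the user's baseline."""
    alerts, pulled = [], defaultdict(int)  # pulled: (user, date) -> records so far that day
    for line in log_text.splitlines():
        ts, user, event, f = parse(line)
        b = baseline.get(user, DEFAULT_BASELINE)
        if event == "LOGON":
            start, end = b["hours"]
            if not start <= ts.hour < end:
                alerts.append((user, "logon outside usual hours", ts.isoformat()))
        elif event == "DOWNLOAD":
            key = (user, ts.date())
            before, pulled[key] = pulled[key], pulled[key] + int(f["count"])
            limit = b["daily_records"] * DEVIATION_FACTOR
            if before <= limit < pulled[key]:  # alert once, when the limit is crossed
                alerts.append((user, "download volume far above baseline", str(pulled[key])))
        elif event == "EMAIL":
            external = f["to"].rsplit("@", 1)[-1] != INTERNAL_DOMAIN
            if external and int(f["size"]) > MAX_EXTERNAL_BYTES:
                alerts.append((user, "large attachment to external address", f["to"]))
    return alerts
```

Run against `SAMPLE_LOGS`, only mallory's three events trip the checks; alice's daytime logon, modest download and internal email stay within her baseline.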
Effective Privilege Management
Another strategy to mitigate the risk of insider threats is to implement a protective control that limits the damage a malicious insider can cause by limiting the privileges of employees. Implementing separation of duties and least privilege ensures that employees are authorized only for the privileges and resources they need to do their jobs. Sensitive tasks are then split across multiple people, and the same individual is not responsible for both performing a task and auditing how it is performed.
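An added example, not from the original article, showing how the separation-of-duties and least-privilege review just described can be expressed as code over a role model: it finds users who hold both a task permission and the permission to approve or audit that same task, and lists granted permissions a user never exercises. The roles, permissions, conflict pairs and assignments are constructed assumptions.

```python
"""Separation-of-duties and least-privilege checks over a role model (added example,
not from the original article; roles, permissions and conflict pairs are constructed)."""

# Constructed role -> permissions mapping.
ROLES = {
    "payments_clerk": {"payment.create", "payment.submit"},
    "payments_approver": {"payment.approve"},
    "finance_auditor": {"payment.read", "audit_log.read"},
    "dba": {"db.read", "db.write", "db.admin"},
    "helpdesk": {"user.reset_password"},
}
# Permission pairs one person must never hold together: performing a task versus
# approving or auditing that same task.
CONFLICTS = [
    ("payment.create", "payment.approve"),
    ("payment.submit", "audit_log.read"),
    ("db.admin", "audit_log.read"),
]
# Constructed user -> roles assignments.
ASSIGNMENTS = {
    "alice": {"payments_clerk"},
    "bob": {"payments_approver", "finance_auditor"},
    "carol": {"helpdesk", "payments_clerk", "payments_approver"},
    "mallory": {"dba", "finance_auditor"},
}

def effective_permissions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of the permissions granted through every role the user holds."""
    perms = set()
    for role in assignments.get(user, ()):
        perms |= roles[role]
    return perms

def sod_violations(assignments=ASSIGNMENTS, roles=ROLES, conflicts=CONFLICTS):
    """Return (user, perm_a, perm_b) for every conflicting pair a single user holds."""
    found = []
    for user in sorted(assignments):
        perms = effective_permissions(user, assignments, roles)
        found += [(user, a, b) for a, b in conflicts if a in perms and b in perms]
    return found

def unused_permissions(user, exercised, assignments=ASSIGNMENTS, roles=ROLES):
    """Least-privilege review: permissions granted but never seen in usage logs."""
    return sorted(effective_permissions(user, assignments, roles) - set(exercised))
```

Note that carol's conflict only appears once roles are combined: each of her roles is harmless alone, which is why the check runs over effective permissions rather than individual roles.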
Extra Vigilance During Termination Process
According to one Carnegie Mellon study, most insider threat attacks happen during the 10 days before an employee’s last day. Preparing and implementing secure processes for employee departures is one way to guard against malicious insiders seeking revenge. This includes timely removal of network access, backups of important files, and timely collection of laptops and removable media.
Trusted insiders have the network access and insider knowledge necessary to cause major cybersecurity incidents should they turn malicious. Many insiders seek revenge, financial benefit, or perhaps to right a perceived wrong when they turn against their current or former employer. Log monitoring, correlation, and analysis together form a primary detective technique for identifying and alerting on insiders taking abnormal actions that may indicate a cybersecurity threat. Controls around privileges and HR processes are two other ways to minimize the damage posed by this threat.