What Is an Insider Threat? Definition, Examples, and Mitigations | UpGuard (2024)

An insider threat is a threat to an organization that comes from negligent or malicious insiders, such as employees, former employees, contractors, third-party vendors, or business partners, who have inside information about cybersecurity practices, sensitive data, and computer systems. It is a type of cyber threat.

The threat may involve fraud, theft of confidential or commercially valuable information, theft of intellectual property and trade secrets, sabotage of security measures, or misconfiguration that leads to data leaks.

Why are Insider Threats Dangerous?

A SANS report on advanced threats identified major gaps in insider threat defense, driven by the lack of a baseline of normal user behavior as well as poor access control management of privileged user accounts, which are attractive targets for brute force attacks and social engineering attacks such as phishing.

Even the best security teams struggle to detect insider threats. Insiders, by definition, have legitimate access to the organization's information and assets, so it is hard to distinguish normal activity from malicious activity. Compounding this problem is the fact that insiders typically understand where sensitive data is stored and may have legitimate access needs, making role-based access management an ineffective control on its own.

As a result, a data breach caused by insiders is significantly more costly than one caused by external threat actors. In the Ponemon Institute's 2019 Cost of a Data Breach Report, researchers observed that the average cost per record for a malicious or criminal attack was $166, versus $132 for system glitches, and $133 for human errors. Read our full post on the cost of a data breach for more information.

Pair this with the fact that insider threats account for 60 percent of cyber attacks (IBM) and nearly a third of data breaches (Verizon) and you see why developing an insider threat program is a valuable investment.

It's important to note these numbers include increased reporting of internal errors as well as malicious intent. Either way, it shows the need for security teams to develop insider threat detection methods that prevent sensitive information from being exposed by threat actors and negligent insiders alike.

What are the Different Types of Insider Threats?

There are many different types of insider threat that are security risks:

  • Non-responders: A small percentage of people are non-responders to security awareness training. While they may not intend to behave negligently, they're among the riskiest members since their behaviors fit consistent patterns. For example, individuals with a strong history of falling for phishing are likely to be phished again.
  • Inadvertent insiders: Negligence is the most common and expensive form of insider threat. This group generally exhibits secure behavior and complies with information security policies, but causes security incidents through isolated errors. For example, a common insider threat incident is the storage of intellectual property on insecure personal devices.
  • Insider collusion: Insider collaboration with malicious external threat actors is a rare but significant threat, given the increasing frequency with which cybercriminals attempt to recruit employees via the dark web. A study by the Community Emergency Response Team (CERT) found that insider-outsider collusion accounted for 16.75% of insider-caused security incidents.
  • Persistent malicious insiders: This type of insider threat most commonly attempts data exfiltration or other malicious acts like installing malware for financial gain. A Gartner study on criminal insider threats found that 62 percent of insiders with malicious intent are people seeking a supplemental income.
  • Disgruntled employees: Disgruntled employees may commit deliberate sabotage of security tools or data security controls, or commit intellectual property theft. These types of employees may be detectable with behavior analytics as they can follow specific behavioral patterns. For example, they may start looking at sensitive data sources when they give their notice, or after they have been fired but before their access has been removed.
  • Moles: An imposter who is technically an outsider but has managed to gain insider access. This is someone from outside the organization who poses as an employee or partner.

How to Detect an Insider Threat

There are common behaviors that CISOs and their security teams should monitor and detect in order to stop active and potential insider threats.

A good rule of thumb is that any anomalous activity could indicate an insider threat. Likewise, if an employee appears dissatisfied or resentful, or has started to take on more tasks that require privileged access with excessive enthusiasm, that could indicate foul play.

Common Indicators of Insider Threats

The common indicators of insider threats can be split into digital and behavioral warning signs:

Digital Warning Signs

  • Downloading or accessing unnatural amounts of data
  • Accessing sensitive data not associated with their job
  • Accessing data that is outside of their usual behavior
  • Making multiple requests for access to tools or resources not needed for their job
  • Using unauthorized external storage devices like USBs
  • Network crawling and searching for sensitive data
  • Data hoarding and copying files from sensitive folders
  • Emailing sensitive data to outside parties
  • Scanning for open ports and vulnerabilities
  • Logging in outside of usual hours

Behavioral Warning Signs

  • Attempting to bypass access control
  • Turning off encryption
  • Failing to apply software patches
  • Frequently in the office at odd hours
  • Displaying negative or disgruntled behavior towards colleagues
  • Violating corporate policies
  • Discussing resigning or new opportunities

While human behavioral warning signs can indicate potential issues, security information and event management (SIEM) or user behavior analytics tools are generally more efficient ways to detect insider threats, since they can analyze activity at scale and alert security teams when suspicious or anomalous activity is detected.
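The following is an added example, not code from the original article or from UpGuard's products, showing how three of the digital warning signs above (activity outside usual hours, access to sensitive data outside the user's role, and unusually large data volumes) can be turned into simple detection rules run over access-log lines. The log format, the department-to-path mapping, the working-hours window and the volume threshold are all assumptions chosen for the example; the log lines are constructed, not real data.

```python
"""Toy insider-threat indicator detection over constructed access-log lines.

Added example: the CSV log format, SENSITIVE_PATHS, WORK_HOURS and the
volume threshold are assumptions for illustration, not a real SIEM rule set.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real data): timestamp,user,department,action,resource,bytes
SAMPLE_LOG = """\
2024-03-04T09:12:00,alice,engineering,read,/repos/app,120000
2024-03-04T10:30:00,bob,finance,read,/finance/ledger,40000
2024-03-05T09:40:00,alice,engineering,read,/repos/app,110000
2024-03-05T11:05:00,bob,finance,read,/finance/ledger,42000
2024-03-06T09:20:00,alice,engineering,read,/repos/app,130000
2024-03-06T14:00:00,bob,finance,read,/finance/ledger,39000
2024-03-07T02:15:00,alice,engineering,read,/hr/payroll,5000
2024-03-07T02:20:00,alice,engineering,download,/repos/app,2400000
2024-03-07T09:00:00,bob,finance,read,/finance/ledger,41000
"""

# Assumed mapping: which departments have a job-related need for each sensitive path prefix
SENSITIVE_PATHS = {"/hr/": {"hr"}, "/finance/": {"finance"}}
WORK_HOURS = range(7, 20)   # 07:00-19:59 counts as usual hours (assumption)
VOLUME_MULTIPLIER = 3.0     # a day is unusual above 3x the user's median of other days
MIN_BASELINE_DAYS = 3       # need this many other days before judging volume


def parse_log(text):
    """Parse the CSV-like lines into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dept, action, resource, nbytes = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "dept": dept, "action": action,
                       "resource": resource, "bytes": int(nbytes)})
    return events


def off_hours_findings(events):
    """One finding per user and day with any activity outside WORK_HOURS."""
    found = set()
    for e in events:
        if e["time"].hour not in WORK_HOURS:
            found.add(("activity_outside_usual_hours", e["user"], e["time"].date().isoformat()))
    return found


def out_of_role_findings(events):
    """One finding per user and day touching a sensitive path their department does not own."""
    found = set()
    for e in events:
        for prefix, depts in SENSITIVE_PATHS.items():
            if e["resource"].startswith(prefix) and e["dept"] not in depts:
                found.add(("sensitive_data_outside_role", e["user"], e["time"].date().isoformat()))
    return found


def volume_findings(events):
    """Flag a user's day whose byte total far exceeds that user's own baseline.

    The baseline is the median of the user's other days (leave-one-out), so a
    single huge day does not inflate the baseline it is compared against.
    """
    daily = defaultdict(int)
    for e in events:
        daily[(e["user"], e["time"].date().isoformat())] += e["bytes"]
    per_user = defaultdict(dict)
    for (user, day), total in daily.items():
        per_user[user][day] = total
    found = set()
    for user, days in per_user.items():
        for day, total in days.items():
            others = [t for d, t in days.items() if d != day]
            if len(others) < MIN_BASELINE_DAYS:
                continue
            if total > VOLUME_MULTIPLIER * median(others):
                found.add(("unusual_data_volume", user, day))
    return found


def detect(log_text):
    """Run all three rules and return sorted (indicator, user, day) tuples."""
    events = parse_log(log_text)
    return sorted(off_hours_findings(events) | out_of_role_findings(events) | volume_findings(events))


if __name__ == "__main__":
    for indicator, user, day in detect(SAMPLE_LOG):
        print(f"{day} {user}: {indicator}")
```

Each rule produces at most one finding per user per day, which keeps the output reviewable; a real UEBA deployment would build baselines over weeks rather than three days and weight findings by the sensitivity of the data involved, but the structure (per-user baseline, role-aware sensitivity, time-of-day context) is the same.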

How to Prevent Insider Attacks

There are a number of things you can do to reduce the risk of insider threats:

  • Start with data protection: Sensitive data is often the primary target for insider threats, including those created by negligence and criminal intent. Consider developing a data classification policy or investing in data loss prevention (DLP) tools to help prevent sensitive data from being exposed. This also covers data stored with vendors, so remember to develop a vendor risk management policy and invest in third-party risk management software.
  • Protect critical assets: Insider threats can also damage critical assets, whether physical or logical. This includes systems, technology, facilities, and people. Think through what is critical to delivering your product or services; proprietary software, internal processes, and schematics can all be critical assets.
  • Enforce information security policies: Clearly document your information security controls and how you enforce them to prevent misunderstanding. Every employee should understand their role in security and their rights in relation to intellectual property, as well as the damage that can be caused by theft of personally identifiable information (PII) and protected health information (PHI).
  • Adopt behavioral analytics: While everyone behaves in an individual way, changes in individual patterns can predict risk. Artificial intelligence and behavioral analytics can help detect risks in subtle patterns that humans can't. User and entity behavior analytics (UEBA) can provide context that is lost in manual review.
  • Increase visibility: Deploy solutions that can track employee actions and correlate activity across multiple sources. For example, you could deploy a counterintelligence tool that exposes fake data to lure malicious insiders out.
  • Reduce your attack surface: Attack surface management (ASM) is the continuous discovery, inventory, classification, prioritization, and security monitoring of external digital assets that contain, transmit, or process sensitive data. Attack surface management software can help discover and assess your organization's external attack surface, which could have gaps as a result of insider threats.
  • Patch vulnerabilities: One of the greatest safeguards against internal and external threats is strong security hygiene that addresses known vulnerabilities. Maintaining consistent vulnerability management and vulnerability assessment processes can reveal compromised systems from the moment they occur, not months after the incident.
  • Use cybersecurity awareness training: While ransomware, spyware, and malware are among the most widely discussed enterprise security risks, negligent insiders are at the heart of many data breaches. Teaching staff about common patterns in spear phishing, whaling campaigns, social engineering attacks, and other attack vectors can reduce errors and protect your organization.
  • Follow email security best practices: Phishing emails are one of the most common ways that insiders can be compromised. Ensure that your organization has SPF, DKIM, and DMARC correctly configured to prevent email spoofing. If you're not sure how to do this, follow our email security best practices guide.
  • Invest in multiple security controls: A defense-in-depth approach to security that follows the principle of least privilege is an excellent way to reduce the cybersecurity risk of insider threats.
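The email security bullet above recommends correctly configured SPF and DMARC. As an added example (not code from the article, UpGuard, or any DNS tooling), the snippet below assesses SPF and DMARC TXT record strings for the weak settings that most often leave a domain spoofable, and shows a weak record beside its corrected form. It works on record strings only, so it runs offline; the sample records use the reserved example.com/example.net names and are constructed. The checks are a useful subset, not a full RFC 7208 / RFC 7489 validator.

```python
"""Assess SPF and DMARC TXT record strings for common spoofing weaknesses.

Added example with constructed sample records; the checks cover the most
common misconfigurations rather than the full SPF/DMARC specifications.
"""

# Constructed sample records: a weak configuration beside its corrected form
WEAK_SPF = "v=spf1 include:_spf.example.net +all"      # +all lets anyone send as the domain
STRONG_SPF = "v=spf1 include:_spf.example.net -all"    # -all hard-fails unlisted senders
WEAK_DMARC = "v=DMARC1; p=none"                        # monitor-only, no reporting address
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

# SPF terms that each consume one of the 10 DNS lookups allowed by RFC 7208
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Split DMARC 'k=v; k=v' syntax into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of human-readable weaknesses; empty means no issue found."""
    issues = []
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= policy")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        issues.append("no rua= address, so aggregate reports are never received")
    return issues


def _mechanism_name(term):
    """'include:_spf.example.net' -> 'include', '+all' -> 'all', 'redirect=x' -> 'redirect'."""
    return term.lower().lstrip("+-~?").split(":")[0].split("=")[0]


def assess_spf(record):
    """Return a list of human-readable weaknesses; empty means no issue found."""
    issues = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    all_term = next((t for t in terms[1:] if _mechanism_name(t) == "all"), None)
    if all_term is None:
        issues.append("no 'all' mechanism; unlisted senders are neither passed nor failed")
    elif all_term.lower() in ("+all", "all"):
        issues.append("'+all' authorizes every sender on the internet")
    elif all_term.lower() == "?all":
        issues.append("'?all' is neutral and gives receivers no basis to reject")
    # '~all' (softfail) is accepted here; '-all' is the stricter end state
    lookups = sum(1 for t in terms[1:] if _mechanism_name(t) in SPF_LOOKUP_MECHANISMS)
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (RFC 7208)")
    return issues


if __name__ == "__main__":
    for label, record, check in (("weak SPF", WEAK_SPF, assess_spf),
                                 ("strong SPF", STRONG_SPF, assess_spf),
                                 ("weak DMARC", WEAK_DMARC, assess_dmarc),
                                 ("strong DMARC", STRONG_DMARC, assess_dmarc)):
        print(f"{label}: {check(record) or 'no issues found'}")
```

The usual progression is to publish DMARC with p=none and an rua= address first, use the aggregate reports to find every legitimate sending source, add those sources to SPF (and sign with DKIM), then move to p=quarantine and finally p=reject with -all in SPF. Running a check like this against your own records after each step catches the two mistakes that quietly leave spoofing possible: staying at p=none indefinitely, and an SPF record that ends in +all or ?all.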


Insider Threat Examples

There are a number of high profile insider threat examples:

  • Boeing: Greg Chung is a Chinese-born American citizen who was charged with stealing $2 billion worth of intellectual property for the Chinese government over decades. (The New Yorker)
  • Tesla: In 2018, it was revealed that an insider had conducted "quite extensive and damaging sabotage" to the company's operations, including changing code in an internal product and exporting data to outsiders. (CNBC)
  • Facebook: Facebook had to fire a security engineer who took advantage of his position to access information about women in order to stalk them online. (NBC)
  • Coca-Cola: 8,000 individuals were exposed by a former engineer who took computer files with him when he left the company. (Bleeping Computer)
  • SunTrust Bank: A malicious insider stole PII and account information for 1.5 million customers on behalf of a criminal organization. (Dark Reading)
  • Amazon Web Services (AWS): A repository hosted on GitHub containing personal identity documents and system credentials, including passwords, AWS key pairs, and private keys, was accidentally exposed by an AWS engineer. (UpGuard)

How UpGuard Can Help Detect Leaked Data and Exposed Credentials

For the assessment of your information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls, providing a simple, easy-to-understand cybersecurity rating, and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos, and more.

This includes open ports and other services that are exposed to the public Internet. Our platform explicitly checks for nearly 200 services running across thousands of ports, and reports on any services we can't identify, as well as any open ports with no services detected.
