Using Access Controls to Thwart Insider Threats

Almost half of the entries on our Top 10 list for Insider Threats reference access control in some way, whether it is implementing multi-factor authentication (MFA) or making sure old accounts are purged. Access control is a big part of mitigating the Insider Threat. With outside attackers frequently leveraging compromised credentials and malicious insiders abusing their own access, losing control of who can log in and where they can go lies at the heart of the problem.

One Potato, Two Potato

The access control problem falls into two main categories. The first problem is keeping external attackers from compromising credentials, or from using them when, not if, they do. The second problem is keeping internal users from abusing their existing access for malicious ends. There can be overlap, of course, for example when an insider steals a colleague’s credentials. But the “first line of defense” lies in a different place depending on where the attack originates.

The first layer of defense against external attackers trying to steal credentials is user education. That shouldn’t be a surprise, considering how many users fall for phishing attacks and social engineering lures, or lose their credentials to malware. That’s not even counting people who reuse ID and password combinations or choose weak passwords that can be easily brute-forced. Educating your user base on good password hygiene is critical. Users should create strong passwords, avoid reusing them, and rotate them periodically, but not so often that they get forgotten. Giving them the tools and support they need can reduce the risk from credential compromise.

Can I Get a Second Factor Please?

After user education comes multi-factor authentication. For organizations that already teach good hygiene, MFA is the next step. In fact, back in 2018 Krebs on Security reported that Google hadn’t had a single case of password phishing among its 85,000+ employees since implementing hardware security keys for MFA. Multi-factor raises the security bar several steps. Even if an attacker manages to skim a user ID and password combination, a good second factor will be enough to keep them from using the stolen credentials. MFA is also useful against an insider using stolen credentials, assuming they’re not stealing their colleague’s car keys at the same time.

Physical keys, like the Titan or YubiKey, are a solid solution. But there are others, which gives an organization more options when they’re implementing MFA.

The Problem with Permissions…

When it comes to access control, something a lot of organizations overlook is account and permission maintenance. When was the last time your administrators went through the user directory and cleared out dormant accounts? Sure, no one has used them in years, but an attacker could still leverage them and gain access to whatever resources those accounts can still reach. Such accounts would be a boon for a malicious insider who could use them to cover his or her tracks. Even if someone notices the access, it would be attributed to that long-gone user.

Permission inheritance is another closely related problem. How many times have admins just copy/pasted permissions from an existing user to a new hire in the same group? How many times have they forgotten to remove permissions that were granted for some special project? How often has that combination led to users inheriting permissions from two or three generations back that have absolutely nothing to do with their actual position? The answer is “far more often than it should.”
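The account and permission review described in the two paragraphs above can be sketched as a small audit over a directory export. This is an added example, not Gurucul's product code; the record fields, the 90-day idle window and the 50% peer-share cutoff are assumptions, and the sample accounts are constructed.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample directory export (not real data); field names are assumptions.
ACCOUNTS = [
    {"user": "alice", "group": "finance", "enabled": True,
     "last_login": date(2024, 5, 28), "entitlements": {"erp:read", "erp:post"}},
    {"user": "bob", "group": "finance", "enabled": True,
     "last_login": date(2024, 5, 30), "entitlements": {"erp:read", "erp:post"}},
    {"user": "carol", "group": "finance", "enabled": True,
     "last_login": date(2024, 5, 29),
     "entitlements": {"erp:read", "erp:post", "hr:payroll-export", "git:admin"}},
    {"user": "dave", "group": "finance", "enabled": True,
     "last_login": date(2021, 11, 2), "entitlements": {"erp:read", "erp:post"}},
    {"user": "erin", "group": "it", "enabled": False,
     "last_login": date(2020, 1, 15), "entitlements": {"git:admin"}},
]

def dormant_accounts(accounts, today, max_idle_days=90):
    """Enabled accounts with no login inside the idle window."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and (today - a["last_login"]).days > max_idle_days)

def outlier_entitlements(accounts, min_share=0.5):
    """Entitlements a user holds that fewer than min_share of their peer group holds."""
    members = defaultdict(list)
    for a in accounts:
        if a["enabled"]:
            members[a["group"]].append(a)
    findings = {}
    for group, peers in members.items():
        held = Counter(e for a in peers for e in a["entitlements"])
        for a in peers:
            rare = sorted(e for e in a["entitlements"] if held[e] / len(peers) < min_share)
            if rare:
                findings[a["user"]] = rare
    return findings

if __name__ == "__main__":
    today = date(2024, 6, 1)  # fixed review date so the result is reproducible
    print("dormant:", dormant_accounts(ACCOUNTS, today))
    print("review:", outlier_entitlements(ACCOUNTS))
```

A peer-group comparison only surfaces entitlements that are rare within the group; permissions that were copied to every member look normal to it and still need a review against the role definition.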

These techniques are all good for mitigating an external threat, or someone who’s trying to leverage a colleague’s stolen credentials. Gurucul offers Identity and Access Analytics to help you quickly identify and remove dormant and orphan accounts in addition to removing unnecessary account entitlements. But what about cases where a user is abusing their privilege to access restricted resources or any of the other potential privilege abuses?

Your Behavior Is Showing

This is where advanced behavior analytics comes into play. By focusing on behavior, an AI-based system can spot anomalies that indicate a malicious user abusing their access. It is one of the few reliable ways to identify nefarious users. Since these users have legitimate access to restricted resources by definition, or can change permissions as they see fit, most defensive techniques won’t flag their activities as unusual. In contrast, behavior analytics can identify the outliers. It spots the aberrant behaviors that indicate something is going on and can automatically react, alerting security operations while restricting access or isolating the offending user.

Behavior analytics is a valuable tool across the access control spectrum. By analyzing users’ normal behaviors, it’s easy to detect when an outsider is trying to log in using a compromised account or an insider is trying to leverage stolen credentials within the organization. No matter what kind of insider threat you’re facing, there are telltale behaviors that will give them away to the AI. Gurucul can help. Contact us for details.