Recognizing Potential Insider Threat Personas and How to Stop Them

Who’s responsible for insider attacks? Of the possible threats to enterprise data and computing resources, none is more apparent than the insider threat, those who are already inside the network perimeter. There are a variety of insider threat personas because all employees already have some level of access. Let’s take a closer look at who these people are, and why they might breach the data or systems.

What are Insider Threats?

Insider threats refer to the risks and vulnerabilities posed by individuals within an organization who have authorized access to its systems, data, or premises, but misuse their privileges to cause harm intentionally or unintentionally. These threats can manifest in various forms, such as data theft, sabotage, espionage, fraud, or unauthorized disclosure, and may involve employees, contractors, or other trusted individuals with insider knowledge, potentially leading to financial, operational, or reputational damage.

The Scope of the Insider Threat Problem

According to Verizon’s 2023 Data Breach Investigations Report,19% of all data breaches last year were by internal actors. Clearly, it’s a prevalent problem. It’s also a costly problem. Research from the IBM Security 2023 Cost of a Data Breach Report reveals that the average cost of a data breach with a malicious insider initial attack vector is now a staggering $4.9 million. According to the report, “attacks initiated by malicious insiders were the costliest, at an average of USD 4.9 million, which is 9.6% higher than the global average cost of USD 4.45 million per data breach.”

Insiders are a particular problem in the realm of cybersecurity. External attackers must first breach an organization’s perimeter and then search the network for valuable data before being detected. But insiders already know where that proverbial gold resides – and how to access it.

Who Are These Insider Threats?

When most people think of the “insider threat” there are usually some common stereotypes that spring to mind. Often people conjure up an image of the nefarious insider threat being some malevolent super villain straight out of a 60s James Bond flick.

In reality, the insider threat is more complex. It could be the employee who received a poor performance review and is now itching to “get even” with the company he thinks mistreated him. Or perhaps it’s the rogue IT admin who uses his unmonitored elevated access to snoop out confidential data on the network. How about the former employee who still retains access to key systems, even long after leaving the company?

For just one example of this type of insider threat, consider the case of a fired employee who pilfered the data of 2.9 million members of the largest credit union in Canada.

Insider threat personas refer to different types of individuals within an organization who may pose a risk due to their access to sensitive information, knowledge of internal processes, or their potential to exploit vulnerabilities. While these personas can vary depending on the specific context and industry, here are some of the most common insider threat personas:

• Disgruntled Employees:
  Individuals motivated by feelings of anger, resentment, or dissatisfaction with the organization. They may engage in malicious activities to seek revenge or cause harm, such as leaking sensitive information or disrupting systems.
• Compromised Insiders:
  External attackers gain control over insider accounts through techniques like phishing or malware. Once compromised, attackers can misuse the insider’s access to carry out malicious activities.
• Rogue IT Admins or Privilege Access Abusers:
  These insiders abuse their legitimate access privileges to gain unauthorized access to sensitive data or systems. They may exploit their position to bypass security measures, steal data, or engage in unauthorized activities.
• Unintentional Insider Threats:
  These individuals are not malicious but are rather negligent or careless in their actions. They may inadvertently expose sensitive information, mishandle data, or fail to follow security protocols, creating vulnerabilities that could be exploited by malicious actors.
• Spies or Industrial Espionage Agents:
  These individuals may be employees or contractors who are motivated by financial gain, ideology, or national interest to steal sensitive information or trade secrets from the organization. Their goal is typically to provide this information to competitors, rival organizations, or foreign governments.
• Insider Collaborators:
  Individuals who work in collusion with external threat actors, such as hackers or competitors, to steal data, compromise systems, or perform other malicious activities. They may have financial or personal motivations for their actions.

While these insider threat personas exist, the totality of the problem is far greater. Certainly, some insiders truly are malicious. But, in reality, any employee in your organization with access to critical systems and sensitive data might be an up-and-coming insider threat.

Many data breaches originating from within an organization are simply due to the carelessness of employees. These unintentional insider threats (like users clicking on phishing email links) account for 25% of all data breaches. Saying that humans are the weakest link in security may sound like a cliché. But there’s truth to the adage. After all, humans operate most of the computers and devices in your organization – and humans make mistakes.

Motivators of Insider Threats

Possibly the most vexing of insider threat personas is regular users, because they constitute such a wide range of roles, attitudes, and potential motivations. In many cases, there is some level of intent to subvert security and access controls. It may be innocent in that they feel they need access to applications or data that they can’t get through regular channels. Or maybe regular channels simply take too long. On the other side of the same coin, they may be asked by colleagues to share some access privileges for similar reasons. This type of activity happens informally at many enterprises, especially those perceived as rigid and unyielding in access.

At the other end of the spectrum, regular users may want data, such as customer lists or source code, to take to another job. In many cases, simply plugging a USB drive into their computer can give them access to a wealth of data that would make them even more valuable to a new employer. Or perhaps needing money, they may be able to arrange the sale of proprietary data to a competitor in exchange for a cash infusion.

The reasons for regular users to compromise systems and data are many and varied, and impossible to predict. The best approach to potential breaches by regular users is a comprehensive education program that keeps workers aware of the potential for breaches, and how to best safeguard against them.

How Third Parties Can Become Insider Threats

An intriguing and often overlooked insider threat persona is that of insiders who are not actually a part of the organization – third parties. These include contractors, partners, and vendors. Often other companies are given a level of access to the organization’s systems and networks to manage aspects of their supply chain, or to work together on large and diverse projects. While such access is largely limited, these outsiders who have even a small level of access can use that to gain further, and unauthorized access to be able to breach the data and network.

One issue with this approach is that employees of the vendor or partner may gain unauthorized access through this relationship, or the vendors may have others who gain access to their network and use that connection to expand their reach to other enterprises. Any connection with these outside users needs to be walled off and monitored on an ongoing basis.

Compromised Accounts Become Insider Threats

This insider threat persona is the account compromise when a cybercriminal compromises a valid user’s regular or privileged account. It’s still a valid account, but now the user using that account is an external attacker. This is why so many credentials are offered on the dark web for purchase. Because gaining access to a company’s network with valid user’s credential is the first step in stealing or corrupting data and IP.

How Management Can Compromise Systems and Data

The last insider threat persona is also one of the most difficult to safeguard against – it’s the problem with senior management and executive level employees compromising systems and data. Often, it’s for similar reasons as the regular users. Such breaches may be unintentional threats or intentional, out of carelessness or for profit. But the difference is that high level employees have greater access in general and can also request priority access to other resources. The end result is that these employees often require special attention to make sure they are educated and comply with organizational policies.

Security professionals have to be cognizant of all of these use cases, the techniques used by each in breaching data, whether intentional or unintentional. Collecting and using analytics and machine learning data, coupled with the context of that data, can go a long way in assessing insider risk and enabling security to quickly identify and mitigate potential problems.

Defending Against the Insider Threat

Conventional cybersecurity tools offer little when it comes to defending against insider threats. In each of the different types of insider threat personas above, there’s a common factor of having access to “the goods” on the network. Of course, employees and contractors need access to certain systems and applications to do their jobs. The price paid for such access is intentional or accidental misuse of these privileges.

Overworked and undermanned cybersecurity teams simply cannot manually monitor every action taken by every employee in their organizations. However, modern machine learning algorithms can automatically track and analyze employee behavior to identify anomalous and suspicious activities. These activities could range from an accountant who downloads a confidential file he never looked at before, to a salesman who suddenly starts emailing large volumes of customer data to his personal account.

Machine learning allows organizations to compare current user behavior to baselined “normal” behavior. From there, they can identify suspicious trends and spot outliers to remediate threats. The behavior is the “tell”. And, in the two potential insider threat cases stated above, the user’s suspicious behavior would be flagged as risky and anomalous.

Uncover Insider Threats with Gurucul

Our customers are predicting, detecting, and stopping insider threats with the Gurucul Insider Threat Solution. Gurucul creates a contextual linked view and behavior baseline from various systems – HR records, accounts, activity, events, access repositories, security alerts and more. It identifies out-of-norm behaviors, provides risk prioritized alerts and helps organizations spot high-risk profiles in real-time.

As new activities are consumed, those activities are compared to the baseline behaviors. Behavior that deviates from the norm is classified as an outlier to be dealt with.

Detecting high-risk users with abnormal behaviors through machine learning and statistical analysis is a force multiplier. It exposes anomalies among enormous volumes of data that humans or traditional security tools could never identify.

.