Hello week four of National Insider Threat Awareness month! This week we’re talking about insider threat personas. Who’s responsible for insider attacks? Of the possible threats to enterprise data and computing resources, none is more apparent than the insider threat, those who are already inside the network perimeter. ITMG posts regular updates of Insider Threat Cases in the news and the personas behind them. ITMG Insider Threat Cases – September 15, 2021 showcases an insider fraud scheme where three operators from financial services firm Biscayne Capital were indicted for $155 Million in investment fraud.
There are a variety of insider threat personas because all employees already have some level of access. Let’s take a closer look at who these people are, and why they might breach the data or systems.
The top persona is that of privileged users, those who have administrative access or a higher level of privilege than the average user. It’s only natural to think of them as the highest risk, because they already have privileged access to networks and data. The systems administrator, database administrator, or network support analyst doesn’t have to use subterfuge to gain additional access.
While it’s certainly possible for privileged users such as these to obtain unauthorized data, or to attack systems or software for many possible purposes, the culture of most privileged users is that they understand and internalize their privileged positions, and are less likely to take advantage of them. While they can certainly do so for money, revenge, or ransom, among other reasons, it’s difficult mentally for them to deviate from the respect they have for computing resources. These users can cause the most damage, but they are often the least likely to do so.
Regular Users Have the Widest Possible Motivations
Possibly the most vexing of insider threat personas is regular users, because they constitute such a wide range of roles, attitudes, and potential motivations. And regular users may not even do so intentionally. As a security officer, I’ve had to deal with workers who left secure documents or screens open on their systems overnight, available to anyone who happened to walk by.
But in many cases, there is some level of intent to subvert security and access controls. It may be innocent in that they feel they need access to applications or data that they can’t get through regular channels. Or maybe regular channels simply take too long. On the other side of the same coin, they may be asked by colleagues to share some access privileges for similar reasons. This type of activity happens informally at many enterprises, especially those perceived as rigid and unyielding in access.
At the other end of the spectrum, regular users may want data, such as customer lists or source code, to take to another job. In many cases, simply plugging a USB drive into their computer can give them access to a wealth of data that would make them even more valuable to a new employer. Or perhaps needing money, they may be able to arrange the sale of proprietary data to a competitor in exchange for a cash infusion.
The reasons for regular users to compromise systems and data are many and varied, and impossible to predict. The best approach to potential breaches by regular users is a comprehensive education program that keeps workers aware of the potential for breaches, and how to best safeguard against them. Regular users also have to understand organizational policies and be aware that they always have to comply with those policies.
Regular users may also include contractors or even visitors who are simply given temporary access to one or more networks in the organization. Usually, breaches from these sources are intentional, so security professional have to make sure that any such access granted is completely walled off from mission-critical systems.
How Outsiders Become Insiders
An intriguing and often overlooked insider threat persona is that of insiders who are not actually a part of the organization – third parties. These include contractors, partners, and vendors. Often other companies are given a level of access to the organization’s systems and networks to manage aspects of their supply chain, or to work together on large and diverse projects. While such access is largely limited, these outsiders who have even a small level of access can use that to gain further, and unauthorized access to be able to breach the data and network.
One issue with this approach is that employees of the vendor or partner may gain unauthorized access through this relationship, or the vendors may have others who gain access to their network and use that connection to expand their reach to other enterprises. Any connection with these outside users needs to be walled off and monitored on an ongoing basis.
The Compromised Account
This insider threat persona is the account compromise, when a cybercriminal compromises a valid user’s regular or privileged account. It’s still a valid account, but now the user using that account is an external attacker. This is why so many credentials are offered on the dark web for purchase. Because gaining access to a company’s network with valid user’s credential is the first step in stealing or corrupting data and IP.
Management May Be Responsible for Breaches
The last insider threat persona is also one of the most difficult to safeguard against – it’s the problem with senior management and executive level employees compromising systems and data. Often, it’s for similar reasons as the regular users. Such breaches may be unintentional or intentional, out of carelessness or for profit. But the difference is that high level employees have greater access in general, and can also request priority access to other resources. The end result is that these employees often require special attention to make sure they are educated and complying with organizational policies.
Security professionals have to be cognizant of all of these use cases, the techniques used by each in breaching data, whether intentional or unintentional. Collecting and using analytics and machine learning data, coupled with the context of that data, can go a long way in assessing insider risk and enabling security to quickly identify and mitigate potential problems.
The Best Defense is a Good Offense
Regardless of the insider threat persona you are defending against, you need a good offense to predict, detect, and stop an insider attack. Gurucul offers an analytics-based approach with our Insider Threat Solution. It’s proven and it will work for your organization. This National Insider Threat Awareness month, contact us for a demo. It’s time to shore up your defenses.