Welcome to week 2 of National Insider Threat Awareness Month! One of the things that keeps enterprise security professionals up at night is the prospect of the insider threat. With outside threats, security can enable well-defined and established protections, such as firewalls. An attacker actually has to break into the computing environment to be able to do harm.
Insider threats are under no such restriction. In many cases, they already have a legitimate account on the network. The biggest concern of insider attacks is exfiltration – removing IP or other valuable information – but it’s by no means the only concern.
Sabotage is another possibility. One or more employees could bear a grudge against the company, and attempt to steal, delete, or otherwise sabotage data or applications in an attempt to “get even.”
Perhaps the biggest problem is that insider threats can come from anywhere. The insider can be a staff employee, a contractor, an IT worker, an authorized visitor, or even an officer of the company.
The Enemy Within
Many organizations fail to consider the threat posed by insiders with ulterior motives, and don’t adequately plan for such insider attacks. The result can be theft of intellectual property, damage to the computing environment, threats of ransom, or other debilitating results.
Insiders typically have free rein of the network, even if they lack privileges to certain applications or data. Exfiltrating data, or damaging files, from the inside is nowhere near as difficult as breaking in from the outside in the first place.
In some cases, insiders already have access to the data they want to exfiltrate. In others, getting to such data may involve a seemingly innocuous request for access for a false reason, or convincing a coworker to provide it. And taking data out of the building is often simply a matter of copying it onto a USB thumb drive.
What Are Insider Motivations?
Someone who works for an organization can still have goals and motivations that are not aligned with it. There are a number of reasons why an employee may feel compelled to cause such damage. These include:
Disgruntled employee or employees. Perhaps someone was passed over for an expected promotion, didn’t get a raise, or was dissatisfied with the direction of the company. These are all potential insider threat candidates. In cases like these, destruction of data may be more likely than outright theft.
Profit motivation. For corporate intellectual property, there may be a market where it can be sold. This is especially true for government agencies that handle classified data, and for companies, such as manufacturers, whose IP is valuable.
Revenge. Employees who feel slighted or abused by management may look to take out their frustrations on the organization as a whole. This is another case where the destruction of data or systems is more likely than theft.
Blackmail/ransom. This is similar to ransomware, except that the internal actor may actually keep a copy of deleted data to sell back to the organization. This is especially likely if the data would be embarrassing to the organization in some way.
Gaming. Some may steal data or cause damage simply for the fun of it, or because it’s a technical challenge. While it might be considered an act of immaturity, organizations also have to consider that some may look at insider attacks as harmless fun.
How to Get a Handle on Insider Threats
Many organizations that consider the possibility of insider attacks have difficulty envisioning how they might occur. They may have the attitude that “insider attacks can’t happen here,” or believe that their employees are all loyal to the company.
While that may be true, an organization should still have a program in place to identify and mitigate insider threats. In one sense, insider attacks are the most concerning, because you don’t know where they are coming from or what they are intended to accomplish.
The most fundamental action an enterprise can take is to educate its employees on the possibility of data theft, ransom, or sabotage, and to provide ongoing training in protecting data and systems. The education should focus less on being suspicious of coworkers, and more on ways to safeguard individual access and data. Employees who guard their own credentials, sessions, and files deny an insider the easiest routes: a borrowed account, an over-shared folder, or an unattended workstation.
The second action an organization should take is to continuously monitor its users, systems, and networks with an analytics-based security platform. The platform learns each user’s normal pattern of activity (what they access, how much, and when), and any activity or sequence of activities that doesn’t conform to that established norm is flagged for investigation. If an inside user shows anomalous activity, that may be an indication that they are exfiltrating data or attempting to cause damage.
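To make the baseline-and-deviation idea concrete, here is a small detector written for this post as an added example; it is not code from any product or from the original article. It assumes a hypothetical access-log format of ISO-timestamp,user,action,target,bytes (constructed for the example), builds a per-user norm from the first week of constructed log lines, and then flags later days that exceed the user’s usual daily volume, touch a target the user has never touched, or happen outside business hours when the user never worked odd hours before. A user with no history at all is surfaced separately rather than silently scored.

```python
"""Per-user behavioural baseline over constructed access logs (added example).

Log format assumed here (hypothetical, constructed for this example):
    ISO-timestamp,user,action,target,bytes
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: seven normal days for alice and bob, then one
# evaluation day where alice pulls a large volume from an HR archive at
# 02:15 and a previously unseen user, carol, appears.
SAMPLE_LOG = """\
2024-03-01T09:12:00,alice,read,fileshare01,4200000
2024-03-01T14:30:00,alice,read,git01,800000
2024-03-01T10:45:00,bob,read,fileshare01,1100000
2024-03-02T10:02:00,alice,read,fileshare01,3900000
2024-03-02T15:10:00,alice,read,git01,1100000
2024-03-02T11:20:00,bob,read,fileshare01,1000000
2024-03-03T09:40:00,alice,read,fileshare01,4500000
2024-03-03T16:05:00,alice,read,git01,700000
2024-03-03T09:55:00,bob,read,fileshare01,1200000
2024-03-04T11:15:00,alice,read,fileshare01,4100000
2024-03-04T13:45:00,alice,read,git01,900000
2024-03-04T14:10:00,bob,read,fileshare01,1050000
2024-03-05T09:05:00,alice,read,fileshare01,4400000
2024-03-05T17:20:00,alice,read,git01,600000
2024-03-05T10:05:00,bob,read,fileshare01,1150000
2024-03-06T10:30:00,alice,read,fileshare01,3800000
2024-03-06T14:00:00,alice,read,git01,1000000
2024-03-06T13:30:00,bob,read,fileshare01,1000000
2024-03-07T09:50:00,alice,read,fileshare01,4300000
2024-03-07T15:35:00,alice,read,git01,800000
2024-03-07T11:45:00,bob,read,fileshare01,1100000
2024-03-08T02:15:00,alice,read,hr-archive,900000000
2024-03-08T10:20:00,bob,read,fileshare01,1200000
2024-03-08T15:00:00,carol,read,fileshare01,500000
"""

BASELINE_END = "2024-03-07"      # last day (inclusive) used to learn the norm
BUSINESS_HOURS = range(7, 20)    # 07:00-19:59 counts as a normal working hour
Z_THRESHOLD = 3.0                # flag volume above mean + 3 spreads


def parse_log(text):
    """Turn the CSV-like text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, target, size = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "target": target, "bytes": int(size)})
    return events


def daily_profiles(events):
    """Collapse events into per-(user, day) features: volume, targets, off-hours flag."""
    prof = {}
    for e in events:
        key = (e["user"], e["ts"].date().isoformat())
        p = prof.setdefault(key, {"bytes": 0, "targets": set(), "off_hours": False})
        p["bytes"] += e["bytes"]
        p["targets"].add(e["target"])
        if e["ts"].hour not in BUSINESS_HOURS:
            p["off_hours"] = True
    return prof


def build_baselines(events):
    """Learn each user's norm from the days up to BASELINE_END."""
    per_user = defaultdict(list)
    for (user, day), p in daily_profiles(events).items():
        if day <= BASELINE_END:            # ISO dates compare correctly as strings
            per_user[user].append(p)
    baselines = {}
    for user, days in per_user.items():
        vols = [p["bytes"] for p in days]
        mu = mean(vols)
        # Floor the spread at 10% of the mean so a user with near-constant
        # volume is not flagged by trivial day-to-day jitter.
        spread = max(pstdev(vols), 0.10 * mu)
        baselines[user] = {
            "threshold": mu + Z_THRESHOLD * spread,
            "targets": set().union(*(p["targets"] for p in days)),
            "off_hours_normal": any(p["off_hours"] for p in days),
        }
    return baselines


def detect(events, baselines):
    """Return {(user, day): [reasons]} for post-baseline days that deviate from the norm."""
    findings = {}
    for (user, day), p in sorted(daily_profiles(events).items()):
        if day <= BASELINE_END:
            continue
        reasons = []
        b = baselines.get(user)
        if b is None:
            reasons.append("no_baseline")   # no history: needs an analyst, not a threshold
        else:
            if p["bytes"] > b["threshold"]:
                reasons.append("volume")
            new = p["targets"] - b["targets"]
            if new:
                reasons.append("new_target:" + ",".join(sorted(new)))
            if p["off_hours"] and not b["off_hours_normal"]:
                reasons.append("off_hours")
        if reasons:
            findings[(user, day)] = reasons
    return findings


def run(log_text=SAMPLE_LOG):
    events = parse_log(log_text)
    return detect(events, build_baselines(events))


if __name__ == "__main__":
    for (user, day), reasons in run().items():
        print(f"{day} {user}: {'; '.join(reasons)}")
```

On the constructed log this flags alice on 2024-03-08 for volume, a new target, and off-hours activity, leaves bob alone because 1.2 MB sits inside his learned range, and reports carol as having no baseline at all. The point is not the three rules themselves but that each user is compared to their own history rather than to a global threshold; a real platform learns many more features and a longer window, but the shape of the check is the same.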
However an organization handles insider threats, they need a plan that doesn’t create mistrust, yet is still effective at recognizing and dealing with potential threats. That’s a tough needle to thread, but it’s necessary as a part of a comprehensive plan for cybersecurity.