Mention “insider threats,” and most people immediately think of disgruntled employees taking out their resentment by sabotaging systems or otherwise harming the company. And such malicious insiders are certainly a significant component of the insider threat problem. But from a security standpoint, it’s important to have a broader, more inclusive understanding of what constitutes an insider threat. Once we have a clear view of the various types of insider threats, we can more effectively plan and execute strategies to combat them.
First let’s look more closely at malicious insiders. This certainly includes people who hold a grudge against the company, for example because they feel they’ve been overlooked for promotion.
These resentful employees may deliberately take actions on their own that harm the company. But they may also be approached by outside threat actors to assist in a ransomware attack or some other form of attack. Indeed, according to data collected by Hitachi ID in 2021 and early 2022, 65% of the executives surveyed reported that they or their employees had been approached for assistance in planning ransomware attacks. This number has been rising steadily in successive surveys, especially since the start of the COVID-19 pandemic.
An employee who has aired their disgruntlement on social media is an obvious target for such an approach. Note that an employee with a grudge need not have any particular technical skill or know-how to facilitate a highly technical cyberattack: handing over a working credential, or running whatever the attacker sends them, is enough.
Another type of malicious insider may be a particularly ambitious and opportunistic employee who steals information or sabotages another employee’s project in order to advance their own career.
Finally, a malicious insider may be one who participates in industrial espionage, selling proprietary information to a competing company for purely monetary reasons. They may initiate the espionage on their own, or they may be responding to an offer made by a competitor.
Another category is the negligent insider. This may be an employee who violates security procedures or policies occasionally out of distraction; or one who simply has not been adequately trained in security protocols; or one who chooses to ignore IT security procedures, perhaps because they consider them unnecessary or excessively burdensome.
Last but definitely not least, we have compromised insiders. Most often, these are employees who have fallen victim to some type of phishing scam, either downloading malware to their computer or unknowingly surrendering their access credentials to an attacker. If they fail to realize that they’ve been fooled, their network account or their computer may become a foothold within the network for malicious outside hackers.
These hackers can then take their time and do as they please. They may add the device to a botnet and use it in DDoS attacks. They may put it to work mining cryptocurrency. But most commonly, they use it as a home base from which to explore your corporate networks. They may move laterally to other devices and accounts, harvesting credentials and escalating their privileges until they find valuable data to steal or hold for ransom, or until they can reach and sabotage critical systems.
Now that we’ve considered the various kinds of insider threats and their motivations (or lack thereof), we can identify measures that reduce the number of insider threats and that detect and block the ones that remain.
Yes, “gruntled” is a word, it’s one of my favorites, and it means the opposite of disgruntled. And all we’re saying here is that following best HR and management practices (transparency and fairness in promotion and raise decisions, clear and honest executive communications, and so on) can go a long way toward reducing the number of malicious insiders who may end up posing a threat to the company.
It can also be very helpful if HR and IT are in close communication regarding potential malicious insider threats, even to the point of having regularly scheduled meetings to exchange information. HR can provide lists of employees who have recently been disciplined or who likely feel passed over for raises or promotions, allowing IT to monitor their online behavior more closely and, where warranted, apply stricter policies to their devices or accounts. Do this within the limits of local employment and privacy law, and treat the watch list itself as sensitive data on a need-to-know basis.
Similarly, IT should have in place ways to detect employees logging in or badging in at unusual times, accessing data not relevant to their role, moving unusual volumes of data, and other suspicious behavior, and should share those findings with HR in case further action is warranted.
Modern security-awareness training solutions, such as Barracuda Security Awareness Training, have come a long way from the boring old watch-a-video-and-pass-an-exam-twice-a-year programs that old-timers like me used to deal with. Now it’s a simple matter to create ongoing campaigns that involve simulated phishing attempts to constantly measure vulnerability and identify employees in the most need of training; and to then provide those employees with highly focused and personalized training materials and programs.
Gamification — creating a friendly competition within the company with monthly or quarterly prizes for the most successful at identifying and reporting simulated phishing attempts — helps drive real engagement and buy-in from even the most cynical employees. A strong and well-executed training regimen is possibly the single best way to reduce both negligent and compromised insider threats.
Just as it was back in the Cold War days of nuclear arms control deals, “trust, but verify” is a diplomatic way of saying “don’t trust.” And when it comes to access controls, you definitely shouldn’t.
Single sign-on (SSO), role-based permissions, and multi-factor authentication (MFA) were long the gold standard for effective, secure access control, and they remain necessary. But on their own they are too trusting, because they decide only once, at login. Once you’ve presented the correct credentials, they leave you to do as you wish for the rest of the session, trusting both that you are who you say you are and that you will behave as you should behave.
So if you’re a malicious insider, you’re free to do bad things, and if you’re a compromised insider, or if you become compromised while logged in, you are unwittingly letting a threat actor into the network along with you.
Today, Zero Trust Network Access (ZTNA) solutions such as Barracuda CloudGen Access replace that one-time trust decision with continuous evaluation. Rather than acting as a bouncer checking IDs at the door, ZTNA is more like a whole specialized surveillance team. It constantly monitors multiple factors, including IP address, geo-location, rates and amounts of data traffic, time of day, and many others. By monitoring and analyzing each user’s behavior against what is normal for that user, ZTNA helps you identify anomalous and risky behaviors, and re-evaluate or revoke access, before they can lead to a breach or other adverse event.
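To make the two detection ideas above concrete (IT flagging off-hours logins and out-of-role data access, and a ZTNA-style engine scoring every request against the user’s own baseline rather than trusting the login once), here is an added example. It is not Barracuda code and not how CloudGen Access is implemented; the log line format, the role-to-resource map, the user baselines, the signal weights and the thresholds are all assumptions constructed for illustration.

```python
"""Continuous access-risk scoring over a stream of access events.

Added example, not vendor code. Each event is scored against fixed policy
(working hours, role-to-resource map) and against the user's own baseline
(known IPs, known countries, typical outbound volume). Only events that are
allowed extend the baseline, so an anomaly that was denied cannot teach the
model that it is normal.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed policy data: which resources each role may touch, and who holds which role.
ROLE_RESOURCES = {
    "finance": {"erp", "payroll", "wiki"},
    "engineering": {"git", "ci", "wiki"},
}
USER_ROLE = {"alice": "finance", "bob": "engineering"}
WORK_HOURS = range(8, 19)  # 08:00-18:59 local time (assumption)

# Assumed weights per signal and the decision thresholds; tune to your environment.
WEIGHTS = {"off_hours": 2, "out_of_role": 4, "new_country": 3, "new_ip": 1, "volume_spike": 3}
STEP_UP_AT, DENY_AT = 3, 6

# Constructed log format: "<iso-time> user=<u> ip=<ip> geo=<country> res=<resource> out=<bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) geo=(?P<geo>\S+) "
    r"res=(?P<res>\S+) out=(?P<out>\d+)$"
)


def parse_event(line):
    """Parse one constructed log line into a dict; reject anything malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["out"] = int(ev["out"])
    return ev


class UserBaseline:
    """What we have previously seen, and allowed, for one user."""

    def __init__(self):
        self.ips, self.countries, self.volumes = set(), set(), []

    def update(self, ev):
        self.ips.add(ev["ip"])
        self.countries.add(ev["geo"])
        self.volumes.append(ev["out"])


def score_event(ev, baseline):
    """Return (score, reasons) for one event against policy and the user's baseline."""
    reasons = []
    if ev["ts"].hour not in WORK_HOURS:
        reasons.append("off_hours")
    role = USER_ROLE.get(ev["user"])  # unknown users are treated as out of role
    if role is None or ev["res"] not in ROLE_RESOURCES[role]:
        reasons.append("out_of_role")
    if baseline.countries and ev["geo"] not in baseline.countries:
        reasons.append("new_country")
    if baseline.ips and ev["ip"] not in baseline.ips:
        reasons.append("new_ip")
    # Volume spike: needs a few prior samples, then flags > 5x the largest seen.
    if len(baseline.volumes) >= 3 and ev["out"] > 5 * max(baseline.volumes):
        reasons.append("volume_spike")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score):
    """Map a risk score to an action; step-up means re-prompt for MFA."""
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step-up"
    return "allow"


def evaluate(lines):
    """Score events in order, learning each user's baseline from allowed events only."""
    baselines = defaultdict(UserBaseline)
    results = []
    for line in lines:
        ev = parse_event(line)
        b = baselines[ev["user"]]
        score, reasons = score_event(ev, b)
        action = decide(score)
        results.append({"user": ev["user"], "res": ev["res"], "score": score,
                        "reasons": reasons, "action": action})
        if action == "allow":
            b.update(ev)
    return results


# Constructed sample events: three normal days for alice, one for bob, then
# alice touching an engineering repo, then her credentials used at 02:10 from
# a new country while pulling far more data than she ever has.
EVENTS = [
    "2024-03-04T09:12:00 user=alice ip=10.1.2.3 geo=US res=erp out=120000",
    "2024-03-04T10:40:00 user=alice ip=10.1.2.3 geo=US res=payroll out=80000",
    "2024-03-05T09:05:00 user=alice ip=10.1.2.3 geo=US res=erp out=150000",
    "2024-03-05T14:30:00 user=bob ip=10.1.2.9 geo=US res=git out=300000",
    "2024-03-05T15:00:00 user=alice ip=10.1.2.3 geo=US res=git out=5000",
    "2024-03-06T02:10:00 user=alice ip=203.0.113.7 geo=RO res=erp out=2000000",
]

if __name__ == "__main__":
    for r in evaluate(EVENTS):
        print(f"{r['user']:6} {r['res']:8} score={r['score']:2} {r['action']:8} {r['reasons']}")
```

The fifth event is a known device in working hours, so SSO plus MFA would wave it through; here it earns a step-up because the resource is outside the user's role. The sixth event stacks four independent signals and is denied outright, and because it is denied it never becomes part of alice's baseline.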
Insider threats are unlikely ever to stop being a source of concern, but by creating a culture and a set of management practices that increase satisfaction, carrying out continuous security awareness training that targets at-risk individuals, and implementing a modern ZTNA access control solution, you can very significantly reduce your risk from all the various kinds of insider threats.
By Tony Burgess
This article originally appeared on Journey Notes, the Barracuda blog.