What Is an Insider Threat?
Will any of your employees sell you out?
Will they become an insider threat and use your corporate information for their own profit? If they do, can you detect it?
Because so much of the world is now working remotely, insider threat risk is growing. So let’s take a fresh look at this threat and a new approach to detecting it.
We will discuss malicious insider threat cases at Netflix, AT&T Wireless, and Google. And we will also examine a group of insiders who never intend to hurt the company, even though they do.
How should we define the insider threat?
Insider threat attacks can impact the confidentiality, availability, and integrity of data and operations. But how should we define an insider?
CISA offers one of the simplest definitions we’ve seen. “An insider is any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems.”
Here are a few examples of insiders at an organization:
- Full time or part-time employees
- Temporary workers
- Contractors and business partners
- Former employees, especially if they still have access to the network
Anyone with access is an insider. And they can become a threat to the organization.
What are the different types of insider threats?
There are multiple types of insider threats. Let’s start with the type that makes headlines and damages targeted organizations.
Malicious Insider Threats
Malicious insiders are making a conscious decision to go rogue. Some are seeking revenge against their employer. CISA illustrates how this type of threat escalates:
Other malicious insider threats want to make money or help their family do so. And sometimes the malicious insider wants the data from your company to go with them to a new company.
Google’s Executive Insider Threat
When a Google executive was on his way out the door to a new opportunity, he downloaded more than 14,000 files from a database he had access to during his employment. He also downloaded files from a Google corporate repository. He then transferred these from a work laptop to a personal laptop. CBS5 in San Francisco covered his case.
Netflix Engineer Insider Threat Case
At Netflix, a software engineer accessed proprietary subscriber data. He and his family made more than a million dollars on stock trades with this information. The U.S. Department of Justice (DOJ) says he admitted to the scheme: “All told, the insider trading attributable…in Netflix securities resulted in an illicit gain of $1,170,905.”
AT&T Wireless Call Center Insider Threats
And then there was the case of employees taking bribes at an AT&T call center. SecureWorld covered the story: In this case, a criminal mastermind located overseas, “… bribed insiders to plant malware on AT&T’s internal protected computers for the purpose of gathering confidential and proprietary information on how AT&T’s computer network and software applications functioned.”
The DOJ says call center employees took more than a million dollars in bribes during their time as insider threats.
“During the course of the conspiracy, the conspirators caused more than 2,000,000 cellular telephones fraudulently to be unlocked by AT&T through the AT&T insiders’ submission of fraudulent unlocking requests and through the conspirators’ use of malware and hardware installed on AT&T’s systems by the AT&T insiders to conduct unauthorized unlocks.”
Can you imagine the lost revenue in this case of a collusive insider threat? In all of these examples, organizations stood to lose, and individual employees stood to gain.
Now, let’s look at the unintentional insider threat types.
Some insiders are not malicious; instead, they are what security professionals call the unintentional or accidental insider threat. Maybe they accidentally click on a malicious link that arrived in an email or open an Excel file that downloads malware onto the network.
Accidental insiders can put privacy compliance at risk, too. Perhaps they send protected information in an unencrypted email or send this type of data to someone who should not receive it.
Negligent insiders are often familiar with cybersecurity policies and procedures but do not follow them. For example, a negligent insider in a sales role may think to themselves, “Do they want me worrying about cybersecurity or closing sales?”
Third-party contractors and vendors are often granted some level of access to an organization’s network and systems. And this can be abused or misused.
How can we detect insider threats?
The rise of the remote workforce means in-person warning signs of a malicious employee are likely missed. This makes specific tools and strategies extremely important.
Organizations should find an NDR platform that can detect advanced threats, regardless of encryption.
Are you able to detect an active insider threat on your network?
- Up to 90% of network traffic is now encrypted to maintain privacy compliance
- Malicious insiders often hide their data movement within encrypted traffic
- Your network detection and response (NDR) platform must be able to detect insider threats regardless of encryption
An example of advanced insider threat detection
We asked Joe Hladik, of the LiveAction ThreatEye team, to explain how the company’s NDR platform can detect an insider threat, especially since many legacy tools fail to do so.
Hladik says ThreatEye analyzes more than 150 traits of network traffic with machine learning.
Because it looks at network traffic behavior, it creates baselines for network traffic, even if it’s encrypted.
The platform will automatically detect and correlate things that are out of place, like an insider stealing corporate data. Here is one example of how this type of threat can be detected:
“Let’s use your laptop as the epicenter of this analysis. And we know you are primarily a data ‘consumer’ because you are primarily consuming content. You’re browsing to SharePoint, you’re looking on the internet, you’re downloading data and files.
But if you start pushing out content, then you become what we call a ‘producer.’ If you’re doing this at certain times of the night, for example, that might be suspicious, right?
With ThreatEye, an organization can analyze how your laptop has been behaving for the last week, the last month, even the last six months. You can look at flow data to see where that laptop has been connecting to and the volume of that traffic.”
Even small deviations from a behavioral baseline can be detected.
The platform considers multiple factors to create enriched alerts for cybersecurity teams. It then automatically delivers these alerts with risk scores and MITRE ATT&CK labeling, so the team can prioritize response.
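The consumer/producer baseline Hladik describes, reduced to its core, as an added example that is not ThreatEye code or part of the original article: it baselines a laptop's hourly outbound volume from flow data (constructed sample records, not real telemetry), then scores later flows on volume deviation, a consumer-to-producer role flip, and off-hours timing. Thresholds and the 08:00-19:00 work window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

@dataclass
class Flow:
    ts: datetime      # start of the hourly bucket
    bytes_in: int     # bytes the laptop received
    bytes_out: int    # bytes the laptop sent

def role(f: Flow) -> str:
    """'consumer' if the host mostly downloads, 'producer' if it mostly uploads."""
    total = f.bytes_in + f.bytes_out
    return "producer" if total and f.bytes_out / total > 0.5 else "consumer"

def find_anomalies(flows, cutoff, z=3.0, work_hours=(8, 19)):
    """Baseline outbound bytes on flows before `cutoff`; alert on later flows whose
    outbound volume exceeds the baseline by more than `z` standard deviations.
    Role flip and off-hours timing enrich the alert and raise its score."""
    base = [f.bytes_out for f in flows if f.ts < cutoff]
    mu, sigma = mean(base), pstdev(base)
    alerts = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.ts < cutoff or sigma == 0:
            continue
        zscore = (f.bytes_out - mu) / sigma
        if zscore <= z:
            continue
        reasons = ["volume"]
        if role(f) == "producer":
            reasons.append("producer")
        if not work_hours[0] <= f.ts.hour < work_hours[1]:
            reasons.append("off-hours")
        alerts.append({"ts": f.ts, "z": round(zscore, 1), "reasons": reasons, "score": len(reasons)})
    return alerts

def constructed_flows():
    """Constructed sample: 7 baseline work days, then a day with a 02:00 bulk upload."""
    start = datetime(2024, 3, 4)
    flows = []
    for day in range(7):
        for hour in range(9, 18):   # ~50 MB in, ~2 MB out per hour: a 'consumer'
            flows.append(Flow(start + timedelta(days=day, hours=hour),
                              50_000_000 + 1_000_000 * (hour % 3),
                              2_000_000 + 100_000 * (day % 2)))
    cutoff = start + timedelta(days=7)
    for hour in range(9, 18):       # a normal-looking work day
        flows.append(Flow(cutoff + timedelta(hours=hour), 50_000_000, 2_000_000))
    flows.append(Flow(cutoff + timedelta(hours=2), 1_000_000, 900_000_000))  # 900 MB out at 02:00
    return flows, cutoff
```

Running `find_anomalies(*constructed_flows())` yields a single alert for the 02:00 flow with reasons volume, producer and off-hours; the daytime flows stay inside the baseline.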
Utilize Least Privilege:
Access management is another key line of defense to mitigate insider threat risk.
- Only give individuals access they must have to do their job
- Elevate access only on a time-based or situational basis
- Regularly audit privileges and establish employee exit protocols
Implementing these two strategies can greatly reduce the risk of a successful insider threat attack.