BeyondTrust. Insider Threat Indicators: How to Identify Insider Attacks (Part 1)

What is an insider threat?

An insider threat is an internal persona acting as a trusted asset (employee, contractor, vendor, partner, etc.) behaving as a threat actor. Typically, the insider exhibits malicious behavior with intent, but sometimes, they are unaware of their actions are directed by an external threat actor. Regardless, the insider misuses their access and privileges for illicit purposes intentionally, or as directed by an external force.

Today, we need to be realistic about what an insider threat is and acknowledge that they have occurred, in various forms, for ages. Years of threat data shows us that insider threats are typically the hardest to detect, while also posing the most potential for damage. By recognizing insider threat indicators, organizations can detect insider attacks faster and prevent, or mitigate, the damage.

The risks of insider threats

By now, most security professionals are well-versed regarding the risks from insider threats. Years ago, these attacks regularly captured news headlines, but today they are the silent threat few organizations want to disclose or publicly admit.

Regardless of the malicious techniques an insider threat actor employs, they are not behaving in the best interest of the company. The insider is potentially breaking the law, and likely exfiltrating information they do not have permission to possess, or performing other damaging actions.

A longstanding example of an insider threat is the stealing of clients lists by a salesperson, executive, etc., who is planning to leave the organization. Perhaps they have photocopied or printed the client lists and purchase orders so they have a competitive edge when starting at their next role with a new employer.

Today, with electronic media, and the Internet, an insider can egresse substantive volumes of data without anyone noticing. And, as a reminder, that file cabinet of sensitive information can fit on a USB thumb drive in a person’s pocket or be posted to a personal cloud-based file share, making the contents even more susceptible to additional threats.

While insider threats are perpetrated with ever-more ease thanks to modern modern technology, it’s a subject most organizations find difficult to discuss.

Human beings will do unusual things in the most dire of situations, but if they are not permitted to, many insider threat risks can be mitigated.

A shortlist representing some of the more interesting and well-documented insider threats include:

How to assess your vulnerability to insider threats

As we evaluate how to identify and mitigate the risks associated with insider threats, consider these facts regarding your organization:

  • How many people have access to sensitive information en masse?
  • Who can export large quantities of information from a query or third-party system?
  • Are all the active accounts valid?
  • Are all accounts related to people that are still employed at the organization or via third parties?
  • How do you identify rogue or shadow IT accounts?
  • How often do you change the passwords for sensitive accounts?
  • Do you monitor privileged access to sensitive systems and data?

In fairness, honestly answering those questions could be opening Pandora’s box. You may not like the answers, or not even know where to begin to get the answers. Nonetheless, you should answer them all if you care about addressing insider threat risk. First, you need to understand your baseline risk and where you should prioritize your next mitigation actions.

Common insider threat indicators & how to detect them

The best way to detect insider threats is to look for indicators of compromise (IoCs) that can be attributed to inappropriate behavior. Sometimes, these can be difficult to detect compared to normal operations, but there is almost always a symptom that will allude to malicious intent.

To that end, consider the following insider threat indicators along with the detection methods:

  • Unusual copying, downloading, or movement of sensitive information: This becomes especially concerning when the data or information is moved to an atypical or unauthorized destination. Simply interacting with sensitive data can be an indicator of compromise for unauthorized individuals. This is relatively easy to detect based on identities and access logs. However, if the insider normally and frequently interacts with the data, then it’s the unusual destination that may indicate illicit activity. Destinations can include unauthorized, removable media such as USB drives, cloud-based file storage solutions, and even email.
  • Anomalous network search activity: A common assumption is that an insider threat actor knows what data they are looking for and where to find it. That is not always true. Insider threats can be as opportunistic as the next attacker. Malicious Insiders may actively search networks, intranets, ports, applications, etc. for sensitive information that they can extract and leverage. Therefore, monitor for applications and identities performing broad searches and network scans to locate files, buckets, and applications that can give up information as a part of the attack chain.
  • Unusual access and login anomalies: If the insider lacks access to data or systems as a part of the business role, but suddenly starts making attempts at access, it could indicate an insider attack is underway. Monitoring authentication and authorization activity is critical to detect for indicators of compromise. If you consider all enterprise assets, consolidation of logs to a SIEM is crucial to gain this perspective. One-off activity will help identify potential anomalies, especially when such access is new. This requires more than just pattern matching in a SIEM and the advanced capability to look for one-time behaviors.
  • Misuse of native, or other already installed, tools: Insider threat actors often use tools to help extract information from key systems to satisfy their nefarious missions. Detection of foreign tools can flag an indicator of compromise. However, if the insider is savvy, they may execute a living-off the land (LotL) attack. This entails leveraging native toolsets and other trusted enterprise tools to progress their attack. In that case, behavior becomes the key indicator of compromise. Behaviors to monitor for include access outside of normal business hours, access without proper change control, and network access from unusual or foreign locations. Advanced application control that also protects against fileless threats, such as misuse of trusted applications, is a an important tool for identifying and protecting against these insider threat activities.

Source: BeyondTrust