BeyondTrust. Insider Threat Indicators: How to Mitigate Insider Attacks (Part 2)

How to prevent data leakage from insider attacks

Insider threats involve the theft of information, or other malicious activity, by someone who already has legitimate access. A sophisticated insider may use the same tools and techniques traditionally associated with an external attacker. For instance, a malicious insider could install data-capturing software, exploit a system that is missing security patches, or access resources through backdoors to gather data.

Ultimately, we need to recognize insider threats are able to succeed due to at least one of the following:

A. Excessive/inadequately managed privileges (covered in steps 1 – 5 below)

B. Poor security hygiene (vulnerability, configuration management, and audit/log management, covered in steps 5 – 10 below)

With the above (A + B) in mind, all organizations should implement these security best practices to mitigate insider threat risks:

1. Enforce least privilege and separation of privilege: No one should ever use an administrative account for day-to-day work (e.g. email, web browsing). This applies to administrators too, since the potential impact is far higher if their account is compromised, for example by clicking a malicious phishing link. All users should run with standard user permissions and only be able to obtain momentary privileged access through controlled and monitored workflows. Privileged Access Management (PAM) solutions are specifically designed to manage this use case.

2. Restrict data access: Only administrators or role-specific employees (not executives) should have access to data en masse. This prevents an insider from dumping large quantities of information, and it prevents a compromised executive account from being leveraged to exfiltrate data from the organization.

3. Mature identity and access management (IAM) policies: Access to sensitive data should be restricted to current, authorized employees. Former employees, contractors, and even auditors should not have routine access. Accounts should be disabled or deleted per your organization's policy. Implement a just-in-time access model to eliminate standing privileges and ensure all privileged access is finite.

4. Use Enterprise Password Managers: Employees come and go. If shared or static passwords stay the same as people leave and new hires are onboarded, the risk to sensitive data increases, because former employees still know valid credentials for the company's sensitive systems. Passwords should be random and unpredictable, and rotated when someone who knew them departs. Use password management solutions to automate these password security best practices through a centralized vault.

5. Implement robust monitoring: Monitoring user behavior and network activity is critical to detecting anomalous, or otherwise dangerous, activity early enough to act before it causes damage. Privileged activity is especially important to monitor, as it poses the greatest risk of damage and can indicate an attack that is about to escalate quickly. Monitor logs, sessions, keystrokes, and applications, and implement screen recording. If an insider accesses a sensitive system to steal information, session monitoring can document their access and identify how and when they extracted the information. Data loss prevention (DLP) solutions may also help here, but only if the point of egress is considered a risk or there are regulatory compliance ramifications.

6. Ensure anti-virus or endpoint protection solutions are installed, operating, and stay up-to-date to identify any malware being used by an insider threat.

7. Allow Windows and third-party applications to auto-update, or deploy a patch management solution to apply relevant security patches in a timely manner to remediate the risks of a vulnerability being exploited.

8. Utilize a vulnerability assessment or management solution to determine where risks exist in the environment and correct them in a timely manner so an insider cannot exploit a security weakness.

9. Implement an Application Control solution with Trusted Application Protection (TAP) to ensure only authorized applications execute, and only with the proper privileges, to mitigate the risk of rogue, surveillance, or data collection utilities. Ideally, the solution also has fileless threat protection capabilities that can apply context to activities and requests from trusted applications, including blocking child processes.

10. Where possible, segment users from systems and resources to reduce "line-of-sight" risks. That is, make sure your network is segmented, not flat, to avoid over-reaching access.

Many organizations fail to implement even these basic security controls adequately. However, following the above 10 practices can significantly help protect against insider threats as well as other attack vectors.
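To make the monitoring in step 5 concrete, and to show how it ties back to the access controls in steps 1 to 3, here is an added example (not code from the original post or from BeyondTrust) of a small detector that runs a few insider-threat rules over audit log lines. The log format, account names, thresholds, and sample lines are all constructed for this illustration and do not correspond to any real product or environment. It flags an administrative account being used for day-to-day web browsing (step 1), a user reading data en masse inside a short window (step 2), an offboarded account that is still active (step 3), and a bulk read followed by a write to removable media (the USB stick scenario discussed later in the post).

```python
"""Toy insider-threat detector over constructed audit log lines.

Assumed log format (one event per line, pipe-delimited; constructed for this
example, not any real product's format):
    <ISO-8601 timestamp>|<user>|<event>|<detail>
Events used: LOGIN, WEB (a browser request from that account),
DB_READ (detail = rows=N), USB_WRITE (detail = bytes=N).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reference data: hypothetical accounts, not real ones.
ADMIN_ACCOUNTS = {"adm-jsmith", "adm-svc-backup"}
OFFBOARDED = {"contractor-lee": datetime(2024, 3, 1)}  # user -> departure date
BULK_ROWS = 10_000            # rows read within WINDOW that count as "en masse"
WINDOW = timedelta(minutes=10)

# Constructed sample log: not a real capture.
SAMPLE_LOG = """\
2024-03-04T09:01:10|jsmith|LOGIN|workstation-12
2024-03-04T09:02:30|adm-jsmith|WEB|https://news.example/
2024-03-04T09:05:00|adm-jsmith|DB_READ|rows=4000
2024-03-04T09:07:00|adm-jsmith|DB_READ|rows=7500
2024-03-04T09:08:10|adm-jsmith|USB_WRITE|bytes=734003200
2024-03-04T10:15:00|contractor-lee|LOGIN|vpn
2024-03-04T11:00:00|analyst-kim|DB_READ|rows=200
"""


def parse_log(text):
    """Parse pipe-delimited lines into event dicts, oldest first.

    Malformed lines are skipped rather than raising, so one bad line cannot
    stop the whole detection run.
    """
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, user, event, detail = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def _int_field(detail, key):
    """Extract an integer from a 'key=123' detail string; 0 if absent."""
    if detail.startswith(key + "="):
        return int(detail[len(key) + 1:])
    return 0


def detect(events):
    """Return a list of (timestamp, user, rule, detail) findings."""
    findings = []
    recent_reads = defaultdict(list)   # user -> [(ts, rows)] inside WINDOW
    bulk_flagged_at = {}               # user -> time of last bulk-read finding
    for e in events:
        ts, user, ev = e["ts"], e["user"], e["event"]

        # Step 3: an account that should have been removed is still active.
        if user in OFFBOARDED and ts >= OFFBOARDED[user]:
            findings.append((ts, user, "offboarded-account-active", ev))

        # Step 1: a privileged account doing day-to-day browsing.
        if ev == "WEB" and user in ADMIN_ACCOUNTS:
            findings.append((ts, user, "admin-account-daily-use", e["detail"]))

        # Step 2: rows read by one user inside a sliding window.
        if ev == "DB_READ":
            reads = recent_reads[user]
            reads.append((ts, _int_field(e["detail"], "rows")))
            reads[:] = [(t, r) for t, r in reads if ts - t <= WINDOW]
            total = sum(r for _, r in reads)
            if total >= BULK_ROWS:
                findings.append((ts, user, "bulk-data-read",
                                 f"{total} rows within {WINDOW}"))
                bulk_flagged_at[user] = ts

        # Bulk read followed shortly by a write to removable media.
        if ev == "USB_WRITE":
            last = bulk_flagged_at.get(user)
            if last is not None and ts - last <= WINDOW:
                findings.append((ts, user, "bulk-read-then-removable-media",
                                 e["detail"]))
    return findings


if __name__ == "__main__":
    for ts, user, rule, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user:16} {rule:32} {detail}")
```

On the sample data the detector produces four findings, all for the two accounts that misbehave, and nothing for the analyst who reads 200 rows. The rules are deliberately simple threshold and correlation checks; in production the row and time thresholds would be tuned per role, and the offboarding list and admin-account set would come from the IAM and PAM systems rather than being hard-coded.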

Implementing insider threat protection

Insider threats are not going away. The goal is to stop the data leakage while recognizing that an insider has multiple attack vectors available to achieve their goals.

As security professionals, we need to mitigate the insider risks at the source. A briefcase of paper represents an insider threat, but is probably not as relevant as a USB stick with your entire database of client information.

In the end, an insider typically still needs privileges to steal all this information. Removing excessive privileges, such as by implementing privileged access management (PAM) controls, and closing open security holes via vulnerability management will help minimize your attack surface for insider exploits, as well as many other types of attacks. In addition to controls over access, organizations need to layer strong monitoring capabilities for insider threat detection. Finally, training security analysts and other IT staff on insider threat indicators, and on how to respond to them, is important for neutralizing any active risk.

