Insider threat is a multifaceted challenge representing a significant cybersecurity risk to organizations today. This article, an extract from the recently published 'Ultimate Guide to Insider Threats', explores what organizations can do to help detect industrial espionage as a result of an insider threat as well as what methods could be used to prevent it from occurring in the first place.
How to Detect Industrial Espionage from Insider Threats
Identifying industrial espionage due to malicious activity by potential or current insider threat actors is often challenging before damage is discovered. However, it is possible to identify characteristics typical of individuals indicating personal stress, which might render them susceptible to acting emotionally and rashly. While such traits are not definitive evidence of wrongdoing, they are warning signs. It is crucial to understand and recognize that malicious insider threat actors often exhibit indicators that, if identified early, can be mitigated before harm to the organization occurs.
Psychological approaches could be used to detect and assess the probability and quality of insider threats. The unethical behaviors of insiders could be influenced by personality characteristics (e.g., financial problems, having unmet goals, field experience, lack of loyalty, ideology, compromise, etc.); organizational and societal factors (e.g., culture, leadership, codes of conduct and norms, and reward systems); the interaction between individual characteristics and situational factors within organizations (e.g., obedience to authority, reinforcement, role taking, responsibility for actions, etc.); and the social interactions within the organization (e.g., unethical actors will behave unethically).
Malicious insiders frequently employ charm and charisma to mask their true intentions, capitalizing on human susceptibility to being swayed; thus, catching them in the act isn't always easy. Reliance on scientific methodologies and procedures like insider threat hunting methodologies grounded in concrete detections and patterns is significant in detecting industrial espionage. Proactive detection via threat hunting involves hunting for anomalous insider behavior that may not be detected by security controls alone. The threat-hunting approach involves techniques such as user behavior analytics (UEBA) tools that analyze user behavior patterns to identify anomalies. For instance, UEBA tools can detect if an employee is suddenly accessing unusual files or systems. Other patterns of behavior that organizations should look out for include failed login attempts, unusual access to sensitive data, significant transfers of data to external devices, changes to system permissions, attempts to disable security controls, and more.
Machine learning (ML) models can be trained to identify insider threats. For instance, ML models can be trained to identify behavior patterns associated with insider attacks. Human intelligence can also detect industrial espionage, where security analysts proactively hunt for insider threats by reviewing system logs and other data sources for suspicious activity. Other data sources include Security information and event management (SIEM) logs, Access control logs, Network traffic logs, Application logs, File logs, Identity and access management (IAM) logs, Email logs, and more. Upon gathering all relevant data and considering all possible hunting queries to search data sources for anomalous behavior, analyze/investigate the findings and review the results to identify potential/legitimate insider threats while looking for patterns of behavior that are inconsistent with normal user activity. Investigating the findings might involve interviewing employees, reviewing further data sources, and conducting forensic analysis.
Overall, it is essential to note that no single detection measure is perfect, as insiders are often sophisticated and could evade detection. Organizations should, therefore, implement a layered security approach that includes multiple detection measures that are regularly reviewed and tested using red team exercises or penetration testing tools to ensure that they are effective.
Malicious insiders frequently employ charm and charisma to mask their true intentions, capitalizing on human susceptibility to being swayed; thus, catching them in the act isn't always easy. Reliance on scientific methodologies and procedures like insider threat hunting methodologies grounded in concrete detections and patterns is significant in detecting industrial espionage. Proactive detection via threat hunting involves hunting for anomalous insider behavior that may not be detected by security controls alone. The threat-hunting approach involves techniques such as user behavior analytics (UEBA) tools that analyze user behavior patterns to identify anomalies. For instance, UEBA tools can detect if an employee is suddenly accessing unusual files or systems. Other patterns of behavior that organizations should look out for include failed login attempts, unusual access to sensitive data, significant transfers of data to external devices, changes to system permissions, attempts to disable security controls, and more.
Methods to Prevent Industrial Espionage from Insider Threats
There is no walking back the harm done due to industrial espionage - once intellectual property – sensitive data, and more has been compromised. Combating insider threats requires incorporating different aspects involving individuals, technologies, and their related environments. Creating an effective and coherent cyber ecosystem to detect, monitor, and mitigate insider risks is not easy.
The complexity of insider threat research requires a series of theories and approaches, including security awareness, enterprise security policy and architecture, threat modeling, human governance strategies, insider vulnerability assessment, and more. Behavioral analytics and technological measures are active areas in insider threat research, which include personality traits, data-centric threat detection combined with continuous monitoring of an intellectual property repository with advanced behavioral analytics, and human governance mechanisms, such as information security culture and organizational ethical climate.
Industry executives can develop pre-emptive strategies to mitigate and effectively prevent industrial espionage and its detrimental effects through a deeper understanding of why trusted insiders choose to steal economic and commercial information. Improving employees’ training and awareness of security threats and best practices can prevent lax behavior that increases risk, thus significantly preventing industrial espionage activities.
It is vital to educate corporate leaders about the information and technologies that adversaries want to steal with the objective and goal of not discouraging or hindering scientifically and commercially valuable collaboration but instead learning to balance cooperation with security. Therefore, organizations must intensify their efforts to instill a culture of security and security awareness, evaluate their security postures, and establish comprehensive insider threat programs.
Because indicators of potential insider threats often go unrecognized or are ignored by people who are hesitant to report their concerns, corporate leaders must encourage and empower their workforce to come forward when a colleague demonstrates concerning behavior.
Organizations should develop and disseminate clear security policies and build awareness of guidelines and best practices through periodic training classes, posters, and email campaigns. Employees must know that they can share their concerns with human resources, security staff, and any key stakeholder in the organization’s insider threat program, including the insider threat hotline if one exists. Organizations should employ basic security measures, including monitoring all network traffic and using security software. Building an effective response will require understanding industrial espionage as a multi-vector threat to the integrity of the US economy and global trade.
As a result, government agencies should take a more active role in helping organizations that partner with them on R&D re-evaluate their security postures and establish comprehensive insider threat programs that are responsive and crafted uniquely to meet industry needs. The assistance from agencies could include developing security policies and governance structures, undertaking capability assessments, establishing insider threat awareness programs, and designing and delivering security training. Organizations unable to receive support from the agencies should draw on the wide range of insider threat expertise, valuable tools, techniques, and processes outside of government.
For more information about the topic, such as using the most effective data loss prevention controls, download the recently published 'Ultimate Guide to Insider Threats'.
