Comprehensive Guide To Insider Threats

The 2022 global report of the cost of insider threats by a recent Ponemon study revealed that insider threat incidents have escalated by 44% over the past two years, with the costs per incident up by $15.38 million. To put this into perspective, the cost of credential theft to organizations increased 65% from $2.79 million in 2020 to $4.6 million at present. The time to contain an insider threat incident increased from 77 days to 85 days, leading organizations to spend the most on containment. Incidents that took more than 90 days to contain cost organizations an average of $17.19 million on an annualized basis. A survey from Cybersecurity Insiders found that 60% of organizations had more than 30 insider-related incidents per year and each of the insider-related incident cost organizations an average of $755,760. 14% of insider-related incidents were attributed to user credential theft. 23% of insider-related incidents were attributed to criminal insiders. 62 percent of malicious insiders who are actively seeking to harm or cause damage were linked to security teams.  

Alarmingly, many security teams in organizations might not even recognize the true financial impact insider attacks can have on their organization. Besides direct monetary loss, organizations would incur unexpected expenses while handling forensic issues to discover how the incident occurred. This activity requires significant time to remediate the incident - taking time away from more strategic activities. Outside consultants or additional staff training might be needed, as well as the cost to replace new equipment to close any loopholes. There is also the cost of critical data loss as an insider threat can result in the removal, copying, transfer, or extraction of private, confidential, and sensitive data from digital sources and servers. Malicious insiders may delete or destroy certain assets entirely or tamper or alter existing data such that they are rendered unusable. This act will cause significant operational disruptions or downtime to organizations as the teams must identify, diagnose the threat, and even upgrade entire systems to ensure full restoration. Depending on the severity of the insider threat and attack, the organization may suffer reputational damage resulting in a loss of credibility among its stakeholders, including customers, industry partners, suppliers, employees, and the public.

There are various means by which an insider can become compromised. The common techniques and significant methods include: 

Credential theft is a cybercrime aimed at stealing the credentials – username, and password - of a targeted individual typically via social engineering, phishing, and malware infection.  

Pass-the-hash is a more advanced form of credential theft where the hashed – digested or encrypted – authentication credential is intercepted from one computer and used to gain access to another computer on the network. A pass-the-hash attack, although similar tolike a password theft attack relies on stealing and reusing password hash values rather than the actual plain text password. 

Social engineering is the use of deception to manipulate individuals into divulging their credentials. For instance, via a bogus call from the IT support or helpdesk, where the attacker asks the individual to confirm their username and password. 

Phishing is a cybercrime that targets a phish-prone individual via email or text message by someone posing as a legitimate institution to lure the individual into clicking on a link that triggers a malware download, providing sensitive data, such as personally identifiable information (PII), credit card or banking details, and passwords. 

Malware infection is a cybercrime that occurs when malicious software – malware – infiltrates a computer by a compromised insider clicking on an illicit link, downloading a file, or plugging in an infected USB with the objective of the attacker stealing sensitive information or user credential. 

Because the insider threat actor has “legitimate credentials” and access to the organization’s systems and data, and is thus privy to sensitive information, many security professionals and products tag the “behavior as normal” and do not trigger any alerts; making insider threats harder and more complicated to detect. However, organizations can effectively leverage behavioral indicators for potential insider threats to identify at-risk employees; analyze, assess, and understand their mindset, behavior, motivation, and intent, before they commit the insider attack, and then mitigate the threat, and resolve the perceived conflict, creating an atmosphere that may strengthen organizational health and resilience. 

Signs of an insider threat: Detecting insider threats: Tell-tale signs of an insider threat 

Organizations can predict or spot insider threats or potentially malicious insiders or even acts disguised as unintentional by proactively observing user behavior in the workplace and online before they disrupt operations or exfiltrate proprietary information. Anything or behavior that strikes an organization as out of the ordinary warrants investigation. These behavioral traits and organizational events should be heeded to reduce or thwart the risk of insider threats. There are specific indicators that would suggest an insider threat and they include but are not limited to the below:  

• Efforts to sidestep security. 
• Consistently being in the office after work hours. 
• Working unusual hours unnecessarily without authorization. 
• Logging in from an unusual location or unusual times or odd hours.
• An increase in escalated privileges.
• Accessing systems/applications for the first time without authorization or repeated attempted use of unauthorized systems/applications.
• Accessing sensitive data not associated with their job.
• Wandering unencumbered or frequently roaming around servers or areas that have nothing to do with the individual’s job.
• Unexplained occurrences of “admin” or “test” username attempt that fails to pass muster.
• Badging into work physically at unusual times.
• Displaying disgruntled behavior toward colleagues.
• Sudden and unusual change in behavior or mental state. For instance, a normally high performer who gets along well with others suddenly starts to act differently.
• Unexpected resignation or termination.
• Excessive negative commentary about the organization.
• Excessive negative comments about not receiving merited annual promotions or raises.
• Unexplained poor performance or disagreements with coworkers or superiors over policies.
• Intentional violation of corporate security policies.
• Excessive downloading or copying of significant amounts of data or information from the onsite network or cloud infrastructure and copied onto external drives or personal computers.
• Use of unauthorized storage devices, e.g., flash drives, and personal cloud storage apps.
• Data hoarding and duplicating files from sensitive folders.
• Improper use of any corporate assets.
• Building interest outside the scope of their duties.  
• Drug or alcohol abuse.  
• Financial difficulties.  
• Gambling debt.

1. Define the threat

The first step in mitigating insider risks in organizations is to have a full understanding of what constitutes an insider threat, how they occur, and the types of people or roles typically involved. Cybercriminals often look for a point of entry into an organization's data by lateral movement, whether through a disgruntled employee or contractor, credential theft via a compromised insider, social engineering, phishing campaigns, or some other way. Once access is gained, the cybercriminal gathers more organizational data, while looking for additional accounts and systems to exploit.  

2. Detect and identify the threat

It is critical to mitigate insider threats by having strategies to detect and prevent threats before they even arise. Detection means actively monitoring what users are doing and ensuring visibility into network threat-related activities with network traffic analysis solutions. Organizations must be proactively vigilant of the specific behavioral traits listed above and initiate a covert or discrete investigation whenever possible. Behavior monitoring and analysis can help organizations identify and stop insider threats. However, organizations must make sure they understand the monitoring laws that apply to them. Dormant or orphaned accounts once held by a former employee before their departure pose a significant risk to the organization – they must be closed or deleted. It is crucial to have a robust password policy for everyone, particularly for highly privileged systems, and limit the number of employees who know the passwords while rotating them periodically.  

3. Assess the threat level

It is vital to respond promptly and appropriately to potential threats and unusual activity based on the severity of their threat levels because of the costly and time-consuming nature of security resource deployments. Security professionals must comprehensively assess the risk to uncover potential and realistic threats and vulnerabilities in entitlements, accounts, metadata, and groups to drive workflow and initiate remediation.  

4. Manage the threat

It is critical for security professionals to proactively manage insider threats to neutralize the threats before they even materialize. Organizations can manage insider threats by generating strong passwords for their users and storing them in an enterprise safe; removing the need for users to memorize or know their passwords, making it challenging for cybercriminals to social engineer information from negligent insiders. Effectively managing insider threats requires a multifaceted approach that emphasizes defense-in-depth and covers both the digital and physical landscapes or a combination of strategies involving technology, training, and organizational alignment to help deter and discourage insider threats and insider threat actors. Organizations should follow these strategies to mitigate insider threats: 

a) Maintain Vigilance!

There’s no substitute for ongoing attention to your surroundings or what’s happening across your network. Malicious insider threats are an unfortunate reality, hence the express need to track unusual behavior, check in on employers or contractors consistently, and take negative complaints and comments made by an employee or contractor seriously as well as comments and complaints about an employee’s unusual behavior. Ultimately, intuition can be used as a guide to sniffing out potential insiders based on their behavioral traits. Encourage your employees to participate in the organization’s insider threat detection efforts actively because employees know each other best. Encourage them to notify the relevant stakeholders when they notice suspicious behavior.

b) Employ User Behavioral Analytics

User Behavior Analytics (UBA), also known as User and Entity Behavior Analytics (UEBA), is the tracking, collecting, and analyzing of user and machine data to detect threats and anomalous behavior within an organization and automatically alert the relevant administrator. Using various analytical techniques, UEBA determines anomalous from normal behaviors related to potential data theft, potential sabotage, or misuse. Organizations can conduct UEBA by collecting data over a period to understand what normal user behavior looks like for a specific employee or contractor, then flagging behavior that does not fit that pattern. UEBA can often spot unusual in-person or online behaviors – unusual access patterns, credential abuse, large data uploads, and more which are telltale signs of insider threats. Most importantly, UEBA can often spot these unusual behaviors outlined above among compromised insiders long before cybercriminals or an insider threat actor can gain access to critical systems.  

c) Manual audit

Besides using modern technology particularly, artificial intelligence (AI) and machine learning to help accurately and quickly detect deviations from standard user behavior, a manual auditing process can help identify what actions a user performed and connect these actions with the relevant roles, transactions, and other associated outcomes. Any detected anomalous or suspicious activity can then be investigated further. 

d) Limit user access with a robust privileged access management (PAM) solution

A thorough approach to user privileges and access rights development and implementation is necessary. Ensure that employees or contractors only have access to key applications and network locations curated by their role as job-specific requirements change. In other words, grant users access to only precisely what’s needed to perform their tasks effectively - the lowest level of privileges to minimize exposure following the principle of least privilege (PoLP).  

e) Effectively manage user privileges using an integrated identity and access management (IAM) solution

An integrated Identity and Access Management (IAM) solution is integral to a robust IGA (Identity Governance & Administration) policy. The implementation of role-based access controls (RBAC) is effective as organizations can have well-defined roles in place and know specifically which access privileges each role needs. However, as the organization evolves and grows, an IGA solution can decrease risk and allow for more efficient changes by focusing on role definitions and role assignments, as opposed to individual accounts. Identify and close compromised, dormant, or orphaned accounts. Ensure that non-active users, such as former employees, can no longer access your sensitive data or the system. Organizations should place access controls and monitor access to data to prevent lateral movements and protect the organization’s intellectual property from data exfiltration. Organizations can also implement entitlement governance that uses software to administer or revoke access to certain user privileges or entitlements to specific types of information.  

f) Enforce two-user authorization or the four-eyes principle. 

Organizations should enforce the four-eyes principle also referred to as the two-man rule, dual control principle, or two-user authorization when employees or contractors need two individual users to authorize the activity to access critical assets or data of high sensitivity. Such high-value assets and data are prime targets for potential malicious insiders and cannot be left unguarded, requiring certain user roles to be involved in the authorization process to further minimize the risk of insider threats.

g) Implement and enforce strict password and access policies 

Passwords are here to stay and aren't going away anytime soon. Organizations should give every employee or contractor or vendor who has access to their systems individual and unique credentials to identify them. Establish a robust password policy that ensures all users follow account and password management best practices to prevent compromising user credentials. However, some organizations might want to reduce or eliminate passwords wherever possible by using password vaulting or single sign-on to decrease the risk of insider threats. 

h) Set up strong biometric authentication measures

Restrict logical access to critical infrastructure and sensitive information using strict access controls to reduce the risk of insider threats. Use multi-factor authentication (MFA) and safe password practices to make it harder for unauthorized insiders or attackers to steal credentials. Passwords should be complex and unique. MFA helps prevent infiltrators from accessing the organization’s system even if they have user IDs and passwords.  

i) Establish a physical security presence

Restrict physical access to critical infrastructure and sensitive information using strict access controls to reduce the risk of insider threats, considering that not all threats originate digitally. Organizations in high-traffic buildings require a professional physical security presence to mitigate the risk of insiders snooping or roaming around in unauthorized areas or unauthorized intruders. Security personnel can identify any suspicious individual or persons and prevent them from entering certain restricted areas with critical infrastructure, such as server rooms. Security personnel can also require all visitors to disable their smartphone cameras and authorized personnel to lock the server room doors after use. Server rooms and other infrastructure housings should be guarded by Physical Access Control Systems (PACS) and integrated with the Identity Access Management system. Surveillance systems, including cameras and motion sensors, can also be installed. 

j)    Conduct proactive network monitoring 

Organizations should implement ongoing monitoring of each area, department, and corner of their business including the cloud and on-premises environment 24/7 to enable the quick identification of events that will require an immediate response. Organizations should develop protocols for reporting suspicious behavior and ensure those responsible for monitoring are trained in how to respond to incidents quickly, enabling alerts on all systems to receive real-time warnings of unusual user behavior. Organizations should also carefully monitor and control third-party access to protect their system against compromised third-party vendors and contractors. Although organizations cannot maintain the security of the third party’s environment, rather they can minimize the trust they give to third parties within their environment.

k)    Use categorization to minimize the risk of insider threats

An organization’s workforce can be categorized into two: privileged and standard, where privileged employees are those who have access to sensitive information and client data as they pose the greatest insider threat, and the rest of the employees, are classified as “standard,” as they require less restriction.

l) Follow a strict hardware and documentation recycling program

Organizations should establish an internal protocol following proper media sanitization guidelines on how to properly dispose of old hardware, including phones, hard drives, flash drives, or any storage device. Ensure that the information is thoroughly wiped and non-recoverable. Any hardware that contains critical information must be physically destroyed under the supervision of a specific IT personnel who oversees the process.  

m) Require continuous data backup and implement a business continuity and disaster recovery plan. 

Organizations must make sure their cloud storage and mailboxes are continuously and automatically backed up. In case of intentional or accidental deletion of critical data, a business continuity and disaster recovery plan should be in place.

n) Take event data from SIEM seriously

Organizations should take event data from a security information and event management (SIEM) solution seriously by aggregating, normalizing, and interpreting the vast data feeds from your cybersecurity monitoring solutions. Security professionals should spot or pay attention to unusual changes to user profiles, invalid login attempts, changed or deleted objects, intrusion detections, and changes in system values and act on them swiftly to minimize the potential impact of the insider threat or attack. Post-insider attack forensic analysis is also a critical part of responding to and preventing future insider attacks. An organization must be prepared to handle an attack promptly and effectively in the unfortunate event that it does occur. Organizations must examine what occurred in the environment and visualize and analyze what is occurring in real time. A comprehensive SIEM solution that provides real-time threat detection and prioritization is critical. 

o) Build a threat-hunting team and use threat modeling

Rather than reacting to incidents after they are discovered, threat hunting takes a proactive approach rather than a reactive approach to an incident after they are discovered. Organizations should have a dedicated threat-hunting team on the IT security team to look out for telltale signs, such as those listed above, to intercept operational disruption or theft before they occur. Apply large-scale threat modeling to better understand the organization’s threat landscape, including potential threats and attack vectors related to malicious code or vulnerabilities. Identify potential insiders that might compromise the organization’s system and how they might gain access to the assets to put in place the proper security controls. 

p) Prioritize and use effective risk communication

A clear and well-written message with non-technical and non-complicated verbiage is vital when it comes to communicating to employees or contractors about exploitable vulnerabilities to avoid loss of interest in reading the messages or missteps that might lead to a breach. Clear communication should not be an afterthought but rather a priority. 

q) Implement security awareness training for insider threats

It is essential to conduct or implement a regular non-dreaded effective and interactive security education training awareness (SETA) that educates employees to proactively detect or spot risky behavioral traits and warning signs among employees and contractors to minimize insider threats. Also, the training should encompass how to differentiate between legitimate and malicious emails and then flag them for the security professionals in the organization. Employees must be taught to properly understand the difference between strong and weak passwords. Employees can unintentionally become a threat; therefore, teach them to observe good security hygiene by conducting a self-audit that assesses their own risk.  

r) Enforce security policies

Organizations must enforce wide-sweeping security policies that will safeguard their business against insider threats. The policy should include details about limiting access to personal data about employees who can access what data and type of data. The security policy should also include procedures and processes that will prevent and identify any malicious activities. With more employees working from home or hybrid than ever before, organizations must deploy sufficient protocols to monitor and control remote access. It is critical to review which employees have remote access and which devices they're using to access the network, including mobile devices. A ‘bring your own device’ (BYOD) policy should be in place as employees or contractors can access the corporate network through these devices. An unsecured device can expose the organization’s data and assets to huge risks. 

s)  Social media policies or guidelines

Even though many organizations block access to popular social media platforms and personal social media accounts, they might not consider the risk posed by corporate-sanctioned social platforms or collaboration tools. Organizations should implement social media guidelines as employees or contractors are likely to click on links posted on the comments section of their corporate social pages or platforms as well, while on the corporate network. Users might also simply click “share,” spreading the malicious link to others within the corporate network. This social media policy or guideline may help minimize the number of employees and contractors who may become compromised insiders.

t) Coordinate security teams and HR 

Security teams are often blindsided by layoffs or an annual passed-over promotion or raise which could trigger a disgruntled employee or contractor to do the unthinkable. Effective coordination between the CISO and the head of HR can help thwart a potential insider threat or attack by boosting discrete real-time behavioral monitoring around the employee or contractor or putting them on an internal watchlist. Security teams in coordination with HR can conduct sentiment analysis to ascertain the intentions and feelings of individuals to identify whether an employee is performing poorly, experiencing financial troubles, or under stress to help identify potential malicious insiders. Organizations in the tech, financial, and healthcare sectors are particularly at significant risk of insider threats due to the valuable nature of the industry's assets, data, and processes. Therefore, HR can collaborate with security teams to develop a thorough security-based new hire screening protocol or policy that's integrated into the hiring process to help prevent insider threats.