On the Rise: The Enemy From Within

Under the Current Economic Conditions, Security Professionals Must Quickly Re-assess Their Approach to Defending Against Insider Threats. 

Many organizations are aware of the challenges related to external threat actors and therefore focus their efforts on creating deterrents to protect against these cyber-attacks. In doing so, they often overlook that the biggest threats can arise from within.

Over the last two years, insider-related incidents increased by 47% according to the 2020 Cost of Insider Threats Global Report by the Ponemon Institute. At the same time, the average global cost of insider threats rose by 31% to $11.45 million. These numbers are quite concerning, especially when bearing in mind that they came at a time of global prosperity and growth. The risk of company employees walking away with sensitive data or selling their access credentials has never been greater now that a record number of individuals have been laid off and face financial hardship due to the COVID-19 health crisis. So, what measures can organizations take to minimize their exposure to insider threats?

As we’re all painfully aware, external threat actors are taking full advantage of these uncertain times by launching a wave of new cyber-attacks, using phishing, ransomware, and credential stuffing tactics. In turn, organizations need to focus on improving cyber resilience while stretching their budgets further. However, employees and business partners can do just as much damage from the inside, whether due to malice or negligence.

Since insider threats are carried out by current or former employees, contractors, or other trusted business associates that have ― or had ― access to the organization’s IT infrastructure and sensitive data, these attacks are often difficult to detect as they occur under the umbrella of legitimacy. According to the 2019 Verizon Data Breach Investigations Report, insider threats represent an often-overlooked threat vector that significantly contributes to data breaches in verticals such as healthcare (59%), educational services (45%), information technology (44%), financial services (36%), and government (30%). 

Insider Threats Defined

The most common insider threats can be defined by the intent and motivation of the individuals involved. The 2019 Verizon Insider Threat Report defines five distinct insider threats based on data breach scenarios:

• The Careless Worker: Employees or partners who misappropriate resources, break acceptable use policies, mishandle data, install unauthorized applications, and use unapproved workarounds; their actions are inappropriate as opposed to malicious, many of which fall within the world of shadow IT (i.e., outside of IT knowledge and management).

• The Inside Agent: Insiders recruited, solicited, or bribed by external parties to exfiltrate data.

• The Disgruntled Employee: Insiders who seek to harm their organization via destruction of data or disruption of business activity.

• The Malicious Insider: Actors with access to corporate assets who use existing privileges to access information for personal gain.

• The Feckless Third-Party: Business partners who compromise security through negligence, misuse, or malicious access to or use of an asset.

Today’s economic climate exacerbates these risks, as pending furloughs or pay cuts may tempt employees to exfiltrate data to secure a new job, make up for income losses, etc.

Indicators of Insider Threats

Insiders have a huge advantage, as they’re familiar with the company’s IT infrastructure and often know where the most valuable data resides. Furthermore, they may be familiar with how sensitive data is being protected and know how to sidestep any security measures. In addition, insider threats are harder to defend against than attacks from external adversaries, since the behavior of insiders often blends in with typical business activity.

Nonetheless, behavioral analysis can be used to establish early indicators for insider threats. These can include:

• Activity at unusual times (e.g., signing into systems in the middle of the night)

• The volume of data traffic (e.g., downloading terabytes of data sets)

• The type of activity (e.g., access unusual resources)

Tools such as User and Entity Behavior Analytics (UEBA) as well as Data Loss Prevention (DLP) systems are often deployed for these purposes. However, the fact that employees are currently mandated to work from home blurs the intelligence provided by these tools, since behavioral baselines typically used to identify abnormal activity have been dramatically altered. In addition, some employees might not be monitored by these security tools in remote work scenarios, which impacts visibility into their actions. 

Best Practices for Protecting Against Insider Attacks 

Besides relying on advanced detection technologies, organizations can take the following steps to help reduce the risk of insider threats:

• Enforce Segregation of Duties – Separate duties, especially for sensitive or shared processes and tasks. This ensures that no individual can complete a single task alone. In this context, organizations can for example leverage so-called “access zones” to tie the rights a user has to specific resources.

• Establish the Concept of Least Privilege – Only assign access privileges necessary to perform a regular task and require privilege elevation to gain access to sensitive resources. This approach limits unauthorized or unintended actions. 

• Implement Access Requests and Approval Workflows – Govern privilege elevation with self-service access requests and multi-level approvals, to capture who approved access and the context associated with the request.

Under the current economic conditions, IT security professionals need to quickly re-assess their approach to defending against insider threats. Since the near-term deployment of behavioral analytics tools for monitoring insider activities is not a viable option for most organizations, consider enhancing basic cyber hygiene practices by implementing segregation of duties and just-enough, just-in-time privileged access.