How to Mitigate Insider Threats on the Network
We’re inclined to focus only on digital threats that emanate from outside the network. In so doing, however, we overlook a key risk: threats that come from within the network itself.
I’ll use this blog post to discuss what these “insider threats” look like, what types they come in, how they’re increasing and how organizations can defend against them. We’ll also look at some recent examples to help us better understand how insider threats work.
What Are Insider Threats?
In its simplest terms, an insider threat is a security risk that comes from within an organization. This threat can come from an employee, officer, or someone else who’s directly involved with the organization at the time of the incident. It can also come from consultants, former employees, business partners, or board members who might have the necessary capabilities and privileges to access important data.
Of course, it’s important to remember that not all insider threats are the same. Some of these actors have malicious intentions in mind, while others jeopardize organizations’ digital security by accident. These different motivations explain why insider threats come in different types.
IBM’s Security Intelligence identifies five main varieties:
- Non-Responders continue to fall prey to test phishing exercises and behave negligently despite receiving security awareness training;
- Inadvertent Insiders behave with security awareness in mind, but they commit isolated errors and periodically misjudge circumstances pertaining to digital security issues;
- Insider Collusion isn’t very common; in these types of circumstances, malicious insiders willingly collaborate with external attackers to prey upon the targeted organization;
- Persistent Malicious Insiders are criminal insider threats who access sensitive business assets and exfiltrate data with the goal of persistently benefiting financially; and
- Disgruntled Employees are more limited in nature than persistent malicious insiders; they deliberately conduct sabotage or intellectual property theft on a short-term basis.
Four Recent Incidents Involving Insider Threats
Insider threats oftentimes are small incidents in which employees steal their current company’s data, accept a position at a competitor company and sell this information to help their new employer gain a competitive edge. But some are much larger in nature and garner media attention. Here are four insider threat attacks that have recently made headlines:
- Phillips Research Center: In February 2019, ClearanceJobs reported how Hongjin Tan abused his position as a materials scientist at the Phillips 66 Research Center in Bartlesville, Oklahoma to steal hundreds of files. Some of those files pertained to a technology product worth a billion dollars on which Tan was working while at the Research Center.
- Capital One: The New York Times reported in July 2019 that a software engineer had breached a server owned by Capital One and hosted by Amazon Web Services (AWS). Paige Thompson, 33, of Seattle, Washington, used her job at AWS to infiltrate the server and steal the personal information of over 100 million customers of the bank.
- General Electric: In an October 2019 report, CrowdStrike revealed that the Chinese government had conducted a digital espionage campaign against western aerospace manufacturers. This campaign involved collusion with an insider at General Electric along with internal actors at other companies to help the Chinese government gain the necessary knowledge to help it build the C919 commercial airliner.
- Twitter: In early November 2019, the U.S. Department of Justice unsealed an indictment against Ali Alzabarah, 35, and Ahmad Abouammo, 41. The complaint accused the two former Twitter employees of having improperly accessed thousands of users’ accounts.
Why Are Insider Threats a Concern?
Insider threats should weigh heavily on our minds for several reasons. First, these types of attacks are on the rise. Verizon’s 2019 Data Breach Investigations Report found that insider threats have risen every year since 2015 and that an insider was involved in some form in a full third of all breaches analyzed in the most recent study. In support of these findings, 73 percent of IT professionals who responded to Bitglass’s 2019 Insider Threat Report said that insider attacks had become more frequent over the past year. Fifty-nine percent of respondents told Bitglass that their organization had suffered at least one insider attack over the past year.
Second, insider threats are difficult to detect. Returning to the Bitglass report, just 12 percent of IT professionals said that their employers had successfully detected insider threats stemming from personal mobile devices. This finding stands in stark contrast to the assurances of 50 percent of survey respondents that their organizations are capable of detecting and/or recovering from insider threats within a day. In reality, Ponemon’s 2018 Cost of a Data Breach study found that it took an average of 197 days to identify an insider breach and 69 days to contain it.
Given the length of time they go unnoticed, it’s not surprising that these attacks tend to be expensive. Ponemon’s 2018 Cost of Insider Threats study found that the average insider threat cost companies about $513,000 and that these threats can cost companies up to $8.76 million overall. (That figure is even higher in North America at $11.1 million.) Those costs are rising, too; Accenture & Ponemon’s 2019 Cost of Cybercrime study found that the average cost of a malicious insider attack rose 15 percent from 2018 to 2019.
How Organizations Can Defend Against Insider Threats
As noted by SearchSecurity, we can use insider-centric security policies, security awareness training, multi-factor authentication, and least privilege models to harden our defenses against malicious insiders. But these controls can only go so far. Ultimately, we need to be able to monitor the network for suspicious activity such as the abuse of legitimate credentials to exfiltrate sensitive information.
This is where Lastline’s network detection and response (NDR) solution comes in. It uses network traffic analysis and file analysis together with the power of artificial intelligence (AI) to spot anomalous behavior that could be indicative of insider threats. Spotting behaviors that may not be a smoking gun of maliciousness, but that appear to be abnormal, can be enough to tip off your security team to take a deeper look at an event. As such, these solutions allow you to prevent insiders from making off with your sensitive data (or to substantially limit the damage an insider can do) without bogging your security professionals down with the need to investigate false positives or security issues that aren’t there.
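As an added illustration of the baseline-driven monitoring described above (example code written for this post, not Lastline’s product or its algorithm): it scores each user’s daily outbound volume and after-hours logins against that user’s own history, over constructed sample records. The record layout, thresholds, and user names are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records (not real telemetry): one row per user per day with the
# bytes that user sent to external destinations and the number of logins outside
# business hours. Day 6 for "alice" is the constructed anomaly.
RECORDS = [
    ("alice", 1, 120_000_000, 0), ("alice", 2, 95_000_000, 0),
    ("alice", 3, 130_000_000, 0), ("alice", 4, 110_000_000, 0),
    ("alice", 5, 105_000_000, 0), ("alice", 6, 4_800_000_000, 3),
    ("bob", 1, 60_000_000, 1), ("bob", 2, 70_000_000, 0),
    ("bob", 3, 65_000_000, 1), ("bob", 4, 72_000_000, 0),
    ("bob", 5, 68_000_000, 1), ("bob", 6, 71_000_000, 1),
]

def baseline(values):
    """Mean and population standard deviation of a user's historical egress volume."""
    return mean(values), pstdev(values)

def z_score(value, avg, sd):
    """Standard deviations above the baseline; a flat baseline makes any increase infinite."""
    if sd == 0:
        return float("inf") if value > avg else 0.0
    return (value - avg) / sd

def flag_anomalies(records, history_days=5, z_threshold=3.0, after_hours_threshold=2):
    """Score each user's days after the baseline window against that user's own history.
    Per-user baselines matter: volume that is normal for a backup operator is a red flag
    for an analyst, so one global threshold would either miss or drown the signal."""
    by_user = defaultdict(list)
    for user, day, egress, after_hours in records:
        by_user[user].append((day, egress, after_hours))

    findings = []
    for user, rows in by_user.items():
        rows.sort()
        history = [egress for _, egress, _ in rows[:history_days]]
        avg, sd = baseline(history)
        for day, egress, after_hours in rows[history_days:]:
            reasons = []
            z = z_score(egress, avg, sd)
            if z > z_threshold:
                reasons.append("egress_spike")
            if after_hours >= after_hours_threshold:
                reasons.append("after_hours_logins")
            if reasons:
                findings.append({"user": user, "day": day, "z": round(z, 1), "reasons": reasons})
    return findings
```

Running `flag_anomalies(RECORDS)` yields a single finding for alice on day 6 with both reasons, while bob’s day 6 stays within his own baseline even though his after-hours logins would look odd against alice’s history.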