
8 Ways to Spot an Insider Threat

The good news is most insider threats derive from negligence, not malicious intent. The bad news is the frequency of negligence is already ahead of where it was in 2018.

When the challenge of battling insider threats arises, it's tempting to dismiss the process as little more than identifying the rogue employee(s), along with reviewing and refining permissions, controls, and authorizations to prevent recurrence. Depending on the industry, some public apologies may need to be made and some regulatory fines may need to be paid.

The good news and the bad news with insider threats? The good news is most insider threats derive from negligence, not malicious intent, as Katie Burnell, global insider threat specialist at security vendor Dtex Systems, explained in a November Dark Reading webinar about the insider threat. The bad news, she said, is the frequency of negligence is already ahead of where it was in 2018.

Compounding the problem is the fact there are more networks, more devices, and, of course, more data to monitor and secure. Organizations understand they can't equally secure it all. One approach has been to prioritize the monitoring of those users with the highest privileges, perhaps aided by the use of privileged access management (PAM) tools.

Our list of insider threats identifies the "who," but what about the "how" of detection? Log files and SIEM data may offer some forensic footprints to see who accessed which servers, databases, and individual files. But the volumes of monitoring data are too great to do this for all users, security experts agree. This has opened the door to user and entity behavior analytics (UEBA), which flags anomalous behavior by user. Some security vendors are starting to push the idea of "identity as a perimeter," according to ESG analyst Doug Cahill, rather than using the more traditional physical perimeter of the network. "So you monitor who has access and whether they do anything anomalous," Cahill explains.

Vendors are also talking about adding artificial intelligence and machine learning to the security equation. While those implementations remain rather basic, you don't need an algorithm to see this is where security management is headed. Detecting and stopping malicious insiders will need this extra oomph, which automates tasks otherwise left to humans.

Do you have any experience with the kinds of malicious insiders tagged here? We'd love to hear your war stories in our "Comments" section.
(Image Source: vivali via Adobe Stock)


Figure 2:
Just Curious — Or Actively Resumé-Shopping?

Most employers retain the right to monitor their employees' online browsing history, and most employees understand their online activities may be scrutinized. But it's not always easy to ascertain which employees have one foot out the door. Many security pros agree it's smart to have a general sense of those who make regular visits to LinkedIn, Glassdoor, or CareerBuilder.

And this is where allies within the organization can help, according to Dtex's Burnell. "Find and identify stakeholders from across the business — from human resources and legal — stakeholders from all areas to prop up and address insider threats," she said.

Of course, checking job descriptions doesn't make someone a rogue or a threat. But if job-site visits are excessive or start to become long-term habits, it may be worth taking a fresh look at the privileges and permissions enjoyed by the job seeker. The last thing an organization wants is for a departing employee to carry off reams of proprietary data to another company (potentially a competitor) or use that data as leverage to land a new position.
(Image Source: Andrey Popov via Adobe Stock)


Figure 3:
The Rise of the "Persistent Insider"

There's a particular kind of user who seems to be all over the network — "How did she access that server?" — possibly gauging how different departments organize their project data, how often data gets refreshed, or which files see a lot of action or are password-protected. In a spookier realm, all of this could simply be called reconnaissance.

But a successful persistent insider has to keep tabs stealthily, including which permissions they steal or give themselves, servers they access, and files they touch. By maintaining good cover, a persistent insider can use changes in the internal data landscape for bargaining, blackmailing, or outright profiteering. And that means the potential pool of persistent insiders spans everyone from the most bespoke CEO to that taciturn summer intern. Seeing users in parts of the network they don't belong is a call to action for security personnel to double-check permissions for suspected persistent users.

This kind of rigorous monitoring isn't "a checkbox activity" to keep the audit team at bay, Burnell said. Monitoring and managing must be done proactively to really work, she added.
(Image Source: ktsdesign via Adobe Stock)


Figure 4:
Encrypt Much?

Most organizations that use any kind of encryption also flag the act of encrypting data in their log files or security management platform. In addition, they typically note the amount of stored data, since encrypted data takes up more drive space than unencrypted data.

But this storage management vector also provides a keyhole into who may be stealing data from the organization. If nothing else, it's worth asking Pete in accounting why he downloaded – and encrypted – terabytes of data from engineering. Chances are good he's not going to be using it on upcoming quarterly financial filings. Security experts agree there should be some explicit justification from those downloading encrypted data, and downloading huge volumes also ought to set off some alarms.
(Image Source: Feodora via Adobe Stock)


Figure 5:
Short-Timer's Syndrome

IT monitoring experts and human resources professionals can agree on one thing: Employees, even top performers with sterling integrity, often act differently once they've given notice, been laid off, or gotten fired.

People on their way out may decide they helped build a product, service, or new line of business and are therefore entitled to take the fruits of that labor with them as they exit the company. So they download and/or print out entire databases. Whatever the faulty rationalization, these short-time employees are worth actively monitoring, possibly even restricting or cutting off access entirely.

Just like with compulsive job-seekers, it's worth coordinating with HR and legal about upcoming departures to ensure company data stays safe.
(Image Source: Elnur via Adobe Stock)


Figure 6:
Eddie Haskell in the SOC

Is there some overenthusiastic infosec pro in your security operations center who's always volunteering to fill in for others who have to leave early or take vacation? It could just be benign ambition. Or it might be someone anxious to collect lots of credentials and permissions (even if temporary) to learn more about the network, the policies that control it, and how the data is organized.

But this is tricky to investigate since the solicitous employee may have only the highest intentions, and companies don't typically like to discourage people from being helpful. "But the wrong kind of IT admin could suddenly become a risk to your business. … Who's checking on them and what they say they're doing when they come in on the weekends?" Burnell asked.

Who covers for whom in such circumstances shouldn't be a casual decision. The more sensitive the permissions, the more caution should be exercised when delegating roles to other staff. Offers of help shouldn't be a red flag, but smart infosec pros should take notice when those offers start to become more frequent. No need to hold the vault doors open for the bank robbers.
(Image Source: masterzphotofo via Adobe Stock)


Figure 7:
Rolls-Royce Ride, Buck Budget

When the government performs background checks for employee security clearances, investigators always ask personal references, "Does this person live within their means?" A less gentle translation: Does your college roommate have a debt problem? Are they what demographers refer to as "super-aspirational"? Are their tastes and spending in line with their income?

Someone living above their pay grade might be a sign of someone willing to trade credentials for a business opportunity. Security consultant Larry Ponemon points to a 17-person internal fraud scheme that went unnoticed for a couple of years. Yet somehow nobody questioned the Bentley a midlevel accountant was driving. Employees with new luxury cars, blingy jewelry, or regular extended vacations to exotic locales could all be signs of an insider who's profiting off ill-gotten goods.

Careful, though! Those same signs may be pointing to a perfectly legitimate trust fund. Caution before accusations.
(Image Source: erllre via Adobe Stock)


Figure 8:
Watch That Exfiltration

In addition to data volumes, systems and management consoles can discern the type of device being used to download data. Download destinations that ought to give security teams some pause include USB thumb drives and external hard drives: They're easily portable and not hard to conceal physically or hand-carry out of an office.

While downloads to external devices may be entirely above board, the use of encryption may indicate the user has something to hide — something highly proprietary that belongs to the company. And if they're downloading to a server on the Dark Web, it's definitely time to ask, "What the file?" At last glance, there were no business-critical reasons for using the Dark Web. But if caught, it may be useful to blame the new cloud services provider.
(Image Source: Maksymiv Iurii via Adobe Stock)
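The two slides above describe three signals a monitoring platform can log: unusual download volume, an encryption flag on the downloaded data, and a removable-media destination. As an added example (not from the article, Dtex, or any vendor), the Python below scores those signals together over constructed transfer-log lines, judging volume against each user's own history in the UEBA style described earlier; the log format, destination labels, and the 10x threshold are assumptions.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample transfer log (not real data): user,bytes,encrypted,destination
SAMPLE_LOG = """\
user,bytes,encrypted,destination
alice,120000000,no,network_share
alice,95000000,no,network_share
alice,110000000,no,network_share
pete,4000000,no,network_share
pete,5500000,no,network_share
pete,3800000,no,network_share
pete,4600000,no,network_share
pete,2000000000000,yes,usb
dana,50000000,no,network_share
dana,48000000,yes,network_share
"""

# Assumed destination labels and threshold; tune these to the environment.
REMOVABLE = {"usb", "external_hdd"}
VOLUME_FACTOR = 10  # a transfer >= 10x the user's own median is anomalous


def parse_log(text):
    """Turn CSV log text into typed event dicts, preserving order."""
    return [{"user": r["user"], "bytes": int(r["bytes"]),
             "encrypted": r["encrypted"] == "yes", "dest": r["destination"]}
            for r in csv.DictReader(io.StringIO(text))]


def score_transfers(events, volume_factor=VOLUME_FACTOR):
    """Score each event against the same user's earlier transfers.

    Volume is compared to the median of that user's history, so a first
    event never trips the volume check. Encryption alone is a low-severity
    review item (ask for a justification); a volume anomaly, or encryption
    combined with removable media, is escalated to high severity."""
    history = defaultdict(list)
    alerts = []
    for ev in events:
        reasons = []
        past = history[ev["user"]]
        if past:
            baseline = statistics.median(past)
            if ev["bytes"] >= volume_factor * baseline:
                reasons.append(f"volume {ev['bytes'] / baseline:.0f}x baseline")
        if ev["encrypted"]:
            reasons.append("encrypted download")
        if ev["dest"] in REMOVABLE:
            reasons.append(f"removable destination: {ev['dest']}")
        if reasons:
            # The volume reason, when present, is always appended first.
            high = len(reasons) >= 2 or reasons[0].startswith("volume")
            alerts.append({"user": ev["user"],
                           "severity": "high" if high else "low",
                           "reasons": reasons})
        past.append(ev["bytes"])
    return alerts


if __name__ == "__main__":
    for a in score_transfers(parse_log(SAMPLE_LOG)):
        print(a["severity"].upper(), a["user"], "; ".join(a["reasons"]))
```

On the sample log, Pete's terabyte-scale encrypted copy to USB is the only high-severity hit, while Dana's ordinary-sized encrypted download surfaces as a low-severity item to ask about rather than an alarm.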


Figure 9:
"I'm Very Private"

Some users seek out ways to anonymize themselves or conceal any personally identifying information (name, phone, IP address, etc.).

The tools they turn to most frequently are private VPNs, which give them plenty of cover, and the Tor browser, designed for anonymous browsing that also protects the user against traffic analysis of their searching, clicking, and downloading.

Dtex's Burnell said these practices are alarmingly common — 60% of the company's survey sample found users actively attempting to bypass security measures through private or anonymous browsers.
(Image Source: Jane Kelly via Adobe Stock)


About the Author(s)

Terry Sweeney, Contributing Editor

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, Network World, InformationWeek and Mobile Sports Report.

In addition to information security, Sweeney has written extensively about cloud computing, wireless technologies, storage networking, and analytics. After watching successive waves of technological advancement, he still prefers to chronicle the actual application of these breakthroughs by businesses and public sector organizations.

