The fear of cyber breaches looms heavy for many businesses, large and small. However, many companies are so busy looking for bad actors throughout the world that they ignore the threat from within their own walls.
According to Verizon's Insider Threat Report — which analyzes cases involving bad actors from the 2018 Data Breach Investigation Report — 20% of cybersecurity incidents and 15% of the data breaches investigated within the Verizon 2018 DBIR originated from people within the organization.
What's scarier, these attacks, which exploit internal data and system access privileges, are often only found months or years after they take place, making their potential impact on a business significant.
However, many organizations often treat insider threats as a taboo subject. Companies are too often hesitant to recognize, report, or take action against employees who have become a threat to their organization. It's as though the insider threat is a black mark on their management processes and their name.
The Verizon Insider Threat Report aims to change this perception by offering organizations a data-driven view on how to identify pockets of risk within the employee base, real-life case scenarios, and countermeasure strategies to consider when developing a comprehensive insider threat program.
In no small part, the first step is to understand the types of insider threats than an organization can face. The Insider Threat Report profiles five distinct insider personalities.
- The Careless Worker: These are employees or partners who misappropriate resources, break acceptable use policies, mishandle data, install unauthorized applications, and use unapproved workarounds. Their actions are inappropriate as opposed to malicious, many of which fall within the world of "shadow IT" (i.e., outside of IT knowledge and management).
- The Inside Agent: Insiders recruited, solicited, or bribed by external parties to exfiltrate data.
- The Disgruntled Employee: Insiders who seek to harm their organization via destruction of data or disruption of business activity.
- The Malicious Insider: Employees or partners with access to corporate assets who use existing privileges to access information for personal gain.
- The Feckless Third Party: Business partners who compromise security through negligence, misuse, or malicious access to or use of an asset.
So, how do you build countermeasures against inside actors?
There are several practical countermeasures to help organizations deploy a comprehensive insider threat program, which should involve close co-ordination across all departments from IT security, legal, and HR to incident response and digital forensics investigators.
Two factors hold the key to this success: knowing what your assets are and who has access to them.
Ways to Fight Back
These 11 countermeasures can help reduce risks and enhance incident response efforts:
- Integrate security strategies and policies: Integrating the other 10 countermeasures listed below, or, better yet, having a comprehensive insider threat program with other existing strategies (such as a risk management framework, human resources management, and intellectual property management) can help strengthen efficiency, cohesion, and timeliness in addressing insider threats.
- Conduct threat-hunting activities: Refine threat-hunting capabilities such as threat intelligence, Dark Web monitoring, behavioral analysis, and endpoint detection and response (EDR) solutions to search, monitor, detect, and investigate suspicious user and user account activities, both inside and outside the enterprise.
- Perform vulnerability scanning and penetration scanning: Leverage vulnerability assessments and penetration tests to identify gaps within a security strategy, including potential ways for insider threats to maneuver within the enterprise environment.
- Implement personnel security measures: Human resource controls (such as employee exit processes), security access principles, and security awareness training can mitigate the number of cybersecurity incidents associated with unauthorized access to enterprise systems.
- Employ physical security measures: Physical methods to limit access such as identity badges and security doors should coincide with digital access methods such as card swipes, motion detectors, and cameras.
- Implement network security solutions: Implement network perimeter and segment security solutions, such as firewalls, intrusion detection/prevention systems, gateway devices, and data loss prevention solutions in order to detect, collect, and analyze suspicious traffic potentially associated with insider threat activities. This will help highlight any unusual out-of-hours activity, volumes of outbound activity, and the use of remote connections.
- Employ endpoint security solutions: Use established endpoint security solutions, such as critical asset inventories, removable media policies, device encryption and file integrity monitoring tools in order to deter, monitor, track, collect, and analyze user-related activity.
- Apply data security measures: Apply data ownership, classification and protection as well as data disposal measures in order to manage the data life cycle and maintain confidentiality, integrity and availability with insider threats in mind.
- Employ identity and access management measures: Employ identity, access and authentication management measures to manage limit and protect access into the enterprise environment. This can be taken to the next level by employing a privileged access management solution for privileged access.
- Establish incident management capabilities: Establishing an incident management process to include an insider threat playbook with trained and capable incident handlers will make cybersecurity response activities more efficient and more effective in addressing insider threat activities.
- Retain digital forensics services: Have an investigative response retained resource available which is capable of conducting a full spectrum of deep-dive investigations ranging from the analysis of logs, files, endpoint, and network traffic, in often delicate and human-related (or user-account-related) cybersecurity incidents.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.