07:30 AM
Bryan Sartin
Ignore the Insider Threat at Your Peril

Attacks from insiders often go undiscovered for months or years, so the potential impact can be huge. These 11 countermeasures can mitigate the damage.

The fear of cyber breaches looms heavy for many businesses, large and small. However, many companies are so busy looking for bad actors throughout the world that they ignore the threat from within their own walls.

According to Verizon's Insider Threat Report — which analyzes cases involving bad actors from the 2018 Data Breach Investigation Report — 20% of cybersecurity incidents and 15% of the data breaches investigated within the Verizon 2018 DBIR originated from people within the organization.

What's scarier, these attacks, which exploit internal data and system access privileges, are often only found months or years after they take place, making their potential impact on a business significant.

However, many organizations treat insider threats as a taboo subject. Companies are too often hesitant to recognize, report, or take action against employees who have become a threat to their organization. It's as though the insider threat is a black mark on their management processes and their name.

The Verizon Insider Threat Report aims to change this perception by offering organizations a data-driven view on how to identify pockets of risk within the employee base, real-life case scenarios, and countermeasure strategies to consider when developing a comprehensive insider threat program.

In no small part, the first step is to understand the types of insider threats that an organization can face. The Insider Threat Report profiles five distinct insider personalities.

  1. The Careless Worker: These are employees or partners who misappropriate resources, break acceptable use policies, mishandle data, install unauthorized applications, and use unapproved workarounds. Their actions are inappropriate rather than malicious, and many fall within the world of "shadow IT" (i.e., outside of IT's knowledge and management).
  2. The Inside Agent: Insiders recruited, solicited, or bribed by external parties to exfiltrate data.
  3. The Disgruntled Employee: Insiders who seek to harm their organization via destruction of data or disruption of business activity.
  4. The Malicious Insider: Employees or partners with access to corporate assets who use existing privileges to access information for personal gain.
  5. The Feckless Third Party: Business partners who compromise security through negligence, misuse, or malicious access to or use of an asset.

So, how do you build countermeasures against inside actors?

There are several practical countermeasures to help organizations deploy a comprehensive insider threat program, which should involve close co-ordination across all departments from IT security, legal, and HR to incident response and digital forensics investigators.

Two factors hold the key to this success: knowing what your assets are and who has access to them.

Ways to Fight Back
These 11 countermeasures can help reduce risks and enhance incident response efforts:

  • Integrate security strategies and policies: Integrating the other 10 countermeasures listed below, or, better yet, having a comprehensive insider threat program with other existing strategies (such as a risk management framework, human resources management, and intellectual property management) can help strengthen efficiency, cohesion, and timeliness in addressing insider threats.
  • Conduct threat-hunting activities: Refine threat-hunting capabilities such as threat intelligence, Dark Web monitoring, behavioral analysis, and endpoint detection and response (EDR) solutions to search, monitor, detect, and investigate suspicious user and user account activities, both inside and outside the enterprise.
  • Perform vulnerability scanning and penetration testing: Leverage vulnerability assessments and penetration tests to identify gaps within a security strategy, including potential ways for insider threats to maneuver within the enterprise environment.
  • Implement personnel security measures: Human resource controls (such as employee exit processes), security access principles, and security awareness training can mitigate the number of cybersecurity incidents associated with unauthorized access to enterprise systems.
  • Employ physical security measures: Physical methods to limit access such as identity badges and security doors should coincide with digital access methods such as card swipes, motion detectors, and cameras.
  • Implement network security solutions: Implement network perimeter and segment security solutions, such as firewalls, intrusion detection/prevention systems, gateway devices, and data loss prevention solutions in order to detect, collect, and analyze suspicious traffic potentially associated with insider threat activities. This will help highlight any unusual out-of-hours activity, volumes of outbound activity, and the use of remote connections.
  • Employ endpoint security solutions: Use established endpoint security solutions, such as critical asset inventories, removable media policies, device encryption and file integrity monitoring tools in order to deter, monitor, track, collect, and analyze user-related activity.
  • Apply data security measures: Apply data ownership, classification and protection as well as data disposal measures in order to manage the data life cycle and maintain confidentiality, integrity and availability with insider threats in mind.
  • Employ identity and access management measures: Employ identity, access, and authentication management measures to manage, limit, and protect access into the enterprise environment. This can be taken to the next level by employing a privileged access management solution for privileged access.
  • Establish incident management capabilities: Establishing an incident management process to include an insider threat playbook with trained and capable incident handlers will make cybersecurity response activities more efficient and more effective in addressing insider threat activities.
  • Retain digital forensics services: Retain an investigative response resource capable of conducting a full spectrum of deep-dive investigations, ranging from the analysis of logs, files, endpoints, and network traffic, in what are often delicate, human-related (or user-account-related) cybersecurity incidents.
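As an added example (not from the article or the Verizon report), a small Python detector run over constructed egress log lines that flags the two indicators the network security bullet above names: out-of-hours activity and unusual per-user outbound volume. The business-hours window and the volume baseline are assumed values a team would tune to its own environment.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log lines (not real data): timestamp, user, destination, bytes_out
SAMPLE_LOG = """\
2019-03-04T09:12:05 alice fileshare.internal 120000
2019-03-04T14:40:19 alice mail.example.net 85000
2019-03-04T23:52:41 bob cloud-storage.example.org 950000000
2019-03-05T02:17:03 bob cloud-storage.example.org 1200000000
2019-03-05T10:05:11 carol vpn.example.net 40000
"""

BUSINESS_HOURS = (7, 19)       # assumed policy: 07:00 to 19:00 local time
OUTBOUND_LIMIT = 500_000_000   # assumed baseline: 500 MB per user per day


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dest, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "dest": dest, "bytes": int(nbytes)})
    return events


def find_anomalies(events, hours=BUSINESS_HOURS, limit=OUTBOUND_LIMIT):
    """Return (user, reason) alerts for out-of-hours events and daily outbound volume over the baseline."""
    alerts = []
    daily = defaultdict(int)
    for ev in events:
        # Flag any event whose hour falls outside the business-hours window
        if not (hours[0] <= ev["ts"].hour < hours[1]):
            alerts.append((ev["user"],
                           f"out-of-hours activity at {ev['ts'].isoformat()} to {ev['dest']}"))
        # Accumulate outbound bytes per user per calendar day
        daily[(ev["user"], ev["ts"].date())] += ev["bytes"]
    for (user, day), total in sorted(daily.items()):
        if total > limit:
            alerts.append((user, f"outbound volume {total} bytes on {day} exceeds {limit}"))
    return alerts


if __name__ == "__main__":
    for user, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user}: {reason}")
```

On the sample data only bob trips both rules; in practice the baseline would be derived per user or role rather than fixed.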


As head of Verizon Global Security Services, Bryan Sartin keeps pace with the leading and bleeding edges of innovation in the security market, while maintaining the highest quality of service in delivery operations. He manages the proactive and reactive span of Verizon's ...

4/8/2019 | 8:51:22 AM
Bad Practices: Turn good people into your enemy.
THE OUTSOURCED EMPLOYEE: If an employer wants to make a solid employee otherwise free of any intent at all, just outsource and have him or her train a replacement. That breaks all bargains. No loyalty at that point and, when a whole IT department is sent packing - a lot of assets go with them. 140 walked out of one firm a few years ago and I was part of another wholesale ransack JUST to save costs. That is worse than being fired - it is an insult.

WE RESPECT YOU IF YOU LEAVE BUT WE CAN FIRE IN A HEARTBEAT: Equal that with WE want two weeks notice but we can fire YOU with a phone call this afternoon. Have a nice day. Oh really? I gave one day notice for that reason to an employer who did terminate staff with just one or two day notice. Revenge pure and simple

WE'RE SORRY WE FIRED YOU. Beware terminating critical personnel too. My daughter lost a real-estate position when the whole firm closed, 320 laid off and among them was the IT guy who maintained asset inventory. Well they suddenly wanted him back for a time to track non-returned inventory and ..... well he told them they could put that offer where the sun did not shine. Result: lost inventory and assets.

One firm I worked for fired a lawyer and turns out they needed him really bad. A mistake. They invited him back. No hard feelings. He was not offended nor did he turn bad employee BUT HE WAS FIRED so it was time to renegotiate salary!!!!!!