
11:00 AM
Mike Tierney

The Insiders: A Rogues Gallery

You can defend against an insider threat if you know where to look.

Insider threats range in severity and scope depending on the insider’s level of access, skill, sophistication, and intention. Most, however, fall into one of three categories: imposters/external threats, malicious insiders, and non-malicious insiders.

  • External threats/account takeovers occur when an outsider hijacks credentials and poses as a legitimate user. This imposter leverages the inherent trust of the organization’s infrastructure to gain access to critical data or dupe other users into installing additional malware. Perpetrators can be former employees acting out of malice or retribution or outsiders using stolen credentials to access and take sensitive data.
  • Malicious insiders – employees or other legitimate users like contractors – have access to privileged data and systems, and seek to cause direct or indirect harm to an organization. Most often, they act to negatively affect the confidentiality, integrity, or availability of the organization’s most valuable and sensitive information.
  • Non-malicious insiders may still directly or indirectly cause an organization significant harm. By accidentally exposing sensitive data or falling prey to a phishing scam, these insiders open the door for an Advanced Persistent Threat (APT) to compromise the network.

Within those categories, we’ve identified six archetypes responsible for the bulk of insider threats. Who are these attackers and how can you identify them? Here are some behavior cues and tips to keep your data safe:

The Imposter: The Imposter is an external actor who has gained access to insider credentials or a former insider who has retained access logins. Imposters typically target individual, service, or shared accounts as well as other privileged credentials.

Enforcing least-privileged access helps combat imposters by preventing them from leapfrogging from one place to another at their discretion. Using the right tools, organizations can spot imposters in both the initial and data-gathering phases of an attack. They can look for overt activities, such as password cracking and large, unexplainable spikes in the volume of information being accessed. New data streams that are not part of the network baseline should be analyzed.
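The paragraph above recommends watching for large, unexplained spikes in the volume of data accessed and for new data streams that are not part of the baseline. The following script is an added example, not code from the article or from SpectorSoft, showing one way a defender can operationalize that advice: it builds a per-user baseline from a constructed access log (daily bytes read and the set of data stores each user normally touches), then flags days after a cutoff date where volume exceeds the baseline by a z-score threshold, where a user reads from a store absent from their baseline, or where a user has no baseline history at all. The log format, the 10% floor on the standard deviation and the z-score threshold of 3 are assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample access log (not real data): one record per line,
# "YYYY-MM-DD user data_store bytes_read". Alice's last day shows both a
# volume spike and a data store she never touched during the baseline;
# Carol has no baseline history at all; Bob is normal throughout.
SAMPLE_LOG = """\
2020-09-01 alice fileshare-hr 120000
2020-09-02 alice fileshare-hr 110000
2020-09-03 alice fileshare-hr 130000
2020-09-04 alice fileshare-hr 100000
2020-09-07 alice fileshare-hr 125000
2020-09-01 bob repo-source 200000
2020-09-02 bob repo-source 210000
2020-09-03 bob repo-source 190000
2020-09-04 bob repo-source 205000
2020-09-07 bob repo-source 195000
2020-09-08 alice fileshare-hr 3000000
2020-09-08 alice repo-source 50000
2020-09-08 bob repo-source 202000
2020-09-08 carol finance-db 900000
"""


def parse_log(text):
    """Parse the constructed log format into (date, user, store, nbytes) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, user, store, nbytes = line.split()
        records.append((date, user, store, int(nbytes)))
    return records


def build_baseline(records, cutoff):
    """Per-user baseline from records dated before `cutoff` (ISO dates compare as strings).

    Returns {user: {"mean": float, "stdev": float, "stores": set}}.
    """
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> bytes read
    stores = defaultdict(set)                       # user -> data stores seen
    for date, user, store, nbytes in records:
        if date < cutoff:
            daily[user][date] += nbytes
            stores[user].add(store)
    baseline = {}
    for user, per_day in daily.items():
        volumes = list(per_day.values())
        mu = mean(volumes)
        sigma = pstdev(volumes) if len(volumes) > 1 else 0.0
        # A perfectly flat history would make any deviation look infinitely
        # significant; floor the spread at 10% of the mean (minimum 1 byte)
        # so the z-score stays usable. This floor is an assumption of the example.
        sigma = max(sigma, 0.1 * mu, 1.0)
        baseline[user] = {"mean": mu, "stdev": sigma, "stores": stores[user]}
    return baseline


def detect(records, cutoff, z_threshold=3.0):
    """Flag, for dates on or after `cutoff`: volume spikes, first access to a
    data store outside the user's baseline, and activity by users with no baseline."""
    baseline = build_baseline(records, cutoff)
    daily = defaultdict(lambda: defaultdict(int))
    seen_stores = defaultdict(set)  # (user, date) -> stores accessed that day
    for date, user, store, nbytes in records:
        if date >= cutoff:
            daily[user][date] += nbytes
            seen_stores[(user, date)].add(store)
    findings = []
    for user, per_day in daily.items():
        for date, volume in sorted(per_day.items()):
            if user not in baseline:
                findings.append({"user": user, "date": date, "kind": "no_baseline",
                                 "detail": f"{volume} bytes read, no prior history"})
                continue
            b = baseline[user]
            z = (volume - b["mean"]) / b["stdev"]
            if z > z_threshold:
                findings.append({"user": user, "date": date, "kind": "volume_spike",
                                 "detail": f"{volume} bytes vs baseline mean {b['mean']:.0f} (z={z:.1f})"})
            for store in sorted(seen_stores[(user, date)] - b["stores"]):
                findings.append({"user": user, "date": date, "kind": "new_stream",
                                 "detail": f"first access to {store}"})
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG), cutoff="2020-09-08"):
        print(f"{f['date']} {f['user']:6} {f['kind']:13} {f['detail']}")
```

Run against the embedded sample, the script reports three findings: Alice's volume spike, Alice's first read from repo-source, and Carol's activity with no baseline; Bob's day is within his normal range and produces nothing. In practice the baseline window would be weeks rather than days, the records would come from file-server, database or proxy logs, and the thresholds would be tuned per role so that a large but routine export (a nightly backup account, for instance) does not drown the alerts a human should review.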

Entitled Eddie: This insider believes he has an unquestionable right to his work product, even when he intends to take it with him and use it to compete with his current employer. He exploits his access to the work product and his knowledge of valuable information for personal gain. He is often associated with information and IP theft, and typically acts alone.

Organizations can thwart such activities by discussing work-product ownership up front and ensuring all IP and other agreements are clear. Because Entitled Eddie tends to “forget” policy or fall back on miscommunications, it is best to reinforce the rules whenever possible and review his online activity when he gives signs of departing the company.

The Ringleader: This insider does not work alone. She wants more than what she helped create: information she doesn't have access to because it falls outside the scope of her responsibilities. Often, Ringleaders want to go into business for themselves or work for a competitor. The Ringleader is typically motivated by financial gain and recruits other employees – who may not know why she asks them for trade secrets and other confidential information – to get what she wants.

To protect themselves, organizations can use some of the same measures that work against Entitled Eddie, such as ensuring all IP and other agreements are clear. Fostering a sense of shared interest in security among all employees can help catch the Ringleader during the recruitment stage of an attack. Finally, as with all departing employees, companies need to review the Ringleader's online activity as soon as they become aware she is leaving the organization.

Disgruntled Debbie: Unlike some insiders, Disgruntled Debbie is not motivated by financial gain. Instead, she feels completely justified in exacting revenge on the organization and rationalizes her destructive activities.

Luckily, she is more predictable and easier to detect than other malicious insiders. The causes of employee disgruntlement are common, ranging from poor reviews and smaller-than-expected raises to conflicts with management or rumored layoffs. Organizations can monitor employee activity and enhance security systems when such events occur. To identify and mitigate Disgruntled Debbie’s activities, information security needs to communicate with HR, which can alert them to higher-risk employees so they can keep tabs on their behavior.

The Mole: The Mole is the quintessential double agent, working inside one company but for the benefit of an outside entity. The Mole typically possesses specialized skills – often in science or engineering – involved in creating IP, and has access to the organization’s most critical data.

To guard against moles, organizations need to encourage employees to think about risk and foster a strong culture that reaffirms core values regarding security and IP. Companies need to emphasize transparency, but also need to monitor employees who have privileged access and employ security technologies such as encryption and access logging to protect privileged data.

Hacktivist Harry: Hacktivist Harry sabotages computer systems to make a political or social statement. He often targets government systems and high-profile corporations, but might also target organizations in any industry.

In addition to leveraging data encryption and anomaly detection, organizations can combat Hacktivist Harry by fostering an internal culture that emphasizes shared company goals and an open, transparent environment.

Do you recognize any of these archetypes in your organization? Let’s chat in the comments about what works and doesn’t work against insider attacks.

Mike Tierney is the Chief Operating Officer at SpectorSoft, a leader in user activity monitoring and user behavior analytics. SpectorSoft develops software that helps businesses identify and detect insider threats, conduct efficient and accurate investigations, and enhance ...
