Finding and Detecting Insider Threats

Laptop with hands in foreground.

In 2023 it was reported that the average cost of an insider incident is $16 million – that doesn’t include the
cost of loss of confidence by customers, shareholders and even employees.

An insider threat refers to a potential or actual security risk that originates from within an organization. It involves individuals who have authorized access to an organization’s systems, data, or resources and exploit that access to cause harm, whether intentionally or unintentionally.

Insider threats can take various forms, including:

Malicious Insiders

These are individuals within an organization who intentionally misuse their access privileges to steal sensitive data, commit fraud, sabotage systems, or harm the organization in some way. Their motivations can vary, such as personal gain, revenge, ideology, or coercion. They comprise only 20% of all insider incidents.

Negligent insiders 

These insiders do not have malicious intent but inadvertently compromise security due to carelessness, lack of awareness, or inadequate training. For example, they may accidentally share sensitive information, fall for phishing scams, or mishandle data, resulting in unintended security breaches.

Compromised Insiders

80% of insider incidents are not malicious. In this scenario, insiders unwittingly become threats due to external factors. Their accounts or credentials may be compromised through hacking, social engineering, or other means, allowing unauthorized individuals to gain access to sensitive information or systems.

Insider threats can pose significant risks to organizations, as insiders often have knowledge of the organization’s systems, processes, and vulnerabilities. They may bypass security measures more easily and cause substantial damage before their actions are detected.

To mitigate the risk of insider threats, organizations employ various strategies, including implementing strong access controls, monitoring employee activities, conducting regular security awareness training, implementing behavioral analytics to identify anomalous behavior, and establishing incident response plans to address any security breaches promptly.

It’s worth noting that while organizations focus on external threats, insider threats remain a critical concern that requires ongoing attention and vigilance.

Detecting Insider Threats

Detecting insider threats requires a combination of technical controls, monitoring systems, and behavioral analysis. Here are some common methods used to identify potential insider threats:

User Activity Monitoring: Implement systems that monitor user activities, such as logins, file access, data transfers, and system commands. Analyzing this data can help identify suspicious or unusual behavior that may indicate an insider threat.

Data Loss Prevention (DLP) Solutions: DLP solutions help prevent sensitive data from being leaked or misused. They can monitor data in motion, data at rest, and data in use, providing alerts or blocking actions that violate security policies. DLP solutions can help detect insider threats by identifying abnormal data access patterns or unauthorized attempts to exfiltrate data.

Anomaly Detection: Employ machine learning and behavioral analytics techniques to establish baselines for normal user behavior. By continuously monitoring and analyzing user activities, deviations from the established patterns can be flagged as potential insider threats. Anomalies might include unusual login times, excessive data access or downloads, accessing unauthorized resources, or attempts to bypass security controls.

Privileged User Monitoring: Focus on monitoring activities of privileged users who have elevated access privileges. These users have more authority and control within the organization’s systems and pose higher risks if their accounts are compromised or they misuse their privileges. Monitoring their activities closely can help identify any suspicious actions.

Employee Monitoring and Reporting: Encourage employees to report any suspicious activities they observe among their colleagues. Establish clear channels for reporting concerns, ensuring confidentiality and protection against retaliation. Whistleblower programs can be useful in fostering a culture of awareness and accountability.

Security Information and Event Management (SIEM): SIEM tools collect and analyze logs from various systems and applications to detect security incidents. By correlating data from multiple sources, SIEM solutions can help identify patterns or events that indicate potential insider threats.

Continuous Evaluation and Background Checks: Conduct regular background checks on employees, especially those with access to sensitive information or critical systems. Implement periodic reviews to evaluate their continued eligibility for access privileges.

Data Access Controls: Implement strict access controls, least privilege principles, and role-based access management to ensure that employees only have access to the resources necessary to perform their job responsibilities. Regularly review and update access privileges to align with changing roles or responsibilities.

It’s important to note that while these methods can assist in detecting insider threats, no approach is foolproof. A comprehensive insider threat program combines technical measures with organizational policies, employee education, and proactive risk management to minimize the risk and impact of insider threats.

Monitor all data and its movement: Unusual file movement is a common red flag that might indicate an insider threat. By constantly scanning your systems, you can establish a baseline pattern of file movement and get the context needed to know if it’s risky. Activities outside of that normal pattern of behavior might indicate an insider threat and should be investigated in order of priority:

File exfiltrated: Removing a file from its original location using zip file, USB or even AirDrop could mean the data ends up in the wrong hands.

File destination: Ensure that company files are moved to destinations you trust rather than personal or unsanctioned cloud applications.

File source: Looking into the source can clue you into its potential danger. Suspicious file sources, such as attachments sent via ProtonMail, could be malware or ransomware in disguise.

User characteristics and behaviors: Investigate all potential signs of suspicious insider activities. Monitor excessive spikes in data downloading, moving data at unusual times of day or acquiring privileged access to high-value data.

Investigate unusual data behavior.

It isn’t enough to simply detect signs of a potential insider attack. It is important to follow up with robust investigation. Not all unusual behaviors will be problematic, but they should be investigated regardless. 

Creating new user accounts: Copying data that’s not related to their work. Using unauthorized applications. 

Renaming files for concealed exfiltration

Increasing access permissions

How to respond to insider threats

Arguably the most important step following insider threat detection is the response strategy that IT and security has in place.  While blocking data exfiltration upfront can be a “quick fix” to a data breach in progress, to reduce insider threat incidents over time, you will need to develop and execute a comprehensive response plan. 

Set expectations: Clearly communicate security policies with your users. By aligning on what is and what’s not acceptable when sharing data, you can hold employees accountable when these established rules are breached. 

Change behavior: Real time feedback and just-in-time training videos are crucial when working to improve a user’s security habits. These practices hold employees accountable and help them to follow best practices, which ultimately changes behavior over time. 

Contain threats: Even with training and holding employees accountable, insider threat data risks are inevitable. When they happen, the key is to minimize the damage by revoking or reducing access on a user level if necessary. Then you can investigate and determine the best course of action to remediate. 

Block activity for your highest risk users: Preventing your riskiest users from sharing data to unsanctioned destinations is a crucial step in your response plan. Blocking certain activities from those users allows the rest of your organization to work collaboratively without hindering productivity, all while knowing your data is safe from those likely to cause harm.

Responding to insider threats is no easy task. Staying vigilant with the right tools, processes and programs can keep your company ready when insider threats occur. 

Insider Threat Management with TMPC

Insider threats can have a devastating impact on an organization if not managed correctly. A departing employee from Yahoo.

In May 2022, Yahoo’s senior research scientist Qian Sang stole confidential information about Yahoo’s AdLearn product. The compromised data included 570,000 files containing source code, backend architecture information, secret algorithms, and other intellectual property. Sang downloaded this data to his personal storage devices minutes after receiving a job offer from one of Yahoo’s competitors. After discovering the incident, Yahoo has since filed three charges against Sang, including for IP data theft, asserting that his actions exposed the company’s trade secrets, giving competitors a significant edge. Regardless of the outcome of the charges, Yahoo has lost IP. 

Insider threats can have a devastating impact on an organization if not managed correctly. A huge downfall is that they tend to be more challenging than external attacks to detect and so security professionals continue to figure out the most effective way to contain them.

Security teams need better tools to detect insider threats, monitor data movement and respond to potential risks in real time. TMPC can assist your organization in doing this.

Set An Insider Threat Strategy

For more information, visit our site where you can find out more about proper Insider Threat Risk Management  and get in touch with our experts: