These threats can come from current and former employees, contractors, or third-party partners, and can be motivated by financial gain, retaliation, negligence, or compromised accounts.
Understanding insider threats
Insider threats can be categorised into three main types:
• Malicious insiders: These are individuals who knowingly seek to steal information or disrupt operations. This may be driven by financial motives, retaliation, or a desire to harm the organisation.
• Negligent insiders: These are employees who unintentionally cause harm due to carelessness or failure to follow proper procedures. This can include actions like leaving computers unlocked or failing to apply security patches.
• Compromised insiders: These are employees whose accounts or devices have been taken over by an external attacker, typically through phishing or malware. Because the attacker operates with the employee's legitimate credentials, the compromised account serves as a foothold for further attacks and its activity is hard to tell apart from the employee's own.
Becoming compromised
There are a number of ways an organisation's employees can become compromised insiders.
One of the most common is via a phishing attack in which a targeted individual is contacted via email or text message by someone posing as a legitimate party in order to lure the individual into providing sensitive data. Some phishing schemes may also try to entice an employee to click on a link that triggers a malware download.
Another method is malware infection: malicious software installed on an employee's machine to harvest sensitive information or user credentials. An infection can be initiated by clicking on a link, opening a downloaded file, or plugging in an infected USB key.
Yet another method is credential theft which involves the capture of a username and password of a targeted individual. This can be achieved through phishing and malware infection as well as social engineering techniques.
Finally, there are what are known as 'pass-the-hash' attacks. Windows stores and authenticates with a hash of the user's password (the NT hash) rather than the password itself, and the NTLM challenge-response protocol can be completed by anyone who holds that hash. An attacker who extracts hashes from the memory or local account database of one compromised machine can therefore authenticate to other machines on the network as those users without ever cracking or knowing the plaintext password. Conceptually it is a password theft attack in which the hash stands in for the password, which is why the hash must be protected as carefully as the password itself.
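To make that last point concrete, the following is an added example written for this page; it is not code from the original article. It implements the NT hash (MD4 over the UTF-16LE password) and the NTLMv2 challenge-response from MS-NLMP, then shows that a party holding only the stolen hash produces exactly the response a legitimate client would, so the server cannot distinguish the two. The user name, domain, password, server challenge and blob contents are constructed values for the demonstration, and the blob is simplified to a fixed byte layout rather than a full AV-pair list.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Included because OpenSSL 3 builds of
    hashlib often ship without the legacy md4 algorithm."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    # pad to 56 mod 64, then append the 64-bit little-endian bit length
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r3_idx = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, message words taken column-wise
            a = _rotl((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK32,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl((a + h(b, c, d) + x[r3_idx[i]] + 0x6ED9EBA1) & MASK32,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def ntlm_hash(password: str) -> bytes:
    """NT hash (MS-NLMP NTOWFv1): MD4 over the UTF-16LE password. This is what the
    SAM/NTDS database stores and what LSASS keeps in memory for a logged-on user."""
    return md4(password.encode("utf-16-le"))


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """MS-NLMP NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return _hmac_md5(nt_hash, (user.upper() + domain).encode("utf-16-le"))


def ntlmv2_response(nt_hash, user, domain, server_challenge, blob):
    """Client side: NTProofStr || blob. The only secret input is nt_hash."""
    proof = _hmac_md5(ntowf_v2(nt_hash, user, domain), server_challenge + blob)
    return proof + blob


def server_verify(stored_nt_hash, user, domain, server_challenge, response):
    """Server/DC side: recompute NTProofStr from the stored hash and compare."""
    proof, blob = response[:16], response[16:]
    expected = _hmac_md5(ntowf_v2(stored_nt_hash, user, domain), server_challenge + blob)
    return hmac.compare_digest(proof, expected)


def demo():
    """Three authentication attempts against one stored hash (all values constructed)."""
    user, domain, password = "alice", "CORP", "Summer2024!"
    stored = ntlm_hash(password)                           # what the DC holds
    server_challenge = bytes.fromhex("0123456789abcdef")    # 8-byte server nonce
    # Simplified NTLMv2 blob ("temp" in MS-NLMP): version bytes, reserved,
    # timestamp, client nonce, reserved, empty AV-pair list, reserved.
    blob = (b"\x01\x01" + bytes(6) + struct.pack("<Q", 0x01DA6F0000000000)
            + bytes.fromhex("aabbccddeeff0011") + bytes(4) + bytes(4) + bytes(4))

    legit = ntlmv2_response(ntlm_hash(password), user, domain, server_challenge, blob)
    pass_the_hash = ntlmv2_response(stored, user, domain, server_challenge, blob)  # hash only
    wrong = ntlmv2_response(ntlm_hash("guess"), user, domain, server_challenge, blob)
    return {
        "legit_ok": server_verify(stored, user, domain, server_challenge, legit),
        "pth_ok": server_verify(stored, user, domain, server_challenge, pass_the_hash),
        "wrong_ok": server_verify(stored, user, domain, server_challenge, wrong),
    }


if __name__ == "__main__":
    print(demo())  # {'legit_ok': True, 'pth_ok': True, 'wrong_ok': False}
```

The example needs `hashlib.md5`, which some FIPS-only Python builds disable. The `pass_the_hash` response is byte-for-byte identical to the legitimate one because the password never enters the protocol after the hash is derived; that is the whole reason dumped hashes are treated as live credentials.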
A growing threat
Overall, insider threats are a growing problem, as evidenced by data in a recent Ponemon study. It found that 60% of organisations experienced more than 30 insider-related incidents per year. Of those reported, 62% were attributed to negligence while 23% of incidents were attributed to criminal insiders. The report also found that 14% of insider-related incidents were attributed to user credential theft.
Insider threats are particularly challenging to detect because the threat actor has legitimate access to the organisation's systems and data. This makes it difficult to distinguish between normal and malicious behaviour.
Mitigation strategies
Thankfully, there is a wide range of proactive steps that organisations can take to mitigate the risk of insider threats. These steps include:
• Employee training: Conduct regular security awareness training to educate employees about the risks of insider threats and best practices for protecting sensitive information. Focus on topics such as phishing prevention, password security, and recognising suspicious activity.
• Co-ordination between IT security and HR: Establish strong communication and collaboration between IT security and HR departments to identify potential risks and address employee concerns proactively.
• Employ user behavioural analytics (UBA): Use UBA tools to monitor user behaviour and identify anomalies that may indicate insider threats.
• Implement access controls and review privileges: Restrict access to sensitive information and systems based on job roles and responsibilities, so that employees hold only the privileges their duties require. Review entitlements regularly and remove access promptly when someone changes role or leaves the organisation.
• Monitor network traffic: Use network monitoring tools to detect unusual activity that may indicate insider threats.
• Conduct security audits: Conduct regular security audits to identify vulnerabilities and weaknesses that could be exploited by insiders.
• Leverage AI and machine learning: AI and machine learning can be used to analyse vast amounts of data and identify patterns that may indicate insider threats.
• Stay updated on emerging threats: Keep abreast of the latest insider threat trends and techniques to ensure that your organisation's security measures are up-to-date.
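As an added illustration of the behavioural-analytics and monitoring points above (example code written for this page, not from the original article or any vendor's product), the following Python builds a per-user baseline from a few days of constructed access-log lines and then flags later events that deviate from it: a source host the user has never used, activity outside the user's usual hours, or an outbound volume far above their norm. The log format, users, hosts, time window and thresholds are all assumptions made for the example.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data for this example, not taken from any real system.
# One event per line: <ISO-8601 timestamp> <user> <source host> <action> <bytes out>
BASELINE_LOG = """\
2024-03-04T09:02:11 alice WS-ALICE file_read 1200
2024-03-04T13:30:45 alice WS-ALICE file_read 2400
2024-03-05T10:12:03 alice WS-ALICE file_write 900
2024-03-06T16:45:19 alice WS-ALICE file_read 3100
2024-03-04T08:55:02 bob WS-BOB file_read 5000
2024-03-05T09:20:40 bob WS-BOB file_copy 7200
2024-03-06T17:05:27 bob WS-BOB file_read 4100
2024-03-07T15:40:08 bob WS-BOB file_read 6300
"""

EVAL_LOG = """\
2024-03-11T10:15:00 alice WS-ALICE file_read 1500
2024-03-11T23:40:00 alice WS-ALICE file_read 1500
2024-03-12T11:00:00 alice SRV-FIN01 file_read 1800
2024-03-12T14:00:00 bob WS-BOB file_copy 850000
"""


def parse(log_text):
    """Turn raw log lines into event dicts; blank lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, nbytes = line.split()
        events.append({"ts": ts, "hour": datetime.fromisoformat(ts).hour,
                       "user": user, "host": host, "action": action, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per-user profile: hosts seen, working-hour window, outbound-volume threshold."""
    per_user = {}
    for e in events:
        p = per_user.setdefault(e["user"], {"hosts": set(), "hours": [], "bytes": []})
        p["hosts"].add(e["host"])
        p["hours"].append(e["hour"])
        p["bytes"].append(e["bytes"])
    baseline = {}
    for user, p in per_user.items():
        mu, sd = mean(p["bytes"]), pstdev(p["bytes"])
        baseline[user] = {
            "hosts": p["hosts"],
            # one hour of slack either side of the observed working window
            "hour_min": min(p["hours"]) - 1,
            "hour_max": max(p["hours"]) + 1,
            # 3-sigma volume threshold; fall back to 3x mean if volume never varied
            "bytes_thr": mu + 3 * sd if sd > 0 else 3 * mu,
        }
    return baseline


def score(events, baseline):
    """Return (user, ts, reasons) for each event that deviates from its user's baseline."""
    alerts = []
    for e in events:
        p = baseline.get(e["user"])
        if p is None:
            alerts.append((e["user"], e["ts"], ("no_baseline",)))
            continue
        reasons = []
        if e["host"] not in p["hosts"]:
            reasons.append("new_host")
        if not p["hour_min"] <= e["hour"] <= p["hour_max"]:
            reasons.append("off_hours")
        if e["bytes"] > p["bytes_thr"]:
            reasons.append("volume")
        if reasons:
            alerts.append((e["user"], e["ts"], tuple(reasons)))
    return alerts


def detect(baseline_log=BASELINE_LOG, eval_log=EVAL_LOG):
    return score(parse(eval_log), build_baseline(parse(baseline_log)))


if __name__ == "__main__":
    for user, ts, reasons in detect():
        print(f"{ts} {user}: {', '.join(reasons)}")
```

Each alert carries the rule that fired, so an analyst can see at a glance whether it was an unfamiliar host, an odd hour or an unusual volume; real UBA products apply the same baseline-and-deviation idea across many more signals and learn the thresholds rather than hard-coding them.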
By implementing these strategies and managing insider threats proactively rather than reactively, organisations can significantly reduce the risk posed by malicious, negligent and compromised insiders and better protect their sensitive information and systems.