The CERT Insider Threat Center, a research arm of Carnegie Mellon University’s Software Engineering Institute (SEI), defines an insider threat as: “…the potential for individuals who have or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.”
More broadly, an insider threat is a threat to an organization that comes from people within it, such as employees, former employees, contractors or business associates, who have inside knowledge of the organization’s security practices, data and computer systems. The threat may involve fraud, theft of confidential or commercially valuable information, theft of intellectual property, or sabotage of computer systems. Insider threats can expose an organization to a wide range of cybersecurity hazards precisely because insiders are trusted and sit close to the data and systems most at risk.
Anthem was hit with an insider theft that exposed the personal data of more than 18,000 Medicare members. Anthem’s Medicare insurance coordination services vendor learned in April 2017 that one of its employees had been stealing and misusing Medicare member data since as early as July 2016.
Target’s highly publicized 2013 payment card breach began with network credentials issued to a third-party vendor (another form of insider access) being stolen and used far outside their intended purpose. That credential access let the attackers exploit weaknesses in Target’s payment systems, reach a customer database and install malware. They were then able to steal personally identifiable information (PII) of Target’s customers, including names, phone numbers, email addresses, payment card details, card verification codes and more.
One dramatic example is that of Greg Chung, who spied for China while employed at Rockwell and later Boeing, stealing hundreds of boxes of documents relating to military and spacecraft programs from 1979 until he was finally caught in 2006. There is probably no way to put a dollar figure on the amount of data stolen or to fully work out the repercussions of its theft.
The insider threat has posed significant challenges to the U.S. government, from the millions of documents taken by former contractor Edward Snowden to the more recent breach in which sensitive personal data of tens of millions of federal employees was lifted, which not only puts individuals at risk but also compromises certain operational practices of the U.S. military and intelligence community.
Sometimes user negligence leads to the biggest insider incidents. In the case of RSA (the security division of EMC), employees opening targeted phishing emails led to a successful advanced persistent threat intrusion in 2011 that compromised information related to its SecurID two-factor authentication tokens; the full extent was never publicly detailed, and RSA subsequently offered to replace tokens for its customers, with figures of around 40 million tokens reported. The attack showed that no one, including security firms themselves, is immune to breaches that begin with an insider’s mistake.
Across all companies and departments, insider threats are on the rise. The Osterman Research white paper White Hat, Black Hat and the Emergence of the Gray Hat: The True Costs of Cybercrime finds that insider threats account for a quarter (two) of the eight serious cybersecurity risks that significantly affect the private and public sectors. Put another way, an organization’s current and former employees, third-party vendors, contractors, business associates, office cleaning staff and other parties with physical or digital access to company resources, critical systems and networks are collectively ranked alongside ransomware, spear phishing and nation-state attacks.
Companies traditionally look outward for security threats; they should also look inward at their most trusted asset, their employees. Employees have access to sensitive information, especially in customer service roles, and they can act negligently or maliciously, exposing sensitive data knowingly or unknowingly. Perimeter controls such as firewalls do little against these threats, because trusted insiders already hold legitimate access and know where the company is vulnerable.
Technology to Find the Next Insider Threat
Organizations must implement ways to monitor and evaluate employees continually. Advanced monitoring tools that identify life stressors, strong emotions and atypical behavior can provide early warning of potential misconduct, or spot small-scale malicious acts before they become something more sinister, writes Daniel McGarvey, a counterintelligence expert at Alion Science and Technology.
An initially loyal employee does not suddenly transform into a malicious insider. “The path to a significant destructive act is marked by small infractions that grow in response to mounting personal and professional stress. Employees who engage in one type of counterproductive behavior will often engage in others. Minor misdeeds can escalate into severe transgressions,” writes Daniel McGarvey.
Data on an employee’s non-work activities, such as arrest records, court records and credit bureau reports, can also reveal concerning behavior, though any such collection has to stay within the limits of employment and privacy law. Personality-mapping tools use psycholinguistic analysis to identify personality traits that may predispose an employee to commit destructive acts.
Target’s breach taught that you need visibility not only into the behavior of your own direct employees, but also into the contractors and third-party vendors who have access to your systems and data. These third-party insiders are often the conduit for credential theft and other insider threat incidents.
User Behavior Analytics (UBA)
The idea behind UBA is that there is no way to know in advance which users or machines are good or bad. So you assume any of them may be, treat the network as already compromised, and continuously monitor and model everything’s behavior to find the bad actors. UBA focuses on what the user is doing: applications launched, network activity and, most critically, files accessed (when a file or email was touched, who touched it, what was done with it and how often).
“Old security models have no room for insider threats. As companies pour millions into preventing outside attackers from gaining entrance to their network, they operate under the assumption that those who are granted internal access in the first place are trustworthy,” writes Chloe Green. One survey of 355 IT professionals found that 61% said they couldn’t deter insider attacks, and 59% admitted they were unable to even detect one.
UBA uses modeling to establish what normal behavior looks like, then searches for patterns of usage that indicate unusual or anomalous behavior, regardless of whether the activity comes from an external attacker, an insider, or even malware or other processes. UBA will not prevent an attacker or insider from getting into your systems, but it can quickly spot their work and limit the damage.
Derek Lin, Chief Data Scientist at Exabeam, and his team use a variety of supervised and unsupervised machine learning algorithms to detect anomalous patterns of user behavior, gleaned from sources such as server logs, Active Directory entries and virtual private network (VPN) logs. UBA then applies big-data and machine learning techniques to assess the risk of user activity in near real time.
Lin tells Datanami: “For every user and entity on the network, we try to build a normal profile – this is where the statistical analysis is involved. And then on a conceptual level, we’re looking for deviations from the norm…. We use the behavior based approach to find anomalies in the system and surface them up for the security analyst to look at.”
Next, UBA performs risk modeling. Anomalous behavior is not automatically treated as a risk; it must first be evaluated in light of its potential impact. If apparently anomalous activity involves resources that are not sensitive, such as conference room scheduling information, the potential impact is low, whereas an attempt to access sensitive files such as intellectual property carries a higher impact score.
“Consequently, risk to the system posed by a particular transaction is determined using the formula Risk = Likelihood x Impact,” says Saryu Nayyar, CEO of Gurucul. Likelihood refers to the probability that the user behavior in question is anomalous, and is determined by behavior modeling algorithms. Impact is based on the classification and criticality of the information accessed and on what controls have been imposed on that data.
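The pipeline described in the UBA paragraphs above (a per-user baseline, deviation scoring, then Risk = Likelihood x Impact), as an added Python example written for this page; it is not Exabeam’s or Gurucul’s product logic. The log format, the path-to-impact classification map, the scoring weights and the sample log lines are all constructed assumptions.

```python
# Added example, not from the page: a minimal UBA pipeline that builds per-user
# baselines, scores deviations and ranks them by Risk = Likelihood x Impact.
# Log format, classification map and scoring weights are illustrative assumptions.
from collections import defaultdict, namedtuple
from datetime import datetime
import math

# Constructed sample logs: "<ISO timestamp> <user> <action> <resource>"
BASELINE_LOGS = """\
2024-03-04T09:02:00 alice file_read /shared/rooms/schedule.xlsx
2024-03-04T14:30:00 alice file_read /eng/docs/design.md
2024-03-05T09:10:00 alice file_read /shared/rooms/schedule.xlsx
2024-03-05T15:05:00 alice file_read /eng/docs/design.md
2024-03-04T10:00:00 bob file_read /hr/payroll.csv
2024-03-04T11:00:00 bob file_read /hr/payroll.csv
2024-03-05T10:05:00 bob file_read /hr/payroll.csv
2024-03-05T11:30:00 bob file_read /hr/payroll.csv
""".splitlines()
NEW_LOGS = """\
2024-03-07T09:15:00 alice file_read /shared/rooms/schedule.xlsx
2024-03-07T02:05:00 alice file_read /eng/ip/rocket_nozzle.pdf
2024-03-07T02:07:00 alice file_read /eng/ip/wing_loads.pdf
2024-03-07T02:09:00 alice file_copy /eng/ip/wing_loads.pdf
2024-03-07T02:12:00 alice file_read /eng/ip/thermal_tiles.pdf
2024-03-07T10:00:00 bob file_read /hr/payroll.csv
2024-03-07T10:30:00 bob file_read /shared/rooms/schedule.xlsx
2024-03-07T11:00:00 bob file_read /hr/payroll.csv
2024-03-07T14:00:00 carol file_read /shared/rooms/schedule.xlsx
""".splitlines()

# Hypothetical data classification: impact 1 (public) up to 5 (crown jewels)
IMPACT_BY_PREFIX = {"/shared/rooms/": 1, "/eng/docs/": 2, "/hr/": 3, "/eng/ip/": 5}
Event = namedtuple("Event", "ts user action resource")
Profile = namedtuple("Profile", "hours resources daily_mean daily_std")
RiskScore = namedtuple("RiskScore", "user likelihood impact risk reasons")

def parse(lines):
    """Parse log lines; malformed lines are skipped rather than crashing the pipeline."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4:
            events.append(Event(datetime.fromisoformat(parts[0]), *parts[1:]))
    return events

def by_user(events):
    groups = defaultdict(list)
    for e in events:
        groups[e.user].append(e)
    return groups

def build_profiles(events):
    """Baseline per user: usual hours, usual resources, mean/std of events per day."""
    profiles = {}
    for user, evs in by_user(events).items():
        per_day = defaultdict(int)
        for e in evs:
            per_day[e.ts.date()] += 1
        counts = list(per_day.values())
        mean = sum(counts) / len(counts)
        std = math.sqrt(sum((c - mean) ** 2 for c in counts) / len(counts))
        # A flat baseline (std 0) gets a floor of 1.0 so volume spikes still register.
        profiles[user] = Profile({e.ts.hour for e in evs}, {e.resource for e in evs},
                                 mean, std if std > 0 else 1.0)
    return profiles

def impact_of(resource):
    """Impact from the most specific classified path prefix; unclassified data scores 1."""
    best, best_len = 1, -1
    for prefix, score in IMPACT_BY_PREFIX.items():
        if resource.startswith(prefix) and len(prefix) > best_len:
            best, best_len = score, len(prefix)
    return best

def score_window(profiles, events):
    """Score one day of activity per user and rank by Risk = Likelihood x Impact."""
    scores = []
    for user, evs in by_user(events).items():
        n, reasons, prof = len(evs), [], profiles.get(user)
        if prof is None:
            likelihood = 1.0  # nothing is known about this user, so nothing is "normal"
            reasons.append("no baseline for user")
        else:
            off_hours = sum(e.ts.hour not in prof.hours for e in evs) / n
            novel = sum(e.resource not in prof.resources for e in evs) / n
            z = (n - prof.daily_mean) / prof.daily_std
            volume = max(0.0, min(1.0, z / 3.0))  # saturates three sigma above normal
            likelihood = min(1.0, 0.4 * off_hours + 0.4 * novel + 0.2 * volume)
            if off_hours:
                reasons.append(f"{off_hours:.0%} of events outside usual hours")
            if novel:
                reasons.append(f"{novel:.0%} of events on never-seen resources")
        impact = max(impact_of(e.resource) for e in evs)
        scores.append(RiskScore(user, likelihood, impact, likelihood * impact, reasons))
    return sorted(scores, key=lambda s: s.risk, reverse=True)

if __name__ == "__main__":
    for s in score_window(build_profiles(parse(BASELINE_LOGS)), parse(NEW_LOGS)):
        print(f"{s.user:6} risk={s.risk:.2f} likelihood={s.likelihood:.2f} impact={s.impact} {s.reasons}")
```

Running it ranks alice first (off-hours reads of never-touched /eng/ip files, five times her usual daily volume, against the highest-impact data), then carol (no baseline at all, so fully anomalous, but only the low-impact room schedule), and bob last: his one new file is the public schedule, so a low likelihood times a medium impact stays below the two. That ordering is the point of multiplying likelihood by impact rather than alerting on anomaly alone.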
“As insider and persistent threats become more sophisticated and frequent, organizations must employ security intelligence capabilities that can quickly assess, identify and analyze user behavior against risk tolerance,” said Mike Armistead, general manager, HP Security, ArcSight.
Data Loss Prevention (DLP)
DLP is a set of rules and processes for keeping sensitive data safe. The technology first classifies critical data, then applies violation procedures so that a threat can be contained quickly. DLP is built on basic building blocks such as customizable alerts, monitoring, encryption and other prevention methods. It has a long history in risk mitigation and is now increasingly used as part of insider threat prevention; as the technology matures, it can better recognize combinations of sensitive data elements and actively watch for exfiltration.
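The classify-then-act loop above, as an added Python example that is not code from the page or from any DLP product: it inspects outbound text for payment card numbers (validated with the Luhn checksum so that ordinary digit runs are not flagged), US SSN-shaped strings and a CONFIDENTIAL marking, then applies a hypothetical violation procedure based on the classification level and on whether the recipient is external. The patterns, internal domain and action names are assumptions.

```python
# Added example, not from the page: content-inspection DLP with a violation procedure.
# Patterns, classification levels, domains and actions are illustrative assumptions.
from dataclasses import dataclass
import re

INTERNAL_DOMAINS = {"corp.example"}  # hypothetical
LEVEL_RANK = {"public": 0, "confidential": 1, "restricted": 2}
# 13-19 digit card numbers, optionally separated by spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # US SSN shape
MARKING_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    kind: str
    level: str
    evidence: str  # masked: the DLP log must not become a second copy of the secret

@dataclass(frozen=True)
class Decision:
    action: str
    level: str
    findings: tuple

def luhn_ok(digits):
    """Luhn checksum; filters out order numbers and other digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    return "*" * (len(digits) - 4) + digits[-4:]

def classify(text):
    """Return (highest classification level, findings) for one piece of content."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("PAN", "restricted", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("SSN", "restricted", mask(m.group().replace("-", ""))))
    m = MARKING_RE.search(text)
    if m:
        findings.append(Finding("marking", "confidential", m.group()))
    level = max((f.level for f in findings), key=LEVEL_RANK.get, default="public")
    return level, tuple(findings)

def decide(text, recipient_domain):
    """Apply the violation procedure for one outbound message."""
    level, findings = classify(text)
    external = recipient_domain not in INTERNAL_DOMAINS
    if level == "restricted" and external:
        action = "block"
    elif level == "restricted":
        action = "allow_and_log"  # internal handling of regulated data is allowed but recorded
    elif level == "confidential" and external:
        action = "quarantine"     # hold for review; a marking alone may be a false positive
    else:
        action = "allow"
    return Decision(action, level, findings)

if __name__ == "__main__":
    for msg, dom in [("Customer card 4111 1111 1111 1111 expires 12/26", "gmail.com"),
                     ("Order ref 4111111111111112 shipped", "gmail.com"),
                     ("CONFIDENTIAL: Q3 roadmap attached", "partner.example")]:
        print(dom, decide(msg, dom))
```

Two design choices matter here: the Luhn check keeps a 16-digit order number from tripping the rule, and the evidence stored in each finding is masked, because a DLP alert queue that holds full card numbers is itself a data store an insider can read.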
Privileged Access Management
A privileged user is an individual with direct authority to manipulate and influence a company’s data. Privileged Access Management (PAM) is the software that helps you prevent misuse of that access. With administrative rights, an insider can divulge and manipulate data at will. PAM monitors and authorizes privileged users across all important systems in the company, and it is one of the most foundational controls for insider threat mitigation.
No single technology or technique will be a panacea. Through carefully designed programs that combine technology, human resources, comprehensive security policies and effective leadership, government agencies and private companies can mitigate insider threat risks in ways that preserve employee privacy and assist at-risk employees before they do damage. It may prevent the next Edward Snowden, a development that would benefit both the country and the individual who is diverted from a destructive path, writes Daniel McGarvey.
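What “monitors and authorizes privileged users” looks like in practice, as an added Python example that is not code from the page or from any PAM vendor: a just-in-time broker that only issues time-bounded privileged roles backed by a second person’s approval and a change ticket, checks every privileged command against the granted role, can revoke a grant early, and writes an audit record for each decision. The policy, system, role and command names are hypothetical.

```python
# Added example, not from the page: a minimal just-in-time privileged access broker.
# Systems, roles, commands, tickets and approvers below are hypothetical.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical policy: roles per system, commands each role may run, longest grant.
POLICY = {
    "prod-db": {
        "dba": {"commands": {"backup", "restore", "show-status"}, "max_ttl_min": 60},
        "reader": {"commands": {"show-status"}, "max_ttl_min": 480},
    },
}

@dataclass
class Grant:
    user: str
    system: str
    role: str
    approver: str
    ticket: str
    expires_at: datetime

@dataclass
class PrivilegeBroker:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # append-only trail for the analyst

    def _log(self, now, **fields):
        self.audit.append({"at": now.isoformat(), **fields})

    def request(self, user, system, role, approver, ticket, ttl_min, now):
        """Issue a time-bounded grant if policy allows; returns the Grant or None."""
        rule = POLICY.get(system, {}).get(role)
        if rule is None:
            reason = "unknown system or role"
        elif approver == user:
            reason = "self-approval not allowed"
        elif ttl_min > rule["max_ttl_min"]:
            reason = "ttl exceeds policy maximum"
        else:
            grant = Grant(user, system, role, approver, ticket, now + timedelta(minutes=ttl_min))
            self.grants.append(grant)
            self._log(now, event="grant", user=user, system=system, role=role,
                      approver=approver, ticket=ticket, expires=grant.expires_at.isoformat())
            return grant
        self._log(now, event="grant_denied", user=user, system=system, role=role, reason=reason)
        return None

    def active_grant(self, user, system, now):
        for g in self.grants:
            if g.user == user and g.system == system and now < g.expires_at:
                return g
        return None

    def authorize(self, user, system, command, now):
        """Decide one privileged command against the user's active grant; always logged."""
        grant = self.active_grant(user, system, now)
        if grant is None:
            reason = "no active grant"
        elif command not in POLICY[system][grant.role]["commands"]:
            reason = f"command not permitted for role {grant.role}"
        else:
            self._log(now, event="allow", user=user, system=system, command=command,
                      role=grant.role, ticket=grant.ticket)
            return True
        self._log(now, event="deny", user=user, system=system, command=command, reason=reason)
        return False

    def revoke(self, user, system, now, reason):
        """Cut active grants short, e.g. when behavior analytics flags the user."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if not (g.user == user and g.system == system)]
        self._log(now, event="revoke", user=user, system=system, reason=reason,
                  revoked=before - len(self.grants))
        return before - len(self.grants)

if __name__ == "__main__":
    broker, t0 = PrivilegeBroker(), datetime(2024, 3, 7, 9, 0)
    broker.request("alice", "prod-db", "dba", "carol", "CHG-42", 30, t0)
    broker.authorize("alice", "prod-db", "backup", t0 + timedelta(minutes=10))
    broker.authorize("alice", "prod-db", "drop-schema", t0 + timedelta(minutes=10))
    for entry in broker.audit:
        print(entry)
```

The three constraints that do the work are the separate approver (no self-elevation), the policy-capped expiry (standing admin rights are what an insider abuses at leisure), and the command allow-list tied to the role rather than to the account; the audit list is what UBA or an investigator would later read.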