Blog :: Uncategorized

What are insider threats? Challenges, indicators, & more explained

insider threats

Insider threats bypass traditional security systems, which focus on the network perimeter. This is because, as the term suggests, the attack originates from behind most defense systems. Unfortunately, insider threats are more common than you may think. But this blog will arm you with the knowledge you need to start combating this insidious type of cyberattack.

What are insider threats?

The “insider” is anyone who has access to an organization’s systems, data, and/or security practices. This person could be a current or former employee, a contractor, or a business associate. They become a threat when they misuse that access to harm the organization.

An insider threat can be unwitting—e.g. a well-meaning but tech-unsavvy employee who falls for a vishing scam and gives away their credentials. Organizations can reduce this kind of risk with regular employee training. But the rest of this blog will focus on savvy insiders who are acting maliciously.

A quick search in the news yields many real-world examples.

For example, in 2017 Bupa Global acknowledged that an employee had accessed and removed information on 108,000 health insurance policies. Another, even more alarming case was the 2016 arrest of an NSA contractor for stealing highly classified code.

These examples clearly demonstrate that no organization is immune to insider threats. The NSA, which is likely one of the most security-focused organizations on the planet, was breached by an insider threat. So why would any of the rest of us fail to adopt security strategies that account for the possibility?

Insider threat challenges

In addition to bypassing perimeter defenses, insider threats are difficult to track. If the malicious insider is tech-savvy, they will cover their tracks by deleting files and logs as they go along. Furthermore, they tend to avoid using email to move the stolen data, since email is easy to track. Instead, they’ll likely transmit the data over file transfer protocol to an external server. And to make it even harder to track, they’ll transmit small amounts of data over a long period of time, i.e. low and slow.

You may notice that US-CERT documents certain behaviors as potential red flags—here meaning real-world, human behaviors. But in my humble opinion, this is a tenuous way to look for malicious insiders. Several of the behaviors, such as “interest in matters outside of the scope of their duties” are equally true of an eager employee looking to contribute more or earn a promotion. Making red flags of other behaviors listed, such as “financial difficulties” or “poor mental health,” puts you in danger of villainizing an employee who simply needs sympathy and support.

Instead, the strongest evidence you’ll find comes from patterns within the network data itself.

Insider threat indicators & detection best practices

In our experience, using network traffic analysis is the best way to find and respond to problems before they grow huge and costly. This means that rather than relying only on perimeter defenses to stop all cyberattacks, you’ll use flow and metadata exported by your network devices to monitor for odd patterns.

Here are some insider threat indicators that you can detect with network traffic analysis:

  • Actions in violation of your organization’s security policies and procedures
  • Unauthorized data access
  • Use of a single set of user credentials across many different servers and databases

Another added benefit to this approach is that it’s more suitable for detecting the low and slow patterns that malicious insiders tend to use. Some monitoring systems only report on top talkers; this is useful for some situations, but not suited to insider threat monitoring.

In his series on network forensics, my colleague Jake discusses the wealth of information you can pull from a single event using network traffic analysis.

  • IP address of host
  • User that was logged in during the event
  • Timeframe of anomalous behavior
  • Suspicious behaviors seen
  • Any lateral movement

We can also combine this with other data sources to see URLs, DNS queries, and applications used during this timeframe to help figure out not just whether they were an insider threat, but what they were after… A big benefit of collecting these types of telemetry data is the ability to go back in time to see how long this type of communication might have been happening!

— Jake Bergeron, Engineer, Plixer

It’s this kind of deep context that not only enables effective detection, but also informs an incident response plan and helps bolster your insider threat defense for the future.

Concluding thoughts

We need to move away from a pure focus on perimeter defense. While important, it fails against insider threats, which grow more and more prevalent.

For more reading on insider threats and how to stop them, check out some of our other articles: