Identifying insider threats and fortifying your organization against them
An insider threat is any malicious or unintended security risk posed by an organization's trusted individuals having either legitimate or unauthorized access to the organization's resources. Insider attacks can be initiated not only by current employees, but also by former employees, partners, or contractors who may or may not be authorized to access company resources.
In this blog, we'll classify insider threats based on their motivations, and lay out an eight-step plan to initiate an insider threat prevention program in your organization.
Types of insiders and their motivations:
Based on their motivations, insiders can be classified into four types.
- Job seekers
Job seekers are a category of people who seek a change in career, have recently been hired at another company, or want to start their own company. Some of the characteristics exhibited by job seekers are frequent absenteeism and medical emergencies. They also publicly express their discontent towards the organization.
The attack becomes more dangerous when the job seekers recruit other employees into their schemes, and they tend to steal intellectual property from other servers and departments. This kind of behavior is exhibited by job seekers who have privileged access to sensitive information such as engineers, scientists, programmers, sales personnel, etc.
- Unhappy employee
As the name suggests, employees who are not satisfied with the organization fall under this category. They may be disgruntled due to a poor performance review or inadequate compensation, or believe the organization doesn't treat them fairly, and want to take revenge. These unhappy employees tend to speak ill of the company and display vindictive behavior.
Unhappy employees who possess the technical acumen to damage the IT infrastructure of the organization may carry out activities such as planting malware in systems or rendering critical servers unavailable, an attack known as IT sabotage. IT administrators, database administrators, and programmers who are technically sound and privileged users are more likely to carry out this insider attack.
- Data uploaders
Data uploaders are the type of employees who do not diligently follow the organization's data protection regulations, and upload data to unauthorized platforms, whether unintentionally or intentionally.
- Unintentional data uploaders: Also known as negligent employees, they may be unaware or ignorant of the organization's cybersecurity best practices, exposing it to constant threats and shadow IT problems. These activities may include sending official data to their personal email addresses, using third-party applications to process data, reluctance to use network shares within the organization, and so on. This category of insiders is not restricted to any particular job profile.
- Intentional data uploaders: These insiders have malicious intent and steal sensitive data to commit identity fraud for personal gain. The personally identifiable information (PII) they collect can be used to fabricate fake identities and used for illegal activities.
- Sellers
This type of insider is recruited unethically by another organization for procuring sensitive data. The insider may be blackmailed or offered monetary rewards for providing the data. Generally, employees in the lower salary range and who are not technically sound, such as receptionists and data entry operators, are more likely to indulge in insider fraud since they're financially motivated.
Implementing an insider threat program in your organization
Organizations need to formulate their own insider threat detection program to evaluate risks, clearly define IT security policies, and train and monitor the employees to minimize the risks of insider threats. Here’s a basic outline for organizations to get started on an insider threat program.
Step 1: Get buy-in from your executives
For a compelling business case, address the following questions:
- By how much will the business benefit from the insider threat program?
- How will this program enable the business to achieve its objectives?
- How will this program improve the productivity of the business?
Step 2: Identify the stakeholders
With respect to the insider threat program, some of the main stakeholders are:
- The executives who sanction these types of internal programs.
- The IT team, which has privileged access to networked resources.
- The legal team, which ensures data compliance.
- Managers from different departments who are data owners.
- The HR team, which can provide details about abnormal employee behavior.
- The insider threat team, which would collate, analyze the reports, and identify potential insider threats.
The HR team and insider threat team must work closely to map employees' physical behavior with their cyberactivities to recognize potential attackers.
Step 3: Define clear policies
Set clear policies for employees to understand what is acceptable behavior for data usage.
To restrict data access based on employee profile, one or more of the following methods can be implemented:
- Identity and access management (IAM) plays a big role in executing the principle of least privilege (POLP), where only employees with business requirements are given access to the respective data. It's a good security practice for organizations to review access controls at least every three months.
- Implementing risk-based access control is another method to ensure data is accessible only to the right people. To do this, you must analyze each employee's role in the organization and establish a risk profile. Then, the employee has access to a data asset only if their job really demands it, and if it's allowed for someone in that risk profile.
- Attribute-based access control (ABAC) is even more secure, and is a next generation authorization model. This access control model uses three different attribute types, namely user attributes, resource attributes, and environment attributes to define access control rules and process access requests. For example, ABAC would permit only users whose attributes match type=employees and department=marketing to access the marketing system, and only during business hours within the same timezone as the company.
Step 4: Perform comprehensive risk assessment
All the data assets in the organization must be ranked from the most to the least risky.
Risk: The risk involved in a data asset.
Vulnerability: A point of security compromise for an endpoint in a network.
Threats: Any opportunity or motive that can lead to compromise of the data asset. A threat to a data asset can be predicted by analyzing historical trends.
Business impact: The negative impact on a business in case of a data breach.
Step 5: Establish concrete rules
For a systematic approach towards data protection:
- Clearly document security policies for monitoring user and entity activities, and create adequate awareness among the employees.
- Launch investigations in the event of a data breach.
- Reprimand malicious insiders.
- Take actions so risky behavior does not recur.
Step 6: Know your people
Most organizations conduct pre-employment screenings and background checks before the employee joins the organization. It's of the utmost importance to monitor the following traits when the employee is on the job:
- Employees who disagree with company policies
- Disagreements with coworkers
- Odd working hours
- Frequent absence
- Unusual travel
- Fear of layoff
- Difference in ideology
Training sessions should be conducted on the best cybersecurity practices, the importance of reporting suspicious employee behavior, compliance and regulatory requirements, privacy policies, and how third parties may recruit insiders. Customizing these sessions based on the employees' roles and the kind of data they have access to will lead to a more effective program.
Step 7: Set the right administrative controls
The following documents enable organizations to establish a secure environment that is in compliance with IT security regulations:
- Incident response plan
- Employee onboarding and user provisioning process
- Employee separation and user deprovisioning process
- IT acceptable use policy
- Intellectual property policy
- Social media policy
- Non-disclosure agreements with employees
- Non-disclosure agreements with partners
- Disciplinary action procedures
Step 8: Implement the right monitoring and detection technologies
Employ an able IT team, along with tools like Log360 that can do the following:
- Detect all the telltale signs of an insider attack
- Generate customized reports
- Be alerted on what is happening within your environment
- Take action for immediate resolution
Let's consider the following scenario.
PRIXIE is a global e-commerce platform that sells branded apparel. Roodie is a customer service executive at PRIXIE whose job involves addressing customer queries regarding package delivery date, exchanges, refund processing, and discounts. She has always fancied owning fashionable clothes but cannot afford it.
One day, overcome by greed, she takes advantage of her position and changes the delivery addresses of several customer orders to her own, and excitedly awaits the delivery of the shipments. However, she doesn't realize that PRIXIE uses Log360 to monitor privileged accounts. Log360 employs user and entity behavior analytics (UEBA) to observe the behavior of employees, and establishes a baseline profile for each of them. Any deviation from regular behavior increases their risk score and alerts the IT administrators.
The IT team at PRIXIE is alerted about Roodie's unusual behavior in real time as she modified several addresses in the customer database within a short span of time. They revoke her privileges immediately and restore the correct delivery addresses, protecting PRIXIE from falling prey to insider fraud and potential damage to its reputation.
Follow the eight-step plan to get started with your insider threat protection journey. ManageEngine's Log360 can make insider threat detection and prevention a seamless experience.
How Log360 detects insider threats
- Log collection: Every action performed by a user account or on a networked device in an organization's IT network generates event logs. Log360 collects all these logs for further processing.
- Log processing: Logs collected from various sources are parsed to convert the unstructured data into workable groups based on relevant attributes. Once the logs have been parsed, essential data is identified and mapped to distinguish between normal and abnormal activities. This process is known as log normalization. Normalized log data is then stored in indexed files for easy querying and to accelerate retrieval and interpretation.
- Event correlation: Correlating log data helps in determining if the various log sources correspond to one specific event that poses a threat to network security. It plays a crucial role in identifying anomalous activities within the network, preventing attacks.
- Real-time alerting: Log360 provides instant alerts through email and SMS, which are segregated based on the criticality of the potential threat. The product can also carry out an incident workflow associated with an alert, doing away with the need for manual response. With multiple options available, organizations can be sure that no security events are overlooked.
- Reporting and forensic analysis: The several out-of-the-box reports generated by Log360 play an important role in understanding user behavior, detecting threats, and preventing an attack before it occurs. The reports serve as firsthand forensic evidence in analyzing where the network was compromised, and trace how an attack was carried out.
About Log360
Log360 collects and analyzes log data from devices across your network in real time. Its reporting console, correlation engine, real-time event response system, and search engine work together to provide even the smallest details on your network's security.