Insider threat prevention

A complete guide to stopping malicious insiders within your organization

What is an insider threat?

An insider threat is a type of risk posed by people trusted by an organization. They may either have legitimate or unauthorized access to the organization's resources. Insider attacks can be malicious or unintentional, and can be initiated not just by current employees, but also by former employees, partners, and contractors who may or may not be authorized to access company resources.

There is an upward trend in the number of insider attacks with every passing year.

From 2018 to 2019, the cost incurred by organizations due to insider attacks shot up by 15 percent. Today, an organization on average loses about $1.6 million annually to malicious insiders sitting right under its nose. Ridiculous, isn't it?

Explore the different insider threats
  • IT sabotage

    When an insider intentionally misuses information technology (IT) to cause harm to the organization or an individual.

  • Intellectual property theft

    When an insider misuses IT to steal intellectual property from the organization for personal gain or to sell this information to another firm.

  • Insider fraud

    When an insider utilizes IT to carry out unauthorized addition, deletion, or modification of the organization's information for personal gain, or steals data to conduct identity theft.

  • Negligent employee

    When an employee is oblivious to IT security best practices, and puts the business at risk due to their behavior.

Intellectual property theft

Attack Scenarios

Pharmaceutical sector

At Narcos Pharma Inc., the drug that could cure a global pandemic was in the final stages of testing. Susan Ryan, an accounting officer at Narcos Pharma Inc., was offered a million dollars in exchange for the drug's formulation by a competitor organization. Overcome by greed, Susan accepted the offer.

Susan won the trust of Dr. Richard Fleming, a scientist who had access to the drug's research database. Susan closely watched Dr. Richard and learned his account password. After office hours, Susan logged on to Dr. Richard's account from her work computer and copied the classified files to her hard disk.

Narcos Pharma Inc. not only incurred heavy monetary losses as the competitor released the new drug in the market first, but it also missed the golden opportunity to emerge as an industry pioneer.

Solution: User and entity behavior analytics (UEBA) builds a baseline of the workstations, locations and hours from which each account normally logs on. Dr. Fleming's account logging on from an accounting department workstation after office hours deviates from that baseline on two counts, and a UEBA tool can alert information security officers about it in near real time. Note that a stringent password policy would not have stopped Susan, who watched the password being typed; requiring multi-factor authentication for access to the research database would have, because a password alone would no longer be enough to log on as Dr. Fleming.

Consumer electronics industry

Dodo Yua has had a successful career as an engineer at Zoroto Mobiles, Chicago, for thirteen years. Citing false medical reasons, she took a six month sabbatical and went to her hometown in Japan.

While there, she worked with the Japanese government to improve CCTV surveillance within the city by using Zoroto's cutting edge camera technology. Dodo and her team at Zoroto had worked for five long years to develop this technology, but the technology was patented by the Japanese government.

This industrial espionage cost Zoroto Mobiles millions of dollars it spent on researching and developing the technology.

Solution: Remote access should be granted only to employees who need it, limited to organization-issued devices, and suspended for staff on extended leave, which would have kept Dodo from reaching Zoroto's design data from Japan. Tools that apply machine learning to logs can correlate multiple anomalous events, such as a logon from an unusual country followed by bulk access to sensitive design documents, and alert administrators in real time.

Automotive sector

Tez Electric Vehicle Co., a fast growing company in the electric vehicle sector, had scheduled a meet with a potential investor the following day. Due to an unforeseen circumstance, the executive who usually handled partnership deals had to take leave. Andrew Costa, the marketing manager, was assigned to handle the meeting and close the deal. He was temporarily given access to all the technical documentation related to the product.

The meeting was successful, and due credit was given to Andrew. However, he had different plans in mind. He was going to quit soon and start his own electric vehicle venture. The IT team's failure to revoke the temporary permissions assigned to him made it that much easier for Andrew. All the technical details about Tez's proprietary long-lasting battery technology were taken by Andrew Costa for his new company.

Once Andrew resigned, he and his partner manufactured electric cars with similar technology for a much lower price, since they already had the technology and did not have to spend on research and development. This proved to be a fatal blow to Tez Electric Vehicle Co.'s market share.

Solution: Enabling just-in-time (JIT) privileged access for employees that need access to sensitive data temporarily can ward off future data misuse and theft. Automatically revoking access to critical files after a specified time period can help protect the organization from malicious insiders like Andrew Costa.

Mitigation strategies

1 Advanced analytics tools that utilize machine learning principles can generate baseline profiles for users on the basis of their usual behavior and instantly alert IT administrators about any deviation from this baseline.

2 Design and implement remote access policies cautiously to ensure that only trusted employees have access. Confine remote access to devices issued by your organization. Monitor and control remote access from all endpoints, especially mobile devices.

3 Organizations must automate just-in-time (JIT) privileged access so that temporary rights expire on their own instead of depending on someone remembering to revoke them. Additionally, user and entity behavior analytics (UEBA) can detect anomalous behavior by a user and raise that user's risk score, warning the IT team of a potential breach.
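As an added example, not part of the original page or of Log360, the following Python sketch shows the baselining and risk-scoring idea behind the Narcos Pharma and Zoroto scenarios above and items 1 and 3 here: it builds a per-user profile (workstations, countries and logon hours) from constructed logon records, scores each new logon against that profile, and accumulates a risk score that trips an alert. The sample history, the feature weights and the 60-point alert threshold are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def constructed_history():
    """Four weeks of ordinary logons for two users (constructed sample data, not real logs)."""
    rows, monday = [], datetime(2024, 1, 8)
    for d in range(28):
        day = monday + timedelta(days=d)
        if day.weekday() >= 5:          # no weekend logons in the baseline period
            continue
        rows.append(("rfleming", day.replace(hour=8, minute=50).isoformat(), "lab-ws-12", "US"))
        rows.append(("rfleming", day.replace(hour=13, minute=5).isoformat(), "lab-ws-07", "US"))
        rows.append(("dyua", day.replace(hour=9, minute=30).isoformat(), "eng-ws-41", "US"))
    return rows


def build_baseline(history):
    """Per-user profile: workstations and countries seen, plus a histogram of logon hours."""
    base = defaultdict(lambda: {"hosts": set(), "countries": set(), "hours": Counter(), "weekend": 0})
    for user, ts, host, country in history:
        t = datetime.fromisoformat(ts)
        b = base[user]
        b["hosts"].add(host)
        b["countries"].add(country)
        b["hours"][t.hour] += 1
        if t.weekday() >= 5:
            b["weekend"] += 1
    return dict(base)


# Illustrative weights (assumption); a product would tune these per deployment.
W_NEW_HOST, W_NEW_COUNTRY, W_OFF_HOURS, W_WEEKEND = 40, 40, 30, 15
RARE_HOUR_FRACTION = 0.02   # an hour seen in under 2% of baseline logons counts as off-hours


def score_logon(baseline, user, ts, host, country):
    """Return (points, reasons) for one logon measured against the user's baseline."""
    b = baseline.get(user)
    if b is None:
        return 100, ["no baseline for account"]
    t = datetime.fromisoformat(ts)
    points, reasons = 0, []
    if host not in b["hosts"]:
        points += W_NEW_HOST
        reasons.append(f"new workstation {host}")
    if country not in b["countries"]:
        points += W_NEW_COUNTRY
        reasons.append(f"new country {country}")
    total = sum(b["hours"].values())
    if b["hours"][t.hour] / total < RARE_HOUR_FRACTION:
        points += W_OFF_HOURS
        reasons.append(f"unusual hour {t.hour:02d}:xx")
    if t.weekday() >= 5 and b["weekend"] == 0:
        points += W_WEEKEND
        reasons.append("weekend logon")
    return points, reasons


class RiskTracker:
    """Accumulates points per user and raises an alert once the risk score crosses a threshold."""

    def __init__(self, baseline, alert_at=60):
        self.baseline, self.alert_at, self.scores = baseline, alert_at, Counter()

    def observe(self, user, ts, host, country):
        points, reasons = score_logon(self.baseline, user, ts, host, country)
        self.scores[user] += points
        return {"user": user, "points": points, "risk_score": self.scores[user],
                "alert": self.scores[user] >= self.alert_at, "reasons": reasons}


if __name__ == "__main__":
    tracker = RiskTracker(build_baseline(constructed_history()))
    # Susan using Dr. Fleming's account from an accounting workstation after hours,
    # and Dodo reaching in from Japan on a personal laptop.
    for logon in [("rfleming", "2024-02-06T08:55:00", "lab-ws-12", "US"),
                  ("rfleming", "2024-02-06T21:30:00", "acct-ws-03", "US"),
                  ("dyua", "2024-02-06T09:30:00", "home-laptop", "JP")]:
        print(tracker.observe(*logon))
```

A real product decays the score over time and weighs many more signals (failed logons, data volume, peer-group comparison); the point here is that two individually explainable anomalies, combined, are what separates Susan's logon from Dr. Fleming's.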


IT sabotage

Attack Scenarios

Information technology (IT) sector

Robert William, a system administrator at Rogerman's digital solutions, suspected he was going to lose his contract due to frequent absences from work. And if he was leaving, he planned to bring down the organization before he left.

Just as Robert thought, his contract was not renewed on the grounds of frequent absenteeism, and he was asked to leave within two weeks. In the following couple of days, he planted a timed logic bomb in the operating systems of devices on the company's network. The bomb was programmed to execute after one month, and would delete the business-critical information about clients stored in specific file servers before rebooting them.

About two weeks after Robert left the company, the logic bomb went off, and the company lost sensitive data worth about $8.5 million. The organization was clueless about how the attack originated, and had to rebuild all the lost data.

Solution: Thorough change and activity monitoring must be enforced. Critical operations in the IT environment, such as changes to scripts, scheduled tasks and services on production systems, access to sensitive file servers, and bulk deletion of business-critical data, must generate real-time alerts. A new scheduled task or service created by an administrator who has just been given notice deserves particular scrutiny, and privileged access should be reviewed and restricted as soon as the decision not to renew a contract is made, not on the last day.

Food processing sector

Unhappy about not receiving adequate recognition and monetary compensation after three years of dedicated work, Sarah Cooper, a quality control lab assistant at Honey Bake Biscuit Company, decided to wreak havoc using her in-depth knowledge about the company.

Two days before government officials were scheduled to visit the company for a food safety audit, Sarah gained access to the recipe management software application and maliciously increased the flow rate of sodium benzoate into the biscuit dough mixer. Sodium benzoate is a preservative used to extend the shelf life of food products, and under some conditions it can form benzene, a known carcinogen.

Unsurprisingly, during the inspection, the auditors found impermissible levels of sodium benzoate, which can also cause inflammation, allergies, and suppressed appetite. Following this, Honey Bake's food manufacturing license was revoked and the unit was sealed.

Solution: Role-based access control (RBAC) must be enforced so that access is granted solely on the basis of job role. That would have kept the recipe management application's process-control functions, such as altering a recipe or a preservative flow rate, out of reach of employees like Sarah, who only needs to record quality results. Solutions that monitor custom applications and flag deviations from a baseline of expected user and system actions can alert administrators in real time to indicators of compromise, such as a recipe change made by an unusual account or outside a change window.

Energy sector

ABC Power Corp. is a major electricity distributor in Saudi Arabia. Farooq Abdulla, systems supervisor of Riyadh province, was recently fired due to his poor performance.

Disgruntled, Farooq realized that his access permissions had not been revoked yet. He remotely accessed the organization's SQL server and modified critical data on the energy distribution database.

This caused a complete energy maldistribution in the province, disrupting the livelihood of people for several hours before operations were brought back to normal.

Solution: All database servers should be monitored to track changes and to audit data manipulation language (DML) and data definition language (DDL) activity, including who issued each statement, from where, and when. Information on server usage, errors and other events of interest must be collected continuously to protect database servers that house data vital to day-to-day operations. In Farooq's case, revoking his credentials at the moment he was fired would have stopped the attack outright; the audit trail is what detects it when revocation is missed.

Mitigation strategies

1 IT practices like disabling user accounts, revoking user privileges, return of IT assets, etc., must be aligned with employee termination processes. Before termination, all the access paths available to the employee, including remote access and any shared or service-account credentials they know, must be identified and blocked to prevent intrusion.

2 Critical actions in an organization must go through a multi-level approval workflow to prevent misuse of controls.

3 Organizations need to be cautious with technically adept, privileged users, as they have the access and ability to commit and conceal malicious activities. Privileged user activity monitoring can help spot misuse of authority and prevent attacks.
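The controls in items 1 and 2 above, together with the just-in-time access that the Tez Electric Vehicle and Honey Bake scenarios call for, can be sketched in a few dozen lines. The following Python module is an added example, not code from the original page or from any product: roles map to permissions, temporary grants carry an expiry and vanish on their own, a termination hook revokes everything at once, and critical actions require a second, separately entitled approver. The role names, permissions and user names are hypothetical, loosely modelled on the scenarios on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Role -> permissions. Hypothetical names modelled on the scenarios above.
ROLE_PERMISSIONS = {
    "qc_lab_assistant": {"recipe:read", "qc_results:write"},
    "process_engineer": {"recipe:read", "recipe:write"},
    "plant_manager": {"recipe:read", "recipe:approve"},
    "marketing_manager": {"campaign:write"},
    "systems_supervisor": {"distribution_db:write"},
}
# Critical actions need a second person holding the matching "<resource>:approve" permission.
CRITICAL = {"recipe:write"}


@dataclass
class Grant:
    user: str
    permission: str
    expires: datetime
    reason: str


class AccessControl:
    def __init__(self):
        self.roles = {}          # user -> set of roles
        self.grants = []         # open just-in-time grants
        self.disabled = set()    # terminated accounts

    def assign_role(self, user, role):
        self.roles.setdefault(user, set()).add(role)

    def grant_jit(self, user, permission, duration, reason, now):
        """Time-bound permission: it expires by itself, no ticket to the IT team required."""
        g = Grant(user, permission, now + duration, reason)
        self.grants.append(g)
        return g

    def terminate(self, user, now):
        """Termination hook: disable the account, drop its roles and expire every open grant."""
        self.disabled.add(user)
        self.roles.pop(user, None)
        for g in self.grants:
            if g.user == user:
                g.expires = now

    def permissions(self, user, now):
        if user in self.disabled:
            return set()
        self.grants = [g for g in self.grants if g.expires > now]   # automatic revocation
        perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in self.roles.get(user, ())))
        perms |= {g.permission for g in self.grants if g.user == user}
        return perms

    def authorize(self, user, permission, now, approver=None):
        """Return (allowed, reason). Critical actions need a distinct, entitled approver."""
        if permission not in self.permissions(user, now):
            return False, f"{user} lacks {permission}"
        if permission in CRITICAL:
            resource = permission.split(":")[0]
            if approver is None or approver == user:
                return False, f"{permission} needs approval by a second person"
            if f"{resource}:approve" not in self.permissions(approver, now):
                return False, f"{approver} is not entitled to approve {resource} changes"
        return True, "ok"


if __name__ == "__main__":
    ac, t0 = AccessControl(), datetime(2024, 3, 1, 9, 0)
    ac.assign_role("acosta", "marketing_manager")
    ac.grant_jit("acosta", "battery_docs:read", timedelta(hours=24), "investor meeting", t0)
    print(ac.authorize("acosta", "battery_docs:read", t0 + timedelta(hours=2)))    # allowed
    print(ac.authorize("acosta", "battery_docs:read", t0 + timedelta(hours=25)))   # expired
    ac.assign_role("peng", "process_engineer")
    ac.assign_role("pmgr", "plant_manager")
    print(ac.authorize("peng", "recipe:write", t0))                  # needs approver
    print(ac.authorize("peng", "recipe:write", t0, approver="pmgr"))  # allowed
```

The expiry check lives in the authorization path itself, so a grant that nobody remembered to revoke, like Andrew Costa's, simply stops working; and because approval is checked against the approver's own entitlements, an approver cannot rubber-stamp changes outside their area.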


Insider Fraud

Attack Scenarios

Healthcare sector

Mark Carter, a med student at the Chicago Hope Hospital, was in dire need of money. Out of desperation to pay his bills, he planned to steal and sell patient information that he had access to.

He sneakily copied patients' personally identifiable information such as address, Social Security number, and health history onto a USB device. He illicitly sold this information on the black market for a good price. It was so easy, he became a regular at this!

The innocent patients at the Chicago Hope Hospital unknowingly fell victim to an invasion of privacy.

Solution: USB devices are often used to exfiltrate data, as they are small and can store large amounts of data. Organizations should proactively audit removable device usage, alert on large copies to removable media, and, for roles that have no business need to write to USB storage, block it outright at the endpoint.

E-commerce sector

Goaty Goaty Dresses, an Egypt-based e-commerce platform for clothing, delivers orders for free nationwide.

Roodie, a customer experience executive, always fancied owning fashionable clothes but couldn't afford it. She abused her privileges and modified several customers' delivery addresses to her own for multiple orders. When the customers raised complaints, the company's customer service could only check the delivery status, which showed a green signal indicating the delivery was completed.

Goaty Goaty Dresses got severe backlash through online reviews and came off as a fraudulent company. It lost its reputation and its customers.

Solution: Strict role-based access control must be implemented. Actions performed by employees, including what action was performed on what object and when, need to be monitored to identify malicious activities. Anomaly detection should be used to monitor actions performed by employees that do not conform to their expected behavior.

Education sector

A computer science research assistant at Noal University, Ohio, was interested in mining bitcoin. Fully aware that his personal laptop would not provide sufficient computational power, he secretly installed a self-propagating mining program on the research facility's supercomputer, and the worm spread to other machines on the campus network.

Soon, students started facing severe problems loading study material and uploading assignments. Several complaints were raised, but no one knew what was consuming the network's bandwidth and compute capacity.

There was complete chaos at Noal when students and staff were unable to upload rosters, assignments, and quizzes. Unable to upload or download study material, there was an overall drop in student performance.

Solution: IT security correlation tools can aggregate events from all connected devices and instantly discover patterns spread across disparate log sources. By checking for unauthorized services installed in quick succession across numerous devices in the network, these tools can spot the proliferation of worms and notify network security professionals to take appropriate actions.

Mitigation strategies

1 Large-scale data breaches have devastating consequences on organizations. Auditing removable devices can prevent the exfiltration of sensitive data from the organization and the introduction of malware into the organization's network.

2 Permissions must be carefully delegated on a need-to-know basis. Establishing an environment of least privilege by enforcing appropriate access control policies can thwart insider attacks.

3 Employing IT security tools with a powerful correlation engine that can pinpoint the events that matter within a large mass of logs can help safeguard an organization from many common cyberattacks.
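The following Python script is an added example, not code from the original page or from any product, of the kind of correlation the mitigation list above and the IT sabotage section describe: a small sliding-window engine runs four rules over a constructed, already-normalised stream of events from Windows, a removable-media audit, a file server and a database, and fires once per key when a threshold is crossed. The event records, the thresholds and the list of terminated accounts are all assumptions; a real deployment would take them from the SIEM's parsers and the HR system.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 3, 4, 2, 0, 0)


def ev(offset_s, source, action, **fields):
    return {"time": T0 + timedelta(seconds=offset_s), "source": source, "action": action, **fields}


# Constructed, already-normalised events from four log sources (not real logs).
EVENTS = [
    # Windows System log: one unfamiliar service appears on six lab hosts within three minutes.
    *[ev(30 * i, "windows", "service_installed", host=f"lab-{i:02d}", service="xmrsvc") for i in range(6)],
    # Removable-media audit: a device is plugged in, then 1.5 GB is copied to it.
    ev(600, "usb", "device_connected", user="mcarter", host="ward-pc-7", device="SanDisk Ultra"),
    ev(660, "usb", "file_copy_to_removable", user="mcarter", host="ward-pc-7", bytes=800_000_000),
    ev(720, "usb", "file_copy_to_removable", user="mcarter", host="ward-pc-7", bytes=700_000_000),
    # File-server audit: 120 client databases deleted in two minutes by one account.
    *[ev(900 + i, "fileserver", "file_deleted", user="svc-backup", host="fs-01", path=f"/clients/{i:03d}.db")
      for i in range(120)],
    # Database audit: DDL issued by an account HR has already marked as terminated.
    ev(1200, "mssql", "ddl", user="fabdulla", host="db-01", statement="DROP TABLE feeder_schedule"),
]
TERMINATED = {"fabdulla"}   # would come from the HR/identity system in practice


def windowed(events, key, window, measure, threshold, rule):
    """Slide a per-key time window over events; fire once per key when measure(buffer) >= threshold."""
    by_key, fired, alerts = defaultdict(list), set(), []
    for e in sorted(events, key=lambda x: x["time"]):
        k = key(e)
        buf = by_key[k]
        buf.append(e)
        while e["time"] - buf[0]["time"] > window:   # drop events older than the window
            buf.pop(0)
        value = measure(buf)
        if value >= threshold and k not in fired:
            fired.add(k)
            alerts.append({"rule": rule, "key": k, "value": value, "at": e["time"]})
    return alerts


def rule_worm_spread(events):
    """Same service installed on >= 3 distinct hosts within 10 minutes."""
    return windowed([e for e in events if e["action"] == "service_installed"],
                    key=lambda e: e["service"], window=timedelta(minutes=10),
                    measure=lambda buf: len({x["host"] for x in buf}), threshold=3, rule="worm_spread")


def rule_usb_bulk_copy(events):
    """>= 1 GB copied to removable media by one user within 30 minutes."""
    return windowed([e for e in events if e["action"] == "file_copy_to_removable"],
                    key=lambda e: e["user"], window=timedelta(minutes=30),
                    measure=lambda buf: sum(x["bytes"] for x in buf), threshold=1_000_000_000,
                    rule="usb_bulk_copy")


def rule_mass_delete(events):
    """>= 100 deletions on one file server by one account within 5 minutes."""
    return windowed([e for e in events if e["action"] == "file_deleted"],
                    key=lambda e: (e["host"], e["user"]), window=timedelta(minutes=5),
                    measure=len, threshold=100, rule="mass_delete")


def rule_terminated_db_change(events):
    """Any DML/DDL from an account that should no longer exist."""
    return [{"rule": "terminated_account_db_change", "key": e["user"], "value": e["statement"], "at": e["time"]}
            for e in events if e["action"] in ("ddl", "dml") and e["user"] in TERMINATED]


RULES = (rule_worm_spread, rule_usb_bulk_copy, rule_mass_delete, rule_terminated_db_change)


def correlate(events):
    alerts = [a for rule in RULES for a in rule(events)]
    return sorted(alerts, key=lambda a: a["at"])


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f'{a["at"]:%H:%M:%S} {a["rule"]:28} {a["key"]} -> {a["value"]}')
```

Each rule fires at the moment its threshold is crossed (the third host, the second copy, the hundredth deletion), not after the fact, which is what makes the difference between an alert the night the logic bomb goes off and a post-mortem weeks later.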


Negligent employee

Attack Scenarios

Retail sector

George Simon is a product marketing executive at Street Mart Ltd., one of the United Kingdom's most popular supermarket chains. He has access to customer databases to plan and execute marketing campaigns. Unfortunately, George has an accident and needs medical leave for two months before he can resume work.

Lisa Gates, a cybercriminal, learns about George's absence from work and decides to steal customer information by performing a brute-force attack on his temporarily inactive account. George's weak password further simplifies her hack.

Lisa extracts personally identifiable information from the customer databases to generate synthetic identities. These synthetic identities are then used to carry out illegal activities.

Solution: Monitoring critical database servers is mandatory to prevent data from falling into the wrong hands. Locking down inactive privileged accounts, like George's, must be automated to prevent misuse by cybercriminals, and account lockout after repeated failed logons together with multi-factor authentication would have blunted the brute-force attack even before the account was disabled.

Financial services sector

Salvador Allen is a financial advisor at La Futura Investments. He constantly keeps tabs on stock prices to provide appropriate investment recommendations to his clients. One day, Salvador mistyped the URL of the stock prices website and loaded the page.

Salvador had fallen prey to a typosquatting attack. Before he realized that a different web page had opened, a ransomware payload was downloaded to his computer. Unaware of the consequences, he closed the page and resumed his work.

Ransomware spread across various computers in the network and encrypted the data stored in those systems. La Futura Investments' operations came to a standstill until it could recover from backups. Apart from the monetary losses due to the disruption, the company also lost its clients' trust.

Solution: Early detection is the key to threat mitigation. Cross-referencing the organization's security logs, such as proxy and DNS logs, against prominent global threat feeds can identify connections to malicious IPs, URLs and domains. Feeds are typically published in the Structured Threat Information Expression (STIX) format and retrieved over Trusted Automated Exchange of Intelligence Information (TAXII); keeping them continuously updated lets organizations defend against many targeted attacks such as ransomware. One caveat: a freshly registered typosquat domain may not yet appear in any feed, so threat intelligence complements, rather than replaces, endpoint controls and the tested backups La Futura recovered from.
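As an added example, not part of the original page or of Log360, the following Python script shows the cross-referencing just described: it reads a STIX 2.1 bundle of the kind a TAXII server returns, extracts the single-comparison indicator patterns (domain, URL, IPv4) while skipping revoked indicators and non-indicator objects, and matches them against proxy log lines. The bundle and the log lines are constructed; the TAXII fetch itself is left out, as is the STIX metadata (created, modified, valid_from) that this parser does not need.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed STIX 2.1 bundle standing in for what a TAXII collection would return (not a real feed).
BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--4c1a9b7e-8f2d-4e6a-9c3b-1d2e3f4a5b6c",
    "objects": [
        {"type": "indicator", "id": "indicator--9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b", "pattern_type": "stix",
         "name": "typosquat of stockprices.example", "pattern": "[domain-name:value = 'stockpriecs.example']"},
        {"type": "indicator", "id": "indicator--1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d", "pattern_type": "stix",
         "name": "ransomware dropper", "pattern": "[url:value = 'http://cdn-update.example/flashupdate.exe']"},
        {"type": "indicator", "id": "indicator--2b3c4d5e-6f7a-4b8c-9d0e-1f2a3b4c5d6e", "pattern_type": "stix",
         "name": "dropper hosting IP", "pattern": "[ipv4-addr:value = '203.0.113.45']"},
        {"type": "indicator", "id": "indicator--3c4d5e6f-7a8b-4c9d-0e1f-2a3b4c5d6e7f", "pattern_type": "stix",
         "name": "withdrawn indicator", "revoked": True, "pattern": "[domain-name:value = 'old-bad.example']"},
        {"type": "malware", "id": "malware--4d5e6f7a-8b9c-4d0e-1f2a-3b4c5d6e7f8a", "name": "not an indicator"},
    ]})

# Handles the single-comparison patterns most feeds publish; compound (AND/OR) patterns are skipped.
PATTERN_RE = re.compile(r"\[\s*(domain-name|url|ipv4-addr):value\s*=\s*'([^']+)'\s*\]")


def load_indicators(bundle_json):
    """Extract lower-cased IOC values by type from the indicator objects in a STIX bundle."""
    iocs = {"domain-name": set(), "url": set(), "ipv4-addr": set()}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        m = PATTERN_RE.fullmatch(obj["pattern"].strip())
        if m:
            iocs[m.group(1)].add(m.group(2).lower())
    return iocs


# Constructed proxy log lines: time src_ip user method url dst_ip status
PROXY_LOG = """\
2024-03-04T10:21:07 10.0.5.23 sallen GET http://stockpriecs.example/quotes 203.0.113.45 200
2024-03-04T10:21:09 10.0.5.23 sallen GET http://cdn-update.example/flashupdate.exe 203.0.113.45 200
2024-03-04T10:22:41 10.0.5.31 jdoe GET https://stockprices.example/quotes 198.51.100.7 200
2024-03-04T10:23:00 10.0.5.31 jdoe GET http://old-bad.example/ 198.51.100.9 200
""".splitlines()


def match_proxy_log(lines, iocs):
    """Return one hit per log line whose host, full URL or destination IP is on the feed."""
    hits = []
    for line in lines:
        ts, src, user, method, url, dst, status = line.split()
        host = (urlsplit(url).hostname or "").lower()
        reasons = []
        if host in iocs["domain-name"]:
            reasons.append(f"domain {host}")
        if url.lower() in iocs["url"]:
            reasons.append("url on blocklist")
        if dst in iocs["ipv4-addr"]:
            reasons.append(f"destination {dst}")
        if reasons:
            hits.append({"time": ts, "user": user, "src": src, "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in match_proxy_log(PROXY_LOG, load_indicators(BUNDLE)):
        print(hit)
```

Matching on the destination IP as well as the domain catches the case where the attacker rotates hostnames but keeps the hosting server; matching the full URL catches a known payload path on an otherwise legitimate CDN. The revoked indicator is dropped on load, so old-bad.example produces no hit, which is the behaviour you want when a feed withdraws a false positive.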

Government Sector

Eco Squad, a hacktivist group, was unhappy with the Eco-conservatory Tribunal's decision to approve the building of a second airport in the outskirts of Chennai, India, as it involved clearing 300 acres of reserved forest area. In order to express their disapproval, Eco Squad decided to launch a cyberattack against the government.

An assistant deputy general at Eco-conservatory Tribunal fell prey to spear phishing initiated by Eco Squad. The attachment in the phishing email contained malware that compromised the victim's account and provided the hackers remote access. Using their command and control server, the hackers could then move laterally in the network.

Once they had control over hundreds of devices within the office, the devices were turned into a botnet, and a massive distributed denial-of-service (DDoS) attack was launched. The Eco-conservatory Tribunal was unprepared for such an attack and had to shut down its operations for several days.

Solution: User account compromise can be identified using user and entity behavior analytics. Repeated outbound connections from a workstation to an unfamiliar remote server (beaconing to the command and control server) will be flagged as an anomaly. Attempts to discover and access unprotected network devices from that foothold will increase the risk score of the corresponding entities. The sharp rise in the risk score alerts system administrators to act before the devices can be recruited into a botnet.

Mitigation strategies

1 Employing a security management solution that tracks not just user profiles, but also entities such as printers, routers, and switches can help in identifying compromised devices and prevent cyberattacks.

2 Humans are the weakest link in the information security chain, and any chain is only as strong as its weakest link. Awareness of the best practices to improve overall cybersecurity in an organization can be achieved through professional training programs.

3 Privileged accounts that have access to sensitive information must be automatically locked down following a predefined period of inactivity to prevent misuse by cybercriminals. Enabling multi-factor authentication and assigning appropriate password management policies are essential to secure organizations against attacks that occur due to employee negligence.
