October 15, 2021
Insider Threats – Who can you trust?
- command center
- threat detection
Insider threats are taking center stage in some of the deadliest cyberattacks in recent news. Identifying insider threats is by no means an easy task, as they often involve zombie accounts: accounts created for users who have since left the organisation. The accounts still exist, and once taken over they carry enough legitimate access to cause widespread damage. Insiders typically know what data is valuable to an organisation and where it is stored. Data breaches caused by insiders are significantly more expensive and dangerous for organisations than those caused by an external attacker.
In a 2019 SANS Institute report on advanced threats, security personnel reported that the major gap in insider threat defense is primarily driven by a lack of visibility into baseline user behavior.
Method to the Madness
According to Gartner, insider threats fall into four categories: pawn, goof, collaborator, and lone wolf.
Pawns are employees who are manipulated, typically through social engineering, into performing malicious activities without knowingly taking part in the rogue behavior.
Goofs are ignorant or arrogant users who believe they are exempt from security policies, or who are overconfident in their actions beyond reason. Every organization faces the challenge that a significant percentage of employees actively try to bypass security controls, and almost 90 percent of insider incidents are caused by goofs.
Collaborators are users who cooperate with a third party, often competitors or nation-states, to use their access in a way that intentionally causes harm to the organisation. Collaborators typically use their access to steal intellectual property and customer information or to cause disruption to normal business operations.
Lone wolves are entirely independent and rogue insiders who act without external influence or manipulation. Lone wolves are especially dangerous when they have elevated levels of privilege, such as system administrators or DB admins.
Devising a detection mechanism for Insider Threats
While behavioral signs can be an indication of potential issues, digital forensics and analytics can aid in detecting insider threats. User and Entity Behavior Analytics (UEBA) helps detect potentially malicious behavior.
To detect insider threats effectively, organisations should close any visibility gaps, preventing the security blind spots that arise when user accounts and their associated privileges are not controlled. This is achieved by aggregating security data into a centralized monitoring solution.
In a study conducted by IBM X-Force from 2018 to 2020, 40% of incidents were found to have been detected through alerts generated by an internet monitoring tool. Organisations need to devise a sound privileged access management policy whose focus is on limiting elevated privileges, rather than granting them to a wider group in order to speed up provisioning and access to organization resources.
After data is aggregated, it can be analyzed and weighted with behavior-based risk scores. Behavioral anomalies help cybersecurity teams identify when a user has become a malicious insider or when their credentials have been compromised by an external attacker. By adopting a user-focused view, security teams can quickly spot insider threat activity and manage user risk from a centralized location, instead of manually piecing together disparate data points that individually may not show the full picture.
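As an added illustration of the baseline-and-score approach described above (this is example code written for this page, not code from the original post or any product), the following Python sketch builds a per-user behavioral baseline from aggregated events and scores new events against it, covering the zombie-account case from the introduction as well as off-hours and bulk-transfer anomalies. The event layout, the weights, and the DORMANT_DAYS and ALERT_THRESHOLD values are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime
# Constructed, aggregated events as a SIEM might hold them: (timestamp, user, host, bytes_out).
BASELINE_WINDOW = [
    ("2021-10-11T09:05", "alice", "ws-01", 20_000),
    ("2021-10-13T09:30", "alice", "fs-01", 30_000),
    ("2021-10-11T10:00", "bob", "db-01", 50_000),
    ("2021-10-12T10:15", "bob", "db-01", 45_000),
    ("2021-06-10T11:00", "carol", "ws-07", 10_000),  # last seen months ago
]
NEW_EVENTS = [
    ("2021-10-15T09:10", "alice", "ws-01", 22_000),  # fits alice's baseline
    ("2021-10-15T02:40", "bob", "fs-01", 900_000),   # off-hours bulk copy to new host
    ("2021-10-15T14:00", "carol", "db-01", 80_000),  # dormant account wakes up
]
DORMANT_DAYS, ALERT_THRESHOLD = 30, 5  # hypothetical tuning values

def build_baselines(events):
    # Per-user profile: hosts and hours seen, last activity, largest transfer.
    base = defaultdict(lambda: {"hosts": set(), "hours": set(),
                                "last_seen": datetime.min, "max_bytes": 0})
    for ts, user, host, nbytes in events:
        t, b = datetime.fromisoformat(ts), base[user]
        b["hosts"].add(host)
        b["hours"].add(t.hour)
        b["last_seen"] = max(b["last_seen"], t)
        b["max_bytes"] = max(b["max_bytes"], nbytes)
    return base

def score_event(event, base):
    # Weighted deviation from the user's own baseline, with the reasons.
    ts, user, host, nbytes = event
    t = datetime.fromisoformat(ts)
    if user not in base:
        return 6, ["no baseline for account"]
    b, score, reasons = base[user], 0, []
    if (t - b["last_seen"]).days > DORMANT_DAYS:
        score += 5; reasons.append("dormant account active")
    if host not in b["hosts"]:
        score += 3; reasons.append("new host")
    if t.hour not in b["hours"] and not 8 <= t.hour <= 18:
        score += 2; reasons.append("off-hours")
    if nbytes > 5 * b["max_bytes"]:
        score += 4; reasons.append("volume spike")
    return score, reasons

def triage(new_events, baseline_events):
    base = build_baselines(baseline_events)
    scored = {ev[1]: score_event(ev, base) for ev in new_events}
    return {u: r for u, r in scored.items() if r[0] >= ALERT_THRESHOLD}
```

The returned reasons are what a playbook would attach to the incident; a real deployment would compute the baseline over a rolling window and tune the weights per account type (privileged accounts warrant lower thresholds).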
Remediating Insider Threats
Organizations are constantly challenged with managing user privileges and accounts, which often leads to unprecedented sprawl of new accounts, privileges, and resources. Organizations need to adopt a privileged access management (PAM) solution and feed data about access to privileged accounts from that solution into their SIEM. Once validated, an insider threat incident can be created in an integrated incident response workflow solution, where playbooks specify what remediation is needed. Potential remediation could include challenging the insider with MFA or revoking access, either of which can be done automatically in an IAM solution.
Insider threats are as much of a headache to organizations as external threats, if not more. Trust and access must be validated at every stage instead of being granted once and never audited. Zero trust is an important technology concept that curtails perpetual trust and promotes granularity in access, which goes a long way in helping organizations to baseline their user population.