An insider threat is a security risk to an organization that comes from within the business itself. It may originate with current or former employees, contractors or any other business associates that have – or have had – access to an organization’s data and computer systems. Because it originates from within and may or may not be intentional, an insider threat is among the costliest and hardest to detect of all attack types.
Insider Threat Types
There are multiple types of insider threats that are defined on the intent and motivation of the people involved.
- “Negligent” insiders may not intend to put the organization at risk, but do so non-maliciously by behaving in insecure ways. These insiders may be non-responsive to security awareness and training exercises or may make isolated errors by exercising bad judgment. In either case, negligence is often cited as the most expensive type of employee risk.
- “Collusive” insiders will collaborate with malicious external threat actors to compromise the organization. While it is risky and rare, this type of insider threat is becoming more common as professional cybercriminals are increasingly using the dark web to recruit employees as allies. These cases often involve fraud, intellectual property theft or a combination of the two, which can make them very costly. This type of collusion may also take longer to detect as malicious external threat actors are typically well-versed in security technology and strategies for avoiding detection.
- “Malicious” insiders exfiltrate data or commit other negative acts against the organization with the goal of financial rewards or other personal gains. Malicious insiders looking for a second stream of income will typically exfiltrate data slowly to personal accounts to avoid detection. Another type of malicious insider, the disgruntled employee, will aim to deliberately sabotage a company or steal its intellectual property. They may be seen combing through sensitive company information or completing large data exports, especially around the time they resign from their position or give the customary two weeks’ notice before leaving a position.
- “Third-party” insiders are contractors or vendors that a business has typically given some kind of access to its network. These insiders may have employees that fall under one of the categories above or may simply have flaws in their own systems and devices that open vulnerabilities to attackers.
Risks Posed by Insider Threats
Insiders are particularly dangerous because unlike outsiders working to penetrate the organization, they typically have legitimate access to computer systems and the network, which they need in order to perform their daily jobs. If these authorizations are abused or leveraged to harm the organization, the results can be catastrophic and costly to the business.
When actively working to compromise an organization, insiders also have an advantage as they are typically familiar with the company’s data structure and where intellectual property resides. They may also know how that information is being protected, making it easier for them to circumvent any security measures.
Because an insider already has direct access to the organization and its network and does not need to hack in through the outer perimeter, insider threats are often harder to defend against than attacks from outsiders. They are also more challenging to detect as insider threat movements often blend in with business justified behaviors.
Detection of Insider Threats
Insider threats can easily evade existing defenses, making detection more challenging. However, the familiarity with and access to sensitive data that insiders have makes detection critical. Since insider threats may blend with business-justified activity, security teams must be able to look beyond individual artifacts to uncover behaviors and other patterns that may indicate a compromise. These patterns will vary depending on the type of insider threat.
The probability of detecting an insider, and the points within the attack lifecycle where they are likely to be discovered, differ for each type of insider threat. Negligent insiders may be detected by identifying their existing vulnerabilities before they are compromised, by identifying when their credentials are compromised or leveraged for command and control, or by uncovering unusual lateral movement that originates with that user. Collusive insiders are most often detected as they communicate with or pass data to their malicious external collaborators. Malicious insiders may show a pattern of accessing or exfiltrating information that they don't need or shouldn't have access to. Third-party insiders can be identified in all of these ways as well.
When detecting insider threats, it's vital that organizations have a complete picture of the devices, people and other entities on their network without requiring logs or endpoint agents, since these may often not be available. These entities should be tracked even as their IP addresses change, in order to identify data and behavior patterns. Security teams must also have access to complete context around these entities, including device and user profiles with a business function, email addresses, domains visited, files accessed, relationships and more.
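As an added example that is not part of the original page or of the Awake platform, the following Python script applies the three detection patterns described above (data access outside a user's role, lateral connections to hosts the user never used before, and external uploads far above the user's own baseline) to constructed sample telemetry. The event format, the role table and the 10x upload threshold are assumptions chosen for the illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample telemetry (not real data): (day, user, kind, target, bytes).
# kind: "read" = file-share group, "upload" = external domain, "connect" = internal host.
EVENTS = [
    (1, "alice", "read", "finance", 2_000), (1, "alice", "upload", "crm.example", 5_000),
    (2, "alice", "read", "finance", 3_000), (2, "alice", "upload", "crm.example", 4_000),
    (3, "alice", "read", "finance", 2_500), (3, "alice", "upload", "crm.example", 6_000),
    # day 4: alice reads data outside her role and sends 40x her usual volume off-network
    (4, "alice", "read", "engineering", 900_000),
    (4, "alice", "upload", "personal-drive.example", 200_000),
    (1, "bob", "connect", "build01", 0), (2, "bob", "connect", "build02", 0),
    (3, "bob", "connect", "build01", 0),
    # day 4: bob's account reaches hosts it never used before (credentials possibly compromised)
    (4, "bob", "connect", "hr-db", 0), (4, "bob", "connect", "dc01", 0),
]
# Business context the text says detection needs: data groups each role legitimately uses (constructed).
ROLE_ACCESS = {"alice": {"finance"}, "bob": {"engineering"}}

def find_indicators(events, role_access, baseline_days, review_day, ratio=10):
    """Compare review_day against each user's own earlier baseline and return
    (user, indicator) pairs for the three patterns described in the text."""
    daily_upload = defaultdict(lambda: defaultdict(int))  # user -> day -> external bytes
    known_hosts = defaultdict(set)                         # user -> internal hosts seen
    for day, user, kind, target, size in events:
        if day not in baseline_days:
            continue
        if kind == "upload":
            daily_upload[user][day] += size
        elif kind == "connect":
            known_hosts[user].add(target)
    findings, today_upload = [], defaultdict(int)
    for day, user, kind, target, size in events:
        if day != review_day:
            continue
        if kind == "read" and target not in role_access.get(user, set()):
            findings.append((user, f"read outside role: {target}"))      # malicious insider
        elif kind == "connect" and target not in known_hosts[user]:
            findings.append((user, f"new lateral connection: {target}"))  # negligent / compromised
        elif kind == "upload":
            today_upload[user] += size
    for user, total in today_upload.items():
        history = list(daily_upload[user].values())
        typical = median(history) if history else 0
        if total > ratio * max(typical, 1):                # exfiltration / collusion
            findings.append((user, f"external upload {total}B vs typical {typical}B"))
    return findings
```

Calling `find_indicators(EVENTS, ROLE_ACCESS, {1, 2, 3}, 4)` flags alice's out-of-role read and oversized upload and bob's two never-before-seen connections, while the same check on day 3 against days 1 and 2 returns nothing.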
Insider Threat Detection & Investigation
Awake detects insider threat attacks that blend in with business-justified activity by identifying anomalies and malicious intent. The Awake Network Detection and Response Platform parses full packet capture data to extract hundreds of security-relevant signals, deducing and profiling entities such as devices and domains, as well as their behaviors and relationships. It also captures institutional knowledge from the team, including business context that can illuminate user roles and baseline behaviors. The platform then enables behavioral detection of attacker TTPs and organization-specific threats. All activity is correlated into a threat timeline that encompasses IOCs, TTPs and non-malware activity. This process enables automatic triage with risk scores for each device and domain.
This level of visibility and detailed forensic analysis was previously possible only for the world's most sophisticated security experts, and even then only through a manual, time-consuming process, which meant insider threats were uncovered belatedly, if at all. Awake has made detection of insider threats accessible to any organization, regardless of size, budget or sophistication, enabling security teams to conduct conclusive and rapid response by leveraging exhaustive intelligence from the network.