With the seemingly endless barrage of high-profile hacks and data breaches, it can be easy to lose track of the insider threat hiding right under our noses. Regardless of how well we secure our assets from outside parties, we ultimately need to give access to our employees, contractors and partners in order for them to do their jobs. Misuse of this privileged access, whether through data theft or damage, is an unfortunate, yet inherent risk of doing business for most organizations.
The frequency of insider attacks is staggering, as is the loss that results. According to the 2014 US State of Cybercrime Survey published by CERT, more than 37 percent of the surveyed organizations reported having encountered an insider cyber-attack in the last year, with insider threat cases making up roughly 28 percent of all cybercrime incidents. SpectorSoft’s 2014 Insider Threat Survey estimated global employee fraud losses at $2.9 trillion.
While the impact of these threats is clear and quantifiable, most organizations continue to struggle with how to respond. Let’s take a closer look at the problem to better understand some of the causes, and what organizations can do to protect themselves.
Insider Threats Apply to Everyone
It’s easy to associate insider threats with Edward Snowden or Bradley Manning and conclude that insider threats are limited to government agencies. However, the reality is that changing business practices and an evolving workforce make insider threats increasingly applicable to every organization.
One of the most common sources of loss occurs when employees leave the company, and take key data or assets with them to their next job. These assets aren’t post-it notes and staplers. Studies show that more than 60 percent of job quitters steal confidential company data.
Many employees believe that when they leave their job they should be free to take their “own” work with them, without remorse or investigation. In fact, a recent Symantec report found that 59 percent of employees in the United States tech industry believe that software developers should have the right to re-use source code they created for another company when changing jobs.
More Efficiency Leads to More Paths for Insiders
While employee attitudes play a role, changing business practices contribute to insider threats as well. Organizations have increasingly turned to outsourcing agencies and third-party contractors in order to reduce costs and increase agility. While effective, this approach can also vastly expand the number of individuals with access to key data and systems. Likewise, the use of personal devices (BYOD) and Web-based applications such as Web-mail and file-sharing services has greatly expanded the avenues through which enterprise data can be lost.
Even though the risk of the insider threat is clear, it remains one of the most under-estimated and under-addressed aspects of cybersecurity. It is such a large issue that it is sometimes difficult to know where to begin. Here we introduce the basics of detecting an insider threat based on monitoring key assets in the network, understanding the communities that use those assets, and recognizing some of the key technical indicators of an insider attack.
The first step for a security team is to identify key actors and responsibilities inside the organization. The responsibilities for detection, intervention and prevention of insider threats are typically shared among the information security, legal and human resources (HR) departments of a company. A clear definition of action items and accountabilities is crucial to the implementation of an effective insider threat program.
Second, define the critical key assets that must be protected, as well as your organization’s tolerance for loss or damage if they are leaked. Every organization needs to understand exactly what its key assets are and where they are located, and implement technology to monitor and track those assets. Where does company IP reside? Are data protection policies in place? If theft were to happen, is there a sufficient audit trail available for forensic analysis and ultimately litigation? A consistent and efficient investigation of any type of IP theft is essential for protection against, and deterrence of, future threat cases.
Next, in order to prevent a threat to key assets, ask yourself what kind of behavioral precursors could be observed and caught across company departments before critical assets are harmed. Even though an insider is already inside the network, they may still need to find and gain access to key assets. As a result, active monitoring of internal network traffic can identify the exploration and lateral-movement phases of an insider attack in progress, as well as the theft of the data itself.
For example, identifying a host that is scanning machines for a port that will enable stealthy communications or performing a brute-force password attack on a server can be an important sign that an insider is digging deeper into the network. Identifying when a user is aggregating and exfiltrating massive amounts of data is an additional strong sign that something bad is going on.
However, there is no guarantee that the attacker will need to perform exactly these reconnaissance, lateral movement, or exfiltration patterns. To be prepared for future (unknown) attacks, organizations need to understand the users and communities that surround these key assets. What connections are normal for a particular user, and what assets are normally used? By monitoring the interaction of users and data servers in a community, security teams can identify the users and hosts that communicate in anomalous ways inside and outside these communities. Observing abnormal connections, specifically to key assets, can provide a critical indicator of a novel and ongoing type of insider attack.
For instance, if Chuck’s laptop, which normally connects only to hosts within the system administration community, begins communicating with hosts in the finance community over the weekend and downloads selected files of credit card data, his host will appear as a new connection in the finance community even though he is using stolen credentials to access the finance servers. This detection should clearly be a warning sign.
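The community-based detection just described, as an added example that is not from the original article: it learns each host's normal set of peer communities from flow records, then flags a host's first connection into a key-asset community and unusually large totals pulled from those assets. Host names, community labels, byte counts, timestamps and the volume threshold are all constructed for the illustration.

```python
"""Community-based anomaly detection for the insider scenario described above.

Added example, not code from the original article. Host names, community
labels, byte counts and timestamps are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed asset inventory: each monitored host and the community it belongs to.
COMMUNITIES = {
    "chuck-laptop": "sysadmin", "bastion01": "sysadmin",
    "alice-laptop": "finance", "fin-db01": "finance", "fin-share01": "finance",
}
KEY_ASSET_COMMUNITIES = {"finance"}  # communities that hold critical data

# Flow records: (source host, destination host, bytes transferred, ISO timestamp)
BASELINE_FLOWS = [  # constructed "normal week" of traffic
    ("chuck-laptop", "bastion01", 4_000_000, "2014-11-12T09:00:00"),
    ("alice-laptop", "fin-db01", 2_000_000, "2014-11-12T10:30:00"),
]
WINDOW_FLOWS = [  # constructed traffic in the window under review
    ("alice-laptop", "fin-db01", 2_500_000, "2014-11-14T11:00:00"),
    ("chuck-laptop", "fin-db01", 70_000_000, "2014-11-15T02:10:00"),  # a Saturday
    ("chuck-laptop", "fin-share01", 60_000_000, "2014-11-15T02:40:00"),
]

def build_baseline(flows):
    """Map each source host to the set of communities it normally connects to."""
    baseline = defaultdict(set)
    for src, dst, _nbytes, _ts in flows:
        baseline[src].add(COMMUNITIES.get(dst, "unknown"))
    return baseline

def detect_anomalies(baseline, flows, volume_threshold=50_000_000):
    """Flag (1) a host's first-ever connection into a key-asset community and
    (2) unusually large totals pulled from key assets (aggregation/exfiltration)."""
    alerts, seen, pulled = [], set(), defaultdict(int)
    for src, dst, nbytes, ts in flows:
        dst_comm = COMMUNITIES.get(dst, "unknown")
        if dst_comm not in KEY_ASSET_COMMUNITIES:
            continue  # only connections toward key assets are scored here
        pulled[src] += nbytes
        if dst_comm not in baseline.get(src, set()) and (src, dst_comm) not in seen:
            seen.add((src, dst_comm))  # one alert per new (host, community) pair
            when = "weekend" if datetime.fromisoformat(ts).weekday() >= 5 else "weekday"
            alerts.append(f"NEW_COMMUNITY {src} ({COMMUNITIES.get(src)}) -> {dst_comm} on {when}")
    for src, total in pulled.items():
        if total > volume_threshold:
            alerts.append(f"HIGH_VOLUME {src} pulled {total} bytes from key assets")
    return alerts
```

Alice's routine finance traffic produces no alert, while Chuck's laptop triggers both a new-community alert (stamped as weekend activity) and a high-volume alert, matching the two indicators discussed above.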
It is clear that insider threats span a variety of disciplines, including HR, Legal, business processes, and information security. The expansive nature of the problem can make it a daunting task to address, but all of the data indicates that this problem is not going away. An ounce of prevention today could easily prevent a disaster in the future.