Insider Threat Investigations
[ Reality of Insider Threat ] [ Types ] [ Threat Actors ] [ Dangers ] [ Red Flags ] [ Counter Measures ]
Insider Threat
The Insider Threat is real
The “insider threat” will sneak around in your offices like a snake, poke around in your network, look for confidential information, and check what is on your computers. Spies might install hidden trojan horses, backdoors, etc. All this activity can go on unseen, unheard, un-noticeable.
Until one day you notice something is wrong or misplaced, but by then it will most of the time already be too late. Internal malicious operators are experts in hiding, deceiving, and leaving a trail of decoys and deception. Professionals don’t work alone also and in the case of data exfiltration, there are external affiliates involved also.
To avoid disasters, and hidden insider threats, you will need to investigate certain matters discreetly. We can do this for you and check for red flags and other indicators.
Types of Insider Threats (threat classification)
Different types of organizations are subject to insider threats. It does not matter if you are a family-owned SMB / SME business or a huge Fortune 500 corporation. The same goes for local governments, state governments, and public infrastructure agencies, including major federal departments and agencies.
Any person, current or former employee that was entrusted with access to or knowledge of an organization can represent potential risks. Intentional or unintentional disruptive or harmful acts can have an effect across all infrastructure sectors and in virtually every organizational concept. Disruptions can cause significant damage.
The insider threat is a type of risk created by entities who have gained or given access to an organization’s physical or digital assets. Employees (current or former), contractors, vendors, or business partners all were given access to a network and digital assets (data) stored on computer systems or simple were given insight into a process, were given understanding, or privileges. Hence an insider threat can manifest itself in different ways:
- data breaches with help of insiders
- fraud schemes
- theft of trade secrets
- theft of sensitive & valuable data
- intellectual-property theft
- cyber-espionage
- sabotage of security controls
- outsiders getting insider access to systems and data
- non-compliance with corporate security policies
- negligence towards rules & regulations
Who is accessing your digital assets?
The Typical Internal Threat actors are:
- malicious insiders – using legitimate access to corporate data for personal gain
- inside agents – malicious insiders recruited by 3d parties – will steal, alter, delete, tamper with data
- disgruntled employees – emotionally driven attackers – will seek to harm or damage your organizational assets
- current or former employees
- careless workers – employees can choose to ignore or neglect the rules, including cyber security rules
- third parties – entities who gained access to internal company resources – will abuse or compromise your security
- professional spies or infiltrators (not always internal threats)
- moles, undercover agents
- unintentional insider threats
- APTgroups or hacker groups targeting organizations/companies with malware campaigns, phishing attacks, ransomware attacks, exploitation of endpoint devices
- information exploited by the presence of remote access software – file shares exposed
- third parties with access to company systems
- contractors & vendors
- external accountants & auditors
- part-time staff
- customers
- visitors
- suppliers
- service providers
- data leaks via email & instant messaging
- insecure / misconfigured filesharing via cloud systems (dropbox, google drive, Skydrive, one-drive, slack, skype, etc..) exposing your network to the internet
- accessing insecure wireless networks – lack of encryption & authentication
- posting company information, work-related messages to social media, blogs & forums
- communication with the unauthorized person about confidential company topics
Dangers of Insider Threats
- difficult to detect, until they manifest themselves (data already exfiltrated, attack already done)
- zero-day potential or capability (only spotted when they are being executed)
- infiltration starts with the abuse of stolen or compromised credentials, passwords, login-details
- companies & organizations don’t have a zero-trust model in place
- the concept of trust but verify/trust but control is not understood or being applied
Red Flags and Indicators of Insider Threat Activity in your organization
- disgruntled, angry, negative employees
- toxic company culture
- users circumventing the access controls – breach of security
- people turning off security controls
- employees “working” late or in the office
- employees present during times when there is nobody in the office
- violation of corporate policies & not following SOPs
- downloading large amounts of data; using torrents and P2P services
- using software or systems that have nothing to do with the job profile or official function
- linking company resources to outside technology or devices
- exfiltrate data outside the organization
- doing covert penetration testing by scanning for vulnerabilities
Insider Threat Investigation & Counter Measures to take
- re-establish proper identity management and access control protocols (CIA)
- awareness training
- develop a strategy for insider threat detection
- prevention and detection security measures
- start an insider threat mitigation project
- implement security best practices and perform continuous monitoring
- detection of spyware, viruses, ransomware, and other malware
- analysis of user behavior – detect suspicious profiles
- tracking of employees
- tracking of company assets
- do routine backups, perform maintenance on a regular basis
- enforce two-factor authentication (2FA)
- limit access to sensitive data
- reduction of the attack surface
- detect and fix the vulnerabilities