Insider Threat Investigation

Insider Threat

The Insider Threat is real

The “insider threat” will sneak around your offices like a snake, poke around your network, look for confidential information, and check what is on your computers. Spies might install hidden trojan horses, backdoors, and so on. All this activity can go on unseen, unheard, and unnoticed.

Until one day you notice something is wrong or misplaced, but by then it is usually already too late. Malicious internal operators are experts at hiding and deceiving, and they leave a trail of decoys and deception. Professionals also don’t work alone; in cases of data exfiltration, external affiliates are involved as well.

To avoid disasters and hidden insider threats, you will need to investigate certain matters discreetly. We can do this for you and check for red flags and other indicators.

Types of Insider Threats (threat classification)

The insider threat is a type of risk created by entities who have gained or been given access to an organization’s physical or digital assets. Employees (current or former), contractors, vendors, or business partners have all been given access to a network and the digital assets (data) stored on its computer systems. Hence an insider threat can manifest itself in different ways:

  • data breaches with the help of insiders
  • fraud schemes
  • theft of trade secrets
  • theft of sensitive/valuable data
  • intellectual property theft
  • sabotage of security controls
  • outsiders getting insider access to systems and data
  • non-compliance with corporate security policies
  • negligence towards rules & regulations

The Internal Threat actors are:

  • malicious insiders – using legitimate access to corporate data for personal gain
  • inside agents – malicious insiders recruited by third parties – will steal, alter, delete, or tamper with data
  • disgruntled employees – emotionally driven attackers – will seek to harm or damage your organizational assets
  • current or former employees
  • careless workers – employees can choose to ignore or neglect the rules, including cyber security rules
  • third parties – entities who gained access to internal company resources – will abuse or compromise your security
  • professional spies or infiltrators (not always internal threats)
  • moles, undercover agents
  • unintentional insider threats
  • APT groups or hacker groups targeting organizations/companies with malware campaigns, phishing attacks, ransomware attacks, and exploitation of endpoint devices
  • information exploited via remote access software – exposed fileshares
  • third parties with access to company systems
    • contractors & vendors
    • external accountants & auditors
    • part-time staff
    • customers
    • visitors
    • suppliers
    • service providers
  • data leaks via email & instant messaging
  • insecure / misconfigured filesharing via cloud systems (dropbox, google drive, skydrive, one-drive, slack, skype, etc.) exposing your network to the internet
  • accessing insecure wireless networks – lack of encryption & authentication
  • posting company information, work related messages to social media, blogs & forums
  • communication with unauthorized persons about confidential company topics

Dangers of Insider Threats

  • difficult to detect, until they manifest themselves (data already exfiltrated, attack already done)
  • zero-day potential or capability (only spotted when they are being executed)
  • infiltration starts with abuse of stolen or compromised credentials, passwords, login-details
  • companies & organizations don’t have a zero-trust model in place
  • the concept of trust but verify / trust but control is not understood or applied

Red Flags and Indicators of Insider Threat Activity in your organization

  • disgruntled, angry, negative employees
  • toxic company culture
  • users circumventing the access controls – breach of security
  • people turning off security controls
  • employees “working” late or in the office
  • employees present during times when there is nobody in the office
  • violation of corporate policies & not following SOPs
  • downloading large amounts of data; use of torrents and P2P services
  • using software or systems that have nothing to do with the job profile or official function
  • linking company resources to outside technology or devices
  • exfiltrating data outside the organization
  • doing covert penetration testing by scanning for vulnerabilities
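One way to turn a few of these indicators into detection logic, as an added example that is not part of this page: a Python script that scores constructed access-log lines for off-hours activity, bulk downloads, uploads to unsanctioned destinations, P2P use, and disabled security controls. The log format, office-hours window, size threshold, and destination list are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from any real system): time user event bytes detail
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice login 0 vpn
2024-03-04T10:03:00 alice download 1200000 fileshare
2024-03-04T23:41:00 bob login 0 vpn
2024-03-04T23:55:00 bob download 4800000000 fileshare
2024-03-04T23:58:00 bob upload 4700000000 personal-cloud
2024-03-05T02:10:00 bob download 900000000 torrent-client
2024-03-05T11:00:00 carol control_disabled 0 edr
"""

OFFICE_HOURS = range(7, 20)            # assumed office window: 07:00 to 19:59
BULK_BYTES = 1_000_000_000             # assumed threshold for "large amounts of data"
EXTERNAL_DESTS = {"personal-cloud"}    # assumed unsanctioned upload destinations

def parse(line):
    ts, user, event, size, detail = line.split()
    return datetime.fromisoformat(ts), user, event, int(size), detail

def flags_for(events):
    """Map one user's parsed events to the red flags they trigger."""
    flags = set()
    downloaded = 0
    for ts, _user, event, size, detail in events:
        if ts.hour not in OFFICE_HOURS:
            flags.add("off-hours activity")
        if event == "download":
            downloaded += size
        if event == "upload" and detail in EXTERNAL_DESTS:
            flags.add("upload to external service")
        if "torrent" in detail:
            flags.add("p2p/torrent use")
        if event == "control_disabled":
            flags.add("security control disabled")
    if downloaded > BULK_BYTES:
        flags.add("bulk download")
    return sorted(flags)

def analyze(log_text):
    """Return {user: [flags]} for every user seen in the log."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse(line)
            per_user[ev[1]].append(ev)
    return {user: flags_for(evs) for user, evs in per_user.items()}

if __name__ == "__main__":
    for user, flags in analyze(SAMPLE_LOG).items():
        print(user, flags or "no red flags")
```

A single flag is only a prompt for discreet follow-up; the page's point is that several indicators clustering on one account, as with "bob" here, is what warrants an investigation.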

Insider Threat Investigation & Counter Measures to take

  • re-establish proper identity management and access control protocols (CIA)
  • awareness training
  • develop strategy for insider threat detection
  • prevention and detection security measures
  • start an insider threat mitigation project
  • implement security best practices and perform continuous monitoring
  • detection of spyware, viruses, ransomware and other malware
  • analysis of user behavior – detect suspicious profiles
  • tracking of employees
  • tracking of company assets
  • do routine backups, perform maintenance on a regular basis
  • enforce two-factor authentication (2FA)
  • limit access to sensitive data
  • reduction of the attack surface
  • detect and fix the vulnerabilities