An insider threat is malicious activity carried out by a current or former employee who has authorized access to sensitive information but misuses that access by sharing and leaking the information, putting the organization at risk.
Insider threats are more dangerous and expensive because insiders have first-hand knowledge of all valuable data, have access to and control over the network systems in your organization, and hold legitimate credentials for different accounts.
There are two main types of insiders:
- Malicious insiders.
- A malicious insider is a business employee, contractor, partner or former employee with authorized access to business data, systems or networks who intentionally misuses the privilege by exposing confidential data belonging to the business.
- Unintentional insiders.
- An unintentional insider is a current or former employee, partner or shareholder in the business with authorized access to the business information systems and data who unintentionally exposes the business and increases the risk of a cyberattack.
TYPES OF INSIDER ATTACK
- The misuse of access
- The insider uses legitimate access for an improper purpose. For example, in a masquerading attack an attacker uses a fake identity to access personal information through legitimate access.
- Defense bypass
- The insider may bypass defense mechanisms that have been set up, such as firewall rules, and is then able to access more information.
- Access control failure
- This may involve misconfiguration of systems exposing sensitive information to vulnerabilities and unauthorized access.
INDICATORS OF MALICIOUS INSIDER ACTIVITIES IN AN ORGANIZATION
- Abnormal access requests. This may involve workers trying to access information not related to their job group or category.
- User privileges. Users who increase their privileges to access systems and information raise the risk of sensitive information being exposed.
- Sending emails containing sensitive and confidential information to, or receiving them from, recipients outside the organization who are not clients, vendors or partners may be an indicator of an insider threat.
- Accessing information and systems during off and odd hours.
- Fraud or suspicious financial gains by an employee.
- Compliance violation.
- Erasing, modifying or tampering with any record-keeping data system.
- Disabling of antivirus and firewall settings to introduce unauthorized software.
- Unusual logins.
- Intellectual property theft.
- This is mostly conducted by agents outside the organization with the aim of disrupting the operations of the target organization to carry out insider attacks.
- Unintentional insider threats, which may include responding to phishing scams, unknowingly downloading malware, or employees sharing their account details, which allows others to access these accounts and confidential data and information about the organization.
COUNTER MEASURES TO PREVENT INSIDER THREAT
- Perform vulnerability assessments to identify gaps in your security strategy.
- Include security awareness training for all staff, partners and third parties involved in accomplishing business operations.
- Apply data security measures and identity and access management measures.
- Create a mandatory security policy to protect the organization's assets.
- Maintain a least privilege access model to determine who can access your sensitive data and who should not.
- Create a response plan to react to an insider attack.
- Identify and classify critical data in your organization.
- Routinely audit the security practices of your service providers and contractors to identify governance and data handling processes.
TECHNOLOGIES USED TO PREVENT INSIDER ATTACKS
- Security information management log analysis
- Organizations can employ a security information and event management (SIEM) tool to collect data from log files for analysis and to report on security threats and events. This helps in monitoring insider threats before they cause damage to the organization.
- Network Flow Analysis
- These solutions monitor data packets for malicious activities and help the security personnel determine any information being leaked through the network.
- Database activity monitoring
- Monitoring database logs helps you determine every database transaction made and block unauthorized ones from being performed.
- Data loss prevention
- Limit user access with privileged access management solutions. Control access to privileged accounts and manage the provisioning of privileges to access critical systems and applications in the organization.
- User behavior analytics solutions are used to detect behaviors outside the norm.
- User activity monitoring tools are user-centric and provide the context of an incident, enabling the investigator to understand what actually happened.
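The indicators listed earlier and the SIEM-style log analysis described above can be combined into a simple rule check over collected events. The following is an added example, not part of the original article: the log format, field names, domains, working hours and threshold are all assumptions, and the email rule checks only the recipient domain, not message content.

```python
import csv, io
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): time,user,job_group,action,target
SAMPLE_LOG = """\
2024-03-04T10:12:00,alice,finance,file_read,finance/q1-ledger.xlsx
2024-03-04T02:47:00,bob,engineering,file_read,engineering/build.yaml
2024-03-04T02:51:00,bob,engineering,file_read,hr/salaries.csv
2024-03-04T03:05:00,bob,engineering,av_disabled,workstation-17
2024-03-04T03:09:00,bob,engineering,email_sent,drop@mailbox.example
2024-03-04T11:30:00,carol,sales,email_sent,buyer@partner.example
2024-03-04T15:20:00,carol,sales,priv_change,carol->domain-admin
"""

# Assumed policy values; tune these to the organization.
WORK_HOURS = range(7, 20)  # 07:00-19:59 local time
TRUSTED_DOMAINS = {"corp.example", "partner.example"}  # own, clients, vendors, partners

def indicators(ev):
    """Return the names of the indicators that a single event matches."""
    hits = []
    if datetime.fromisoformat(ev["time"]).hour not in WORK_HOURS:
        hits.append("off_hours_access")
    # Assumed convention: the first path component names the owning job group.
    if ev["action"] == "file_read" and ev["target"].split("/")[0] != ev["job_group"]:
        hits.append("outside_job_group")
    if ev["action"] == "email_sent" and ev["target"].rsplit("@", 1)[-1] not in TRUSTED_DOMAINS:
        hits.append("external_recipient")
    if ev["action"] == "av_disabled":
        hits.append("security_control_disabled")
    if ev["action"] == "priv_change":
        hits.append("privilege_increase")
    return hits

def review_queue(log_text, threshold=2):
    """Collect distinct indicators per user; keep users at or above the threshold."""
    fields = ["time", "user", "job_group", "action", "target"]
    per_user = defaultdict(set)
    for ev in csv.DictReader(io.StringIO(log_text), fieldnames=fields):
        per_user[ev["user"]].update(indicators(ev))
    return {u: sorted(h) for u, h in per_user.items() if len(h) >= threshold}

if __name__ == "__main__":
    for user, hits in review_queue(SAMPLE_LOG).items():
        print(user, hits)
```

Requiring several distinct indicators before queuing a user for review keeps a single late login or one privilege change from generating an alert on its own.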
HOW TO CREATE AN INSIDER THREAT PROGRAM?
An insider threat program is a program used to detect, prevent and respond to insider attacks.
- The first step is preparation. In this stage you need to gather as much information as you can about your current cybersecurity measures and compliance requirements, and list the assets and all stakeholders who are involved in this program.
- Carry out and perform a risk assessment. Classify your assets from the most sensitive to least sensitive. Performing a risk assessment will help you detect the assets and mitigate possible threats on them. The risk assessment process entails:
- Potential threat sources
- Cybersecurity vulnerabilities
- A list of risk levels for the assets. You can classify them as high, medium and low.
- Estimate the likelihood of an insider threat.
- Determine and assess the risks.
- Estimate the resources needed to create the program. These include administrative support, technology solutions to monitor events and financial resources to purchase cybersecurity insider threat detection software.
- Acquire support and approval from the stakeholders you shortlisted earlier on with key reasons for implementing and having an insider threat program in your organization.
- Create an insider threat response team and have a scope of responsibilities for each team member in the response team.
- Determine all necessary insider threat detection measures best suited to serve your organization.
- Make the program clear and realistic to all parties involved.
- Plan your procedures for investigating insider attack incidents and measures to respond to an attack.
- Create user awareness by educating all technical and non-technical users and employees.
- Set aside some time to review and update your insider threat program.
INSIDER INCIDENT RESPONSE
The incident response team should:
- Investigate how and when the compromise occurred.
- Identify what data and systems were compromised in the incident.
- Specify the person responsible for the compromise.
- Identify, collect and preserve all evidence.
- Perform forensic analysis and data analysis.
- Assess the damage caused by the compromise and provide an appropriate containment measure.
- Give appropriate guidelines to eradicate the threat and continue with the business operations.