

A Practical Software Approach to Insider Threats

Data Security

Insider data theft presents multiple challenges for traditional IT security. Unlike external hackers, insiders are employees who are entitled to be on the network, so standard perimeter security measures won’t stop them. But there is a way out of the insider nightmare scenario.

Software based on User Behavior Analytics, or UBA, is the key to preventing or vastly mitigating insider threats. The secret to UBA’s insider-catching prowess is its ability to learn from log and event histories — apps launched, files accessed, logins — when employees’ online behaviors are normal and when they fall into the danger zone.


Unfortunately, insider threat is more twisty than vanilla external hacking. Employees are granted access to important data as part of their job. And while UBA can spot unusual access attempts even among employees, companies should take a multifaceted approach to internal cyber theft. This can include establishing and communicating employee privacy policies, and spotting and working with disgruntled employees to prevent them from becoming threats.

Who Are the Insiders That Commit Cyber Theft?

Academic researchers have made serious studies into the reasons employees commit insider cyber theft and disruption. Based on their work, they came up with three main motivation categories: theft for financial gain, theft for business advantage (IP theft), and IT sabotage.

Stealing for money is the most obvious motive for insider theft. This type of fraud is more likely to be committed by lower-level, non-technical employees, usually in cooperation with outsiders. In the cases studied, these were employees, typically with financial problems, who used their authorization level as a data entry operator or customer support rep to modify credit histories, adjust benefits, or create false login credentials — all for a fee.

Employee monetary theft may not make the headlines, but fraud examiners say that 5% of businesses lose money each year to fraud by unauthorized access to computer systems.

If we look beyond insider theft for financial gain, we start seeing a different type of insider. Those motivated by IT sabotage and intellectual property (IP) theft are technically oriented employees who were able to borrow another employee’s credentials or who already have access to sensitive resources — code, documents, contracts, plans, etc. This destructive employee may throw a virtual monkey wrench into the IT machinery — delete directories, insert bad code into critical infrastructure — or else steal huge amounts of confidential data.

These types of employees make headlines, and their thefts can lead to major lawsuits with the potential for enormous cash settlements — see, for example, Google’s successful lawsuit against Uber for IP theft.

Early Warning Signs for Insiders

Why do insiders carry out their cyber crimes? In other words, if it’s not purely for monetary reasons, then why do it? Researchers note that there’s usually a trigger event: a firing or a dispute with the employer, a demotion, or dissatisfaction with a salary increase or bonus. In other words, there are often strong psychological elements involved.

Thankfully, most of us will not react to these triggers. But for a small group with a predisposition that’s often associated with addictions, bullying, or other personal issues, it’s enough to push them to IP theft.

As employees, of course, insiders don’t need any outside software, tools, or special malware to gain entry, which makes them even harder to spot.

However, there’s one important quirk of insiders that can be used against them. They exhibit precursor activities that usually amount to a trial run of the theft — exploring and searching directories, checking permissions, and selectively copying code or other sensitive content. For developers and admins bent on destruction, this could translate into inserting harmless code snippets into existing software or subtly changing configuration files.

These precursor activities seem to be a way for the employee to test whether the company is watching and, interestingly, whether it cares! The insider may rationalize that since no one said anything during these probes of the system, it’s OK for him to copy the entire core software system onto his USB drive.

Many companies would, of course, rather trust their employees instead of monitoring them, but that leaves them open to just this type of employee attack. It is important to let potential insiders know they’re being watched — it can dissuade them from attacking. And smart companies will inform all employees of their internal privacy policies!

Monitoring Insiders With Software: User Behavior Analytics

Let’s put it all together. An employee with an insider predisposition experiences a trigger event at work — promotion denied, bonus lower than expected. He then starts probing the corporate IT environment and does trial runs of his data theft or sabotage to see if anyone notices. Then finally he’ll commit the insider act.

User Behavior Analytics software has an important role to play in detecting these precursors. UBA technology searches for patterns of usage that indicate unusual or anomalous behaviors. As the insider is looking around the file system in preparation for the attack, often in areas he usually doesn’t access, UBA will notice this new pattern and alert the appropriate IT security staff.

Not all UBA software has the ability to monitor file activity; those that do have an advantage in spotting precursor activities.

UBA can spot unusual access to files containing sensitive data.

For UBA to work, though, it requires an existing record or history of online activities and events — system or event logs, file access, and network activity. The UBA algorithms train themselves on these datasets so they can understand normal usage. Then, when an employee starts down the path to becoming a threat, UBA detects the telltale precursor activities.

If you’re thinking that some of the classification and prediction techniques of Big Data analysis — nearest neighbor, regressions, Bayesian methods — are appropriate for UBA, you’d be right. But whatever the exact method used, the analytics establish a baseline from which it becomes possible to tell what’s normal and what’s not.
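As an added illustration (not code from the original post or from any vendor’s product), the sketch below builds a per-user baseline from a constructed file-access log and then flags the two precursor patterns described above: roaming into directory areas the user has never touched, and a burst of off-hours or weekend access. The log format, paths, user names and the threshold of three off-hours events are all invented for the example.

```python
"""Toy UBA baseline: learn each user's normal file-access footprint, flag precursor-like deviations."""
from collections import defaultdict
from datetime import datetime
# Constructed sample audit log (not real data): timestamp user action path
TRAINING_LOG = """\
2024-03-04T09:12:00 alice READ /finance/reports/q1.xlsx
2024-03-05T14:40:00 alice WRITE /finance/budget/draft.docx
2024-03-04T09:30:00 bob READ /eng/src/auth/login.py
2024-03-05T11:05:00 bob WRITE /eng/src/auth/session.py
2024-03-06T16:20:00 bob READ /eng/docs/design.md
"""
# Constructed events to score: a Saturday-night run through an area bob never touched
RECENT_LOG = """\
2024-03-16T23:10:00 bob READ /eng/src/auth/login.py
2024-03-16T23:11:00 bob READ /eng/src/billing/ledger.py
2024-03-16T23:12:00 bob READ /legal/contracts/partner_a.pdf
2024-03-16T23:13:00 bob READ /legal/contracts/partner_b.pdf
2024-03-18T10:00:00 alice READ /finance/reports/q3.xlsx
"""
def parse(log):
    for line in log.splitlines():
        ts, user, action, path = line.split()
        yield datetime.fromisoformat(ts), user, action, path

def area(path, depth=2):
    # "/eng/src/auth/login.py" -> "/eng/src": the coarse region a user roams in
    return "/" + "/".join(path.strip("/").split("/")[:depth])

def build_baseline(log):
    """Per user: directory areas normally touched and hours normally active."""
    baseline = defaultdict(lambda: {"areas": set(), "hours": set()})
    for ts, user, _, path in parse(log):
        baseline[user]["areas"].add(area(path))
        baseline[user]["hours"].add(ts.hour)
    return dict(baseline)

def score_events(log, baseline, burst=3):
    """Return (user, reason) alerts for events that deviate from the user's baseline."""
    alerts, offhours, flagged = [], defaultdict(int), set()
    for ts, user, _, path in parse(log):
        # An unknown user has an empty profile, so every access of theirs is anomalous
        profile = baseline.get(user, {"areas": set(), "hours": set()})
        if area(path) not in profile["areas"] and (user, area(path)) not in flagged:
            flagged.add((user, area(path)))          # report each new area only once
            alerts.append((user, f"first access to {area(path)}"))
        if ts.hour not in profile["hours"] or ts.weekday() >= 5:
            offhours[user] += 1                      # weekend copying, as in the post
            if offhours[user] == burst:
                alerts.append((user, "off-hours/weekend access burst"))
    return alerts
```

Running `score_events(RECENT_LOG, build_baseline(TRAINING_LOG))` yields two alerts for bob and none for alice, whose Monday-morning read stays inside her usual area.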

UBA and Other Factors

As we saw earlier, it also makes sense to factor in other sources of information — particularly personnel records, reviews, and similar information — when reviewing UBA results. An abnormal file access pattern — someone copying files over the weekend — coupled with the knowledge that the employee complained about not receiving a promotion would be far more predictive of an insider threat.

So proactive file and network monitoring, with alerting when the first signs of behavioral issues emerge, is a good idea. But management should also make it clear that insider threats are taken seriously.

There should be continuing company-wide programs and training on security awareness. There’s strong evidence that when potential insiders know there are insider security policies in place and that they may be monitored, they’ll give up on their plans.

If there seem to be signs of unusual precursor activity by an employee and additional monitoring is called for, it might not be a bad time to send out an email blast reminding employees of corporate IP and security policies, including file monitoring.

Or to put it another way, “trust, but verify”! UBA then can be used as a tool to change behaviors thereby bringing potential insiders back into the fold.

Can traditional event-based rules — say, from SIEM or DLP vendors — catch insider theft as effectively as UBA? The answer is no. Not that DLP is ineffective, but a logged event on its own may not provide enough information or context to write an effective rule, so you’ll likely end up with too many false positives.

Where UBA differs from other methods is in its ability to learn in a statistical sense from past patterns. UBA that can analyze a history of file and email access activities is especially well-suited to spot insider theft of IP — i.e., valuable or sensitive data contained in documents, presentations, or graphics. With UBA, IT admins gain the ability to detect in or near real-time an insider’s precursor stage, thereby preventing data from ever leaving the organization.

And if UBA can’t prevent the attack, keep in mind that its audit logs and other monitoring results can be quite useful in court cases to prove that the theft took place.

Andy Green

Andy blogs about data privacy and security regulations. He also loves writing about malware threats and what it means for IT security.
