An insider threat is a security risk that originates within the targeted organization. This doesn’t mean that the actor must be a current employee or officer in the organization. They could be a consultant, former employee, business partner, or board member.
34% of data breaches in the 2019 Verizon Data Breach Investigations Report involve internal actors.
According to the 2019 Varonis Data Risk Report, 17% of all sensitive files were accessible to every employee.
So what do these statistics tell us? Insiders have the capabilities, motivations, and privileges needed to steal important data – which makes it a CISO’s job to identify and build a defense against all of those attack vectors.
Anyone who has insider knowledge and/or access to the organization’s confidential data, IT, or network resources is a potential insider threat.
Types of Insider Threats
In order to protect your organization from insider threats, it’s important to understand what insider threats look like. The two main types of insider threats are turncloaks and pawns, which are malicious insiders and unwilling participants, respectively.
A turncloak is an insider who is maliciously stealing data. In most cases, it’s an employee or contractor – someone who is supposed to be on the network and has legitimate credentials but is abusing their access for fun or profit. We’ve seen all sorts of motives that drive this type of behavior: some as sinister as selling secrets to foreign governments, others as simple as taking a few documents to a competitor upon resignation.
Gregory Chung, an engineer at Boeing, is an infamous turncloak. Mr. Chung is convicted of using his security clearance at Boeing to smuggle trade secrets to China in exchange for a small fortune, and he is
A pawn is just a normal employee – a do-gooder who makes a mistake that is exploited by a bad actor or otherwise leads to data loss or compromise. Whether it’s a lost laptop, mistakenly emailing a sensitive document to the wrong person, or executing a malicious Word macro, the pawn is an unintentional participant in a security incident.
How to Detect an Insider Threat
There are common behaviors that suggest an active insider threat – whether digitally or in person. These indicators are important for CISOs, security architects, and their teams to monitor, detect, and stop potential insider threats.
Common Indicators of an Insider Threat
See the common digital and behavioral signs of an insider threat below.
Digital Warning Signs
- Downloading or accessing substantial amounts of data
- Accessing sensitive data not associated with their job function
- Accessing data that is outside of their unique behavioral profile
- Multiple requests for access to resources not associated with their job function
- Using unauthorized storage devices (e.g., USB drives or floppy disks)
- Network crawling and searches for sensitive data
- Data hoarding, copying files from sensitive folders
- Emailing sensitive data outside the organization
Behavioral Warning Signs
- Attempts to bypass security
- Frequently in the office during off-hours
- Displays disgruntled behavior toward co-workers
- Violation of corporate policies
- Discussions of resigning or new opportunities
While human behavioral warnings can be an indication of potential issues, digital forensics and analytics are the most efficient ways to detect insider threats. User Behavior Analytics (UBA) and security analytics help detect potential insider threats, analyzing and alerting when a user behaves suspiciously or outside of their typical behavior.
Insider Threat Examples
Here are a few recent examples of insider threats from the news.
Tesla: A malicious insider sabotaged systems and sent proprietary data to third parties.
Facebook: A security engineer abused his access to stalk women.
Coca-Cola: A malicious insider stole a hard drive full of personnel data.
Suntrust Bank: A malicious insider stole personal data, including account information, for 1.5 million customers to provide to a criminal organization.
Fighting Insider Threats
A data breach of 10 million records costs an organization around $3 million – and as the adage says, “an ounce of prevention is worth a pound of cure.”
Because insiders are already inside, you can’t rely on traditional perimeter security measures to protect your company. Furthermore, since it’s an insider – who is primarily responsible for dealing with the situation? Is it IT, or HR, is it a legal issue? Or is it all three and the CISO’s team? Creating and socializing a policy to act on potential insider threats needs to come from the top of the organization.
The key to account for and remediate insider threats is to have the right approach – and the right solutions in place to detect and protect against insider threats.
Insider Threat Defense and Response Plan
- Monitor files, emails, and activity on your core data sources
- Identify and discover where your sensitive files live
- Determine who has access to that data and who should have access to that data
- Implement and maintain a least privilege model through your infrastructure
- Eliminate Global Access Group
- Put data owners in charge of managing permissions for their data and expire temporary access quickly
- Apply security analytics to alert on abnormal behaviors including:
- Attempts to access sensitive data that isn’t part of normal job function
- Attempts to gain access permissions to sensitive data outside of normal processes
- Increased file activity in sensitive folders
- Attempts to change system logs or delete large volumes of data
- Large amounts of data emailed out of the company, outside of normal job function
- Socialize and train your employees to adopt a data security mindset
It’s equally important to have a response plan in place to respond to a potential data breach:
- Identify the threat and take action
- Disable and/or log out the user when suspicious activity or behavior is detected
- Determine what users and files have been affected
- Verify accuracy (and severity) of the threat and alert appropriate teams (Legal, HR, IT, CISO)
- Restore deleted data if necessary
- Remove any additional access rights used by the insider
- Scan and remove any malware used during the attack
- Re-enable any circumvented security measures
- Investigate and perform forensics on the security incident
- Alert Compliance and Regulatory Agencies as needed
The secret to defending against insider threats is to monitor your data, gather information, and trigger alerts on abnormal behavior.
Insider Threat FAQs
Check out the section below for questions frequently asked about insider threats.
Q: What are insider threat indicators?
A: Insider threat indicators are clues that could help you stop an insider attack before it becomes a data breach. Human behaviors are the primary indicators of potential insider threats. Train your team to recognize different abnormal behaviors and use Varonis to detect activity that indicates a potential insider threat. Like a user accessing data, they have never touched before or copying large amounts of data from one place to another.
Q: What motivates an insider threat?
A: The primary motivation for an insider attack is money. 34% of data breaches in 2019 are insider attacks. 71% of data breaches are motivated by money. 25% of breaches are motivated by espionage or attempts to gain a strategic advantage, which makes that the second motivator. The majority of insiders want to make a quick buck off the data that they stole.
Q: How do you detect an insider who is supposed to be accessing sensitive data?
A: Users need to access sensitive data as part of their job. You, the security professional, need to discern intent as those users perform their job. You can’t determine intent with a single input – you need multiple data points. Ask yourself – Does the user regularly access this data? Is the user exhibiting any other abnormal behaviors? Are they uploading large quantities of data to email? You can also use Varonis to analyze user behaviors and help you determine what is normal or not.
Q: Are threshold-based alerts prone to false positives? (e.g., simply re-structuring folders)
A: Threshold-based alerts are bad at determining intent, and can lead security pros on wild snipe hunts or a “cry warg” situation. Here is a simple scenario – a user moves one folder of sensitive data to a new location. If you have a threshold-based alert for “500 file operations on sensitive data in one minute” that user just tripped it (I won’t get into the details of why just trust me). Your security team’s time is more precious than chasing down every folder change. Use security analytics to make more intelligent alerting instead.
Q: How useful are watch lists?
A: Watch lists – lists of users that you need to keep an eye on – can be helpful, but they have a real dark side as well. If you think about watch lists hard enough, you can easily see how they could become overused and put your security team in a difficult position with the rest of your users. On the flip side, you want your users to be “security aware” and have a safe method to report suspicious activity. You need to develop and keep to best practices for your watch list. Investigate and drop users off the watch list quickly, and lean on your security analytics to keep tabs on the abnormal behavior for you.
Take insider threats seriously, and most importantly, monitor your users and your data. Varonis gives you peace of mind that your data and your users are staying in their lanes. But if they aren’t you get a full context alert and associated logging to begin a thorough investigation.
Watch Troy Hunt’s video training series “The Enemy Within: Understanding Insider Threats” to learn more.