I am about to finish college and have been really busy sitting for and applying to job interviews. I would say I am pretty decent at red teaming and have focused more on the attack side of cyber security than on defence. While giving these interviews I realised that companies are looking to hire more people for their blue teams and to work on enhancing their security. Most of these companies had several requirements and plans for how they would secure their networks from outside malicious hackers, but there was one thing that was new to me, which I had never focused on and, to be honest, had never thought of before, and that was “insider threat”.
In the past few weeks I have been rigorously studying and trying to understand how serious a threat the people working at your company, the ones on your payroll, can be, and I found that it is pretty immense. Most cyber-security professionals, or at least those who are starting out, never focus on this aspect. While researching the harm a malicious insider can cause, I came across some mind-boggling stats that made me realise how big a threat it is and how generally overlooked it is by those starting out, since the red-teaming side seems far more exciting and is where people spend most of their time.
Combating insider threats is one of the most important parts of blue teaming and of the infosec defence team's work. So I decided to write about the major points that anyone securing their infrastructure should focus on, and how to defend an organisation against those trying to harm it from the inside.
Let’s dig in!
The first step in understanding insider threats is to identify very clearly who these people are and to categorise them, so that we can focus on them properly and deal with them later. I would categorise them under three main profiles: compromised, careless and malicious. Compromised employees are those who may have clicked a phishing link, executed malware or done something else that has compromised their system. Careless employees are those who get their work done but don't follow the rules, procedures and policies; these are the employees who might write down their login credentials and leave them lying around, or access important data over public wifi. They are the most likely to be compromised in the future. Then come the most nefarious employees, the ones with malicious intent to harm or deface the company or organisation they work for.
Now that we have looked at the types of people we need to deal with, we also need to understand why detecting these insider threats is such a difficult task. The most prevalent reason is that these employees have legitimate access to the systems and data. The next problem is differentiating the good from the bad: in a scenario where millions of queries are made to the database, it becomes extremely difficult to analyse which particular query is bad and which isn't. Another problem is alert overload: syslog generates a lot of alerts if the policies aren't written properly, and these alerts are sent to the SOC (security operations centre) but are never really properly assessed. The last problem is lack of context, as a company might have tens of different departments and the cyber security team has to deal with all of them with minimal knowledge of where an issue originated, and thus without a clear picture of how to tackle it.
Understanding the breaches
To tackle insider threats we need to start by identifying them, and this can only be done by understanding the threat vectors so that we can catch them from the very beginning. We need to correlate user attributes with data attributes, so that we have a clear understanding that the leakage of certain user parameters means there is a leakage of a certain data attribute.
To understand when a breach might take place we need to know the behaviours and early indications of a breach, which we get by keeping note of the indicators of a breach. These mostly include abuse of a service account, suspicious access to application data, excessive queries against the database or a huge number of failed login attempts. These behaviours can tell us that something is wrong and needs to be looked into.
How to stop insider threats?
In the case of an insider threat there are a few questions we need to know the answers to so that we can figure out who the perpetrator is.
- Who is connecting to the database?
- What means do they use to connect to the database?
- What data are they accessing?
- Are their peers accessing the same set of data?
- How much data are they querying?
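The indicators listed above and these five questions can be turned into concrete checks over database audit records. The following is an added example of my own, not code from the original post: it runs those checks (peer volume comparison, tables nobody else in the department touches, failed login bursts, interactive use of a service account) over constructed sample records; the record layout, client names and the `svc_` prefix are assumptions.

```python
from collections import defaultdict
from statistics import median
# Constructed sample audit records, not real data:
# (user, department, client, table, rows_returned, login_ok)
EVENTS = [
    ("alice", "finance", "erp-app", "payroll", 120, True),
    ("bob", "finance", "erp-app", "payroll", 150, True),
    ("carol", "finance", "erp-app", "payroll", 90, True),
    ("dave", "finance", "psql-cli", "payroll", 48000, True),
    ("dave", "finance", "psql-cli", "customers", 52000, True),
    ("eve", "marketing", "bi-tool", "customers", 300, True),
    ("svc_backup", "it", "psql-cli", "payroll", 10, True),
] + [("mallory", "it", "psql-cli", "", 0, False)] * 4  # four failed logins
def volume_outliers(events, factor=10):
    """Who pulls more than factor x the median volume of their department peers."""
    totals, dept_of = defaultdict(int), {u: d for u, d, *_ in events}
    for user, _, _, _, rows, ok in events:
        if ok:
            totals[user] += rows
    flagged = []
    for user, total in totals.items():
        peers = [totals[p] for p in totals if p != user and dept_of[p] == dept_of[user]]
        if len(peers) >= 2 and total > factor * median(peers):
            flagged.append((user, total))
    return sorted(flagged)

def peer_table_anomalies(events):
    """Tables a user reads that none of their department peers read."""
    tables, dept_of = defaultdict(set), {}
    for user, dept, _, table, _, ok in events:
        dept_of[user] = dept
        if ok and table:
            tables[user].add(table)
    out = {}
    for user, mine in tables.items():
        peers = [p for p in tables if p != user and dept_of[p] == dept_of[user]]
        seen = set().union(*(tables[p] for p in peers))
        if peers and mine - seen:
            out[user] = sorted(mine - seen)
    return out

def failed_login_bursts(events, threshold=3):
    """Accounts with repeated failed logins."""
    fails = defaultdict(int)
    for user, _, _, _, _, ok in events:
        fails[user] += not ok  # a failed login (ok == False) counts as 1
    return {u: n for u, n in fails.items() if n >= threshold}
def service_account_interactive(events, prefix="svc_", interactive=("psql-cli",)):
    """Service accounts driven from an interactive client instead of an application."""
    return sorted({u for u, _, c, *_ in events if u.startswith(prefix) and c in interactive})
```

Each function answers one of the questions on its own; a user who shows up in more than one result (here, dave: a huge pull through an interactive client of a table none of his peers read) is the kind of combined signal the next paragraph describes.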
Once we have clear answers to these questions we can combine the results and narrow down who might have been behind an insider attack, or who is most likely to carry out such an attack. This helps a lot in figuring out the trends inside the organisation and keeping tabs on your employees. There are other points you can keep in mind to deflect an insider attack.
- Log, monitor, and audit employee online actions
- Monitor and be quick to respond to suspicious or disruptive behaviours
- Keep a record of employee activity & monitor the content they are accessing
- Prevent offloading/downloading of huge amounts of data
- Implement endpoint data leak protection and secure endpoints properly
- Keep tabs on account activities & regularly carry out privilege checks
- Publicise your security policies and make your employees aware of them
There are many more steps like these that you can implement in your organisation, and having done these major ones you can decrease the chance of an insider threat to a huge extent.
Insider threats can be extremely dangerous and harmful to your organisation, as the person carrying out the attack knows exactly where the most important data and files of your company are, knows what security policies you have in place, and also knows how to circumvent those policies. So, to keep insider threats under control, follow the above policies and add more rules specific to your organisation; these will help keep your organisation safe from insider threats and make it even more difficult for external malicious entities to gain access to your systems.
If you enjoyed it please do clap and happy hacking!
Twitter : twitter.com/aditya12anand
LinkedIn : linkedin.com/in/aditya12anand/
E-mail : email@example.com