Insider Threats: Signs To Look For & Tips For Cyber Threat Hunting

Krunal Mendapara
Data Security Analytics
5 min read · Jun 27, 2022

Data has become the most valuable digital asset in recent times, and it is under constant threat of being stolen, exploited or deleted by cybercriminals.

Cyberattacks are growing in numbers and sophistication. As a result, companies across the globe are under immense pressure to keep up with the rapidly evolving cybercrime landscape. A recent study reveals that external attackers can easily breach 93% of organizations’ digital ecosystems and access their local network resources.

While companies have started to acknowledge the risk of external cyberattacks, a lack of awareness about insider attacks can put them in even greater danger. Let us look at what an insider attack is and what we can do to prevent it.

What is an insider threat?

As the name suggests, this attack is launched by someone closely associated with the organization who holds authorized access rights: an employee, third-party vendor, contractor or partner. Insider threats can be unintentional or malicious.

Malicious insider threats

Malicious insider threats originate from unethical employees and contractors. They leak the company’s confidential data or misuse the organization’s network for personal gain or to inflict damage.

In several cases, insiders have been found to conspire with external threat actors such as competitors or hackers.

Negligent insider threats

Employees who get tricked by phishing emails or share data on USB sticks and other insecure devices are considered negligent insider threats.

A study by Ponemon Institute reveals that insider threat incidents have risen by 44% in the past two years, costing organizations millions.

Who can be an insider threat?

- Current employees who commit theft for financial gain can pose a threat through fraud, external collusion or even by selling trade secrets.

- Disgruntled or former employees who wish to sabotage the company’s reputation, or steal intellectual property for financial gain or revenge.

- Negligent employees who mistakenly fall for phishing attacks or give away the organization’s critical data.

- Senior executives who are unaware of the importance of cybersecurity and repeatedly exhibit irresponsible cyber behaviour.

How severe is the problem?

Statistics from the Ponemon Institute suggest that insider threats are a matter of grave concern for organizations.

- 60% of organizations witness over 30 insider threats every year.

- 62% of insider threats are negligent in nature.

- 23% of insider threats originate from criminal insiders.

- 14% of insider threats are the result of credentials theft.

What are the challenges?

It is difficult to detect insider threats. This is because companies have to give employees access to emails, cloud apps and other such network resources to enable them to do their jobs successfully. In addition, some employees even have access to sensitive information like financials, patents and client data.

In 2008, a San Francisco incident drew the world’s attention to how grave an insider threat can be! A discontented city administrator on the verge of losing his job blocked the city’s network and refused to reveal the admin passwords. It caused havoc in the town for a while.

The main problem with insider threats is that the threat actor has legitimate access to the organization’s IT environment, so the usual controls do not register a breach. However, capable automated threat hunting solutions can also help companies protect themselves from insider threats.

Signs to look for:

- When an employee has been notified of a layoff, the organization should watch their IT behaviour, particularly if they show interest in systems or data outside their duty areas.

- An employee working at unusual hours without authorization. This is especially likely with individuals who were expecting a promotion but did not receive one.

- An employee who spreads excessive negativity about the organization can become an insider threat. This can happen with employees who have not received the expected salary hike.

- The organization should also watch the IT behaviour of employees who are addicted to drugs or alcohol, are going through a difficult financial phase, have large debts or are mentally unstable.

Remediation and mitigation strategies:

Effective threat-hunting solutions can help organizations fight insider threats before they can inflict severe damage. The organization should take the following steps to detect insider threats:

- Establish a centralized monitoring system and SIEM (Security Information and Event Management) platform to aggregate security data, detect insider threats and close visibility gaps.

- Use practical internet monitoring tools to raise alerts and to monitor access, authentication and account-change logs.

- Enhance the scope of Virtual Private Network (VPN) and endpoint logs.

- Create a baseline for normal behaviour and assign risk scores to deviations, for example changes in user geography, logging in at unusual times or copying data to removable media.

- Track behavioural anomalies and check whether an external attacker has stolen an insider’s credentials.

A robust cyber threat hunting platform can help the security team secure the IT environment from insider threats. In addition, the security operations team should adopt a user-focused view to detect abnormal activities. Having a centralized security system in place is always better than manually tracking disparate data points.

Importance of privileged access management:

Employees with privileged access have been found to inflict more significant damage on the organization’s IT ecosystem. Therefore, an organization must have a Privileged Access Management (PAM) system in place that can detect:

- Abnormal log-in attempts

- Multiple failed password attempts

- Any event that deserves an analyst’s validation

Once detected, an insider threat incident can be passed on to a Security Orchestration, Automation and Response (SOAR) system, whose playbooks can help the security team remediate the threat. In addition, the team can revoke access through an automated process or an IAM (Identity and Access Management) solution.
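The baseline-and-risk-score approach from the remediation list (unusual login hours, new geography, copies to removable media) and the PAM checks above (abnormal logins, repeated failed passwords) come down to the same mechanism: learn what is normal for each user over a quiet period, then score each later event by how far it deviates and hand users over a threshold to an analyst or a SOAR playbook. The following is an added example, not code from the article or from any product it mentions; the pipe-delimited log format, the event names, the weights and the thresholds are all assumptions chosen for illustration, and the log lines are constructed.

```python
"""Baseline normal behaviour per user, then score deviations over log lines.

Added example for this article; it is not the author's code. The log format,
event names, weights and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from any real system).
# Format: timestamp|user|event|detail, where detail is the source country for
# login events and the destination path for removable-media copies.
BASELINE_LOGS = """\
2022-06-13T09:05:00|alice|login_ok|IN
2022-06-13T18:10:00|alice|login_ok|IN
2022-06-14T08:55:00|alice|login_ok|IN
2022-06-14T17:40:00|alice|login_ok|IN
2022-06-13T10:00:00|bob|login_ok|US
2022-06-14T10:30:00|bob|login_ok|US
2022-06-13T09:30:00|carol|login_ok|DE
"""

REVIEW_LOGS = """\
2022-06-20T09:10:00|alice|login_ok|IN
2022-06-20T02:15:00|alice|login_ok|IN
2022-06-20T02:20:00|alice|removable_copy|E:\\quarterly_financials.xlsx
2022-06-20T02:25:00|alice|removable_copy|E:\\client_list.csv
2022-06-20T10:00:00|bob|login_fail|US
2022-06-20T10:01:00|bob|login_fail|US
2022-06-20T10:02:00|bob|login_fail|US
2022-06-20T10:03:00|bob|login_fail|US
2022-06-20T10:04:00|bob|login_ok|RO
2022-06-20T09:45:00|carol|login_ok|DE
"""

# Risk weights per deviation type (assumed values; tune to your environment).
WEIGHTS = {"unusual_hour": 2, "new_country": 3, "removable_copy": 3, "failed_login_burst": 4}
FAIL_BURST_COUNT = 3                       # this many failed logins ...
FAIL_BURST_WINDOW = timedelta(minutes=10)  # ... within this window count as a burst
REVIEW_THRESHOLD = 5                       # total score at which an analyst is paged


def parse_logs(text):
    """Turn pipe-delimited lines into (timestamp, user, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), user, event, detail))
    return events


def build_baseline(events):
    """Per user: the login hours and source countries seen during the quiet period."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set()})
    for ts, user, event, detail in events:
        if event == "login_ok":
            baseline[user]["hours"].add(ts.hour)
            baseline[user]["countries"].add(detail)
    return baseline


def score_users(events, baseline):
    """Compare each event against the user's baseline and accumulate risk scores."""
    results = defaultdict(lambda: {"score": 0, "reasons": []})
    recent_failures = defaultdict(list)

    def flag(user, ts, reason, detail):
        results[user]["score"] += WEIGHTS[reason]
        results[user]["reasons"].append((ts.isoformat(), reason, detail))

    for ts, user, event, detail in sorted(events):
        known = baseline.get(user, {"hours": set(), "countries": set()})
        if event == "login_ok":
            if ts.hour not in known["hours"]:
                flag(user, ts, "unusual_hour", f"hour={ts.hour:02d}")
            if detail not in known["countries"]:
                flag(user, ts, "new_country", detail)
        elif event == "removable_copy":
            flag(user, ts, "removable_copy", detail)
        elif event == "login_fail":
            # Sliding window: drop failures older than the window, then count.
            window = [t for t in recent_failures[user] if ts - t <= FAIL_BURST_WINDOW]
            window.append(ts)
            if len(window) >= FAIL_BURST_COUNT:
                flag(user, ts, "failed_login_burst", f"{len(window)} failures in {FAIL_BURST_WINDOW}")
                window = []  # fire once per burst, then start counting afresh
            recent_failures[user] = window
    return dict(results)


def users_for_review(results, threshold=REVIEW_THRESHOLD):
    """Users whose total score reaches the threshold, highest score first."""
    flagged = [(u, r["score"]) for u, r in results.items() if r["score"] >= threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def run_example():
    baseline = build_baseline(parse_logs(BASELINE_LOGS))
    return score_users(parse_logs(REVIEW_LOGS), baseline)


if __name__ == "__main__":
    results = run_example()
    for user, score in users_for_review(results):
        print(f"{user}: score {score}")
        for ts, reason, detail in results[user]["reasons"]:
            print(f"  {ts} {reason} ({detail})")
```

In the constructed data, alice logs in at 02:15 and then copies two files to removable media, bob trips the failed-login burst and then succeeds from a country never seen in his baseline, and carol behaves as usual and is never flagged. The per-user reason list is what an analyst would want attached to the alert, and the same structure is what a SOAR playbook would consume to decide whether to revoke access automatically.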

Zero-trust approach:

Detecting and remediating insider threats is as much about psychology as technology. First, the security team should study the attackers’ motivations and, based on that, develop a proactive approach.

Zero-trust is one such approach with which organizations can manage insider threats effectively. In addition, the security team should keep an eye on connections between users, devices, apps and datasets associated with the organization’s IT environment.

With a zero-trust approach, organizations can:

- Isolate threats

- Reduce exposure in case of a data breach

- Prevent business disruption

- Detect exploits

It is time for organizations to understand that insider threats are as dangerous as external cyberattacks. Therefore, they should also put a robust security system in place to detect and remediate insider threats.


Krunal Mendapara is working as CTO for Sattrix Software Solutions, where he leads the strategy for technology platforms, partnerships and external relationships.