Insider threats 101: The threat within

Recent events – both in the United States and in Japan – have forced IT administrators everywhere to reevaluate the possibility of insider threats. By their very nature these problems are difficult to handle, particularly because the mindset needed to address them can vary from case to case.

The insider threat can be broken down into three questions: why people within an organization become threats, what damage they can do, and how they can be prevented.

Why do people become insider threats?

It can be difficult to understand the motivation of people who are insider threats: they act against an organization that they are (or were) a part of and indirectly act against their own interests.

One model we can use to examine motives is espionage. Insider threats may not be quite as severe, but the basic question is similar. The motives of would-be spies are frequently described using the acronym MICE:

  • M – Money
  • I – Ideology
  • C – Coercion
  • E – Ego

Frequently, more than one of these motives is in play. Depending on what the motivation is, the nature of the attack may also differ: for example, an insider interested primarily in monetary gain might prefer to set up a quiet way to steal (and sell) confidential or proprietary information. Someone driven by a sense of personal grievance might instead carry out a series of attacks such as defacing the company’s website or, worse, stealing information; in either case these are more “demonstrative” attacks, meant to make it obvious that something did happen.

What is obvious is that trying to determine what drives somebody to become a “threat” to their own organization is a complex, multi-faceted question with no single answer.

However, employee discontent is a powerful incentive towards becoming an insider threat. Examples include pay cuts, layoffs, or other events that can cause otherwise placid employees to become disgruntled. If an organization is slow to remove access, former employees can still pose an “insider threat” for as long as they retain access to the network.

Employee discontent is just one of the possible motives behind an insider attack. Another would be ego: an employee who has not received the response he believes he deserves (be it blame or praise) may lash out. Other insider attacks are deliberate and premeditated; these are performed by employees who join companies specifically to gather insider information.

What damage can an insider do?

The exact damage an insider can cause would depend on their motives, but there’s no two ways about it: the damage they cause can be significant.

The exact damage that can be caused would also depend on who the insider is. For example, at first glance it would be logical to assume that a system administrator can cause far more damage to a network than a receptionist. But someone with access to and knowledge of critical information, coupled with knowing the right people to sell or leak it to, could cause far more financial damage to the company than the admin.

In a worst case scenario, an attacker would be able to do anything and everything they pleased to their target network. They would be able to access (or modify/destroy) any information they wanted, bypass any defenses that were in place, and leave no one the wiser as to what had happened. The question in such a case is what they couldn’t do.

In addition, the insider could enable someone else to access the network and cover for them. Spear-phishing, watering hole attacks, and other types of attacks would no longer be necessary.

In a properly designed network, users would only have access to the information that is necessary for their jobs. This limits the information that could be accessed by any single user. However, even that limited access can still do a significant amount of damage: the wrong person in the right place, using nothing more than their own legitimate access, can still produce catastrophic results. The rule of thumb is that an insider can use any data he touches or modifies on a regular basis to compromise the network.

In the event of a breach that is the work of an insider, the nature of the information that has been leaked might be used to identify the source of the breach. However, it should be noted that tracing the activity back to a particular source can have mixed results. Insiders may befriend other employees and use their devices to get the information they want. They could also give them weaponized documents to read or software to use.

Preventing insider attacks

Broadly speaking, prevention and mitigation techniques against insider attacks can be grouped into two categories: technical and non-technical.

Technical steps to prevent insider attacks are broadly similar, if not identical, to security best practices. We need to start looking at insider attacks the way we look at external attacks: we cannot prevent them from happening, so we need to work on detecting them as quickly as possible.

Monitoring and logging of activities, such as what data is moving through the network and what is leaving the network, can be used to detect potentially suspicious behavior by insiders as well. The key principle of a defense in depth strategy is to assume compromise; this should include compromised insiders as well. In addition, proper access control should be put in place to ensure that employees are not able to access information that they do not need for their day-to-day functions.

However, non-technical means of security may be just as important in dealing with these threats. As we mentioned earlier, employee discontent increases the risk of insider attacks; handling delicate situations well is not only good management practice but good security practice as well. In addition, the credentials of employees who leave an organization should be disabled as soon as possible to prevent security leaks.
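A minimal version of the three checks described in the two paragraphs above (monitoring what leaves the network, need-to-know access control, and disabling leavers' credentials), written as an added example rather than code from the original article. It runs over a constructed access log and flags activity by departed accounts, access outside a role's need-to-know, and outbound volume above a baseline; the log lines, role map, terminated list and threshold are all assumptions.

```python
from collections import defaultdict

# Constructed sample access log (not real data): one event per line, key=value fields.
ACCESS_LOG = """\
2024-05-01T09:10:43 user=alice role=receptionist action=read resource=hr/payroll.xlsx bytes_out=0
2024-05-01T09:15:02 user=bob role=sysadmin action=read resource=infra/backups bytes_out=0
2024-05-01T11:40:19 user=carol role=sales action=export resource=crm/customers.csv bytes_out=45000000
2024-05-01T13:05:55 user=dave role=engineer action=read resource=eng/design.doc bytes_out=0
2024-05-01T13:06:30 user=dave role=engineer action=read resource=finance/q3-forecast.xlsx bytes_out=0
"""

# Need-to-know map (assumed): the resource prefixes each role needs for its job.
ROLE_ACCESS = {
    "receptionist": ("frontdesk/",),
    "sysadmin": ("infra/",),
    "sales": ("crm/",),
    "engineer": ("eng/",),
}
TERMINATED = {"bob"}        # has left the company; account should already be disabled (assumed)
EGRESS_LIMIT = 10_000_000   # bytes per user per log window; assumed baseline

def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def detect(log_text, role_access=ROLE_ACCESS, terminated=TERMINATED, egress_limit=EGRESS_LIMIT):
    """Return (user, finding, detail) tuples for the three insider signals."""
    findings = []
    egress = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        user, role, resource = ev["user"], ev["role"], ev["resource"]
        # 1. A departed employee's credentials are still being used.
        if user in terminated:
            findings.append((user, "terminated-account-activity", resource))
        # 2. Access outside what the role needs for its day-to-day work (unknown role: flag).
        if not resource.startswith(role_access.get(role, ())):
            findings.append((user, "outside-need-to-know", resource))
        # 3. Accumulate outbound volume per user; flag anyone over the baseline afterwards.
        egress[user] += int(ev.get("bytes_out", 0))
    for user, total in egress.items():
        if total > egress_limit:
            findings.append((user, "egress-over-baseline", str(total)))
    return findings
```

Running `detect(ACCESS_LOG)` yields one finding per signal: the receptionist reading payroll, the departed sysadmin's account still active, the engineer reading a finance file, and the sales export well over the egress baseline.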

Dealing with insider threats is possibly one of the most difficult tasks facing an information security practitioner today. However, best practices implemented correctly can help mitigate this threat.

Author: Jim Gogolinski, Senior Threats Researcher at Trend Micro.
