The traditional meaning of “insider threat” is: a current employee or contractor who, intentionally or accidentally, misuses his or her authorized access to a secure network to carry out malicious activity. This activity can include sabotage, theft, espionage, fraud, mishandling of data or physical devices, as well as the use of information to gain a competitive advantage.
A good example of this dates back to 2008, when a disgruntled San Francisco city employee changed administrative passwords to gain exclusive access to most of the city’s municipal data. Gavin Newsom, the mayor at the time, had to go to the jail where the perpetrator was being held to talk to him and convince him to reveal those passwords.
Another example is when a recently fired IT employee from the Indianapolis-based American College of Education changed the password for the Google account that stored email and course material for 2,000 students. The employee offered to give up the password, but only if the college paid him $200,000. In this instance, the insider threat turned into a password ransom case, but not all insider threats are as cut-and-dry as these examples.
Insider vs. inside threat
I serve on advisory boards for a several companies and the same debate – insider vs. inside threat – comes up often during meetings.
Dubbing an attack as “insider threat” makes the assumption that if something is happening inside the network, then it must the work of an insider. The reality is that it’s typically an outsider disguised as an insider (an employee).
As a result of compromised credentials through spear phishing, threats often manifest inside the network but the attacker is usually not associated with the company, and may be located on another continent altogether. The threat seems to come from within, but when companies dig deeper, it usually becomes clear that the employee had nothing to do with the attack.
The term “insider threat” is often misused. The correct term should be “inside threat,” as it addresses compromises of user credentials and systems by an outside entity. And I say “entity” because it’s only a matter of time before we see attacks attributed to artificial intelligence applications, not just attackers running scripts while sitting in front of their keyboard.
Protecting against inside threats
The first step is achieving situational awareness and being able to acknowledge and recognize abnormal or inappropriate activity by systems, services, and people on your network. That is often the earliest sign that an attack is in progress. This step requires keeping track of who has administrative privileges, and having full control of the network that is connected to company resources, including endpoints.
It used to be easy to figure out network perimeters, but since the BYOD culture skyrocketed, it’s harder to keep track of them. Companies need to focus on securing the network’s endpoints as – more often then not – is where attackers come through. Most corporations now differentiate between endpoints that they own and control, and those they do not (employees’ own devices). It’s not uncommon for these two endpoints to have significantly different risk profiles.
Many phishing attacks come through endpoints, but there are also major breaches that started with attackers targeting enterprise “edge devices” with devastating results. For example, the 2013 Target breach occurred because hackers breached the external network of the company’s HVAC provider and moved laterally into Target’s network, where they went on to be undetected for quite awhile.
This is where situational awareness and defense-in-depth (including the endpoints) come into play. When a breach is initially detected, it often manifests as an “insider”. But it’s best to assemble the facts and data to establish a forensic pattern of truth before jumping to conclusions.
By redefining the term and protecting against attacks through situational awareness, acknowledging and recognizing breaches, having full control of the network, and knowing where the company’s perimeter is to protect all endpoints, companies can better respond to suspicious activity “inside” their network.