With Insider Threats on the Rise, These Are the Insider Threat Indicators to Look out for
In today’s security environment, external threats pop up so often that it can be easy to forget that the risk from insider threats is rising too. According to a 2022 report from the Ponemon Institute, insider threat incidents have increased by 44% over the last two years. But most infosec professionals aren’t prioritising this. Analysis by Imperva shows that almost a third of IT and security professionals don’t see their organisation’s employees as a major threat.
Because insiders have legitimate access to corporate networks, insider attacks are particularly challenging to spot: it is difficult to tell the difference between normal user activity and anomalous behaviour. Unsurprisingly, detection and containment of insider threats is slow today and getting slower. It now takes most companies a full 85 days to contain an insider incident—eight more days than in the previous Ponemon Institute study conducted a year ago.
The longer it takes an organisation to detect an insider threat actor, the more damage that actor can do. To improve detection and remediation, organisations need to invest in tools like SenseOn that can spot potential indicators of compromise (IoCs) quickly, correlate them across the network, and issue high-value alerts.
What Is an Insider Threat?
An insider threat is a cyber threat started or enabled by someone with authorised access to, or inside knowledge of, an organisation. Insider threats can arise from negligence (e.g., poor security awareness) or malice (e.g., a motivated attacker). Possible insider threat actors include current and past employees, contractors, partners, suppliers, and vendors.
Although malicious insider threats make great news stories, the most common cause for insider threats is negligence. For example, a stressed employee might decide to take a shortcut (like saving their password on a browser), not realising that it could be potentially dangerous, or download an unauthorised app (i.e., “shadow IT”) that may contain malware. A worker may also forget to log out of corporate accounts or click on an attachment in a phishing email. More than half of cyber incidents observed by the Ponemon Institute were caused by employee negligence.
However, that’s not to say that the possibility of malicious insiders should be ignored altogether. Just over a quarter of cyber incidents last year could be attributed to insiders with malicious intent.
Why Are Insider Threats on the Rise?
There are many reasons why insider threats are skyrocketing. Here are some of them.
Remote work
It’s no coincidence that the risk of insider threats escalated with the rise of remote and hybrid work.
The DTEX Insider Risk Report 2022 noted a significant increase in data loss from negligent insiders in a work-from-anywhere environment. This is because most home offices lack the security controls of corporate networks, and most staff are not provided with the necessary security support.
Not only does that mean employees are more likely to take risky actions (for instance, employees now take twice as many screenshots during Microsoft Teams and Zoom meetings as before), but they are also more exposed to cybercriminals.
“If your organisation didn’t observe a proportional increase in attempted or actual data loss, then you were likely not looking,” says the report.
The Great Resignation of 2021
As a record number of people left jobs in 2021, many organisations suffered from data loss—some without even realising it.
A striking number of employees admit to taking company data when they leave. At the same time, close to three-quarters of cybersecurity leaders and practitioners lack visibility into what sensitive data, and how much of it, departing employees take with them.
Solicitations from ransomware gangs
To improve their chances of success, ransomware gangs are now directly asking employees to help establish initial access in return for financial gain.
In a Hitachi ID survey, which interviewed more than 5,000 employees at 100 large IT firms, 65% of respondents said hackers had directly asked them or their colleagues to participate in cyber attacks.
This trend is accelerating. Between November 2021 and December-January 2022, there was a 17% increase in the number of workers who received proposals from cybercriminals.
IT burnout
When information security employees feel burned out, security protocols can and do take a hit. Burned-out employees are less likely to follow their organisation’s security policies, which can result in past employees retaining user access privileges.
Over 8 in 10 employees say they accessed their accounts even after leaving a company, and about half said they used this digital access for malicious activities.
In some instances, it’s not disgruntled employees who might abuse access to their accounts but hackers. The 2021 Nefilim ransomware attack used “ghost” credentials (i.e., active credentials belonging to former employees) to breach corporate networks.
Common Insider Threat Indicators
Some of the more common indicators of insider threat include:
Odd login behaviour. Legitimate users’ login behaviour follows a pattern, and login activity that deviates from it can indicate an insider threat. Examples include login attempts from unusual locations or devices, login attempts at atypical hours (outside working hours, at weekends or on holidays), and authentication logs showing numerous failed attempts with generic usernames such as “test” or “admin”.
Excessive downloads. A higher-than-usual volume of data downloads or downloads that happen at uncommon hours of the day/come from strange locations can point to an insider threat.
Unauthorised use of applications. If critical systems and apps that house sensitive data are unexpectedly accessed by unauthorised users or users whose job function is not associated with them, or if you notice repeated attempts to access sensitive information, that could be a sign of a potential insider threat.
Privilege escalation. Privilege escalation is one of the most common infection points for ransomware. Users who escalate their own or others’ privileges may indicate a potential insider threat.
Installation of unauthorised software. Signs of unusual software may be nothing more than an employee downloading an app they think they need to do their job. But it could also be an insider threat actor installing malicious software.
Unauthorised use of external systems and devices. These may include laptops, tablets, USB sticks, etc. According to MITRE, external/removable media is a popular data exfiltration channel.
Disabled security systems. In some cases, insiders might try to disable security systems like firewalls and antivirus tools to prevent detection.
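Most of the indicators above are deviations from a per-user baseline of normal activity. The script below is an added example, not code from the original post or from SenseOn: it builds a baseline from a constructed history of authentication and download events, then flags recent events that match the indicators listed (unusual location or device, off-hours login, repeated failed logins with generic usernames, a daily download spike, privilege changes, and disabling of a security tool). The event schema, thresholds, usernames and sample log data are all assumptions chosen for illustration.

```python
"""Toy insider-threat indicator detector (added example, not SenseOn code).

Builds a per-user baseline from historical events and flags recent events
that deviate from it in the ways listed above. All events are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed tuning knobs: generic usernames worth counting, how many failed
# attempts from one source before flagging, and how far above the baseline
# mean a day's download volume must be to count as a spike.
GENERIC_USERNAMES = {"test", "admin", "administrator", "root"}
PROBE_THRESHOLD = 3
DOWNLOAD_SPIKE_FACTOR = 3


@dataclass(frozen=True)
class Event:
    ts: datetime          # event time, assumed UTC
    user: str             # account the event is attributed to
    action: str           # login_ok | login_fail | download | priv_change | sec_disable
    src: str = "-"        # source country code for logins
    device: str = "-"     # device identifier for logins
    size: int = 0         # bytes transferred for downloads
    detail: str = "-"     # target account (priv_change) or tool name (sec_disable)


def build_baseline(history):
    """Summarise each user's usual locations, devices, login hours and daily download bytes."""
    base = defaultdict(lambda: {"src": set(), "device": set(), "hours": set(), "daily": Counter()})
    for e in history:
        b = base[e.user]
        if e.action == "login_ok":
            b["src"].add(e.src)
            b["device"].add(e.device)
            b["hours"].add(e.ts.hour)  # a real baseline would use hour ranges over weeks
        elif e.action == "download":
            b["daily"][e.ts.date()] += e.size
    return base


def detect(history, recent):
    """Return (user, indicator, detail) findings for recent events that deviate from the baseline."""
    base = build_baseline(history)
    findings = []
    probes = Counter()  # failed logins with generic usernames, keyed by source
    daily = Counter()   # recent download bytes per (user, day)
    for e in recent:
        b = base.get(e.user)
        if e.action == "login_ok" and b:
            if e.src not in b["src"]:
                findings.append((e.user, "unusual_location", e.src))
            if e.device not in b["device"]:
                findings.append((e.user, "unusual_device", e.device))
            if e.ts.hour not in b["hours"]:
                findings.append((e.user, "off_hours_login", f"{e.ts.hour:02d}:00"))
        elif e.action == "login_fail" and e.user.lower() in GENERIC_USERNAMES:
            probes[e.src] += 1
            if probes[e.src] == PROBE_THRESHOLD:  # flag once, when the threshold is reached
                findings.append((e.user, "generic_username_probe", e.src))
        elif e.action == "download":
            daily[(e.user, e.ts.date())] += e.size
        elif e.action == "priv_change":
            findings.append((e.user, "privilege_change", e.detail))
        elif e.action == "sec_disable":
            findings.append((e.user, "security_tool_disabled", e.detail))
    # Compare each recent day's download total against the user's historical daily mean.
    for (user, day), total in daily.items():
        b = base.get(user)
        if b and b["daily"]:
            mean = sum(b["daily"].values()) / len(b["daily"])
            if total > DOWNLOAD_SPIKE_FACTOR * mean:
                findings.append((user, "excessive_download", f"{total} bytes on {day}"))
    return findings


# Constructed sample data: three normal working days for "alice" from GB on one laptop.
SAMPLE_HISTORY = [
    Event(datetime(2022, 9, 5, 9), "alice", "login_ok", src="GB", device="LT-0412"),
    Event(datetime(2022, 9, 5, 14), "alice", "login_ok", src="GB", device="LT-0412"),
    Event(datetime(2022, 9, 5, 11), "alice", "download", size=50_000_000),
    Event(datetime(2022, 9, 6, 10), "alice", "login_ok", src="GB", device="LT-0412"),
    Event(datetime(2022, 9, 6, 15), "alice", "download", size=50_000_000),
    Event(datetime(2022, 9, 7, 9), "alice", "login_ok", src="GB", device="LT-0412"),
    Event(datetime(2022, 9, 7, 12), "alice", "download", size=50_000_000),
]

# Constructed recent events exercising each indicator once.
SAMPLE_RECENT = [
    Event(datetime(2022, 9, 10, 3), "alice", "login_ok", src="RO", device="LT-0412"),
    Event(datetime(2022, 9, 10, 10), "alice", "login_ok", src="GB", device="UNKNOWN-PC"),
    Event(datetime(2022, 9, 10, 3, 1), "admin", "login_fail", src="RO"),
    Event(datetime(2022, 9, 10, 3, 2), "test", "login_fail", src="RO"),
    Event(datetime(2022, 9, 10, 3, 3), "admin", "login_fail", src="RO"),
    Event(datetime(2022, 9, 10, 4), "alice", "download", size=200_000_000),
    Event(datetime(2022, 9, 10, 4, 30), "alice", "priv_change", detail="bob"),
    Event(datetime(2022, 9, 10, 4, 45), "alice", "sec_disable", detail="edr_agent"),
]

if __name__ == "__main__":
    for user, indicator, detail in detect(SAMPLE_HISTORY, SAMPLE_RECENT):
        print(f"{user:8} {indicator:24} {detail}")
```

Each finding is one indicator from the list above; in practice the value comes from correlating several of them for the same account within a short window, since any single one (a new device, a late login) is often benign. The thresholds and the exact-hour baseline are deliberately simple tuning knobs; a production baseline would cover weeks of history and express working hours as ranges.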
Detecting and Containing Insider Threats
Insider threat detection is not impossible. The bigger problem is that most organisations either still don’t view insider threats as a serious risk or take the wrong approach in detecting them in the first place.
For example, the Imperva study mentioned earlier found that to protect against insider threat risk, most companies rely on employee training, manual monitoring of employee activity, and encryption. But over half of respondents said that despite these measures, end-users still managed to evade data protection policies.
To actually stop insiders from causing harm, organisations need to follow zero trust principles and use advanced threat detection, investigation, and response tools like SenseOn. Most insider activities leave a trace in a corporate network. It’s just a matter of seeing it in a timely manner—and then dealing with it as effectively as possible.
SenseOn, which monitors endpoints (including remote endpoints), network activity, and cloud environments, uses machine learning and behavioural analysis to create a baseline of what “normal” activity looks like for your company. Anytime there’s a deviation, SenseOn looks at the suspicious behaviour from different perspectives to determine if it’s actually malicious or a false positive, with only genuine alerts brought to the already overburdened attention of analysts.