Organizations usually focus on cyber threats which are external in origin. These include anti-malware, external firewalls, DDoS attack mitigation, external data loss prevention, and the list goes on. That's great, external cyber attacks are very common so it's vital to protect your networks from unauthorized access and malicious penetration. The internet and unauthorized physical access to your facilities will always be risks and they must be monitored and managed. But it’s easy to lose sight of an often overlooked cyber attack surface, and that’s the one on the inside. Internal cyber attacks are more common than many people assume, and ignoring that reality would be at your peril. Here’s why you should be prepared for internal cyber threats, and what you can do about it.
The impact and importance of insider attacks
Insider threats to your network typically involve people who work as employees or contractors of your company. They belong in your facilities and they often have user accounts in your networks. They know things about your organization that outsiders usually don't–the name of your network administrator, which specific applications you use, what sort of network configuration you have, which vendors you work with. External cyber attackers usually need to fingerprint your network, research information about your organization, socially engineer sensitive data from your employees, acquire malicious access to any user account, even those with the least amount of privileges. So internal attackers already have advantages that external attackers lack.
Also, some insider threats aren’t from malicious actors. Some insider threats are purely accidental. Maybe an employee will accidentally leave a USB thumb drive full of sensitive documents in a restaurant’s washroom, or click on a malicious hyperlink that introduces web malware to your network. According to Ponemon Institute’s April 2018 Cost of Insider Threats study, insider threat incidents cost the 159 organizations they surveyed an average of $8.76 million in a year. Malicious insider threats are more expensive than accidental insider threats. Incidents caused by negligent employees or contractors cost an average of $283,281 each, whereas malicious insider credential theft costs an average of $648,845 per incident. But the bottom line is that all of these incidents are very expensive and they must be prevented.
Comparing insider versus outsider threats and attacks
So insider threats can be a lot more dangerous than outsider threats. As far as malicious attackers are concerned, insiders already have authorized access to your buildings and user accounts. An outside attacker needs to work to find an external attack vector into your networks and physical facilities. Those are steps inside attackers can usually skip. It's a lot easier to privilege escalate from a user account you already have than to break into any user account in the first place. A security guard will scrutinize an unfamiliar individual, whereas they will wave hello at a known employee.
The same applies to accidental incidents. I don’t know any sensitive information about companies that I’ve never worked for. A current or former employee often will, and it may be socially engineered out of them.
Because of the privileged access that insiders already have, they can be a lot more difficult to detect and stop than outsider threats. When an employee is working with sensitive data, it’s very difficult to know whether they are doing something malicious or not. If an insider behaves maliciously within your network, they can claim it was an honest mistake and therefore it can be challenging to prove guilt. Insider threats can be a lot more difficult to contain than outsider threats. According to Ponemon Institute’s 2018 Cost of Insider Threats study, it took an average of 73 days to contain insider incidents. Only 16% of insider incidents were contained in less than 30 days. Even if a threat to your network lasted 20 days, imagine how much harm that could be done in that time.
Lockheed Martin developed the Cyber Kill Chain framework as a model for identifying and preventing cyber intrusion. It’s an excellent system, but it’s best geared toward determining outside threats. Thankfully we’ve adapted a way of implementing the Cyber Kill Chain from the perspective of insider threats. Check it out!
Insider threat indicators to look out for
Because insider threats can be so much more difficult to detect and contain, it’s crucial to know which indicators you should look out for.
Disgruntled employees sometimes become malicious insiders.
The most dangerous are those who have received termination notices. They may decide that they have nothing to lose because they aren’t worried about getting fired anymore. Depending on the nature of your organization and the work you do, it might be a good idea for them to stop working for your company the moment they know they've been terminated. Get them to give you any physical keys they might have and disable their user accounts right away. It may ultimately cost your organization less money to just give your terminated employee their severance pay than to pay them to work an extra few weeks. But if they must work for some time after they've been terminated, watch them especially carefully.
Disgruntled employees who aren’t set to be terminated may also pose a threat. Signs of disgruntled employees who may become malicious insiders include those who have frequent conflicts with supervisors and coworkers, and those who demonstrate declined performance and general tardiness. Visits to websites with job listings are another clear indication of a disgruntled employee.
Interestingly enough, another type of indication of an employee or a contractor who could be a malicious insider is when they seem unusually enthusiastic about their work. They may volunteer for more work or additional tasks not because they want a raise, but because they want to expand their access to sensitive data. Yes, I work helpdesk but I have lots of experience with managing networks! I can fill in for the network administrator when they’re taking time off!
Frequent trips to other cities or countries can be a sign of industrial espionage. They could be sharing sensitive and proprietary information with another company.
Another major indicator of insider threat actors are employees or staff that have had significant unexplained changes to their financial circumstances. Why is that employee who makes $40,000 per year driving a Bentley all of a sudden? Or the indicators may be a lot more subtle than that. Either way, the extra money could be coming from industrial espionage, cryptomining malware, or stealing money from corporate accounts.
Insider attacks in the cloud
More and more organizations have implemented cloud networks. They can be cheaper to operate and they enable your network to expand without having to acquire larger premises, plus they’re a lot more scalable than on-premises networks. But cloud networks pose unique challenges to insider threats.
According to the spring release Threatbusters: Bitglass' 2019 Insider Threat Report, 41% of respondents say that assets migrated to the cloud aren’t monitored for anomalous activity. This makes insider attacks in the cloud harder to detect. Your organization usually lacks physical access to your cloud networks and it may take some time to become more familiar with implementing your cloud provider's security controls. So it's easy to understand why.
Your cloud environment interfaces with all of your infrastructure stacks and applications, so it’s very important to watch for any insider threats which may exist there.
In order to help prevent insider threats to your cloud, you need to make sure that it’s properly configured for optimal security. Secure-by-default landing zones can prevent new attack surfaces from opening up in development, staging and production environments. You must also implement identity access management that’s well suited to the cloud. The principle of least privilege can also be as useful for protecting cloud networks as it is for on-premises networks. No user should have more privileges than they absolutely need in order to do their jobs.
Conclusion: Don't underestimate the importance of insider threats
It’s clear that insider threats and attacks are a significant problem for your organization’s networks, regardless of your industry or network configurations. Proper and frequent training is key to mitigating insider threats. The people in your company should know about indications of insider threats and watch out for them. In order to help prevent accidental threats, users should be trained to be hardened against social engineering, and to be extra careful with how they handle sensitive data. People learn best when training is frequent and consistent. Therefore training sessions should take place at least two or three times per year, rather than just once.
Awareness and vigilance are of the utmost importance. Organizations often underestimate the risk of insider threats. Knowledge is power!