This month marks the first-ever National Insider Threat Awareness Month, as declared by the National Counterintelligence and Security Center (NCSC). The NCSC, which was created to lend cybersecurity and counterintelligence support to federal agencies and the private sector, proclaimed September a national month for insider threat awareness in an effort to promote information sharing and education around insider threats, and to encourage proactive reporting mechanisms that avoid the damage insider threats cause.
This observance has been instituted at a critical time, as insider threats are proliferating and becoming increasingly high-profile due to related data breaches and damages. Over the past few years, data breaches caused by insider threats have snowballed. A recent survey by Forrester Research indicated that 53% of data breaches that impacted respondents were caused by insiders—over half of whom had malicious intentions.1
Stopping insider threats requires understanding who they are and how they work. Unfortunately, insider threats are notoriously complicated. “All data theft is an inside job,” according to a Forrester report by VP and Research Director Joseph Blankenship and Researcher Claire O’Malley, because stealing data requires having access to that data.2 Stolen data is “either obtained by actors who, using compromised credentials, masquerade as insiders, or it’s granted to an insider as part of his or her job,” write Blankenship and O’Malley.
At the end of the day, there are only three types of bad guys: the bad guy on the outside, the bad guy on the inside, and the stupid guy on the inside.
The bad guy on the inside often gets the most visibility in news headlines. This may be the employee who is resigning and looking to swipe IP to bring with her to a new job, or the employee trying to pad his pockets with duplicate expense reports. Unfortunately, these threats are becoming increasingly common. According to Forrester, 57% of internal data breaches were caused by malicious intent in 2018—up from 26% in 2015.3
But not all insider threats are disgruntled employees with an axe to grind. Insider threats also include human error—the stupid guy on the inside—which is a repeat offender when it comes to data breaches. (Note that I say “stupid” with all the love in my heart. These are users who are not doing this maliciously and often it is not even their fault, such as when dealing with a difficult UI that makes it hard to implement good security best practices.) Bad cyber hygiene often leads employees to make critical security mistakes that compromise sensitive company information, such as an employee erroneously sending an email with confidential data to a third-party recipient or inadvertently downloading a file with malware. The stupid guy on the inside often opens the door to the bad guy on the outside. For example, you may be looking at a situation where an insider’s credentials or machine were compromised by an outsider, and that outsider is now moving through your systems with free rein.
Regardless of which actor is at play, insider threats are both very common and traditionally very difficult to detect. Unlike a run-of-the-mill malware attack, these threats don’t have fixed signatures or known patterns of attacks by which security software can spot them. Insider threats manifest in complex ways, often flying under the radar by purposely or inadvertently leveraging their privileged access to commit fraud, sabotage operations, or snoop around your systems looking for IP to swipe. It can be tough to spot a bad actor when that actor is using valid credentials. This type of threat becomes even more complex when this “insider” threat isn’t just about stopping an employee but thwarting an outsider.
Ultimately, insider threat awareness is more than just a matter of trying to spot and stop an unhappy employee—it’s a call to action for a more sophisticated approach to threat detection that will allow you to stay ahead of even complex, unknown threats like malicious insiders or targeted outside attacks. At Micro Focus, we believe user and entity behavioral analytics (UEBA) is key to helping companies achieve this proactive security posture.
Learn more about insider threats and how to prevent them with behavioral analytics in our “A Guide to Insider Threats” infographic, and join us on Wednesday, September 25th, at 2 p.m. EST to hear Micro Focus Interset CTO Stephan Jou and special guest Joseph Blankenship discuss insider threat detection leveraging UEBA and the MITRE ATT&CK framework. Register now!
1-3 Forrester Research, Inc., “Best Practices: Mitigating Insider Threats,” Joseph Blankenship and Claire O’Malley, May 31, 2019.