Insider threat incidents account for 34% of data breaches. CYDEF’s detection capabilities are not limited to external cyber attacks. They also serve as detection controls for unusual activity on the inside of an organization.
What is Insider Threat?
Cybersecurity is focused on keeping malicious attackers out of business systems.
But what if the malicious attacker is already inside the business, with access to everything they want? That makes an attack too easy.
Insider threat is generally characterized as a security threat from someone that has legitimate access.
Examples of insider threats include:
- Terminated employees who, while retaining their network access, take vengeance on their former employers
- Employees who unnecessarily access confidential records to extract information about a colleague or a celebrity
- Contractors who download proprietary data to use with other clients or to divulge to the press
Insider threats are difficult to detect and control because they abuse legitimate access required to complete legitimate tasks.
So how can you differentiate between a legitimate request and an attack?
Combatting Insider Threat
How do you stop users with legitimate access from abusing these rights?
While a number of technical solutions are available (such as User and Entity Behavior Analytics [UEBA]), one of the most effective solutions is to monitor employee behavior. Perhaps more important is to let them know they are being watched.
One of the most basic insider threats is cash theft. Think of a cashier stealing from a cash register. The cashier can open the register whenever they want, so why aren’t they just leaving with all the money?
It’s not because a fancy algorithm is calculating a risk score, or because a multi-level authentication solution is deployed on the register. The cashier doesn’t leave with the money because they think they will get caught.
A lot of insider threat problems are opportunistic in nature. People suddenly find that they have access (or still have access), and then go a little beyond what they were employed to do.
After all, nobody will know, right?
This opportunistic behavior, however, disappears when the employee believes that someone will discover the inappropriate behavior.
The Value of Continuous Monitoring
That is why continuous monitoring can be used to deter insider threat.
Deterrence is one of the most underrated values of SOC-type operations.
Calling employees from time to time to ask about a weird command line they generated or a suspicious program they installed creates the impression that someone is watching the system. If someone is watching, they will know when something goes awry (just as someone notices when cash goes missing from the register).
That often deters employees from taking chances, and makes them much less likely to attempt to take opportunistic action in the future.
Case Examples: Insider Threat Detected by CYDEF
We identified two examples of insider threat incidents detected by CYDEF.
Idle Time Suspension
In the first case, an employee was very annoyed that a certain machine in the workplace would lock up whenever it was left unattended. Presumably, they found it tedious to always have to enter the password.
So, the employee had someone make a script that would prevent the machine from going idle. The script removed the need to re-enter the password, and clearly violated the company’s security policy.
After the script had been run a number of times from different locations (the desktop, a shared drive, a USB drive), a manager deleted the instance identified in the SMART-Monitor alert.
However, it was clear that, if left to their own devices, the employee’s behavior would persist and others might have copied them.
Attempt to Add a User to a Local Administrator Group
In the second case, we saw an employee open a command prompt and attempt to add themselves to the local administrator group. Luckily, the attempt didn’t work. The team at CYDEF caught the attempt and reported it to our customer.
When the customer’s IT team checked in with the employee, the employee responded simply that they were curious if adding admin access was possible.
If the employee hadn’t received a call from IT, what are the odds they would have stopped with one access attempt?
Do you think the employee will try anything else fancy after that?
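Both cases above come down to recognising a tell-tale pattern in endpoint process-creation telemetry: a command line that adds a member to the local Administrators group, and the same script being launched by one user from several locations (desktop, shared drive, removable drive). The following is an added example written for this article, not CYDEF’s or SMART-Monitor’s own detection logic. It runs two simple rules over constructed, tab-separated log lines; the record layout, the field names, the sample users and hosts, and the script name stayawake.ps1 are all assumptions made for illustration.

```python
"""Heuristic detection of the two insider-threat behaviours described above,
run over constructed process-creation events. Example code, not CYDEF's."""
import ntpath
import re
from collections import defaultdict

# Constructed sample events (tab-separated: timestamp, host, user, command line).
# The record layout and every value in it are assumptions for this example.
SAMPLE_LOG = """\
2024-01-10T09:02:11Z\tWS-07\tjdoe\t"C:\\Program Files\\Office\\WINWORD.EXE" report.docx
2024-01-10T09:15:40Z\tWS-07\tjdoe\tnet localgroup administrators jdoe /add
2024-01-10T10:01:05Z\tWS-12\tasmith\tpowershell.exe -File C:\\Users\\asmith\\Desktop\\stayawake.ps1
2024-01-10T13:22:18Z\tWS-12\tasmith\tpowershell.exe -File \\\\fileserver\\shared\\tools\\stayawake.ps1
2024-01-11T08:05:52Z\tWS-12\tasmith\tpowershell.exe -ExecutionPolicy Bypass -File E:\\stayawake.ps1
2024-01-11T09:40:00Z\tWS-03\tbwong\tpowershell.exe -File C:\\Scripts\\backup.ps1
"""

# net.exe / net1.exe adding a member to the local Administrators group.
NET_LOCALGROUP_ADD = re.compile(
    r'\bnet1?(?:\.exe)?\s+localgroup\s+"?administrators"?\s+(\S+)\s+/add\b', re.I)
# PowerShell equivalent (LocalAccounts module); -Group and -Member may appear in any order.
PS_LOCALGROUP_ADD = re.compile(
    r'\bAdd-LocalGroupMember\b(?=.*-Group\s+"?Administrators"?).*-Member\s+"?([^\s"]+)', re.I)
# A script file referenced by local-drive or UNC path on the command line.
SCRIPT_PATH = re.compile(r'(?:[A-Za-z]:\\|\\\\)[^\s"]+?\.(?:ps1|bat|cmd|vbs|js)\b', re.I)


def parse_events(text):
    """Turn the tab-separated sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmdline = line.split("\t", 3)
        events.append({"ts": ts, "host": host, "user": user, "cmdline": cmdline})
    return events


def detect_local_admin_add(event):
    """Rule 1: a command line that adds a member to the local Administrators group.
    Adding oneself (member == executing user) is scored 'high'; anything else 'medium',
    since IT staff legitimately run the same command on occasion."""
    for pattern in (NET_LOCALGROUP_ADD, PS_LOCALGROUP_ADD):
        m = pattern.search(event["cmdline"])
        if not m:
            continue
        member = m.group(1).strip('"')
        user = event["user"].lower()
        is_self = member.lower() == user or member.lower().endswith("\\" + user)
        return {"rule": "local_admin_add", "severity": "high" if is_self else "medium",
                "ts": event["ts"], "host": event["host"], "user": event["user"],
                "member": member}
    return None


def detect_script_from_multiple_locations(events, min_locations=2):
    """Rule 2: the same script name launched by one user from two or more directories
    (desktop, network share, removable drive), the pattern seen in the first case."""
    seen = defaultdict(set)  # (user, script name) -> set of directories it ran from
    for ev in events:
        for path in SCRIPT_PATH.findall(ev["cmdline"]):
            directory, name = ntpath.split(path)  # ntpath handles Windows/UNC paths on any OS
            seen[(ev["user"], name.lower())].add(directory.lower())
    findings = []
    for (user, name), dirs in seen.items():
        if len(dirs) >= min_locations:
            findings.append({"rule": "script_from_multiple_locations", "severity": "medium",
                             "user": user, "script": name, "locations": sorted(dirs)})
    return findings


def run_detections(text=SAMPLE_LOG):
    """Apply both rules and return the combined list of findings."""
    events = parse_events(text)
    findings = [f for f in (detect_local_admin_add(ev) for ev in events) if f]
    findings.extend(detect_script_from_multiple_locations(events))
    return findings


if __name__ == "__main__":
    for finding in run_detections():
        print(finding)
```

Run against the constructed sample, the first rule flags jdoe’s self-addition as high severity and the second flags stayawake.ps1 running from three different directories for asmith, while bwong’s single backup script and the Word document are left alone. Either finding is exactly the kind of event that justifies the phone call or email the article recommends; the point of the rules is not to block the action but to make sure someone notices it and the user learns that it was noticed.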
Awareness of Detection Deters Insider Threat
In order to achieve deterrence, users must expect that erroneous action will be detected.
The most effective method to deter insider threat is to communicate that security monitoring takes place on an ongoing basis. Security cameras are visible in stores to deter theft (even if there is no camera recording). It is a way to signal to would-be thieves that someone is watching.
If you want to catch a thief, you use a hidden camera. If you want to prevent a thief from stealing, you install a very visible camera.
The same methodology applies in cybersecurity. If you want to catch an insider threat, you monitor the activity. If you want to prevent an insider threat, you communicate the detected actions and repercussions.
In the case of the user who attempted to add themselves to the system admin group, a sternly worded email explaining the situation is key to prevention. In this instance, the email would highlight the erroneous user action, indicate that the user would be reported to HR, and that system monitoring tools would catch bad behaviors when they take place.
Continuous Monitoring Can Be Easy
For many businesses, continuous endpoint monitoring demands more effort and overhead than they can absorb.
Partners like CYDEF can provide the upside of continuous monitoring without the burden of management. Our solutions combine monitoring technology with in-person investigation, effectively moving the management of endpoint detection from your team to ours.
If you’re curious about how CYDEF can defend your business against cyber threats – from outside the organization and from within – get in touch!