What Are Insider Threats?

What is the difference between insider threats and external threats?

As their names suggest, insider threats come from inside the organization and external threats come from outside the organization. Companies of all sizes need to understand both types of threats to effectively protect themselves.

An insider threat can be a current or former employee, contractor, vendor, or another business partner that has access to the organization’s IT systems and a legitimate need to access company data. The threat comes from the potential for these individuals to abuse or misuse their privileges and either intentionally or accidentally cause the organization harm. Most insider threat incidents are accidental, such as an employee connecting a company laptop to a public Wi-Fi network and inadvertently exposing private customer information stored on their hard drive. But they can also be intentional insider attacks. Because of their personal connection to the organization, intentional insider threats are typically motivated by revenge, opportunity, financial gain or a personal or political cause.

By contrast, external threats come from outside actors who do not have authorized access to an organization’s systems or data. These individuals usually don’t act out of animosity toward an organization but rather choose targets based on potential financial gain. Although it's less common, external threats can be politically motivated cyber attacks, as in the case of “hacktivists” or state-sponsored actors targeting a company’s systems to disrupt operations.

Often, insider threats and external threats overlap, with external actors attempting to take advantage of an insider’s privileged access to commit cybercrime. This most commonly plays out as an outsider taking advantage of an employee’s or business partner’s carelessness to penetrate the network, such as in a phishing attack. Perhaps less common, an insider may collaborate with an outside party, proffering their privileged access for personal gain, or working as a mole for an outside political group or nation-state.

What are the main types of insider threats?

Insider threats can be broadly grouped into the following types:

• Intentional threats: These insider threats set out to purposely harm the organization, are premeditated and executed with a specific end goal in mind. They are sourced to a variety of motives ranging from a desire to exact revenge to using company assets for personal gain to supporting a political cause.
• Unintentional threats: An unintentional insider threat results from negligence rather than malicious intent. These security threats are typically the result of human error or poor security practices, such as using weak passwords, ignoring software updates, inadvertently opening malicious email attachments and/or leaving a company laptop or storage device unattended in a public setting.
• Third-party threats: Third-party threats are those perpetrated by someone connected to the organization who is not an employee, which include contractors, vendors, and other business associates who have authorized access to the organization’s systems and know where its sensitive data lives. Third-party insider threats can be intentional or unintentional.
• Malicious threats: Malicious threats are a type of intentional insider threat that deliberately aims to harm the organization. An employee may use their access to sabotage company equipment after being denied a raise or passed over for a promotion, for example. Other times, malicious insider threats are motivated by personal gain, such as stealing an organization’s trade secrets to sell to a competing company. This category also includes external threat actors’ use of compromised valid account credentials obtained from employees via social engineering and other data exfiltration techniques.
• Collusive threats: Collusive threats are insiders that partner with an external party to carry out an attack on their organization — a cybercriminal enlisting an employee to steal valuable data on their behalf is one example. By their nature, collusive threats are always intentional.

What are the signs of insider threats?

Insider threat indicators include an array of digital and physical behavioral anomalies. Be on the lookout for individuals exhibiting any of the following warning signs:

• Accessing, downloading, or moving large amounts of data
• Attempting to access sensitive data or systems that are not associated with their role
• Accessing data that they don’t normally access
• Using unauthorized devices to access or store data
• Copying, moving or deleting files from sensitive folders
• Sharing sensitive data outside the organization
• Frequently violating data protection and compliance rules
• Performing network activity at unusual times, such as in the middle of the night
• Attempting to bypass security controls
• Deliberately violating corporate policies
• Displaying disgruntled behavior toward coworkers or management
• Discussing new job opportunities or the possibility of resigning
• Frequently spending time in the office during off-hours
• Exhibiting high amounts of job dissatisfaction

An insider exhibiting one or two red flags does not necessarily indicate they are an insider threat, and it’s important to maintain a level of trust between the organization and its employees and business partners. But repeated offenses or a pattern of the above behaviors could signify a potential insider threat that needs to be addressed.

How do insider threats impact the organization?

Insider threats impact the organization by disrupting business operations or compromising sensitive data. The most vulnerable types of data are customer data, intellectual property, financial data and other critical assets.

The damage is often done long before the organization discovers it has an insider threat problem, simply because the attack is carried out by a trusted individual with valid access to its systems. Insider threats have become even harder to detect due to the adoption of work-from-home policies in response to the Covid-19 pandemic. As employees and business partners logged in from their home networks, they simultaneously opened their organization to new threats. The consequences were evident almost immediately; in July 2020, for example, hackers impersonated Twitter IT administrators and convinced newly remote employees to disclose account credentials, which they used to change the passwords of several high-profile Twitter accounts and conduct a Bitcoin scam, causing Twitter’s stock to fall by 4%.

What kinds of security risks do insider threats create?

Insider threats create several types of security risks, including:

• Sabotage and theft: Disgruntled employees and other individuals with a personal grudge against the organization often seek retribution by damaging IT hardware, deleting sensitive data, or disclosing intellectual property or trade secrets to a competitor.
• Elevated access privileges: Insiders can take advantage of security vulnerabilities or poorly configured access controls to elevate their privileges and gain access to high-value data. They may then steal or delete the data or conduct espionage for an outside party.
• Accidental or intentional data exposure or loss: Insiders can intentionally or accidentally expose data to, or share data with, outside actors. This can occur by using unauthorized devices to store or transport data, falling prey to a phishing scam, inadvertently sending files to the wrong email address, or posting sensitive information to a social media account, among other ways.
• Unauthorized devices accessing the network: The use of personal laptops and phones, USB drives, and other unauthorized devices on the organization’s network can expose sensitive company data, infect company systems with malware, and pose other risks.
• Theft or loss of physical devices: As more employees work remotely, the theft or accidental loss of laptops and mobile devices poses a growing insider risk. Unattended devices may also provide outsiders access to the organization’s systems when the employee is logged into the device and its applications.
• Downloading malicious content: Whether through non-work-related internet browsing or social engineering, the risk of insiders unintentionally downloading harmful files is extremely high.

What are best practices that help mitigate insider threats?

The following best practices and security measures can help with insider threat mitigation:

• Protect data at the source: Sensitive data, including customer information, financial data, intellectual property, and trade secrets, is typically the primary target for intentional insider threats, and most at risk from negligence. Both problems can be addressed by developing a data classification policy and investing in data loss prevention (DLP) tools. A vendor risk management policy and third-party risk management tools are also important for protecting assets stored with vendors.
• Protect physical assets: Insider threats can also compromise physical assets such as IT hardware, proprietary software, facilities and even people. Take an inventory of what physical assets are essential to deliver your products and services and determine the best way to protect all of them.
• Implement employee monitoring: As its name suggests, employee monitoring software provides visibility into an employee’s daily computer activity including internet browsing, application and social media usage, login and logout records, and more. This information can help security teams identify patterns and anomalies that may indicate an insider threat risk and provide an activity record that can assist with a breach investigation.
• Enforce data security policies: Establish and document policies that detail your information security controls and regulate how data is handled and transferred — then apply rigorous enforcement.
• Implement cybersecurity awareness training: Most employees are aware of external threats such as ransomware and malware, but not of the role negligence plays in many data breaches. Providing training on social engineering attacks, spearfishing, whaling campaigns, and other attacks that leverage insiders’ systems and data access, as well as best practices such as regularly changing passwords, that can help increase employee vigilance and reduce user errors.
• Adopt behavioral analytics: While no two insider threats will behave the same way, changes in a user’s behavioral patterns can predict risk. Machine learning models powering behavioral analytics solutions can detect these patterns more quickly and accurately than humans can and provide the context to determine whether anomalous behavior represents a legitimate threat.
• Deprovision employees after they leave: Remove user access and permissions to your network’s systems, applications, and data as soon as they quit or are terminated. This will ensure that they can’t access any sensitive data once they leave the company.
• Notify third parties of any employee’s termination: Let vendors and other business partners know when an employee is terminated so they can also de-authorize any access the employee may have had to their sensitive data.
• Enforce employee access controls: Follow the principle of least privilege to make sure employees and contractors only have access to the resources they need and only when they need it to perform their job functions. Ensure employees have only the appropriate level of access to each system according to their particular role, eliminate standing privileged access, and regularly perform account and access audits. Adjust access privileges with a robust authentication solution when current employees change roles within the company or contractors stop working on company’s projects.

How does UEBA help mitigate insider threats?

User and Entity Behavior Analytics, or UEBA, helps mitigate insider threats using a machine-learning technique called anomaly detection, which monitors the individual behavior of every user within the organization to learn what is normal so it can recognize activity that deviates from an established pattern. For example, if an employee who never logs in after work hours and only ever accesses Server A suddenly logs in at 1 a.m. and accesses Server B, UEBA would flag that behavior as suspicious. UEBA would then process this information in the context of the user's other activity and determine the likelihood that the behavior precludes an attack.

UEBA is critical for mitigating insider threats. Without UEBA, the signs of an insider threat, such as the uncustomary employee behavior, would have to be spotted by a human analyst. However, resource-depleted Security Operation Centers (SOCs) don’t have the staffing or bandwidth to keep eyes on individual behaviors at scale. UEBA is an essential tool for filling that gap. (More on Splunk UEBA can be found here)

Data theft, hardware sabotage and malware infections are increasingly being perpetrated by insiders both intentionally and unknowingly. Resulting breaches can be as or more costly than those inflicted by external actors, and often organizations have neither the visibility nor the understanding of insider user behavior to effectively combat these threats. An effective monitoring solution, along with access control, data protection and behavioral analytics tools, is essential for preventing insider threat attacks and protecting your business.