The War Within – Combatting Insider Threats

Morey Haber, CTO, BeyondTrust
7 years ago

By definition, an Insider Threat is an internal persona behaving as a threat actor, with or without their knowledge. Insider Threats occur for a variety of reasons, including a person looking to hurt an organization or gain an advantage over it. An old-school example of this type of threat is client lists, and it is an Insider Threat that is still relevant today. A salesperson, executive, or other persona planning to leave an organization might photocopy or print client lists and orders before leaving, to have a competitive edge when they start with a new employer.

Regardless of their intent, it is the digital aspect of an Insider Threat that warrants the most attention. Human beings will do the most unusual things in the direst situations, but if they are not permitted the access to do so, many of the risks of Insider Threats can be mitigated. Consider the following for your business:

  • How many people have access to sensitive information en masse? I am not asking who uses a program to retrieve one record at a time, but rather who has direct access to the database or can run a report that dumps large quantities of information from a query
  • Are all accounts valid people that are still employed or relevant?
  • How often do you change the passwords for sensitive accounts?
  • Do you monitor privileged access to sensitive systems and data?

Now in fairness, answering these questions honestly could be opening Pandora’s box. Nonetheless, you should answer them if you care about Insider Threats. Here is why:

  • Only administrators (not even executives) should have access to data en masse. This prevents an insider from dumping large quantities of information, and it limits what a hacked executive's account can be leveraged to do against the organization
  • Users should never use administrative accounts for day-to-day tasks like email. This includes administrators themselves, in case their accounts are compromised too. All users should work with standard user permissions
  • All access to sensitive data should be restricted to valid employees only. Former employees, contractors, and even auditors should not have access to this sensitive data on a daily basis. These accounts should be disabled or deleted per your organization's policy
  • Employees come and go. If passwords stay the same as people leave and new hires are onboarded, the risk to sensitive data increases, since former employees still know the passwords that protect the company's sensitive information
  • Monitoring privileged activity is critical. This includes logs, session monitoring, screen recording, keystroke logging, and even application monitoring. Why? If an Insider accesses a sensitive system to steal information, session monitoring documents their access, how they extracted the information, and when
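The four questions above and the controls that answer them can be checked mechanically against an audit trail. The following is an added example, not code from the article or from BeyondTrust: it runs a constructed database audit log and a constructed account roster through three checks (bulk extraction by a non-administrator, activity from an inactive account, and a privileged password older than a rotation policy). The log format, roster fields, row threshold and 90-day policy are all assumptions.

```python
from datetime import date

# Constructed roster: 'admin' marks accounts allowed to read data en masse,
# 'active' is the HR status, 'pw_changed' the last credential rotation.
ROSTER = {
    "dba_pat":   {"admin": True,  "active": True,  "pw_changed": date(2018, 1, 4)},
    "exec_lee":  {"admin": False, "active": True,  "pw_changed": date(2018, 3, 1)},
    "sales_kim": {"admin": False, "active": False, "pw_changed": date(2017, 6, 9)},
}

# Constructed audit log, one event per line: user|action|object|rows_returned
AUDIT_LOG = """\
dba_pat|SELECT|customers|120000
exec_lee|SELECT|customers|85000
exec_lee|SELECT|customers|1
sales_kim|EXPORT|orders|40000
"""

BULK_ROWS = 10000      # rows per query above which access counts as "en masse"
MAX_PW_AGE_DAYS = 90   # assumed rotation policy for sensitive accounts


def parse_audit(text):
    """Yield (user, action, obj, rows) tuples from the pipe-delimited log."""
    for line in text.splitlines():
        user, action, obj, rows = line.split("|")
        yield user, action, obj, int(rows)


def find_findings(log_text, roster, today):
    """Return {user: [finding, ...]} for the three checks the article raises."""
    findings = {}
    for user, action, obj, rows in parse_audit(log_text):
        acct = roster.get(user)
        if acct is None:
            findings.setdefault(user, []).append("unknown account on audit trail")
            continue
        if not acct["active"]:
            findings.setdefault(user, []).append(f"inactive account performed {action} on {obj}")
        if rows >= BULK_ROWS and not acct["admin"]:
            findings.setdefault(user, []).append(f"non-admin bulk access: {rows} rows from {obj}")
    for user, acct in roster.items():
        if acct["admin"] and (today - acct["pw_changed"]).days > MAX_PW_AGE_DAYS:
            findings.setdefault(user, []).append("privileged password older than policy")
    return findings


def run_example():
    """Evaluate the constructed data as of a fixed date so results are stable."""
    return find_findings(AUDIT_LOG, ROSTER, date(2018, 6, 1))
```

In a real deployment the roster would come from the HR or identity system and the log from the database's own audit facility; the thresholds belong in policy, not in code.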

If you think that following these steps alone will protect you from Insider Threats, you are wrong. They assume the threat actor comes in through the front door to steal information or conduct malicious activity. Insider Threats can also evolve from traditional vulnerabilities, poor configurations, malware, and exploits. A threat actor could install malicious data-capturing software, leverage a system missing security patches, or access resources through back doors to conduct the same kind of data-gathering activity. Insider Threats are about stealing information and disrupting the business, but depending on the sophistication of the threat actor, they can use tools traditionally associated with an external threat and compromise an unsuspecting employee. Until you begin an investigation, you will not know the motives of the Insider or whether they are innocent. We need to realize that Insider Threats come from, essentially, two sides: excessive privileges (covered above) and poor security hygiene (vulnerability and configuration management). To that end, all organizations should also regularly perform these tasks to keep their systems protected:

  • Ensure anti-virus or endpoint protection solutions are installed, operating, and stay up to date
  • Allow Windows and third-party applications to auto-update, or deploy a patch management solution that applies relevant security patches in a timely manner
  • Utilize a vulnerability assessment or management solution to determine where risks exist in the environment and correct them in a timely manner
  • Implement an application control solution to allow only authorized applications to execute with the proper privileges to mitigate the risk of rogue, surveillance, or data collection utilities
  • Where possible, segment users from systems and resources to reduce “line of sight” risks

While these seem very basic, the reality is that most businesses do not do a good job at even the most basic security. If they do, the risk of Insider Threats can be minimized by limiting administrative access and keeping information technology resources up to date with the latest defenses and security patches. Insider Threats are not going to go away. They have been around for hundreds of years, but the medium and techniques for stealing information have evolved with modern technology. The goal is the same: stop the data leakage and be aware that an Insider has multiple attack vectors to achieve their goals. As security professionals, we need to mitigate the risks at the source. A briefcase of paper is still an Insider Threat but not as relevant as a USB stick with your entire database of sensitive information. In the end, an Insider still needs privileges to steal all this information and that should be monitored very closely.