Liferaft Blog | Resources for Corporate Security

What are Insider Threats (and How to Detect Them)

Written by Liferaft | January 28, 2022

When we picture a threat actor, outsiders usually come first to mind: hackers, shoplifters, active shooters, crime outfits.

But what if the biggest threat lurks inside your organization?

In 2019, the U.S. Department of Justice charged two former Twitter employees with gathering user data on behalf of the Saudi Arabian government. In February 2021, U.K. police arrested several phone company insiders in a global SIM-swapping (“SIM jacking”) scheme. And also in 2021, Russian internet company Yandex disclosed that a rogue employee had leaked the account details of nearly 5,000 customers.

Admittedly, these are high-profile examples. But numerous studies point to a growing insider problem for security teams. These incidents are expensive for businesses, and they also put the safety of customers and employees at risk.

But exactly what are insider threats? Why are they so dangerous? And how can your team better detect them? Let’s dive in.


What are Insider Threats?

Simply put, an insider threat is a person who uses their legitimate access to corporate assets to damage the business.

Typically, this will be a current employee. But insider threats also include partners, contractors, or ex-staff members. And their actions could be accidental or carried out with malicious intent.

For security teams, unfortunately, insider threats tend to represent a bit of a blind spot.

Companies spend a lot of time watching out for bad actors outside of their organizations. But many have learned the biggest risk walks through the front door each morning.

Numbers from the Ponemon Institute make this point clear.

Insiders, by their count, are behind 60% of corporate data breaches. Ponemon’s 2020 Cost of Insider Threats study put the average annual cost of insider incidents at $11.45 million per organization, up 31% in two years, with the typical incident taking 77 days to contain.

Why so costly? It comes down to detection.

Insiders already have legitimate access to company systems and information. That makes it hard to distinguish normal activity from malicious activity, since both use the same credentials and the same paths.

Even worse, insiders know where a company’s most valuable assets are kept. So when they are behind an incident, they can inflict more damage, and inflict it faster.

Insider threats can hurt your organization beyond data breaches, too.

Employees and contractors are well placed to commit fraud or steal inventory. Rogue insiders can also leak data, damage equipment, and steal intellectual property.

Furthermore, not all insider threats have malicious intent.

For example, an intern may post a picture of their work badge on social media. Or a contractor may leave customer data on an unsecured device.

Image: an employee posting their work badge on social media, discovered by Navigator.

These individuals may not have bad intentions. But they can still create security headaches for businesses.

Criminals, for instance, could recreate workplace badges, thereby gaining access to secured facilities. Outsiders might access unencrypted data on cloud services.

That can result in fines and losses for the business. Or worse, impair the safety of VIPs, customers, and employees.


The Types of Insider Threats

Industry research giant Gartner breaks insider threats down further into four categories:

The Goof. Goofs are non-malicious. Incidents may result from a mistake or incompetence. Or they may be the result of a person trying to sneak around security measures for the sake of convenience. Regardless, Goofs can create costly breaches for businesses. And they account for the bulk of insider incidents.

The Pawn. Pawns represent unwitting insiders tricked into performing malicious actions on behalf of attackers. And typically, attackers manipulate pawns through tactics like social engineering or spear phishing. For instance, an employee may download ransomware to their computer. Or a contractor may disclose sensitive data to a criminal disguised as an executive.

The Collaborator. Collaborators are insiders working with a third party to damage an organization. These third parties could include criminals, nation-states, or rival businesses. And they could have any number of motives, such as fraud or IP theft.

The Lone Wolf. Lone wolves are malicious individuals operating on their own. By definition, they don’t coordinate with outsiders, so security teams are unlikely to spot any communications that betray the threat. Lone wolves present an especially high risk when they hold a privileged role, such as a system or database administrator, because their abuse of access looks like routine administration.


How to Spot Insider Threats

The faster you spot an insider threat, the less damage they can inflict upon your organization. And in some cases, you may be able to avoid a costly and embarrassing incident altogether.

Businesses have three main methods to detect bad actors hidden in their ranks.

Firstly, security teams should be on the lookout for behavioral changes among employees at work.

It’s a low-tech method. And no single incident proves beyond a doubt that a worker presents a serious risk.

But if an employee displays several warning signs, it could indicate that something is amiss.

Common red flags include:

  • Skipping paid holidays and vacations (often to keep others from covering, and noticing, their work).
  • Visiting the office at odd hours without a business reason.
  • A negative attitude towards colleagues or open resentment of the company.
  • Talking about quitting or new career opportunities, especially with a competitor.
  • Unexplained financial difficulties or sudden affluence.

Second, teams should keep a close eye on internal network logs.

Security information and event management (SIEM) systems are the usual tool for this purpose. They collect logs from endpoints, servers, identity systems, and network devices, then correlate them to flag unusual activity.

For organizations, this automation saves considerable time and resources. And when the rules are configured and tuned correctly, a SIEM can be quite effective at sniffing out insider activity.

What kinds of signals do these systems look out for?

Here’re some examples:

  • Logging into systems at unusual hours.
  • Storing data on external devices like USBs.
  • Copying data from sensitive folders.
  • Emailing important documents to outside parties.
  • Turning off encryption or other security controls.
  • Accessing files or systems that are not a part of an employee’s normal responsibilities.
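The signals above only become useful once they are scored together, because any one of them on its own is usually innocent. The following is an added example, not code from the original post or from any Liferaft product: a small Python scorer that runs over a handful of constructed log records (the event schema, user names, paths, role scopes, weights and threshold are all assumptions for illustration) and returns the users whose combined signals warrant review.

```python
"""Toy insider-threat signal scorer over constructed log records (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events. Field names and values are assumptions, not a real SIEM schema.
SAMPLE_EVENTS = [
    {"ts": "2022-01-24T02:13:00", "user": "jdoe", "type": "login", "detail": ""},
    {"ts": "2022-01-24T02:20:00", "user": "jdoe", "type": "file_read", "detail": "/finance/payroll/q4.xlsx"},
    {"ts": "2022-01-24T02:25:00", "user": "jdoe", "type": "usb_write", "detail": "D:\\q4.xlsx"},
    {"ts": "2022-01-24T09:05:00", "user": "asmith", "type": "login", "detail": ""},
    {"ts": "2022-01-24T09:30:00", "user": "asmith", "type": "file_read", "detail": "/finance/reports/jan.pdf"},
    {"ts": "2022-01-24T11:00:00", "user": "asmith", "type": "email_out", "detail": "partner@example.net"},
    {"ts": "2022-01-24T18:40:00", "user": "rlee", "type": "setting_change", "detail": "bitlocker=off"},
]

# Assumed context: which folder trees each role normally touches, which are sensitive,
# what counts as business hours, and the company's own mail domain.
ROLE_SCOPE = {"jdoe": ("/engineering/",), "asmith": ("/finance/",), "rlee": ("/it/",)}
SENSITIVE_PREFIXES = ("/finance/payroll/", "/hr/", "/legal/")
BUSINESS_HOURS = (7, 19)  # 07:00 to 19:00 local
INTERNAL_DOMAIN = "example.com"


def classify(event):
    """Return the (signal_name, weight) pairs triggered by a single event."""
    signals = []
    hour = datetime.fromisoformat(event["ts"]).hour
    user, detail = event["user"], event["detail"]

    if event["type"] == "login" and not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
        signals.append(("off_hours_login", 2))
    if event["type"] == "usb_write":
        signals.append(("removable_media_write", 3))
    if event["type"] == "file_read":
        if detail.startswith(SENSITIVE_PREFIXES):
            signals.append(("sensitive_folder_read", 3))
        # Unknown users have no scope, so any read is outside it.
        if not detail.startswith(ROLE_SCOPE.get(user, ())):
            signals.append(("outside_role_scope", 2))
    if event["type"] == "email_out" and not detail.endswith("@" + INTERNAL_DOMAIN):
        signals.append(("external_email", 1))
    if event["type"] == "setting_change" and "bitlocker" in detail and detail.endswith("=off"):
        # Disabling disk encryption is serious enough to cross the threshold alone.
        signals.append(("encryption_disabled", 5))
    return signals


def score_users(events, threshold=5):
    """Sum signal weights per user; return {user: (total, [signal names])} at or above threshold."""
    totals = defaultdict(int)
    reasons = defaultdict(list)
    for ev in events:
        for name, weight in classify(ev):
            totals[ev["user"]] += weight
            reasons[ev["user"]].append(name)
    return {u: (totals[u], reasons[u]) for u in totals if totals[u] >= threshold}


if __name__ == "__main__":
    for user, (total, why) in sorted(score_users(SAMPLE_EVENTS).items()):
        print(f"{user}: score {total} <- {', '.join(why)}")
```

In the sample data, jdoe is flagged on four converging signals (off-hours login, a payroll file outside their engineering scope, then a USB write), rlee is flagged on one high-weight signal (disabling disk encryption), and asmith’s single external email stays below the threshold. Real deployments derive the role scopes and baselines from historical data rather than hard-coding them, but the shape of the logic is the same.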

Finally, monitoring public and open data sources provides a last line of defense, catching what internal logs cannot see because it happens off the corporate network.

As a best practice, security teams should keep an eye on the following:

Dark Web Forums: Dark web forums serve as hubs for criminal activities. Insiders use these sites to promote illicit services, like deploying malware or assisting in thefts. Look out for mentions of your company’s name, products, and staff members. 

Social Media: Insider threats can reveal themselves on social media. These platforms can be useful for spotting a disgruntled worker or accidental data leaks. Security teams should always watch mainstream sites, like Twitter, Reddit, and Instagram. But don’t overlook the growing number of “alt-tech” offerings, such as Gab and Parler.

Online Marketplaces: Insiders may attempt to unload stolen goods in mainstream online marketplaces. In the United States, the largest and most popular sites are eBay and Craigslist. Look out for mentions of your company’s products alongside phrases like “unused” or “unboxed.”

Paste Sites: Much of the content shared on paste sites is harmless. But insiders have exploited these services to leak data or promote illegal services. Pastebin ranks as the largest and most popular. But you can find dozens of others across the deep and dark web.
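All four of these sources come down to the same task: watch for your company’s name, products and people, then weight the hit by the context it appears in (resale phrases on a marketplace, leak language on a paste site or forum). The following is an added example, not code from the original post or from Liferaft’s Navigator: a Python watch-list matcher run over a few constructed posts. The company, product and staff names, the hint phrases, the scores and the threshold are all assumptions for illustration.

```python
"""Toy open-source watch-list triage over constructed posts (added example)."""
import re

# Constructed watch list; the names are invented for illustration.
WATCHLIST = {
    "company": ["Acme Widgets", "AcmeW"],
    "product": ["Widget Pro 3"],
    "staff": ["Jane Doe"],
}
# Context phrases that raise a hit's priority depending on where it was found.
RESALE_HINTS = ["unused", "unboxed", "sealed", "bulk lot"]
LEAK_HINTS = ["dump", "db", "credentials", "insider", "access"]

# Constructed sample posts, one per source type.
SAMPLE_POSTS = [
    {"source": "marketplace", "text": "Selling 12x Widget Pro 3, unboxed, no receipt, bulk lot"},
    {"source": "paste", "text": "acme widgets customer db partial dump, hmu for full"},
    {"source": "social", "text": "Great day at Acme Widgets, love my team"},
    {"source": "forum", "text": "have insider access at AcmeW, can pull records"},
]


def _pattern(terms):
    """Case-insensitive whole-word alternation so 'AcmeW' does not match 'AcmeWorks'."""
    return re.compile(r"\b(" + "|".join(re.escape(t) for t in terms) + r")\b", re.IGNORECASE)


WATCH_PATTERNS = {category: _pattern(terms) for category, terms in WATCHLIST.items()}
RESALE_RE = _pattern(RESALE_HINTS)
LEAK_RE = _pattern(LEAK_HINTS)


def assess_post(post):
    """Return (score, hits): watch-list categories found plus any context hint that applied."""
    text = post["text"]
    hits = [category for category, pat in WATCH_PATTERNS.items() if pat.search(text)]
    if not hits:
        return 0, hits  # a post that never mentions us is not interesting
    score = 1  # bare mention: worth logging, not worth waking anyone
    if post["source"] == "marketplace" and RESALE_RE.search(text):
        score += 2
        hits.append("resale_hint")
    if post["source"] in ("paste", "forum") and LEAK_RE.search(text):
        score += 3
        hits.append("leak_hint")
    return score, hits


def triage(posts, min_score=3):
    """Return (source, score, hits) for every post at or above min_score, in input order."""
    queue = []
    for post in posts:
        score, hits = assess_post(post)
        if score >= min_score:
            queue.append((post["source"], score, hits))
    return queue


if __name__ == "__main__":
    for source, score, hits in triage(SAMPLE_POSTS):
        print(f"[{score}] {source}: {', '.join(hits)}")
```

The happy social post mentioning the company scores 1 and drops out of the queue, while the marketplace listing, the paste and the forum offer all surface with the reason attached. In practice the watch list is long (product SKUs, executive names, internal project names), the hint lists are tuned per source, and the matcher runs against a collection feed rather than a static list, but a reviewer still wants exactly this output: what matched, where, and why it was ranked.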


The Bottom Line

Companies spend a lot to protect their property and personnel from external threats. But in recent years, insiders have often emerged as the bigger risk.

Given the range of motivations, from carelessness to collusion, teams need a mix of strategies to address these threats: behavioral awareness, internal log monitoring, and watching open sources where insiders reveal themselves.

Of course, the post above only scratches the surface of this topic.