Insiders Threats

Imagine yourself in a dining room at your company with colleagues and friends enjoying a meal. Suddenly, the lights flash and everyone’s belongings mysteriously disappear. The only suspects are those in the environment, including you. But how to find the culprit?

As much as the introduction of this text sounds a bit dramatic and the plot seems taken from an Agatha Christie book or a Sherlock Holmes tale, the feeling of having a threat within the company is very similar. An insider attack happens when least expected, while everyone involved in that compromised environment goes from innocent workers to suspects in a moment, and identifying the culprit is a difficult task. 

These insider threats can be represented by careless or inexperienced employees, unhappy employees, third parties, partners, and undercover spies, or any inside component that exploits or intends to exploit their legitimate access to assets with the intention of doing something unauthorized.

According to a study by Verizon (2019), 57% of information leaks involve insider threats, and 15% of leaks are a consequence of misuse of privileges.  

As with detective cases, in which a thief or a neighbor who does not live in the house is the main suspect in crimes, many companies focus on threats outside the organization, such as hacking and malware, while a dishonest employee may be working among others for a long time without being identified, stealing information and damaging business. 

By having legitimate access and often unrestricted permission, these inside agents, whether malicious or not, are able to cause incidents within the organization without drawing attention, as they somehow are trusted by others while doing their jobs. 

Disclosing sensitive information, facilitating third-party access, and breaking down vital equipment for a system are some incidents these bad employees may have.  Also, the immature, inside agents who lack knowledge about the company and its processes are also insider threats, as they can cause errors when deleting important information or downloading infected files, for example, just because they are unprepared. 

Who are the suspects?

These insider threats can come from registered employees, contractors, and even partners or third parties who have access to the system: 

• Registered Employees: they are above suspicion, are considered part of the organization and are the last to be suspected of.  
• Contractors: Contractors’ skills are underestimated, and they can take advantage of their access.  
• Partners and third parties: They are always under contracts, and because of that, they are granted access with high privileges, so the contract offers false security for the company.  

Former employees are also a threat. According to Deloitte (2016) 59% of employees who leave a company voluntarily or involuntarily take data with them.

But what are the motivations?

In most cases, what motivates these malicious inside agents to cause an incident are financial, ideological issues, as well as the desire for recognition, loyalty to family, friends or country, and even for revenge.  In its research, Verizon (2019) includes motivations for fun, fear, and convenience to the list. 

Regardless of the motivations, malicious inside agents seek to leak confidential data and disrupt processes, as these are the events that can most harm an organization  (CNPI, 2013). This fact is clearly supported by cases made public in the media, such as: 

1. Edward Snowden Case: Snowden leaked nearly two million NSA files in 2013.
2. Ricky Mitchell: After finding out that he would be fired, he restarted EnerVest’s servers to factory settings and discontinued operations for a month.
3. Zhangyi Liu: Chinese programmer working for Litton/PRC Inc. who accessed confidential Air Force data. The contractor copied credential passwords that were allowed to create, change, and delete any file on the network, and posted them on the Internet. 
4. Christopher Grupe: After being fired from the Canadian Pacific Railway, he accessed the system again to delete files and change passwords, preventing administrators from authenticating themselves.
5. Paige Thompson: Former software engineer at Amazon Web Service, she accessed credit card information from more than 100 million Capital One’s customers. The configuration of Amazon’s cloud environment was not secure. Paige was aware of this misconfiguration and abused her privileges to access data and share methods in online chats.
   

Preventing an inside agent from stealing information may be more difficult than preventing an outside agent from gaining access to assets, as inside ones have unrestricted access to endpoints and the network, and are the components that correspond respectively to the means used to perform attacks to an organization. 

Other assets used to cause incidents internally are BYOD devices, which are increasingly accepted within companies today, even though their use is often uncontrolled. 

Through these assets, attackers reach their real targets – databases and file servers, as these keep the most valuable information for both inside and outside attackers, such as customer data, financial data, intellectual property, and privileged account data (credentials and passwords, for example). 

This type of attack increases due to insufficient strategies or solutions to protect data, as well as a lack of training, employee expertise, and risk awareness at the administrative level of the organization. 

What should be done to avoid it?

Of course, this type of attack is the hardest to predict and prevent. These are malicious agents who may be working by your side right now. 

However, some steps can be taken to make it more difficult for a new insider attack to happen:

• Checking employee background before hiring 
• Applying Mandatory Vacations and Job Rotation. 
• Monitoring employee behavior.
• Educating and training employees. 
• Controlling third-party access. 
• Encouraging employees to notify abnormal activities and strange behaviors by their colleagues if they notice.

In another study by Haystax (2017) or organizations, 60% of IT privileged users/administrators pose the highest risk. They have large permissions within a system to execute infinite commands and view a large amount of information.

Privileged users are like stewards in suspense stories. They are the ones who have unrestricted access to various rooms in the house, perform important tasks and are extremely trustworthy to members of the house, so it is no surprise when they are revealed as the guilty ones. 

Even with the risk this type of user poses, they are necessary for the system. So, how to control them? 

Privileged Access Management – or simply PAM -, the technology and processes that control privileged access, store all access records for auditing purposes and analyze the actions taken by users in real-time, generating alerts about unusual activities. Using this technology can make the identification and mitigation of insider attacks much faster and more efficient. 

senhasegura is a PAM solution that has granular access controls, credential management, detailed logging and session recording, and the ability to analyze user behavior. Request a demo now and discover hands-on the benefits of senhasegura to limit the damage caused by insider threats.