These days, most people you meet will be well aware of the prevalence of typical threats such as hacking, malware, social engineering and more. But what about the attacks that occur from the inside? More specifically, what about the threat posed by malicious insiders who are motivated to adversely impact an organisation by breaching confidentiality and integrity using the privileges associated with their position?
The Malicious Insider
A malicious insider is an employee of a company who takes purposeful actions in opposition to the interests of the organisation, utilising their employee privileges and access to do so. These attacks can range from sabotage, fraud and theft to prevention of access and more. Interestingly, 66% of businesses today consider the internal threat to be more common than external attacks. However, this threat area is often misunderstood and overlooked within a business’s security policy.
The motives behind malicious insider attacks are extensive and, quite frankly, terrifying. In 2017, the Federal Bureau of Investigation (FBI) described various motivating factors behind malicious insider attacks, splitting these into personal and organisational factors. The personal factors include:
- Greed or need;
- Anger or revenge;
- Problems at work such as lack of recognition, disagreements, potential termination etc;
- Divided loyalty;
- Adventure or thrill;
- Ego or self-image;
- Compulsive behaviour;
- Family issues.
The organisational factors tend to associate more with negligent insider threats, but many are still pertinent including:
- Availability and ease of access to information;
- Lack of physical access controls;
- Weak logical access controls, e.g. lack of multi-factor authentication;
- Perception of lax control;
- Lack of training;
- Poor leadership;
- Poor policy implementation.
Of the 11,698 insider threat attacks reported in 2014, financial gain or fraud was found to be the primary driver. In 2018, Verizon verified this again by finding that financial gain motivated 40% of malicious insider attacks. However, each factor in itself contains more complexity and consideration, making the question of why employees commit these attacks an extremely difficult one to answer. This is one aspect that makes the threat so significant: the lack of understanding around motivation, causing an inability to accurately predict this behaviour.
Why Are They So Dangerous?
Malicious insiders are also extremely dangerous because of the damage they can do to a business. A 2010 CyberSecurity Watch Survey found that, “while outsiders are the main culprits of cybercrime in general, the most costly or damaging attacks are more often caused by insiders”. Indeed, in 2014 cybersecurity firm TripWire estimated that insider attacks cost an average of $412,000 per incident. This is due to the level of access often afforded to insiders, and the luxury of time they have to extract data and cover their trail, often making the volume of compromised data unacceptably high.
Organisations want to trust their employees, and many jobs often go hand-in-hand with working with sensitive data. At the end of the day, preventing employees from accessing the necessary data would also prevent them from doing their job, which is simply not an acceptable trade-off for any company.
What is more, the malicious insider threat is on the rise. In 2015, internal actor attacks represented 20% of breaches that year, according to Verizon. This rose steadily each year and, in 2018, had gone up to 28%, showing no signs of dropping. Indeed, in the Public Sector specifically, 34% of threat actors were internal to the organisation last year.
Detecting & Stopping the Malicious Insider
In plenty of cases, patterns of detectable behaviour and network activity will emerge, potentially alerting a company to essential indicators of risk. Knowing what to look for and spotting these patterns can often lead to early detection, which can make a huge difference in preventing or minimising the impact of an insider threat.
The first step is to hire the right people. Background checks and vetting are easily implementable processes that provide vital information such as a person’s security attitude, criminal history, alcohol or drug usage, financial considerations, personal relationships and external loyalties, influences and associations.
From here, it is important to constantly monitor employees’ behaviour, and to be aware of any changes in the above information. More technical indicators may include logging into the network at odd times, increased personal website visits during work, regular unauthorised access of cloud storage sites and increased exports of company documents or downloading from internal systems.
Companies must also implement policies that protect their data to the greatest extent possible. This involves implementing strict password and account policies, enforcing the separation of duties, tracking the use of privileged accounts, implementing an approval process for access as well as logging, monitoring and auditing employee network activities.
Finally, companies must respond immediately to suspicious behaviour. Swift mobilisation gives the company a better chance to secure the necessary evidence to identify the insider, recover the assets and minimise the commercial and reputational impact of the attack.
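One way to turn two of the technical indicators above (logins at odd hours and a sudden jump in document exports) into the kind of logging and monitoring the article calls for, as an added example that is not part of the original article: it runs over constructed audit log lines and assumes a simple "timestamp user event detail" format, 08:00-18:00 working hours and a 3x-over-baseline export threshold.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit log (not real data): "timestamp user event detail".
SAMPLE_LOG = """\
2019-03-04T09:12:03 alice login vpn
2019-03-04T09:40:11 alice export doc
2019-03-04T10:05:44 bob login vpn
2019-03-04T13:22:09 bob export doc
2019-03-05T02:17:35 bob login vpn
2019-03-05T02:20:01 bob export doc
2019-03-05T02:21:14 bob export doc
2019-03-05T02:23:50 bob export doc
2019-03-05T02:25:02 bob export doc
2019-03-05T02:26:33 bob export doc
2019-03-05T08:55:20 alice login vpn
2019-03-05T11:10:07 alice export doc
"""

WORK_START, WORK_END = 8, 18  # assumed working hours, 08:00 to 18:00
EXPORT_SPIKE_FACTOR = 3.0     # assumed threshold: exports > 3x the user's other days

def parse_log(text):
    """Parse log lines into dicts with a datetime, user, event and detail."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "detail": detail})
    return events

def off_hours_logins(events):
    """Indicator 1: logins outside working hours, as (user, timestamp) pairs."""
    return [(e["user"], e["ts"].isoformat()) for e in events
            if e["event"] == "login" and not (WORK_START <= e["ts"].hour < WORK_END)]

def export_spikes(events):
    """Indicator 2: days where a user's exports exceed their own baseline.
    The baseline is the mean of that user's other days, so a user seen on
    only one day is never flagged (no baseline to compare against)."""
    per_user_day = defaultdict(Counter)
    for e in events:
        if e["event"] == "export":
            per_user_day[e["user"]][e["ts"].date().isoformat()] += 1
    alerts = []
    for user, days in per_user_day.items():
        for day, n in sorted(days.items()):
            others = [c for d, c in days.items() if d != day]
            if others and n > EXPORT_SPIKE_FACTOR * (sum(others) / len(others)):
                alerts.append((user, day, n, sum(others) / len(others)))
    return alerts
```

Both indicators fire on the same user in the sample, which is the pattern the article describes: an odd-hours login followed by a burst of document exports.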
Author: Elsa Chapple, Agilient Consultant