Employee Hacks: Spotting Insider Threats

Organizations face security threats such as data breaches from numerous sources, yet many consider only attacks from external sources. In fact, 60 percent of attacks are the result of trusted insiders with access to sensitive intellectual property, customer data or patient healthcare information. Whether intentional or through negligence, these insider threats can cause significant reputational and fiscal damage to a company.

IT security professionals need both insights and the proper tools to spot and stop insider activity and react properly when malicious actions occur. The following guidance can help.

What is an Insider Threat?

There are a number of employee-related threats to the productivity, security and profitability of an organization:

  • Corporate fraud. The average instance of fraud takes 16 months to be discovered.
  • Insider data theft. The average cost of a data breach today is slightly less than $3.4 million.
  • Negligence. Innocently clicking a malicious email attachment or downloading a corrupted document can infect a machine with malware.
  • Harassment/Discrimination complaints. Inappropriate behavior has serious financial repercussions.
  • Unproductive employees. If every employee surfs the web for an hour a week, company productivity drops.

This list is just a start. Security professionals need to dig deeper when developing a strategy to combat insider threats. Think about how an employee’s actions (or inactions) can harm your business and build a list of detailed scenarios that define what “insider threat” means to your organization.

Leading Indicators

Employees don’t wake up one day and decide they’re going to defraud their employer. Existing circumstances, as well as shifts in communications and behavior, typically precede the action. Keep an eye on employees who:

  • Are struggling with personal issues such as debt, divorce, depression or legal problems.
  • Face work-related performance issues, are passed up for promotion or violate company policies.
  • Arrive or leave work at odd hours. People are creatures of habit. Deviations may be cause for concern.
  • Communicate about the company in a negative way, using “I” and “me” instead of “we” and “us.”
  • Are looking for a new job. More than half of exiting employees take information with them when they leave. Look for repeat visits to job websites and job search notifications on their business email.
  • Conduct internet searches for topics such as debt consolidation, marriage counseling, addiction or weapons. When tied with the personal issues referenced earlier, these searches can indicate problems.

Your organization’s human resources department is a good source of employee intel. They are aware of personal and professional issues and can provide guidance to IT on which employees may pose a risk. They can also step in to assist employees who exhibit changes in certain behaviors before they become a greater problem. User and entity behavior analytics (UEBA) solutions bolster that intel by monitoring and analyzing each employee’s behavior, comparing current and past behavior and communications to identify anomalies and create alerts.

Active Indicators

Most insider threats involve activities that are part of the employee’s job function. IT security professionals should look for the following active indicators:

  • Unusual Logon Times – Logging in early or late and multiple successive logons.
  • Abnormal Application Use – Repeatedly exporting data or running reports, using an application at an odd time or day and using a browser actively for an extended duration could indicate data exfiltration.
  • Excessive Printing – Employees can steal data “the old-fashioned way” by printing reports or screen captures. Look at printing that’s abnormal for a given user.
  • Abnormal Access of Sensitive Data – Accessing a project that hasn’t been touched in a year or accessing data after hours.
  • Copying Sensitive Data – Saving data to a USB stick, copying to a folder that syncs with the cloud, uploading directly to a website or attaching to webmail means data is leaving the organization.
  • Communications – Conversations via corporate or personal email, webmail, chats and messenger applications can provide context around employee malfeasance.
  • Creating Backdoors – Employees fearful of being fired may create backdoor accounts to regain access once they’ve been fired.

Because most actions take place on the employee’s computer, high-risk employees should be monitored with user activity monitoring (UAM) programs that record suspect actions and let analysts search them for context. Security information and event management (SIEM) solutions cast a wider net, aggregating information from disparate systems and applications to provide a single view of all auditable data.
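The baseline-versus-current comparison the article attributes to UEBA tools, applied to three of the active indicators above (unusual logon times, excessive printing, copying to removable media), as an added example; this is not code from the article or from any vendor product, and the user, timestamps, page counts and thresholds are all constructed.

```python
# Added example, not from the original article: a toy UEBA-style check that
# builds a per-user baseline from past activity and flags deviations matching
# the article's active indicators. All log lines are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

HISTORY = """\
2024-01-08T09:02,alice,logon,
2024-01-08T10:15,alice,print,12
2024-01-09T08:55,alice,logon,
2024-01-09T14:20,alice,print,9
2024-01-10T09:10,alice,logon,
2024-01-10T11:05,alice,print,15
2024-01-11T09:00,alice,logon,
2024-01-11T16:30,alice,print,10
""".splitlines()

TODAY = """\
2024-01-12T02:14,alice,logon,
2024-01-12T02:30,alice,print,240
2024-01-12T02:41,alice,usb_copy,
""".splitlines()

def parse(lines):
    """Parse "timestamp,user,action,detail" lines; detail (pages printed) is 0 when empty."""
    for line in lines:
        ts, user, action, detail = line.split(",")
        yield datetime.fromisoformat(ts), user, action, int(detail or 0)

def flag_anomalies(history, today, hour_slack=1, z=3.0):
    """Compare today's events with each user's historical logon hours and print volume."""
    hours, pages = defaultdict(set), defaultdict(list)
    for ts, user, action, detail in parse(history):
        if action == "logon":
            hours[user].add(ts.hour)
        elif action == "print":
            pages[user].append(detail)
    alerts = []
    for ts, user, action, detail in parse(today):
        if action == "logon" and not any(abs(ts.hour - h) <= hour_slack for h in hours[user]):
            alerts.append((user, "unusual_logon_time", ts.hour))  # outside habitual hours
        elif action == "print" and pages[user]:
            mu, sd = mean(pages[user]), pstdev(pages[user]) or 1.0
            if (detail - mu) / sd > z:  # far above this user's own print baseline
                alerts.append((user, "excessive_printing", detail))
        elif action == "usb_copy":  # removable-media copies are always surfaced for review
            alerts.append((user, "copy_sensitive_data", 0))
    return alerts
```

Each alert carries the user, the indicator name and the offending value, which is the context an analyst needs before pulling the UAM recording for that session.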

Using UEBA, UAM and SIEM tools can help security professionals reduce the risk of insider threat as much as possible and provide the details required to respond to existing threat actions.

Patrick Knight

Patrick Knight spent 12 years in the U.S. Intelligence Community in the fields of Signals Intelligence and Cryptanalysis. Since 2001 he has worked in the commercial online security sector developing technologies including encryption, network packet filtering, network intrusion detection and anti-virus. He has worked with major online security companies and industry organizations to guide online security policies and innovation. Knight has studied several languages including Russian, German and Serbo-Croatian. Since 2017 he has served vital industries such as financial organizations, technology companies, healthcare providers, critical infrastructure, utilities and government agencies to identify and protect against insider threats.