Jason Lackey
Director, Product Marketing
Blog

Insider Threats - What Do You Need To Know?

October 9, 2019 by Jason Lackey

Introduction

This post is adapted (by which I mean stolen wholesale) from a piece posted by a member of the Keysight security team, Lawrence Fu, originally targeting an internal audience. We thought that it was applicable here as well, so here you go:

We often think of cyber threats as coming from an anonymous criminal, hundreds of miles away behind a computer screen. However, current and former employees who have intimate and valuable knowledge about a company are also capable of committing a cybercrime. An insider threat occurs when a current or former employee, contractor, or business partner who has or had authorized access to an organization's network, system, or data, intentionally misuses that access in a manner to commit a cybercrime.

Recognizing and Reporting Insider Threat

  1. Data theft requires access to the data
  2. Data access is either obtained by hackers using compromised credentials, masquerading as insiders, or is granted by an insider
  3. An Insider can be an employee, contractor, partner, or vendor who has access to corporate data and systems

 

Behavioral Indicators of Malicious Insiders

A good way to prevent an insider threat is to learn to recognize some common behavioral indicators. The US Computer Emergency Readiness Team (US-CERT) has identified the following as behavioral indicators of malicious threat activity:

  • Remotely accesses the network while on vacation, when sick, or at odd times during the day
  • Works odd hours without authorization
  • Unnecessarily copies material, especially if it is proprietary or classified
  • Expresses interest in matters outside the scope of their duties
  • Shows signs of drug or alcohol abuse, financial difficulties, gambling, illegal activities, poor mental health, or hostile behavior

Common Motivations and Intentions of Malicious Insiders

  • Financial Distress: insider may seek quick monetary gain to address financial problems
  • Disgruntled: angry employee seeks retribution for perceived wrong
  • Entitlement: employee believes they are entitled to access to sensitive information and intellectual property
  • Layoffs: employee may seek to retaliate in response to layoff
  • Ideology: political or religious beliefs may motivate malicious action
  • Outside Influence: organized crime or state-sponsored actors can recruit insiders

In conclusion

It is pretty common to picture some far away hacker in a dark basement staring at a glowing screen in the dark riding zero-days into your network. Sure, these things happen, but an even greater threat is the insider. They usually don't even need to do any great feats of hacking - they are already in. So when you are building your security framework with defense in depth in consideration, don't forget to start at the beginning - your own camp.