Emphasis on perimeter defense has long been a dominant conversation in cybersecurity, with malicious hackers and sophisticated cybercriminal groups behind most high-profile leaks and breaches. But not every threat originates outside the organization. Forrester predicts that insider data breaches will rise 8 percent in 2021 and that a third of all incidents will be caused internally, and many organizations are wholly unprepared to deal with these kinds of threats.
With a largely remote workforce in 2021, the risk of insider threats has grown exponentially. Employees may be mixing personal and work behaviors and operating under less secure home networks, introducing consumer-rated and unknown IoT and family devices to the network. Accounting for the risks they bring is a critical concern for the year ahead, and cybersecurity professionals need a broader focus: what can we do about the guys on the inside?
Types of insider threats and their causes
First, it is important to consider the different types of insider threats and how they originate. There are three main types of insider threats. The first is inadvertent insider threats, in which an employee may simply be careless with network systems and security. The vulnerabilities they introduce may also be the result of errors from insufficient security policies or training. These types of inside actors mean no harm but put their networks, employers, and other technology assets at risk. In December 2019 this type of insider threat gained notoriety when a misconfigured Microsoft database containing over 250 million entries was publicly accessible for a month, exposing IP addresses, support case details and email addresses. Employees were adjusting to a new version of Azure security rules and accidentally caused the leak.
The second is malicious insider threats, which are often vengeful employees. These malicious actors may have been terminated, received a bad review, or expect termination in the future. They may also seek financial gain by leaking company information, sharing or selling data on the dark web. For example, in 2018 a former Cisco employee accessed the company’s cloud infrastructure and deleted over 450 virtual machines associated with the Cisco Webex Teams application, shutting down 16,000 Webex Teams accounts for two weeks. Cisco lost $1.4 million in employee time to respond to the incident as well as $1 million in refunds to affected customers.
The last type of threat is compromised credentials & login information. This is when a threat actor gains access to common user credentials or contractor credentials by targeting employees or suppliers. A good example of this is the Marriott breach from 2020, in which hackers accessed 5.2 million hotel guest records, using compromised credentials belonging to two Marriott employees who routinely logged into a third-party application. This included personally identifiable information (PII) such as contact information, gender, birthday, loyalty details and more.
The connecting variable between all these threats – and what makes insider threats so challenging to mitigate – is that they are incredibly hard to detect. In two out of the three, employees may not even know they’re creating risk. Additionally, it is incredibly awkward to try to audit your coworkers.
Why stopping them is critical
Not only are these threats hard to find, but they can also cause more damage than you would think. Careless or poorly trained employees may create multiple incidents before proper procedures are established or mitigation occurs. When it comes to malicious internal threat actors with knowledge of internal processes, they can set several attacks in motion before detection. This can include disabling various cybersecurity software measures, extracting data, and setting up malware in the network. It can take months to recognize these threat actors are in your network, and slower detection means more damage.
A data breach, on average, costs $3.86 million today. And according to a recent Ponemon Institute study, the average cost of an insider breach rose 31 percent to $11.45 million. The first things to consider are the hard costs like PCI and HIPAA fines, and forensic investigation and damage mitigation efforts like isolation, data backup and restoration, and security audits.
But even more important is the impact on top-line revenue and the bottom line. Soft costs extend to loss of customer trust and other brand reputational impacts. Twenty-five percent of customers stop engaging with a brand following a breach, impacting business revenue and shareholder value along the way. It is important to consider not only the upfront costs but also the hidden costs of a damaged reputation.
Defending against insider threats
Detection can be a challenge, but behavior analytics provide a solid foundation for keeping up to date on any strange and out-of-the-ordinary activity on the network. By creating a baseline of each user’s usual activities, it is easier to see standout indicators of compromise. For example, by tracking geolocations, you can immediately notice if an employee happens to log in from their hometown one day and from halfway across the globe the next.
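To make the baseline idea concrete, here is an added example (not code from the article or from Netsurion) that builds a per-user location baseline from constructed login records and flags two of the signals described above: a login from a location the user has never been seen at, and "impossible travel", where the distance between two consecutive logins could not have been covered in the time between them. The log format, the sample users and coordinates, and the 900 km/h speed threshold are all assumptions chosen for the illustration.

```python
"""Per-user login baseline with new-location and impossible-travel alerts.

Added illustrative example; the CSV-style log format below is constructed
(timestamp,user,source_ip,latitude,longitude) and the speed threshold is arbitrary.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample events: alice logs in from one city for a day and a half,
# then 80 minutes later from a city on another continent; bob is steady.
SAMPLE_LOG = """\
2021-03-01T08:02:11Z,alice,198.51.100.10,47.6062,-122.3321
2021-03-01T17:45:03Z,alice,198.51.100.10,47.6062,-122.3321
2021-03-02T08:10:44Z,alice,198.51.100.12,47.6062,-122.3321
2021-03-02T09:30:00Z,alice,203.0.113.77,52.5200,13.4050
2021-03-01T09:00:00Z,bob,192.0.2.20,40.7128,-74.0060
2021-03-02T09:05:00Z,bob,192.0.2.20,40.7128,-74.0060
"""

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    src_ip: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Alert:
    user: str
    kind: str        # "new_location" or "impossible_travel"
    ts: datetime
    detail: str


def parse_log(text: str) -> list:
    """Parse the constructed log format; events are returned ordered per user by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, lat, lon = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LoginEvent(when, user, ip, float(lat), float(lon)))
    return sorted(events, key=lambda e: (e.user, e.ts))


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_anomalies(events: list, max_speed_kmh: float = 900.0) -> list:
    """Walk each user's logins in time order, growing their baseline as we go.

    A user's first login only seeds the baseline. Every later login is checked
    against the locations already seen (new_location) and against the previous
    login's place and time (impossible_travel). Locations are rounded to 0.1
    degree so small GPS/geo-IP jitter does not look like a new place.
    """
    alerts = []
    seen_locations = defaultdict(set)   # user -> set of rounded (lat, lon)
    last_event = {}                     # user -> most recent LoginEvent
    for ev in events:
        loc = (round(ev.lat, 1), round(ev.lon, 1))
        if ev.user in last_event:
            if loc not in seen_locations[ev.user]:
                alerts.append(Alert(ev.user, "new_location", ev.ts, f"first login seen from {loc}"))
            prev = last_event[ev.user]
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            # Two logins far apart in space but (near-)simultaneous in time are
            # also impossible, so treat a zero interval the same as excess speed.
            if dist > 1.0 and (hours == 0 or dist / hours > max_speed_kmh):
                alerts.append(Alert(ev.user, "impossible_travel", ev.ts,
                                    f"{dist:.0f} km in {hours:.2f} h since previous login"))
        seen_locations[ev.user].add(loc)
        last_event[ev.user] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{alert.ts.isoformat()} {alert.user:6} {alert.kind:18} {alert.detail}")
```

In a real deployment the baseline would be persisted across runs and seeded from a training window rather than a single first login, and the geolocation would come from a geo-IP lookup on the source address; the check logic stays the same. The "new_location" alert fires on its own for a travelling employee, so it is the combination with the speed check, or with other baseline deviations, that makes it worth an analyst's time.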
Organizations can also rely on tools such as the MITRE ATT&CK Framework to help with detecting and responding to insider threats. The framework, whose name stands for Adversarial Tactics, Techniques, & Common Knowledge, is a federally funded public knowledge base of adversary techniques. With data and mitigation methods for hundreds of distinct techniques, the framework documents a number of behaviors that can be indicative of insider threats. The patterns outlined in this indexed framework can be extremely useful in recognizing unusual behavior and can help you quickly understand its true nature – whether it’s a slight but benign variation of normal activity, or a genuinely out-of-band behavior tied to a risky actor.
Above all, vigilance is key to defending against insider threats. Continuous monitoring can help with noticing abnormalities on the network before attacks and vulnerabilities go too far. Whether through an MSSP with a Security Operations Center (SOC) or a dedicated internal IT Security team, a combination of robust technology, disciplined process, and skilled people is crucial to covering both internal and external threats across the network.
Rarely do we expect threats to come from inside of our own organizations – and oftentimes, they’re not intentional – but an essential piece of your security strategy needs to account for insider threats.
Michael Ohanian, Vice President of Product Management – Managed Threat Protection, Netsurion