
What To Do When You Have An Insider Threat

Reading time: 4 min

Your business, regardless of structure and function, likely holds valuable and sensitive information that would be useful to cyber criminals, so how do you know if you’re being taken advantage of?

“Insider threat” is a mislabeled term in that most insider threats are not initiated internally by your employees but by nefarious actors who take over employees’ accounts and attempt to steal data through impersonation.

When the culprit appears to be somebody who is working at your company, there’s usually one of three explanations:

Inadvertent neglect

Your employee is conducting research online and clicks on a bad link leading to a website that automatically installs malware onto their computer. Or they fall for a phishing scheme via a bad email. The employee, in this instance, is not educated on security and doesn’t know that they should be taking precautions. There is no malicious intent.

Collusive or malicious

Very rarely, and as seen in movies, an employee at your company could engage in collusive activity with a nation-state or another malicious external attacker. You may also have a resentful worker who is mad at the company and has a motive to steal your intellectual property. Other times someone who is offboarding may want to profit from taking something with them, like personally identifiable information or customer lists.

Third-party

A third party or a contractor you hire may be breached due to negligence in their operations, thus exposing your company’s data that was shared with them. More often than you might expect, vendors or contractors could also be working with you in an attempt to steal your corporate secrets.

Typically, the offender is found after the fact, and the damage has already been done. Security teams try to retroactively monitor behavior by setting up alerts in case, for instance, somebody sends more files out than they usually do. Still, by the time security teams are alerted, those files have already been sent out.

Avoiding breaches after the fact is very tricky, and user behavior analytics and analysis are the best ways to go about it. Unfortunately, most user behavior analytics solutions are expensive, hard to configure and set up, and filled with false positives and limited context. The market needs more intelligent and automated systems that compile, normalize and triangulate signals to surface the riskiest people, the ones you should pay attention to.

What behaviors should you consider red flags?

Abnormal behaviors include but are not limited to unusual login times or locations, badging into buildings at odd times, a user logging into systems they don’t normally touch, a user asking for elevated credentials, a user receiving or giving elevated credentials, and a user downloading files at a much higher rate than usual. Additionally, alarm bells should ring if a user accesses documents they haven’t accessed before that aren’t owned by them, especially if those documents are marked as crown jewels or contain sensitive information belonging to another department.

Many seasoned cybercriminals use the “slow and go” method of accessing or tampering with items subtly so as to not be detected. Being able to triangulate such behaviors over a period of time will inform you whether or not a person is really a risk or if their account has been compromised.
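The red flags listed above, and the idea of triangulating them over time, as an added Python example (not Fletch's code and not from the article): it baselines each user from a few constructed sample log lines, scores each new event against that baseline, and only surfaces a user when several weak signals add up within the window. The log format, user names and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the article): ts|user|action|target|count
HISTORY = """\
2024-03-01T09:12|alice|login|vpn|1
2024-03-01T09:30|alice|download|hr-share|12
2024-03-02T10:10|alice|download|hr-share|9
2024-03-01T14:02|bob|login|vpn|1
2024-03-01T14:40|bob|download|sales-crm|5"""
RECENT = """\
2024-03-10T02:15|alice|login|vpn|1
2024-03-10T02:20|alice|download|finance-share|40
2024-03-10T14:30|bob|download|sales-crm|7
2024-03-11T03:05|alice|privilege_grant|admin-group|1"""

def parse(text):
    rows = [line.split("|") for line in text.splitlines()]
    return [{"ts": datetime.fromisoformat(t), "user": u, "action": a, "target": g,
             "count": int(c)} for t, u, a, g, c in rows]

def build_profiles(history):
    # Per-user baseline: usual login hours, systems touched, typical download size
    prof = defaultdict(lambda: {"hours": set(), "targets": set(), "downloads": []})
    for e in history:
        p = prof[e["user"]]
        p["targets"].add(e["target"])
        if e["action"] == "login":
            p["hours"].add(e["ts"].hour)
        elif e["action"] == "download":
            p["downloads"].append(e["count"])
    return prof

def red_flags(profile, e, spike_factor=3):
    # The article's red flags that a single event trips; each is weak on its own
    flags = []
    if e["action"] == "login" and e["ts"].hour not in profile["hours"]:
        flags.append("unusual login time")
    if e["action"] == "download" and e["target"] not in profile["targets"]:
        flags.append("system not normally touched")
    if e["action"] == "download" and profile["downloads"]:
        mean = sum(profile["downloads"]) / len(profile["downloads"])
        if e["count"] > spike_factor * mean:
            flags.append("download rate spike")
    if e["action"] == "privilege_grant":
        flags.append("elevated credentials granted")
    return flags

def triangulate(history_text, recent_text, threshold=3):
    # Sum weak signals per user over the window; several together expose "slow and go"
    profiles = build_profiles(parse(history_text))
    risk = defaultdict(list)
    for e in parse(recent_text):
        risk[e["user"]].extend(red_flags(profiles[e["user"]], e))
    return {u: f for u, f in risk.items() if len(f) >= threshold}
```

Run against real data, the baseline would come from weeks of logs and the window would slide, but the shape is the same: a single odd login is noise, while an odd login plus a new share plus a privilege grant is the person to look at.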

What should you do when you’re alerted of risky behaviors?

If you find your employee’s account has been compromised, the first course of action is to change that person’s credentials and educate them and everybody around them on security. Come up with a curriculum to educate everyone in your organization on avoiding being inadvertently careless or neglectful. There are free and paid online courses worth putting in front of your team to help them become proactive around cybersecurity.

In the event of a bad actor, you have two options:

1. You could go forth with an investigation, shut down the user's access to your building and software, and if they're a vendor, stop working with them. However, this method may not allow you to get to a root-cause analysis because you won't know where the perpetrator was sending data and why they were doing it.

2. You could set up a honey pot to entrap the perpetrator. The most sophisticated security teams will follow a criminal's behaviors over a long period of time, intentionally keeping paths open so the criminal continues grabbing data. By the time of the investigation, the data you're presenting them with isn't real but exciting enough to keep them engaged. Sometimes these facades last a year, and toward the end, you will understand if the perpetrator is your competitor, a nation-state, or another ransomware individual or group. Depending on what you find, you may need to alert the authorities and, in some cases, take legal action.

Most organizations don't have the funding or resources to choose the latter option. Newer user behavior technologies can help you achieve these insights at a lower price and without the help of technical experts. Practicing good hygiene and getting proactive about security will help solve your problems, so as insider threats arise, you can quickly identify them and take appropriate action. The smarter your tools, the closer you'll be to conducting more sophisticated social engineering and to efficiently detecting and preventing threats.

Tune in to a conversation with Fletch's CEO and Founder, Grant Wernick, for more information about insider threats and how to mitigate them.


If you are interested in learning more about how Fletch can help you avert insider threats, please contact us at uba@fletch.ai or sign up for a demo on our website.