
Insider Threats: Ensuring Angry Employees and Innocent Do-Gooders Don’t Derail Your Organization

Threats that arrive from outside an organization are difficult to deal with, but at least business leaders understand that they exist and prepare a proper defense. However, many managers don’t expect one of their employees to cause a problem from the inside.

Sure, there will always be a worker who steals money from the cash register or walks out with a few reams of printer paper, but the true insider threat is much more dangerous.

The U.S. military has a long history of dealing with insider threats, whom they also call spies. Let’s look back to April 2023, when U.S. officials confirmed that a U.S. Air National Guard member photographed and uploaded more than 50 classified documents to a Discord server and other social media sites.

So, let’s start with a quick primer on what constitutes an insider threat. An insider threat can be broken down into two categories.

One is intentional. This variant is an individual who misuses their privileges to maliciously compromise, damage, and harm an organization’s assets, and who may engage in fraud, theft of intellectual property, social engineering, and cyber sabotage.

The second is an “innocent or unintentional” insider threat: a person who makes an error that leads to an attacker gaining entry, for example by clicking on a malicious link in a phishing email, accidentally disclosing data or information, or losing documents that contain sensitive data.

Identifying either type of insider threat is difficult because some security tools lack the ability to catch the small errors employees make, which can therefore go unnoticed. There is also the fact that insider threats tend to be knowledgeable of the organization’s network infrastructure, security policies, and procedures, allowing them to bypass security controls.

How to Spot an Insider Threat


A malicious employee in the right position, unfortunately, has a great deal of opportunity to harm an organization.

Say a company has a disgruntled IT person. This individual can design systems in a way not aligned with recognized industry practices, implement unpermitted systems (e.g., proxy servers), reduce the logging capabilities of the software, and implement toggles that skip security checks. It’s always smart to keep an ear open for people who persistently petition to use “niche” software that might, in fact, be problematic.

Other reasons to keep an eye on someone are if the person requests information that is outside their job role or logs into the system at unexpected times. Then, there are those who involuntarily or voluntarily leave the firm. A fired or laid-off person might wish to exact revenge. The same can be said of a dissatisfied employee; listen for people complaining or expressing a desire to hurt the company.

The actions that an insider might take can be quite broad. The person could:

  • Gain unauthorized access to organizational resources
  • Install malware/backdoors on organization systems and assets
  • Extract information, trade secrets, and proprietary information
  • Disseminate and disclose the organization’s sensitive information
  • Delete sensitive organizational information
  • Make unauthorized modifications to documentation, systems, and assets
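As an added example (not part of the original post), the following Python script turns two of the indicators above, logins at unexpected times and requests for information outside the job role, into a check over constructed access-log lines; the log format, the role allowlist and the working-hours window are assumptions made for the example.

```python
from datetime import datetime

# Constructed sample access log (not real data): a timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-05-06T09:12:41 user=alice role=marketing action=login src=10.0.4.21
2024-05-06T09:15:03 user=alice role=marketing action=read resource=campaign_plan.docx
2024-05-06T02:47:19 user=bob role=it action=login src=10.0.9.7
2024-05-06T02:49:55 user=bob role=it action=read resource=hr_salaries.xlsx
2024-05-06T14:03:10 user=carol role=marketing action=read resource=source_code.zip
this line is malformed and is skipped
"""

# Assumed policy for the example: what each role normally reads, and normal working hours.
ROLE_ALLOWED = {
    "marketing": {"campaign_plan.docx", "brand_assets.zip"},
    "it": {"server_inventory.csv", "source_code.zip"},
}
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 local time


def parse_line(line):
    """Parse 'ts key=value ...' into a dict; return None for a malformed line."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            return None
        rec[key] = value
    return rec


def analyze(log_text):
    """Return (user, indicator) pairs for off-hours logins and reads outside the user's role."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "user" not in rec:
            continue
        try:
            ts = datetime.fromisoformat(rec["ts"])
        except ValueError:
            continue  # unparseable timestamp: skip rather than crash the sweep
        if rec.get("action") == "login" and ts.hour not in BUSINESS_HOURS:
            alerts.append((rec["user"], "off_hours_login"))
        if rec.get("action") == "read":
            allowed = ROLE_ALLOWED.get(rec.get("role"), set())
            if rec.get("resource") not in allowed:
                alerts.append((rec["user"], "outside_role_access"))
    return alerts
```

Running `analyze(SAMPLE_LOG)` flags bob twice (a 02:47 login and a read of an HR file outside the IT allowlist) and carol once (a marketing user reading source code); alice triggers nothing.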


Innocent Insiders

The last words an IT or security team member wants to hear from someone are, “Oops, I didn’t mean to do that,” referring to opening an unexpected PDF that did, in fact, harbor malware.

But it happens.

Innocent Insiders, also known as the Well-Intentioned Misguided Person (WIMP), present an entirely different problem than those trying to do damage.

In many cases, we can describe innocent insiders as individuals who show an interest in solving complex issues or are striving to become good corporate citizens. In their attempt to contribute to the organization’s success, they often share files without having the necessary permission or provide access to certain systems/resources by sharing passwords.

Sometimes, these people, either through a lack of knowledge or again by trying to be helpful, engage in some wildly unconventional activities.

For example, an employee from the IT department helps an employee from the marketing department gain access to IT source code. In another case, it could be evading network security measures, such as changing internet security settings or uploading files to unapproved applications, e.g., Dropbox.

When looked at from an innocent insider’s perspective, both requests appear benign, but if those making the request have malicious intent, then this seemingly polite activity can result in a major security breach for the organization.


Software Development Life Cycle (SDLC) Insider Threats


This variety of insider threat goes several levels deeper than average and, once again, can be done either intentionally or by accident.

Vulnerabilities can be introduced, unintentionally or deliberately, at various stages of the software development life cycle, including requirements definition, design, implementation, deployment, and maintenance. Recognizing these vulnerabilities allows business leaders to adopt effective practices for their mitigation.

During the development process, insiders can tamper with or compromise sensitive information within the organization.

This activity can include stealing or leaking an organization’s intellectual and proprietary assets, which can happen at the time of development, but we have also seen insiders placing backdoors and vulnerabilities within the software application.

An unintentional threat might include poor coding that makes it easy for an attacker to gain access, or not building in key security protocols during development, again making the software an easy target once deployed.

There are a few key methods to mitigate insider threats within the SDLC:

Separation of duties - Ensuring that no single individual holds the ‘keys’ to the organization’s assets.

Peer review - The work done by a colleague needs to be reviewed to guarantee it meets detailed standards and does not contain critical vulnerabilities.

Passwords - Using different and unique passwords for the development of the program.

Backup - In a breach, a lack of backups can compromise business continuity.
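As an added example (not part of the original post), here is a Python check that applies the separation-of-duties and peer-review points above to a code change before it is merged: the author may neither approve nor merge their own change, and every touched path needs sign-off from its owning team. The ownership map, team membership and change records are constructed for the example and are not any project’s real policy.

```python
# Constructed ownership map (assumed policy, in the spirit of a CODEOWNERS file):
# the most specific path prefix wins, as with CODEOWNERS rules.
OWNERS = {
    "src/auth/": "security",
    "src/": "backend",
    "infra/": "platform",
}
# Constructed team membership for the example.
TEAM_MEMBERS = {
    "security": {"carol", "dave"},
    "backend": {"alice", "bob", "carol"},
    "platform": {"erin"},
}


def owning_team(path):
    """Return the team owning a path by longest-prefix match, or None if unowned."""
    best = None
    for prefix, team in OWNERS.items():
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, team)
    return best[1] if best else None


def check_change(author, files, approvers, merger):
    """Return policy violations for a change; an empty list means it may merge.

    Separation of duties: the author may neither approve nor merge their own
    change. Peer review: every touched path needs an approval from a member of
    its owning team who is not the author, so one insider cannot ship a backdoor
    into a sensitive area without a second pair of eyes.
    """
    problems = []
    if merger == author:
        problems.append("author merged their own change")
    if author in approvers:
        problems.append("author approved their own change")
    peers = set(approvers) - {author}
    if not peers:
        problems.append("no independent peer review")
    for path in files:
        team = owning_team(path)
        if team is None:
            problems.append(f"{path}: no owner defined")
        elif not (peers & TEAM_MEMBERS[team]):
            problems.append(f"{path}: no approval from owning team '{team}'")
    return problems
```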


Conclusion


Insider threats pose a substantial risk to organizations, often going unnoticed until they wreak havoc from within.

Identifying insider threats is challenging, as perpetrators often possess intricate knowledge of the organization’s infrastructure and security measures. Malicious insiders may engage in activities like unauthorized access, malware installation, information extraction, and data dissemination. On the flip side, innocent insiders, while well-intentioned, can inadvertently compromise security by sharing files or providing access without proper authorization. Their actions, though seemingly benign, can result in serious security breaches.

In today’s dynamic threat landscape, recognizing and addressing insider threats is essential to safeguarding an organization’s assets and maintaining business continuity. Vigilance and proactive security measures are paramount in the ongoing battle against these elusive threats.
