Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Trustwave Blog

Insider Threats: Ensuring Angry Employees and Innocent Do-Gooders Don’t Derail Your Organization

Threats that arrive from outside an organization are difficult to deal with, but at least business leaders understand that they exist and prepare a proper defense. However, many managers don’t expect one of their employees to cause a problem from the inside.

 

Sure, there will always be a worker who steals money from the cash register or walks out with a few reams of printer paper, but the true insider threat is much more dangerous.

 

The U.S. military has a long history of dealing with insider threats, whom they also call spies. Let’s look back to April 2023, when U.S. officials confirmed that a U.S. Air National Guard member photographed and uploaded more than 50 classified documents to a Discord server and other social media sites.

 

So, let’s start with a quick primer on what constitutes an insider threat. An insider threat can be broken down into two categories.

 

One is intentional. This variant is an individual who misuses their privileges to maliciously compromise, damage, and harm an organization’s assets, conduct fraud, theft of intellectual property, social engineering, and cyber sabotage. 

 

The second is an “innocent or unintentional” insider threat, a person who makes an error that leads to an attacker gaining entry. For example, clicking on a malicious link in a phishing email, accidentally disclosing data/information, or losing documents that contain sensitive data.

 

Identifying either type of insider threat is difficult because some security tools lack the ability to oversee small errors committed by employees that can go unnoticed. There is also the fact that insider threats tend to be knowledgeable of the organization’s network infrastructure, security policies, and procedures, allowing them to bypass security controls.

 

How to Spot an Insider Threat

 

A malicious employee in the right position, unfortunately, has a great deal of opportunity to harm an organization. 

 

Say a company has a disgruntled IT person. This individual can design systems in a way not aligned with recognized industry practices, implement unpermitted systems, e.g., proxy servers, reduce the logging capabilities of the software, and implement Toggles that can skip security checks. It’s always smart to keep an ear open for people who persistently petition to use “niche” software that in fact, might be problematical.

 

Other reasons to keep an eye on someone is if the person requests information that is outside their job role or logs into the system at unexpected times. Then, there are those who involuntarily and voluntarily leave the firm. A fired or laid-off person might wish to exact revenge. The same can be said of a dissatisfied employee; listen for people complaining or expressing a desire to hurt the company. 

 

The actions that an insider might take can be quite broad. The person could:

  • Gain unauthorized access to organizational resources 
  • Install malware/backdoors on organization systems and assets
  • Extract of information, trade secrets, and propriety information 
  • Disseminate and disclose the organization’s sensitive information
  • Delete sensitive organizational information
  • Unauthorized modification of documentation, systems, and assets. 

 

Innocent Insiders

 

The last words an IT or security team member wants to hear from someone is, “Oops, I didn’t mean to do that,” referring to opening an unexpected PDF that did, in fact, harbor malware.

 

But it happens.

 

Innocent Insiders, also known as the Well-Intentioned Misguided Person (WIMP), present an entirely different problem than those trying to do damage.

 

In many cases, we can describe innocent insiders as individuals who show an interest in solving complex issues or are striving to become good corporate citizens. In their attempt to contribute to the organization’s success, they often share files without having the necessary permission or provide access to certain systems/resources by sharing passwords.

 

Sometimes, these people, either through a lack of knowledge or again by trying to be helpful, engage in some wildly unconventional activities.

 

For example, an employee from the IT department assists an employee from the marketing department to gain access to IT source code. In another case, it could be evading network security measures such as changing internet security settings or uploading files to unapproved applications e.g., Dropbox. 

 

When looked at from an innocent insider’s perspective, both requests appear benign, but if those making the request have malicious intent, then this seemingly polite activity can result in a major security breach for the organization.

 

Insider-Threats_MDRNeed help keeping an eye on your security status? Click the above image to get started with Trustwave Managed Detection and Response (MDR).

 

Software Development Life Cycle (SDLC) Insider Threats

 

This variety of insider threat goes several levels deeper than average and, once again, can be done either intentionally or by accident. 

 

Vulnerabilities can be either unintentionally and deliberately introduced at various stages of the software development life cycle, including requirements definition, design, implementation, deployment, and maintenance. Recognizing these vulnerabilities allows business leaders to adopt effective practices for their mitigation.

During the development process, insiders can tamper with or compromise sensitive information within the organization.

 

This activity can include stealing or leaking an organization’s intellectual and proprietary assets, and this can be accomplished at the time of development, but we have also seen insiders placing backdoors and vulnerabilities within the software application.

 

An unintentional threat might include poor coding that makes it easy for an attacker to gain access or not building in key security protocols during development, again making the software an easy target once deployed.

 

There are a few key methods to mitigate insider threats within the SDLC:

Separation of duties - Ensuring that not only one individual has the ‘keys’ to the organization’s assets. 

 

Peer review - The work done by a colleague needs to be reviewed to guarantee it meets detailed standards and does not contain critical vulnerabilities.

 

Passwords - Using different and unique passwords for the development of the program. 

 

Backup - In a breach, a lack of backups can compromise business continuity.

 

Conclusion

 

Insider threats pose a substantial risk to organizations, often going unnoticed until they wreak havoc from within. 

 

Identifying insider threats is challenging, as perpetrators often possess intricate knowledge of the organization’s infrastructure and security measures. Malicious insiders may engage in activities like unauthorized access, malware installation, information extraction, and data dissemination. On the flip side, the innocent insiders, while well-intentioned, can inadvertently compromise security by sharing files or providing access without proper authorization. Their actions, though seemingly benign, can result in serious security breaches.

 

In today’s dynamic threat landscape, recognizing and addressing insider threats is essential to safeguarding an organization’s assets and maintaining business continuity. Vigilance and proactive security measures are paramount in the ongoing battle against these elusive threats.

Latest Trustwave Blogs

Understanding Your Network's Security Posture: Vulnerability Scans, Penetration Tests, and Beyond

Organizations of all sizes need to be proactive in identifying and mitigating vulnerabilities in their networks. To help organizations better understand the value and process of a vulnerability scan,...

Read More

Email Security Must Remain a Priority in the Wake of the LabHost Takedown and BEC Operator’s Conviction

Two positive steps were taken last month to limit the damage caused by phishing and Business Email Compromise (BEC) attacks when a joint action by UK and EU law enforcement agencies compromised the...

Read More

Defining the Threat Created by the Convergence of IT and OT in Critical Infrastructure

Critical infrastructure facilities operated by the private and public sectors face a complex and continuously growing web of security threats that are compounded by the increasing convergence of...

Read More