Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Is Your Organization Prepared For An Insider Threat?

Often, and for good reasons, organizations focus much of their security and defensive measures on keeping attackers and bad actors out of their network and environment. But what if the threat is coming from the inside?

It’s a growing trend that’s easy to overlook. Without knowing the telltale signs or taking proactive measures to prevent it, organizations might be leaving themselves vulnerable to a big blind spot.

We spoke to Ziv Mador, VP, Security Research at Trustwave SpiderLabs, to tell us about these insider threats and teach organizations how to identify them and prevent them.

What Are Insider Threats?

According to Ziv, a compromise resulting from human error, such as an employee clicking on a phishing link, aren’t considered insider threats. An insider threat is one that’s intentional, and they can be categorized by two different motivations.

The disgruntled employee

For whatever reason, whether job satisfaction, a recent termination, or ended contract, a disgruntled employee or third-party vendor poses a risk if they still have access to your organization’s network, certain servers or specific data. “That’s a significant threat’, says Ziv, “For example, a disgruntled developer can get source code of a product, exfiltrate it and then post it publicly or put it up for sale.”

The risk doesn’t stop there. Customer lists can get out, servers can get taken down, data can get deleted, and even if the culprit is found quickly, the damage is done. This increases the risk further, as bad actors will move as quickly as possible to hurt the company with hardly an effort made to evade detection. Even worse, employees sometimes have default access to sensitive assets and might even be familiar with your security procedures – for example, a salesperson who routinely uses a customer database as part of their job function. Because these potential insider threats will appear as if an employee is just doing their job, they might operate for significant periods of time before detection.

Dark web recruiting

As part of his work with Trustwave SpiderLabs, Ziv is able to monitor activity on the dark web to see what bad actors are up to. He and his team have discovered countless forums that often require credentials to enter, and revolve around cybercrime, credential stealing, distribution of malware, money laundering, stealing credit card information and phishing. Some of these criminal groups have been found to look for help from a company’s own employees.

For example, malicious hacker groups will recruit and promise to pay bank workers (by the hour) for certain tasks, such as increasing withdrawal limits or approving loans so hackers can cash out more money from compromised accounts. In Europe, hackers recruited government workers to help them produce certain certificates or passports and, recently, hackers in the United States were found working with mobile provider employees to help carry out SIM-jacking attacks.

How Can An Organization Defend Itself?

Due to the nature of insider threats, defense and prevention strategies require a less traditional approach. “There are two separate department efforts,” Ziv says, “one is on an HR level, because we’re dealing with humans after all, and another is by leveraging technology.”

How HR can help

HR can help educate department managers to identify unhappy and disgruntled employees, or employees who give off warning signs. They may have strong political opinions, a strong dislike of their manager or function, or they know they’ll be laid off soon. These are the kinds of details to keep an eye on to make sure you’re prepared if the employee does turn against your company.

Co-workers may also be able to sense unhappiness or detect changed behavior—there should be a process or system in place to report odd behavior or communicate the concern.

Monitoring and detection

 “At some point,” Ziv says, “a disgruntled employee will do something very different from their daily routine—they might abuse access rights or do something they’ve never done before.”

Here are some of the odd behaviors that may tip you off. They will:

  • query a customer list or database much more often than usual, or they’ll, for the first time, try to copy, change, or download the data. In some cases, their access may be denied. These events should be looked at.
  • install a remote desktop connection (for no discernible reason).
  • start browsing shadier sites or go on the dark web.
  • download exfiltration tools or blatant criminal/hacking tools.

Here’s Where Technology Can Help You Spot These Behaviors…

Ziv recommends any IDS or IPS (intrusion detection system, or intrusion prevention system) with anomaly detection features to detect if your employee is connecting remotely (and behaving oddly), threat hunting tools that will flag malicious software, and ensuring your user rights management and access controls are set so an employee doesn’t have access to any data outside of their job functions.

A database protection and monitoring tool will also detect anomalies and flag suspicious activities or requests that violate policies that should be set in the first place. Depending on your policy, this can also alert you when an employee is querying the database at odd hours or during the weekend.

Email security tools with data leak prevention features are essential too as they may be able to identify any attempts at data exfiltration. Monitor VPN connections in unusual times, from unusual locations and for unusual periods of time or connections that involve unusual copy of data. They may indicate attempts to exfiltrate data from the organization remotely or other malicious intent.

Because any given employee can damage an organization in a number of ways, there’s no one tool an organization can rely on—instead, you need several monitoring and detection tools configured properly so you’ll know if an employee decides to turn.

How An Organization Can Minimize The Risk

A security department should know how an employee can damage an organization—with their current access, what data can be exfiltrated, changed, or copied? Can they access other departments’ sensitive information? Should they? Knowing the ways and channels an employee can leverage organization can help you with purchasing and configuration decisions.

Lastly, given that this is a risk area, work with your HR department to ensure there are policies in place to prevent employees from being too unhappy in the first place. How’s the overall organizational sentiment? Is there high turnaround or a specific department with the worst job satisfaction ratings? Watch for employees who make highly negative comments about their workplace or manager. Using human judgment and finding ways to improve the quality of life for your employees goes a long way in preventing this kind of attack.

To learn more about how a detection and monitoring service can help you detect and prevent attacks from the inside and the outside, check out Trustwave Managed Detection services.

Latest Trustwave Blogs

Mining Operations: Critical Cybersecurity Threats & Trends Revealed

Cybersecurity professionals often point out that threat actors do not differentiate when choosing a victim. To an attacker, a hospital is as useful a target as a law firm or even a mining operation....

Read More

Phishing: The Grade A Threat to the Education Sector

Phishing is the most common method for an attacker to gain an initial foothold in an educational organization, according to the just released Trustwave SpiderLabs report 2024 Education Threat...

Read More

Unlocking Cyber Resilience: UK’s NCSC Drafts Code of Practice to Elevate Cybersecurity Governance in UK Businesses

In late January, the UK’s National Cyber Security Centre (NCSC) issued the draft of its Code of Practice on Cybersecurity Governance. The document's goal is to raise the profile of cyber issues with...

Read More