Last year we saw a spate of high-profile cyber security breaches that all had one thing in common – they originated from a malicious insider. As cybersecurity professionals, it's easy to become so focused on external threats that we forget the threat that could be sitting right beside us (literally). It's a pretty frightening thing to think about. If Joe Blogs didn't get the promotion he went for, he'll be upset… but is he upset enough to become malicious? Surely not. We put the notion of an insider threat to the back of our minds and tell ourselves that we couldn't possibly be working with anyone who would be a big enough jerk to compromise the business's reputation, operations or even existence. But let's get real – Tesla, Facebook, Coca Cola… the US Government. No one's immune, and if that's the case, we should all assess the risk and defend accordingly. So then, what is an insider threat? What are the motivations for malicious activity? And why should organizations have a strategy to mitigate the risk that an insider threat could pose? We'll cover all these points and more in this blog.
What is an Insider Threat?
I think one of the best definitions I've come across is from Daniel Costa at the Carnegie Mellon University CERT Insider Threat Center – he defines an insider threat as 'the potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.'1
What are their motivations?
For starters, it’s important to remember that not all insider threats are intentional as many employees inadvertently fall victim to social engineering techniques, clicking phishing emails and giving adversaries the keys to the castle.
Malicious insiders, however, can have a number of motives – the most common of these is the promise of financial gain. A Gartner study on criminal insider threats found that 62 percent of insiders with malicious intent are “second streamers,” or people seeking a supplemental income.2 This type of insider threat can be particularly dangerous as they are often more careful in how they exfiltrate data in order to avoid being caught – they’ll take it slow and play the long game in order to make the most money.
The rarest form of insider threat is insider collusion, and this typically occurs when a relationship with an organization or hacker group has been formed. Although rare, these types of threats are typically the most expensive and difficult to identify.
Finally, as seen with Tesla last year, an insider threat can be motivated by revenge. Disgruntled employees can be compelled to damage their organization.
Why we need to take Insider Threats Seriously
Last year we saw a number of high profile security breaches that occurred as a result of malicious insider threats and it’s clear that no matter how big or important an organization is, the threat is ever present and even the U.S. Government isn’t exempt. In fact, the National Counterintelligence and Security Center pointed out that over the past century, the most damaging U.S. counterintelligence failures were perpetrated by a trusted insider with ulterior motives.
They’re Difficult to Identify
Insider threats are notoriously difficult to detect: they already have access to the network with authorized credentials, so their activity does not flag on a traditional monitoring system. They also often already have access to sensitive data – even if they don't always need it. Insider threats are also often aware of the existing security measures and how to get around them. Combine all of this with a prevalent lack of visibility into user access and data activity, and identifying these threat actors becomes incredibly challenging.
Much like a traditional threat actor – the longer they go undetected and are free to roam the network, the more damage they can do. Combine this with the fact that they aren't raising alarms and the potential damage becomes serious. According to the Ponemon Institute, the average cost of insider threats per year for an organization is $8.76 million – the financial risk is huge, and Punjab National Bank was an unfortunate example of this in 2018, when it was confirmed that a malicious insider paved the way for $1.8 billion in fraudulent transactions.3
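The two points above (an authorized account raising no alarms, and the "second streamer" who exfiltrates slowly to stay under per-day limits) are easier to see with a concrete check. The following is an added example, not code from the original post or from any vendor it mentions: it learns a per-user baseline (typical daily download volume and the set of resources normally touched) from a quiet period, then compares a later window against it. The log format, user names, file paths and sizes are all constructed for the illustration; the thresholds (`DAILY_FACTOR`, `WINDOW_FACTOR`) are assumptions you would tune for your own environment.

```python
from collections import defaultdict
from datetime import date, datetime
from statistics import mean

# Constructed sample log (not real data): timestamp,user,action,resource,bytes
# Week of 2019-01-07 is the baseline; week of 2019-01-14 is the window under review.
SAMPLE_LOG = """\
2019-01-07T09:12:00,alice,download,/crm/accounts.xlsx,400000
2019-01-08T09:40:00,alice,download,/crm/accounts.xlsx,400000
2019-01-09T10:05:00,alice,download,/crm/accounts.xlsx,400000
2019-01-07T11:00:00,bob,download,/eng/specs.pdf,150000
2019-01-08T11:30:00,bob,download,/eng/specs.pdf,150000
2019-01-09T14:15:00,bob,download,/eng/specs.pdf,150000
2019-01-14T09:10:00,alice,download,/crm/accounts.xlsx,400000
2019-01-14T17:50:00,alice,download,/hr/salaries.csv,300000
2019-01-15T09:20:00,alice,download,/crm/accounts.xlsx,400000
2019-01-15T18:05:00,alice,download,/hr/salaries.csv,300000
2019-01-16T09:05:00,alice,download,/crm/accounts.xlsx,400000
2019-01-16T17:45:00,alice,download,/hr/salaries.csv,300000
2019-01-14T11:10:00,bob,download,/eng/specs.pdf,150000
2019-01-15T11:25:00,bob,download,/eng/specs.pdf,150000
2019-01-16T13:40:00,bob,download,/eng/specs.pdf,150000
"""

DAILY_FACTOR = 2.0    # assumed: a single day above 2x the user's busiest baseline day is a spike
WINDOW_FACTOR = 1.5   # assumed: a window total above 1.5x the baseline prediction is "slow and low"


def parse_log(text):
    """Parse the CSV-style log into records with a date, user, resource and byte count."""
    records = []
    for line in text.strip().splitlines():
        ts, user, action, resource, size = line.split(",")
        records.append({"day": datetime.fromisoformat(ts).date(), "user": user,
                        "action": action, "resource": resource, "bytes": int(size)})
    return records


def daily_bytes(records, start, end):
    """user -> {day -> bytes transferred} for records with start <= day <= end."""
    per_user = defaultdict(lambda: defaultdict(int))
    for r in records:
        if start <= r["day"] <= end:
            per_user[r["user"]][r["day"]] += r["bytes"]
    return per_user


def build_baseline(records, start, end):
    """Per-user profile from a quiet period: typical daily volume and resources touched."""
    volumes = daily_bytes(records, start, end)
    resources = defaultdict(set)
    for r in records:
        if start <= r["day"] <= end:
            resources[r["user"]].add(r["resource"])
    return {user: {"daily_mean": mean(days.values()),
                   "daily_max": max(days.values()),
                   "resources": resources[user]}
            for user, days in volumes.items()}


def evaluate(records, baseline, start, end):
    """Compare a later window against the baseline; return findings per user."""
    volumes = daily_bytes(records, start, end)
    window_days = (end - start).days + 1
    findings = {}
    for user, days in volumes.items():
        profile = baseline.get(user)
        if profile is None:
            findings[user] = {"reason": "no baseline"}   # new account: review separately
            continue
        total = sum(days.values())
        touched = {r["resource"] for r in records
                   if r["user"] == user and start <= r["day"] <= end}
        findings[user] = {
            # a naive per-day threshold: misses a slow exfiltration that stays under it
            "daily_spike": any(v > DAILY_FACTOR * profile["daily_max"] for v in days.values()),
            # cumulative volume over the window: catches the "long game" pattern
            "window_excess": total > WINDOW_FACTOR * profile["daily_mean"] * window_days,
            # data the user never touched during the baseline period
            "new_resources": sorted(touched - profile["resources"]),
        }
    return findings


def run_example():
    records = parse_log(SAMPLE_LOG)
    baseline = build_baseline(records, date(2019, 1, 7), date(2019, 1, 9))
    return evaluate(records, baseline, date(2019, 1, 14), date(2019, 1, 16))


if __name__ == "__main__":
    for user, finding in run_example().items():
        print(user, finding)
```

In the constructed data, alice never exceeds the per-day spike threshold (700 KB a day against an 800 KB limit), which is exactly the pattern a patient insider relies on; it is the cumulative window check and the newly touched `/hr/salaries.csv` that surface her, while bob produces no findings. A real deployment would feed this from file-server, DLP or cloud audit logs and feed the findings into the review process rather than treating them as proof of intent.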
They Can Risk Compliance
Data protection and compliance should also be considered as often an insider threat will make the exfiltration of data their objective. Last year Coca Cola suffered an insider threat attack which saw the personal information of about 8000 of their employees leave the building. Not only this, Coca Cola also didn’t realize it had happened until law enforcement informed them of the data breach.4
They Can Cause Operational and Competitive Disaster
As seen in the case of Tesla, an insider threat can also sabotage operations and risk an organization's competitive edge. In June 2018, it came to light that a disgruntled employee who lost out on a promotion made 'direct code changes to the Tesla Manufacturing Operating System under false usernames and exported large amounts of highly sensitive data to unknown parties', according to a letter addressed to employees. As Christopher Burgess noted, this is enough to do significant damage: sabotaging forward progress opens a window of opportunity large enough for a competitor to grab sufficient market share.5
In conclusion, insider threats take many forms, but the very nature of them being double agents gives them the power to wreak havoc on the organizations they attack over an extended period of time. Organizations must evaluate the risk – how much sensitive data do employees have access to? Does everyone need access to everything? What measures do you have in place to identify rogue behavior?