Know your insider threats, and how to counter them

Insider threats, or rather, insider threat actors, take many forms. Most people probably think of an insider threat actor as being a disgruntled employee, hell-bent on damaging their employer as payback for whatever wrong they believe they have suffered.

Disgruntled employees are certainly a problem but to mount effective protection against insider threats, it’s important to understand all the different motivations that can drive an insider to attack their employer. And malicious intent is not the only insider threat: users who are negligent about security and those unwitting compromised are also a danger.

Malicious insiders

Not all disgruntled employees have the skills to be a threat, but they can be co-opted by external threat actors and enabled to cause damage such as launching a ransomware attack. In a survey of 100 IT and security executives on how hackers were approaching employees, undertaken by Pulse and Hitachi ID in late 2021 and early 2022, 65% reported that they themselves, or one of their employees, had been approached to help launch a ransomware attack. That figure has risen substantially over recent surveys, likely because of the changed working environment created by the pandemic.

The State of Network Security 2021 report by Barracuda found that 86% of Australian respondents said their organisation has been the victim of a security breach once in the last year.  Indeed, companies with staff working predominantly from home had a significantly higher network security breach rate (93%), compared to companies with staff working predominantly in the office (67%).  A full 72% of those surveyed said their organisation has been the victim of at least one ransomware attack in the last year.

Today many people reveal much about their lives and their feelings on social media. Those expressing dissatisfaction with their employer or work environment make easy targets for criminals to co-opt into their activities and provide with the tools needed to mount an attack.

Resentment is not the only motivation for an insider attack: naked ambition can also be a motivator. An employee might steal information or inflict damage to harm another employee in the hope it will advance their own career.

And the motivation could be as simple as money: industrial espionage. An employee could steal proprietary information to sell to another company or do so at the behest of a competitor.

Negligent insiders

Any insider who fails to follow security protocols and practices can become a threat. There are many reasons why they might do so: deliberate negligence (many security protocols are seen as standing in the way of getting work done); occasional inadvertent lapses; inadequate training.

Compromised insiders

Compromised insiders are those who have unwittingly enabled an attack, most often by falling for a phishing exercise, and then either downloaded malware or revealed their log-on credentials.

Once an attacker as compromised an insider they can take their time to exploit the access gained. They can add the compromised device to a botnet and then use it to mount a DDoS attack, or use it to mine cryptocurrency.

However they most frequently use this compromised device to explore the corporate network behind it, moving laterally to other devices and other accounts, gathering more credentials until they gain sufficient access to steal valuable data, launch a ransom attack or sabotage critical systems.

How to combat insider threats

There are many steps organisations can take to counter insider threats, either stopping them at source, or detecting and blocking those that do breach cyber defences.

Keep employees happy

It will never be possible to keep ever employ happy all the time, but should be the aim of every organisation, regardless of security issues. This means having first rate HR practices to ensure promotions and pay rise decisions are fair and reasonable. It means having clear and honest communications from leaders to subordinates at every level of the organisation. Every employee that does not become disgruntled is one less potential threat.

HR and IT must work together

IT is rarely in a position to identify a disgruntled employee, until that employ vents their displeasure on the IT systems. HR is much better placed. Therefore HR and IT should meet regularly so IT can be briefed on any employees they need to keep an eye on, perhaps even implementing more restrictive access requirements. HR should routinely tell IT about any employees who have transgressed and been disciplined or passed over for a promotion.

While IT cannot detect employee displeasure per se, it can detect activity that might precede an insider attack, for example, an employee logging in or entering the premises at abnormal times or accessing data not relevant to their role. It should then identify these individuals to HR for further monitoring.

Training is paramount

Security awareness training has progressed by leaps and bounds in recent years in parallel with the rise in phishing and other deceptions. Once it was a case of getting employees to watch a video and sit some sort of test once or twice a year.

Today’s security awareness programs are much more sophisticated. They simulate phishing attempts to determine employees’ susceptibility and identify those most needing training. They include focussed and personised training that targets the weaknesses identified in those employees.

Aside from these approaches, gamification has become a popular tool to build and maintain a high level of cyber vigilance among staff. Organisations stage monthly or quarterly games where simulated phishing emails are sent to staff and prizes are awarded to those who detect and report them.

Such exercises can motivate the most cynical employees and help to maintain a high level of threat awareness across the workforce.

Trust, but not really

The adage ‘trust but verify’ is widely used but makes no sense: it really means ‘don’t trust, verify instead’.

The bar for trusting has been progressively raised: from simple passwords to single sign-on (SSO), role-based permissions, and multi-factor authentication (MFA), but ultimately these are all trust-based access controls. Once the applicant has passed these hurdles, they are trusted: trusted with access to sensitive information and vital applications.

If an attacker has managed to gain access to the required credentials they are free to wreak havoc. Or if a legitimate user is compromised after they have passed the access hurdles, they become a danger.

Today’s Zero Trust Network Access (ZTNA) solutions eliminate any need for trust. They replace trust with constant surveillance, checking multiple aspects of the behaviour of every logged-in user such as their IP address, their geo-location, the rates and amounts of data traffic they are generating, the time of day they are active, and many other parameters. Some of these behaviours can be flagged as inherently suspicious, others because they represent significant deviations from what is normal for that user.

In conclusion

There is no way to eliminate insider threats completely, but the steps outlined above will greatly reduce their incidence and enable an organisation to a much better job of detecting and countering threats.

Mark Lukie
Mark Lukie is a Sales Engineer Manager for Asia Pacific and Japan at Barracuda Networks. He has 20 years’ IT industry experience with deep skills in networking, cybersecurity, backup/disaster recovery, public cloud platforms and systems integration. Mark has been with Barracuda for more than nine years and has extensive knowledge on the company’s entire solution portfolio, including security, application delivery and data protection solutions. He is a member of the Barracuda Global Cloud Security Team, which focuses on security solutions for public cloud platforms such as Microsoft Azure, Amazon Web Services, VMware vCloud Air and Google Cloud Platform. Mark’s qualifications include: Microsoft Certified Systems Engineer/Administrator (MCSE/MCSA), Certified Novel Administrator (CNA), Barracuda Application Delivery & Security Expert (ADSX) and Barracuda Certified Technician & Expert for NextGen Firewalls.