Information security professionals need to protect against many different kinds of risks. But the insider threat may be the most challenging. Because insider threats come from within the organization and are by definition trusted, they can be particularly difficult to detect and block.
An insider threat could be an employee, but it could also come from a partner, contractor, or other trusted third party that has access to non-publicly available information or systems. Edward Snowden is the most high-profile example of a trusted insider, in this case a sub-contractor, exploiting his privileged access to steal millions of documents. He was an “intentional” insider threat, which is an insider who deliberately takes advantage of their access. Intentional insider threats could be disgruntled employees who want to hurt the organization, or they could be coerced, for example via blackmail, by outsiders looking to gain access.
But an insider threat could also come from an untrusted individual who gains access using false or stolen credentials so they appear to be a legitimate (i.e., trusted) user. These outsiders are usually able to get access thanks to “unintentional” insider threats – careless insiders who either are phished into unwittingly handing over their credentials or who launch malware on their trusted endpoint systems that enables outsiders to get in. This is what happened with the Office of Personnel Management (OPM) data breach; according to investigators, hackers likely stole credentials to get access to the network and then planted malware to create a backdoor to exfiltrate data.
In its 2015 Insider Threat Report, Vormetric found that a staggering 93% of U.S. respondents feel their organization is vulnerable to an insider attack. And when asked about who posed the biggest internal threat to corporate data, over half (55%) said privileged users. And Infosecurity Magazine reported that insiders were responsible for 43% of data breaches – and that the split between intentional and accidental leakage was 50/50. Clearly, this is a big problem that’s keeping infosec professionals up at night.
The implications of insider threats are significant. In its Managing Insider Threats report, PwC states that 39% of organizations say that insider crimes are more costly or damaging than incidents perpetrated by external adversaries. And the Vormetric survey shows that the average breach detection time isn’t measured in minutes, hours, or even days, but in months.
The first, and most obvious, reason that insider threats are so difficult to detect is that, by definition, the activity looks like it’s coming from (and may, in fact, be coming from) legitimate users. But that’s not the only reason. Many security precautions focus on the perimeter and don’t have visibility into what’s going on within the network. There are a number of user-focused security tools, but these tend to concentrate on endpoints despite the fact that corporate servers and databases pose the highest risk from insider attack.
Not only are insider threats more challenging to detect than other information security attacks, they also have a different mitigation profile. While all network security and data breaches have implications for the organization as a whole, mitigation of insider threats requires the active participation of a number of functions in addition to IT and information security, including corporate security, human resources, legal, audit, etc.
A report issued by the Intelligence and National Security Alliance (INSA) Cyber Insider Threat Subcouncil – an organization that engages with the intelligence community, the DOD, CIOs, and representatives from private sector companies to examine best practices around insider threats – advises that, “a robust insider threat program integrates and analyzes technical and nontechnical indicators to provide a holistic view of an organization’s insider threat risk from individuals identified as potential threats.”
Following are some of the technical solutions organizations have available to them to detect and/or prevent insider threats.
Access control mechanisms – Access control is a broad term that encompasses a wide range of technologies and approaches to ensure that data and systems are only accessed by authorized users. This includes authorization (the process of determining what users can access, what they can do with it, and when access is allowed) and authentication (the process of making users prove they are who they claim to be). Access controls can restrict access to digital systems (for example, with passwords) or physical locations (such as with keycards). Access controls are an important security layer in every organization, but they don’t protect against unauthorized users with stolen credentials.
Encryption – Encryption doesn’t prevent data from being stolen, but it can prevent attackers from using that data, which decreases its value to would-be perpetrators. There are different types of data encryption and it’s important to understand the difference. You can encrypt data-at-rest, but be sure that the encryption keys are not stored on the same server as the data, and you can also encrypt data-in-motion.
Data loss prevention (DLP) systems – DLP systems are designed to detect potential data exfiltration, but they are limited in their effectiveness. While they are good at identifying sensitive structured data – such as social security or credit card numbers – leaving the organization, they can’t recognize many other types of data exfiltration, such as confidential intellectual property or other insider information that could have serious business, regulatory, ethical or legal repercussions.
User training – Because humans are the weakest link in the insider threat attack vector, training is an important tool, especially to help prevent unintentional insider threats. By educating users to recognize phishing attempts, malware, and other techniques hackers use to make insiders their unwitting accomplices, you can lessen the risk. Of course, people being people, you can never completely eliminate the threat of careless or unaware insider threats.
Monitoring of data-in-motion – Data can’t be used by attackers unless it leaves the network. If all other protections fail, monitoring data-in-motion can help identify a data leak in progress so you can stop it quickly, before significant damage is done. There are many approaches for monitoring data-in-motion, but the most comprehensive – and effective – is network flow monitoring. Network flow data – NetFlow, Jflow, sFlow, Cflow and IPFIX – contains valuable information about traffic traversing the network, such as IP addresses, port and protocol, exporting device, timestamps, VLAN and TCP flags, etc. Solutions that analyze this data can learn and understand the changing patterns of behavior inside your network so when any system, mobile device, or server starts behaving outside the normally expected patterns – such as hosts receiving data outside of normal thresholds or sending files at unusual times – you can quickly shut them down.
Unfortunately, there’s no way to completely prevent network security breaches, including from insider threats. So in addition to employing a range of prevention and detection tools and approaches such as those discussed above, you also need to ensure that you have comprehensive forensic capabilities so that if you do suffer an attack, you can quickly evaluate the extent of the compromise. You need to be able to answer the following questions:
Full-fidelity network flow analysis tools – in addition to helping you detect a data breach in progress – can also be invaluable in your post-breach investigations. They can provide a complete forensic history of the data-in-motion, showing you when data traveled and where it traveled to and from. Because flow data is compact but provides a great amount of detail, it’s a powerful tool for quickly answering the key questions about what happened during an insider attack.
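The two flow-based uses described above, detecting a host that starts moving data outside its normal volume or hours, and then pulling that host's forensic timeline, can be sketched in a few dozen lines. This is an added illustration, not FlowTraq's code or algorithm: the flow records are constructed, and a simple per-host mean plus k·stdev byte threshold with a set of usual active hours stands in for the learned behaviour models the text refers to.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed flow records (not real traffic): timestamp, src, dst, dst_port, proto, bytes
FLOWS = [
    ("2015-06-01T09:10:00", "10.0.1.20", "198.51.100.5", 443, "tcp", 50_000),
    ("2015-06-01T14:30:00", "10.0.1.20", "198.51.100.5", 443, "tcp", 62_000),
    ("2015-06-02T10:05:00", "10.0.1.20", "198.51.100.7", 443, "tcp", 48_000),
    ("2015-06-02T16:40:00", "10.0.1.20", "198.51.100.5", 443, "tcp", 55_000),
    ("2015-06-03T11:20:00", "10.0.1.20", "198.51.100.7", 443, "tcp", 51_000),
    ("2015-06-01T09:00:00", "10.0.2.15", "10.0.9.9", 445, "tcp", 900_000),
    ("2015-06-02T09:15:00", "10.0.2.15", "10.0.9.9", 445, "tcp", 880_000),
    ("2015-06-03T09:30:00", "10.0.2.15", "10.0.9.9", 445, "tcp", 910_000),
    ("2015-06-05T02:00:00", "10.0.1.20", "203.0.113.77", 22, "tcp", 4_800_000),
    ("2015-06-05T09:05:00", "10.0.1.20", "198.51.100.5", 443, "tcp", 53_000),
    ("2015-06-05T09:20:00", "10.0.2.15", "10.0.9.9", 445, "tcp", 895_000),
]
CUTOFF = "2015-06-05"  # flows before this date train the baseline; later flows are scored

def build_baseline(flows, cutoff=CUTOFF):
    """Per-source profile: mean/stdev of bytes per flow and the hours it is normally active."""
    by_src = defaultdict(list)
    for ts, src, _dst, _port, _proto, nbytes in flows:
        if ts < cutoff:  # ISO-8601 strings compare chronologically
            by_src[src].append((datetime.fromisoformat(ts).hour, nbytes))
    return {src: {"mean": mean(b for _, b in s), "stdev": pstdev(b for _, b in s),
                  "hours": {h for h, _ in s}} for src, s in by_src.items()}

def detect(flows, profile, cutoff=CUTOFF, k=3.0):
    """Flag scored flows that exceed mean + k*stdev bytes or fall outside the host's usual hours."""
    alerts = []
    for ts, src, dst, _port, _proto, nbytes in flows:
        if ts < cutoff:
            continue
        p = profile.get(src)
        if p is None:
            alerts.append((ts, src, dst, "unknown-source"))
            continue
        reasons = []
        if nbytes > p["mean"] + k * p["stdev"]:
            reasons.append("volume")
        if datetime.fromisoformat(ts).hour not in p["hours"]:
            reasons.append("hour")
        if reasons:
            alerts.append((ts, src, dst, "+".join(reasons)))
    return alerts

def timeline(flows, host, start, end):
    """Forensic view for an alerted host: every flow it sent or received in [start, end)."""
    return sorted(f for f in flows if host in (f[1], f[2]) and start <= f[0] < end)
```

Running `detect(FLOWS, build_baseline(FLOWS))` flags only the 02:00 transfer from 10.0.1.20 (both oversized and outside its usual hours), and `timeline` then returns that host's flows for the day so the when, where-to and where-from questions can be answered from the same records.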
The hard truth is that organizations can’t afford to trust their “trusted” insiders. The insider threat risk is too big and the stakes are simply too high. Every organization has sensitive and confidential data it needs to protect, which means that every organization needs to have a security infrastructure in place to protect against insider threats, detect when a breach has occurred, and investigate to determine what happened, when, and for how long.
FlowTraq monitors network flow traffic in real time and immediately detects unusual behavior and deviations from “normal” patterns that indicate insider threats and other unwanted behavior on the network so you can act fast. FlowTraq detects and alerts on insider threats, so you can begin mitigation immediately. In addition to helping you defend against insider threats and data exfiltration, FlowTraq can detect a wide range of other undesirable behavior in the network, including DDoS and brute-force attacks, scanning, and more.