A Quick Guide to Preventing, Detecting & Responding to Insider Threats
By Dr. Christine Izuakor - May 02, 2019
One day, a contractor working for an internet service provider decided to sabotage the company by disabling internet connectivity for all customers. Unfortunately, the attack was successful, and the disruption lasted three weeks. This attack cost the company tens of thousands in remediation costs and left many customers struggling to navigate a world without the internet.
Insider Threats come in many different shapes and sizes, and they can hurt companies not only financially but also through damage to brand and reputation. With an average price tag of $238,000 and many incidents spiking into the millions of dollars, being able to prevent these types of attacks is paramount to every organization's cybersecurity strategy. An added challenge with Insider Threats is that, because of the nature of these events and the attackers' internal knowledge, the attacks are often difficult to detect. The culprits usually know enough to cover their tracks. This makes managing Insider Threats a challenging effort.
The key to adequately addressing inevitable Insider Threats within organizations is to have a robust strategy to prevent, detect, and respond to such incidents.
How to prevent Insider Threats
- Know your assets. To protect your company from a threat, you must understand it. Start by identifying what your most valuable assets are, who has access to them, what credible threats put them at risk, and how they are protected. Remember that your people are assets as well and this process applies to them too.
- Hire good people. While this sounds like common sense, it’s proven to be a challenge for some corporations. One of the most proactive ways to reduce Insider Threats is to be very particular about whom you are hiring. Evaluate whether their morals and values align with the way your company operates, conduct background checks, and ensure you aren't opening your company up to threats by hiring high-risk individuals.
- Teach employees what not to do. Insider threats are not always malicious in nature. Often, threats stem from careless employees. Implement a training and awareness program that educates employees on cyber security best practices.
- Create policies and standards. Having clear expectations in the form of policies, standards, and guidelines can help eliminate gray areas that employees may be unsure about. Make moral dilemmas and decisions more straightforward for employees by providing documented guidance they can reference.
- Implement layered technological defenses. Standard cyber security functions such as network firewalls and adequate identity and access management can ensure that employees don’t have unauthorized access to sensitive information. Apply the concept of least privilege everywhere.
- Integrate segregation of duties in processes. Ensure that roles and responsibilities have minimal overlap and that there are no conflicts of interest. Implement checks and balances systems where multiple employees or teams are involved in validating activities and transactions in high-risk areas.
- Don’t forget third parties. Thirty-five percent of Insider Threats in the federal government, one of the most highly vetted domains, were third parties. In the finance sector, this jumps to almost 40%. Third parties should be a part of your Insider Threat conversations, and you should apply access limitations and other protection mechanisms to keep accidents or malicious insider attacks from exposing your company to risks.
- Learn from history. There are thousands of Insider Threat attacks on record and tons of lessons learned have been captured from these. Learning from successful attacks, how they were detected, and how impacted companies responded can help inform the strategy of any organization looking to avoid a similar fate.
Detecting insider threats
Insider Threats tend to take longer to detect than external attacks, which often increases the price tag and the impact of these attacks. Adequate detection tools are necessary to contain the incident as quickly as possible and minimize the impact. User and entity behavior analytics (UEBA) can help in this space. The fundamental operating principle of UEBA is to capture a baseline of what average user and organizational behavior looks like. Once you have this view, you can compare it to current activity and alert on events that deviate too far from the baseline. Furthermore, UEBA can correlate large amounts of information and add intelligent context to the logs for high accuracy on what’s considered a viable threat. Having quality logs is critical to accomplish this.
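The baseline-and-deviation principle can be sketched in a few lines. This is an added example, not code from the article or from any UEBA product; the event data is constructed, and the choice of a per-user median/MAD baseline, the 10-day training window and the 3.5 threshold are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events: (user, day, MB downloaded from a file server).
EVENTS = (
    [("alice", d, mb) for d, mb in
     enumerate([120, 135, 110, 140, 125, 130, 118, 122, 128, 133])]
    + [("bob", d, mb) for d, mb in
       enumerate([900, 40, 850, 60, 880, 55, 910, 45, 870, 50])]
    + [("alice", 10, 900), ("bob", 10, 900)]  # same volume, different users
)

def robust_baseline(values):
    """Median and MAD: a baseline that a single past spike cannot drag."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad

def score(value, med, mad, floor=1.0):
    """Robust z-score; 0.6745 scales MAD to be comparable to a std deviation."""
    return 0.6745 * (value - med) / max(mad, floor)

def detect(events, train_days=10, threshold=3.5):
    """Alert when a user's activity deviates too far from that user's own past."""
    history = defaultdict(list)
    alerts = []
    for user, day, mb in sorted(events, key=lambda e: e[1]):
        past = history[user]
        if len(past) >= train_days:
            med, mad = robust_baseline(past)
            z = score(mb, med, mad)
            if z > threshold:
                alerts.append((user, day, mb, round(z, 1)))
                continue  # do not fold flagged activity into the baseline
        past.append(mb)
    return alerts

if __name__ == "__main__":
    for user, day, mb, z in detect(EVENTS):
        print(f"ALERT user={user} day={day} mb={mb} robust_z={z}")
```

The 900 MB transfer is flagged for alice, whose history sits near 125 MB a day, but not for bob, whose normal pattern already includes transfers of that size. A single organization-wide threshold would either miss the first or raise a false alarm on the second.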
Detection of Insider Threats can also be achieved with the help of vigilant employees. Often, there are notable changes in employee behavior that may prompt monitoring or analysis. For example, an employee may start working odd hours, express frustration with pay and stressful financial struggles, show signs of greed and more. Other employees should have a way to safely report this kind of behavior to the appropriate management in the company who can further investigate.
Responding to Insider Threats
Once you find that something is off, what do you do?
- At the technology level, you can use UEBA-based tools to trigger Data Loss Prevention functions and autonomous action. From dynamic firewall configuration to dynamic revocation of access to sensitive resources, further loss can be prevented by setting up tools to block or react to certain anomalies.
- Trigger an employee investigation and digital forensic analysis process to understand the scope of the threat.
- Depending on the incident, you may need to find and close back doors to contain it. If you find that data has been lost, you may need to activate your incident response or breach response process.
- Consider the legal implications of the matter and whether legal action is required against the individual in question. This process will likely require close collaboration with legal, HR, and other teams.
- If termination is warranted, have a standard procedure for offboarding this type of individual. Ensure all access is revoked and there are no back doors to prevent further impact or retaliation. Employees who have been terminated and still had access to the system are a common source of Insider Threat incidents.
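One way to check the offboarding step above is to reconcile the HR termination list against the account inventory and the authentication log. This is an added example, not part of the original article; the identities, systems, timestamps and the four-field log format are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample data (not from any real system).
TERMINATED = {  # identity -> time at which access should have ended
    "jdoe": "2019-04-12T18:00:00",
    "vendor-acme-03": "2019-04-20T18:00:00",  # third-party account
}
ACCOUNTS = [
    {"owner": "jdoe", "system": "vpn", "enabled": False},
    {"owner": "jdoe", "system": "git", "enabled": True},
    {"owner": "jdoe", "system": "cloud-api-key", "enabled": True},
    {"owner": "vendor-acme-03", "system": "vpn", "enabled": False},
    {"owner": "asmith", "system": "vpn", "enabled": True},
]
AUTH_LOG = [  # assumed format: timestamp user system outcome
    "2019-04-11T17:02:10 jdoe git login_success",
    "2019-04-14T02:31:55 jdoe git login_success",
    "2019-04-21T09:00:00 vendor-acme-03 vpn login_failure",
    "2019-04-22T08:15:00 asmith vpn login_success",
]

def residual_access(terminated, accounts):
    """Accounts still enabled for an identity that has been offboarded."""
    return [(a["owner"], a["system"]) for a in accounts
            if a["owner"] in terminated and a["enabled"]]

def post_termination_activity(terminated, log_lines):
    """Auth events, successful or failed, dated after the identity's cutoff."""
    hits = []
    for line in log_lines:
        ts, user, system, outcome = line.split()
        cutoff = terminated.get(user)
        if cutoff and datetime.fromisoformat(ts) > datetime.fromisoformat(cutoff):
            hits.append((user, system, outcome, ts))
    return hits

if __name__ == "__main__":
    for owner, system in residual_access(TERMINATED, ACCOUNTS):
        print(f"REVOKE  {owner}: {system} still enabled")
    for user, system, outcome, ts in post_termination_activity(TERMINATED, AUTH_LOG):
        print(f"REVIEW  {ts} {user} {system} {outcome}")
```

Failed logins are reported alongside successful ones because an attempt from an offboarded identity is worth investigating even when the account was correctly disabled.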
Conclusion
Having a robust Insider Threat prevention, detection and response program is critical to maintaining security within any organization. Advanced tools, such as Veriato Cerebral, bundle these capabilities in a single solution to support all three components of your Insider Threat strategy.