After chasing and capturing cyber-criminals and spies for nearly three decades, one fact holds true, “Access rules the landscape. Every attacker wants it. Every employee has it.” Differentiating between legitimate access by malicious insiders and access enablement for state-sponsored, criminal and ideologically motivated actors can be challenging even for seasoned professionals.
Today, Mandiant records more cases than ever in which malicious insiders compromised mission-critical systems, exposed confidential data or extorted their employers. Such incidents can cause significant financial damage and reputational risk. Organizations not only have their own data but the data of customers and suppliers they are entrusted to protect. Organizations should focus on protecting their critical data, assets and crown jewels at a minimum. Unfortunately, most organizations and industries are unaware of the latest malicious insider threat trends:
- Malicious insiders are increasingly working in teams or groups.
- Ransomware groups recruit malicious insiders to enable access.
- Economic and workplace environments are significantly driving malicious insider behaviors.
Most organizations do not have an established insider threat program or leverage intelligence to reduce insider threat risk. To mitigate risk, insider threat programs should focus on three core elements: access, data and awareness.
Access is vital in malicious insider threat cases, so organizations must protect all environments and assets within their networks with multifactor authentication (MFA) and access controls. Each user, developer and administrator should be given only the rights they absolutely need for their daily work. Keep the number of employees allowed to create new accounts in on-premises and cloud environments to a minimum. Access and privilege audits should occur routinely.
Also, implement network segmentation. By separating network areas through security controls, an attacker has less opportunity to pivot to a separate environment and – potentially – elevate privileges. Organizations should additionally limit unnecessary traffic between highly sensitive and less trusted environments. All systems that do not need to be publicly accessible should be separated from public access. Ensure secure offboarding. When an employee leaves the company, organizations should immediately lock down their network access. All SSH keys, PEM files and passwords to which the person had access should be changed for all environments. MFA should also be disabled immediately.
Data, in this context, can be files, folders, intellectual property, sensitive information and more. Data resides on thin clients, laptops, desktops, servers, thick clients, mobile devices, printers and the cloud. Does your organization know where all its data is and where it goes? Not understanding this can lead to a breach, resulting in data loss, financial losses, reputation impacts and litigation risk.
“Most organizations do not have an established insider threat program or leverage intelligence to reduce insider threat risk”
Ensure all folders and files have appropriate access controls. Leverage purposefully designed insider threat tools to support data loss prevention efforts and visibility into data movements, including copies, modifications and destruction.
To effectively diagnose insider attacks, businesses need to combine technology with vigilance and a commitment to educating employees about the dangers of insider and insider-enabled threats. Organizations should commit to regular insider threat awareness training for their board of directors, c-suite and employees. Additionally, they should invest in a dedicated insider threat data loss prevention solution paired with a separate endpoint detection and response (EDR) solution.
Many organizations try to repurpose technologies not intentionally designed to detect insider threats. An insider threat data loss prevention solution detects malicious behavior for those with legitimate access, sounds the alarm and can block actions. These technologies protect from within, the other 180 degrees. Companies should send log data and event aggregation to a SIEM (security information and event management). This helps ensure the authenticity of logs and prevents an attacker from deleting or manipulating them.
Access, data and awareness are key to minimizing malicious insider threat risk. Outside specialists can review existing capabilities to maximize the use of current investments and accelerate or create insider threat programs based upon years of cataloguing best practices across industries.
Insider threat security as a service removes bias from analysis and identifies suppression of alerts and events, allowing the organization to focus on investigations. Regular intelligence-informed security assessments make it possible to uncover weaknesses and continuously improve security measures. This provides companies with an intelligence-informed individual roadmap for effectively protecting themselves against malicious insider attacks and their impacts.
I’ll leave you with three other points to consider:
- Insider threat-focused solutions should follow the data and protect from within.
- Insider threat investigations should be predicated by evidence to refute profiling and withstand legal scrutiny.
- Intelligence-informed insider threat programs add visibility and reduce risk.