Tag Archives: insider threats

Insider Threats: A CISO’s Guide

Insider threats are a real and growing problem. According to the most recent Verizon DBIR, insiders were involved in 28% of the data breaches analyzed for 2017. Broken down by vertical, insiders were responsible for 54% of breaches in Healthcare and 34% in Public Administration. Hacking (48%) and malware (30%) were the top two tactics used to steal data, while human error (17%) and privilege misuse (12%) made the cut as well.

What does it all mean? Insiders have capabilities and privileges that can be abused by either themselves or bad actors to steal important data – making a CISO’s job to identify and build a defense against all of those attack vectors even more complicated.

What is an Insider Threat?

An insider threat is a security incident that originates within the targeted organization. This doesn’t mean that the actor must be a current employee or officer in the organization. They could be a consultant, former employee, business partner or board member.

Anyone who has insider knowledge and/or access to the organization’s confidential data, IT, or network resources should be considered a potential insider threat.

Types of Insider Threats

So who are the possible actors in an insider threat?

First, we have the Turncloak: This is an insider who is maliciously stealing data. In most cases, it’s an employee or contractor – someone who is supposed to be on the network and has legitimate credentials, but is abusing their access for fun or profit. We’ve seen all sorts of motives that drive this type of behavior: some as sinister as selling secrets to foreign governments, others as simple as taking a few documents over to a competitor upon resignation.

Next, we have the Pawn: This is just a normal employee – a do-gooder who makes a mistake that is exploited by a bad guy: whether it’s a lost laptop or mistakenly emailing a sensitive document to the wrong person.

Finally, we have the Impostor: Whereas the Turncloak is a legitimate insider gone rogue, the Imposter is really an outsider who has acquired an insider’s credentials. They’re on your network posing as a legitimate employee. Their goal is to find the biggest treasure trove of information to which their “host” has access and exfiltrate it without being noticed.

Common Behavioral Indicators of an Insider Threat

How do you identify an insider threat? There are common behaviors that suggest an insider threat, whether digital or in person. These indicators are important for CISOs, security officers, and their teams to monitor, track, and analyze in order to identify potential insider threats.

Digital Warning Signs 

  • Downloading or accessing substantial amounts of data
  • Accessing sensitive data not associated with their job function
  • Accessing data that is outside of their behavioral profile
  • Multiple requests for access to resources not associated with their job function
  • Using unauthorized storage devices (e.g., USB drives or floppy disks)
  • Network crawling and searches for sensitive data
  • Data hoarding, copying files from sensitive folders
  • Emailing sensitive data outside the organization

Human Warning Signs 

  • Attempts to bypass security
  • Frequently in the office during off hours
  • Displays disgruntled behavior toward co-workers
  • Violation of corporate policies
  • Discussions of resigning or new opportunities

While the human behavioral warnings can be an indication of potential issues, having digital forensics and analytics is one of the most powerful ways to protect against insider threats. User Behavior Analytics (UBA) and security analytics help detect potential insider threats, analyzing and alerting when a user behaves suspiciously or outside of their typical behavior.

Fighting Insider Threats

A data breach of 10 million records costs an organization around $3 million – and as the old adage says, “an ounce of prevention is worth a pound of cure”.

Because insiders are already inside, you can’t rely on traditional perimeter security measures to protect your company. Furthermore, since it’s an insider – who is primarily responsible for dealing with the situation? Is it IT, or HR, is it a legal issue? Or is it all 3 and the CISO’s team? Creating and socializing a policy to act on potential insider threats needs to come from the top of the organization.

The key to accounting for and remediating insider threats is the right approach, backed by the right solutions to detect and protect against them.

Steps for an Insider Threat Defense Plan:

  1. Monitor files, emails, and activity on your core data sources
  2. Identify and discover where your sensitive files live
  3. Determine who has access to that data and who should have access to that data
  4. Implement and maintain a least privilege model throughout your infrastructure
    1. Eliminate global access groups (such as Everyone or Domain Users) from sensitive data
    2. Put data owners in charge of managing permissions for their data, and expire temporary access quickly
  5. Apply security analytics to alert on abnormal behaviors including:
    1. Attempts to access sensitive data that isn’t part of normal job function
    2. Attempts to gain access permissions to sensitive data outside of normal processes
    3. Increased file activity in sensitive folders
    4. Attempts to change system logs or delete large volumes of data
    5. Large amounts of data emailed out of the company, outside of normal job function
  6. Socialize and train your employees to adopt a data security mindset
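The following is an added worked example, not Varonis code and not part of the original post, of what step 5 (and the digital warning signs above) looks like as detection logic: it builds a per-user baseline from file-access audit events and then flags a volume spike, first-time access to sensitive folders, off-hours activity from a normally 9-to-5 user, and sensitive files mailed out. The log format, user and folder names, sensitivity labels and thresholds are all constructed assumptions; a real deployment would read the equivalent fields from file-server and mail-gateway audit logs.

```python
# Added example, not Varonis code and not from the original post: a minimal user-behaviour
# baseline over file-access audit events. Log format, names, folders and thresholds are assumed.
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

SENSITIVE_ROOTS = {"Finance", "HR", "Legal"}   # assumed classification of top-level folders
OFFICE_HOURS = range(7, 20)                    # 07:00-19:59 treated as normal working hours

# Constructed sample log, "<ISO time> <user> <action> <path>". Baseline 2018-03-01..05: alice
# (engineer) only touches Engineering in office hours; bob (analyst) uses Finance daily.
# Observation day 2018-03-06: alice crawls Finance/HR/Legal at night and mails payroll out.
SAMPLE_LOG = """\
2018-03-01T09:12:00 alice READ Engineering/specs/api.md
2018-03-01T14:05:00 alice WRITE Engineering/build/notes.txt
2018-03-02T09:30:00 alice READ Engineering/specs/db.md
2018-03-02T15:45:00 alice WRITE Engineering/specs/api.md
2018-03-05T09:50:00 alice READ Engineering/specs/api.md
2018-03-05T16:00:00 alice WRITE Engineering/specs/db.md
2018-03-01T09:00:00 bob READ Finance/Q1/budget.xlsx
2018-03-02T09:05:00 bob WRITE Finance/Q1/budget.xlsx
2018-03-05T09:10:00 bob READ Finance/Q1/forecast.xlsx
2018-03-06T09:05:00 bob READ Finance/Q1/budget.xlsx
2018-03-06T22:15:00 alice READ Finance/Q1/budget.xlsx
2018-03-06T22:17:00 alice READ Finance/payroll/2018.csv
2018-03-06T22:18:00 alice READ HR/reviews/2018.docx
2018-03-06T22:20:00 alice READ Legal/contracts/acme.pdf
2018-03-06T22:22:00 alice READ Engineering/specs/api.md
2018-03-06T22:30:00 alice EMAIL_OUT Finance/payroll/2018.csv
"""

def parse_log(text):
    """Return (timestamp, user, action, path) tuples from the constructed log format."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, path = line.split(" ", 3)
            events.append((datetime.fromisoformat(ts), user, action, path))
    return events

def build_baseline(events, observe_day):
    """Per-user profile from all events before observe_day: daily volume,
    top-level folders touched, and share of activity outside office hours."""
    daily = defaultdict(lambda: defaultdict(int))
    roots, off_hours, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for ts, user, _action, path in events:
        if ts.date() >= observe_day:
            continue
        daily[user][ts.date()] += 1
        roots[user].add(path.split("/")[0])
        total[user] += 1
        off_hours[user] += ts.hour not in OFFICE_HOURS
    return {user: {"mean": mean(list(counts.values())),
                   "stdev": pstdev(list(counts.values())),
                   "roots": roots[user],
                   "off_hours_ratio": off_hours[user] / total[user]}
            for user, counts in daily.items()}

def detect(log_text, observe_day):
    """Return {user: [(alert_kind, detail), ...]} for observe_day, judged against the baseline."""
    events = parse_log(log_text)
    profile = build_baseline(events, observe_day)
    by_user = defaultdict(list)
    for ev in events:
        if ev[0].date() == observe_day:
            by_user[ev[1]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        found, p = [], profile.get(user)
        if p is None:                       # never seen before: nothing to compare against
            found.append(("no_baseline", "first activity for this user"))
        else:
            # Volume spike: above mean + 3 sigma and at least twice the usual daily count
            limit = max(p["mean"] + 3 * p["stdev"], 2 * p["mean"])
            if len(evs) > limit:
                found.append(("volume", f"{len(evs)} events vs. baseline mean {p['mean']:.1f}"))
            # Sensitive folders this user never touched during the baseline
            touched = {path.split("/")[0] for _, _, _, path in evs}
            new_sensitive = (touched & SENSITIVE_ROOTS) - p["roots"]
            if new_sensitive:
                found.append(("new_sensitive", ", ".join(sorted(new_sensitive))))
            # Off-hours activity from someone who is normally a 9-to-5 user
            late = [ev for ev in evs if ev[0].hour not in OFFICE_HOURS]
            if late and p["off_hours_ratio"] < 0.05:
                found.append(("off_hours", f"{len(late)} events outside office hours"))
        # Sensitive data leaving by email is flagged regardless of baseline
        mailed = [path for _, _, action, path in evs
                  if action == "EMAIL_OUT" and path.split("/")[0] in SENSITIVE_ROOTS]
        if mailed:
            found.append(("email_out", ", ".join(mailed)))
        if found:
            alerts[user] = found
    return alerts

if __name__ == "__main__":
    for user, found in detect(SAMPLE_LOG, date(2018, 3, 6)).items():
        print(user, found)
```

Two design points are worth noting. A user with no baseline is reported rather than silently passed, because a freshly created or long-dormant account (the Impostor case) looks exactly like that. And the mail-out rule is deliberately not baseline-relative: sensitive data leaving the company is worth a look even from someone who mails a lot, whereas the volume and folder rules only mean something relative to what that user normally does.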

It’s equally important to have a response plan in place in order to respond to a potential data breach:

  1. Identify threat and take action
    1. Disable the account and/or log the user out when suspicious activity or behavior is detected
    2. Determine what users and files have been affected
  2. Verify accuracy (and severity) of the threat and alert appropriate teams (Legal, HR, IT, CISO)
  3. Remediate
    1. Restore deleted data if necessary
    2. Remove any additional access rights used by the insider
    3. Scan and remove any malware used during the attack
    4. Re-enable any circumvented security measures
  4. Investigate and perform forensics on the security incident
  5. Alert Compliance and Regulatory Agencies as needed

The secret to defending against insider threats is to monitor your data, gather information, and trigger alerts on abnormal behavior.

The Varonis Data Security Platform identifies who has access to your data, classifies your sensitive data, alerts your teams to potential threats, and helps maintain a least privilege model. With the proper resources, CISOs and CIOs can gain visibility into their highest-risk users and gather the intelligence needed to head off insider threats.

Is Your Biggest Security Threat Already Inside Your Organization?

The person in the cubicle next to you could be your company’s biggest security threat.

The large-scale attacks we’re accustomed to seeing in the news — Yahoo, Equifax, WannaCry ransomware — are massive data breaches caused by cyber criminals, state-sponsored entities or hacktivists. They dominate the news cycle with splashy headlines that tell an all-too recognizable story: one of name-brand corporations vs. anonymous cyber villains.

We focus on outsider threats because they’re both terrifying and thrilling, and because they’re familiar. They often have a clear-cut storyline, one that we’ve seen before. But the hyper-focus on cyberattacks caused by outside parties can lead organizations to ignore a major cybersecurity threat: insiders already in the organization.

We’ve seen these threats before too: attacks of dramatic espionage from Snowden, Reality Winner and Gregory Chung — but insider threats aren’t always so obvious, and they pose a risk for organizations that don’t operate in the national security space. In fact, research suggests that insider threats account for anywhere from 60 to 75 percent of data breaches.

They’re dangerous for a number of reasons, including because of how much they vary: from rogue employees bent on personal gain or professional revenge to careless staffers without proper cybersecurity training, insider threats can come from almost anyone, making them a prime concern for businesses. Check out our full infographic to learn more about the motives and methods behind these types of threats.

Are you doing everything you can to prevent insider threats?

If you’re granting unnecessary internal permissions, lack an auditing system for high-risk people or sensitive data, or aren’t paying close attention to possible behavioral indicators of malicious activity, your organization is at risk. You’re more vulnerable than you think — assess your risk today to see what you can do to ward off threats that come from the inside.

Infographic sources:
U.S. Department of Homeland Security | 2018 Insider Threat Report | Digital Guardian | MetaCompliance | ITProPortal | IT Governance | Wired

[Infographic] From Bad Report Cards to Insider Data Theft

We’ve all read the news recently about employees and contractors selling internal customer data records or stealing corporate intellectual property. But insiders breaking bad have been with us as long as we’ve had computers and disgruntled humans who understand IT systems.

You may not know it, but academic researchers have also been studying the psychological insides of insiders.

Carnegie Mellon’s Computer Emergency Response Team (CERT) has an entire group devoted to insider threats. Based on looking at real cases, these academics have come up with, to our minds, a very convincing model of what drives insiders.

In short, it’s their belief that the root causes lie beyond just a raise or promotion denied, but rather in earlier traumas, likely starting in childhood.

For instance, it is thought that children who, during a famous psych experiment, immediately ate the marshmallow (instead of waiting for two marshmallows) had issues with parental and other authority figures that would later show up through impulsive behaviors. Or perhaps for a certain kind of child, not getting into the genius program for advanced 4-year-olds can have devastating consequences later!

We’ve turned the complex CERT multi-stage insider model into this more accessible infographic. Check out the original CERT paper (or read our incredibly informative series) to learn more.

Reality Leah Winner and the Age of Insider Threats

Prosecutors allege that 25-year-old federal contractor Reality Leah Winner printed a top-secret NSA document detailing the ongoing investigation into Russian election hacking last November and mailed it to The Intercept. This raises a series of questions when it comes to protecting sensitive information from insider threats.

First, should Winner have been granted access to documents related to the Russian hacking investigation in the first place? Were there any processes in place at Pluribus to periodically review access controls and revoke access to documents and emails that employees don’t need?

According to the released affidavit, Winner had only been an employee of Pluribus International Corporation since February 2017, but reportedly gained top-secret security clearance in 2013. While her access was legitimate, there is no indication that the leaked document was relevant to her job. In fact, in the affidavit, Winner admits to not having a “need to know.”

The Epidemic of Open Access

This leads to a much broader question about access control: should every employee or contractor with top-secret clearance have access to everything? Likewise, should the CEO of a company have access to every sensitive file and email in her company? Most security pros would argue no. It’s certainly a violation of the principle of least privilege.

Excessive access can be linked to increased risks from insider threats, and the problem is only getting worse. In a recent Ponemon Institute study 62% of end users said they have access to company data they probably shouldn’t see and 76% of IT pros said they’d experienced data loss or theft in the past two years.

The open access epidemic can result in even more damage when accounts are compromised. Even if Winner hadn’t intentionally leaked the document to the media, had her account been compromised by an outside attacker, that information would be vulnerable.

One has to wonder whether Pluribus has a clear picture of its most sensitive information. Many organizations have lost the handle on where their most sensitive information lives, who has access to it, and who might be abusing their access — in the 2017 Varonis Data Risk Report, we found that 47% of organizations have at least 1,000 sensitive files open to every employee.

Detecting Insider Threats by Combining Metadata

What’s more, there seems to have been a failure in insider threat detection. It was only when the news outlet contacted an unnamed intelligence agency that federal investigators began their audit to determine who had accessed the leaked document. Was it consistent with Winner’s normal data access behaviors to access files relating to the Russian election hacking investigation? Even though she had legitimate access, there may have been abnormalities in her data access patterns that could have sounded an insider abuse alarm.

Lastly, and perhaps one of the most interesting facets of the story, is how The Intercept accidentally outed Winner by posting a copy of the leaked document, which contained tracking metadata. Winner accessed the document and then printed it. Investigators knew it had been printed because of the nearly invisible yellow tracking dots that many laser printers add to every page, which encode the printer’s serial number and the date it was printed, so they could trace the copy to a specific printer and date. That narrowed it down to six users, one of whom had email contact with The Intercept.

Image credit: http://blog.erratasec.com/2017/06/how-intercept-outed-reality-winner.html

It was a combination of different types of forensic metadata that identified Winner as the leaker. Just knowing the printer and date wouldn’t have been enough on its own without it being correlated with email behavior, but together Winner could be conclusively identified.
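As an added example, not part of the original post, here is the same correlation expressed over two constructed log sources: the printer serial and timestamp recovered from the tracking dots select everyone who printed on that device around that time, and a mail-gateway log then selects which of them had been writing to the news outlet’s domain. The log formats, user names, printer serial, addresses and time windows are all assumptions.

```python
# Added example, not from the original post: correlating two independent log sources the way
# the investigation above did. Log formats, user names, serial and addresses are constructed.
from datetime import datetime, timedelta

# Print-server audit, "<ISO time> <user> <printer serial> <document>" (constructed)
PRINT_LOG = """\
2017-05-09T08:55:00 user01 XRX-4419 weekly_status.docx
2017-05-09T10:02:00 user02 XRX-4419 report.pdf
2017-05-09T10:08:00 user03 XRX-4419 report.pdf
2017-05-09T10:11:00 user04 XRX-4419 report.pdf
2017-05-09T10:30:00 user05 XRX-4419 report.pdf
2017-05-09T10:44:00 user06 XRX-4419 report.pdf
2017-05-09T10:50:00 user07 XRX-4419 report.pdf
2017-05-09T10:20:00 user08 XRX-9001 report.pdf
"""
# Mail gateway log, "<ISO time> <sender> <recipient>" (constructed)
MAIL_LOG = """\
2017-03-30T19:12:00 user04 tips@news.example
2017-04-02T20:05:00 user04 tips@news.example
2017-05-01T09:00:00 user02 vendor@supplier.example
2017-05-08T12:00:00 user07 friend@mail.example
"""

def parse(text, nfields):
    """Split each non-empty line into nfields columns, parsing the first as a timestamp."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            cols = line.split(" ", nfields - 1)
            rows.append((datetime.fromisoformat(cols[0]), *cols[1:]))
    return rows

def printed_on(print_log, serial, when, tolerance=timedelta(hours=1)):
    """Users who printed on the printer whose serial the tracking dots encode, within
    +/- tolerance of the dot timestamp (the dots are only as accurate as the printer's clock)."""
    return {user for ts, user, prn, _doc in parse(print_log, 4)
            if prn == serial and abs(ts - when) <= tolerance}

def contacted(mail_log, domain, since):
    """Internal senders who mailed any address at domain since the given time."""
    return {sender for ts, sender, rcpt in parse(mail_log, 3)
            if rcpt.endswith("@" + domain) and ts >= since}

def narrow(print_log, mail_log, serial, when, domain, lookback=timedelta(days=90)):
    """Intersect the two candidate sets; returns (print candidates, those who also mailed)."""
    printers = printed_on(print_log, serial, when)
    return printers, sorted(printers & contacted(mail_log, domain, when - lookback))

if __name__ == "__main__":
    print(narrow(PRINT_LOG, MAIL_LOG, "XRX-4419", datetime(2017, 5, 9, 10, 20), "news.example"))
```

The intersection is only as trustworthy as its two inputs: printer clocks drift, so the print-time tolerance should be generous rather than tight, and a leaker who wrote to the outlet from a personal account would never appear in the gateway log at all. The join narrows a suspect list for investigators to follow up; it does not prove anything on its own.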

Want to learn more about insider threats and techniques to mitigate them? Troy Hunt produced an hour-long video course called The Enemy Within. It’s 100% free. Click here to enroll.

If you want to get a handle on insider threats within your organization, Varonis can help.

The Enemy Within: A Free Security Training Course by Troy Hunt

It takes a very long time to discover a threat on your network according to the Verizon DBIR:

Which is mind-boggling given the most devastating breaches often start with an insider—either an employee or an attacker that gets inside using an insider’s credentials. Target, OPM, Panama Papers, Wikileaks. The list goes on and on.

The truth is that many organizations are behind the curve when it comes to understanding and defending against insider threats.

So when we were tossing around topic ideas with Troy, it quickly became clear what our next video course should focus on.

I’m happy to announce the third course in our free, CPE-eligible security training series—The Enemy Within: Understanding Insider Threats.

What’s inside?

The course is broken into 8 video modules totaling over an hour worth of entertaining material covering where insider threats originate from, how they exfiltrate data, and how to stop them.

More free content

While you’re at it, grab the previous two courses in the series:

About Troy

Troy is a Microsoft Regional Director, Microsoft Most Valuable Professional and top-rated international speaker on online security, regularly delivering the number one rated talk at events across the globe. He’s also the author of 26 online Pluralsight courses which frequently feature at the top of the charts. Troy’s site, HaveIBeenPwned.com, is one of the world’s most popular data breach verification sites.

Interesting Deloitte Research on Insider Threats

We’re excited that Deloitte, the international auditing and consulting firm, has been raising the alarms on insider threats. They have some content in the CIO section of the Wall Street Journal that’s worth your time.

Take a look at this infographic they put together based on their own research. There are two key data points to note in the graphic: 92% of insider threat cases were preceded by a negative work event, and 51% of employees involved in insider threat had a history of IT security violations.

The infographic also lists some of the common precursors that disgruntled employees will start to exhibit before the actual incident. These include expense report abuse, change in job performance, and most interestingly (for us), unusual email activity and access level abuses.

Thank you Deloitte for bringing this to the attention of our corporate elite.

In the Varonis IOS blog, we’ve also been pointing out some of the interesting behavior patterns of insiders. We know from Carnegie Mellon’s CERT research, for example, that insiders will rehearse their data heist and probe defenses.

Of course, this means that if you have a baseline of their online behaviors, you can use UBA technology to spot their trial runs and then stop them before they go further.

Deloitte’s Adnan Amjad and Michael Gelles have some great advice on how to set up an insider threat program. Stakeholder buy-in, training, and auditing are part of their 9 point threat mitigation program.

Their program also includes behavior analysis and analytics. Amjad and Gelles note insiders exhibit observable behaviors that can be detected once you “build baselines of normal behavior to help identify anomalies”.

Amjad and Gelles, by the way, cite the aforementioned CMU CERT studies in supporting their behavior monitoring recommendations.

We approve!

Overall, it’s great to see that some of the very encouraging research and positive prognosis about insider threats is getting more attention: it’s a problem that can be directly addressed and mitigated.

Varonis Keeps Union Bank’s Data Safe from Insider Threats and External Attacks

Today we’re excited to share another interesting customer success story out of the UK. Union Bank UK PLC needed better visibility into the different types of sensitive data its employees were storing and accessing across its file systems. Regulatory requirements necessitated that the bank’s IT department regularly audit and report on who was accessing sensitive data, when and where, but they had no way of doing so efficiently. Also, with malware and ransomware on the rise, the bank needed a solution that could quickly alert the IT staff to unusual file access behavior such as rapid encryption of files stored on its servers.

The search led Union Bank’s IT team to our DatAdvantage and DatAlert solutions. Union Bank’s IT team is now alerted in real-time to any breach of its file systems, and they’re able to put control over file access in the hands of data owners, eliminating much of the burden previously placed on their team. They are also able to keep an eye on access privileges and ensure that no one is getting access to data that they do not need.

  • DatAdvantage makes it easy to see and report on who can access, and who does access data in the bank’s Windows, Exchange, and Active Directory environments by tracking and monitoring file activity.
  • Union Bank can intelligently identify who owns which data, and can alert on unusual activity through DatAlert, which uses user behavior analytics to spot insider threats like abusive administrators, ransomware, compromised accounts, and rogue employees.
  • Keeping files secure when employees leave the company was another important capability identified by Union Bank. Varonis allows the bank to monitor and baseline employees’ access profiles and detect if files are unusually accessed prior to their departure.

David Pennant, an IT Manager at Union Bank told us, “Before Varonis we had no real view of what was happening on the file servers or changes happening on a day-to-day basis. We can’t afford to spend a large amount of time sifting through logs – we need to stay focused on day-to-day tasks and therefore needed a more efficient approach. It was obvious straight away that Varonis could give us the automated, efficient approach we were looking for. Thanks to Varonis, IT now has better insight into the bank’s data, and that of course reduces security risk, which is something which you can’t always put a price on.”

Varonis Risk Assessments quickly show you where your most vulnerable data is stored, who is accessing it, and what needs to be done to secure it.  Learn more here.

Inside the World of Insider Threats, Part I: Motivation

As someone once said in a different context, never let a good crisis go to waste. While we still don’t have definitive proof, there’s good evidence that employees were in some way involved in the Sony meltdown—see Did North Korea Really Attack Sony? from Schneier. The larger point is that the Sony breach opens the door to a public discussion on a specific topic—malicious insiders —one which many companies have been very reluctant to discuss or comment.

Let’s put Sony in the undecided category for now while we wait for more information, and instead focus on lessons from actual verified insider cases.

Great idea, but where do we find these case files?

Thankfully, Carnegie Mellon University’s Computer Emergency Response Team (CERT) has been collecting insider incident data from the US Secret Service and their own consulting practice. Over the years, they’ve amassed a hefty database of 700 well-documented insider incidents that they’ve been actively analyzing as part of their research. One conclusion worth pointing out is that the underlying motivations differ between internal and external attackers. It’s still important to keep in mind, though, that the same IT controls stopping insiders also stop outsiders!

Motivated

Since CMU CERT is a research organization, it has its own unified theories on insider data crime, which you can, if you’d like, read more about in these serious academic papers. However, as anyone who’s ever read any mysteries or watched crime shows knows, it always boils down to a question of means, motive and opportunity in establishing guilt.

Motives are especially interesting to explore in the world of insider data theft—what are the reasons that trusted employees break bad?

The folks at CMU CERT have looked into this question. Of the 700 cases, they analyzed a smaller set of only those that actually went to trial. Based on this subset, they came up with four motivation categories (see the graphic):

  • theft for financial gain
  • theft for business advantage (IP theft)
  • IT sabotage
  • a miscellaneous category with various and sometimes unclear motives.

Stealing for money is the most obvious motive, though it covers less than half the cases. The CERT team discovered that this type of fraud was more likely done by lower level, non-technical employees, usually in cooperation with outsiders.

These were employees typically with financial problems who were using their authorization level as a data entry operator or customer support rep to modify credit histories, adjust benefits, or create false login credentials— all for a fee.

According to CERT, their activities were eventually spotted through an examination of log activity, particularly system change and file access logs. However, there was often a very long delay between the actual crime and its detection.

Sabotage!

With the Sony breach on everyone’s mind, we know that non-financially motivated theft can be just as devastating as those driven by dollar signs. What’s interesting about the IT sabotage category is that it’s committed as an act of revenge by the proverbial “disgruntled employee”.

The source of the disgruntlement? The CMU CERT researchers note that the triggering event can be “termination, disputes with the employer, new supervisors, transfers or demotions, and dissatisfaction with salary increases or bonuses”.

Not surprisingly, IT sabotage is committed by technically oriented employees—mostly males—who have figured out how to take over someone else’s credentials. Effectively, these are tech savvy dudes who steal the passwords of other users and then throw the virtual monkey wrench into the IT machinery. This might involve writing a script or program to delete massive amounts of data, or even setting up a backdoor account to launch an attack much later.

The saboteurs were ultimately identified through the monitoring of remote access logs, file access logs, database logs, application logs, and email logs. But the CERT folks point out that since these are more sophisticated thieves than the financially motivated data robbers, they’re good at hiding their tracks by deleting or modifying the log files themselves.

Motivation and Environment

There’s more to motivation than I can fit into this post. The CERT team has come up with some provocative ideas about how environmental factors—perceived risk in getting caught, corporate culture—can shape motivation. There may even be precursor events that point to employees who are data thieves in the making.

We’re getting into “Minority Report”-like precrime territory, but there’s evidence to suggest that insiders test and probe the company’s defenses long before the actual attack.

We’ll be taking up this and other topics in my next post in this insider threat series.

Want to learn more about insider threats?  Sign up for our Jan. 28 webinar!

Image credit: Evaneleven