What is an insider threat? 7 warning signs to watch for

Employees conducting attacks on their own employers – known as insider threats – are becoming increasingly common and costly. According to a CA report, over 50 percent of organizations suffered an insider threat-based attack in the previous 12 months, while a quarter say they are suffering attacks more frequently than in the previous year. Ninety percent of those organizations claimed to feel vulnerable to insider threats.

Insider threats can take the form of the accidental insider who inadvertently leaks information, the imposter who is really an outsider using stolen credentials, or the malicious insider to wants revenge or money. While spotting internal threats can be difficult, there are warning signs that can alert the organization of a potential incident before it occurs and data has left the boundaries of the network.

These attacks can be costly. According to Ponemon, a successful malicious insider attack costs an average of $600,000. These attacks can come in all shapes and sizes, from all classes of employees.

The insider threat – who are they, what are they stealing and why?

A key part of creating a risk profile of potential insider threats is knowing who the likely perpetrators are, what data they may be targeting, and why. This will enable you to put greater restrictions on potential threat actors and more controls on vulnerable data.

An older study from 2013 by the Centre for the Protection of National Infrastructure found insider attacks were more likely to be committed by men aged 31 to 45. Attacks were more likely to be from permanent staff than contractors or partners, and the majority of insider attacks were committed by employees who had been at the company for less than five years. A study by Carnegie Mellon University found that insiders usually act alone, but when there is collusion, whether willingly or as a result of social engineering, attacks “will have a duration that is nearly four times as long as one that is committed solely by a single insider.” 

Why do insiders attack? Usually it will be for financial gain. Either someone is offering money for certain information, or they believe they can sell it online. Sometimes the motive will be revenge for a slight against them. It may be in retaliation for receiving a warning or disciplinary action or poor performance review, being passed up for a promotion or project, disagreements around salaries of bonuses, or being laid off. Sometimes it will be for a career benefit, for example taking contact details for customers or valuable intellectual property (IP) to a new employer.

“For a lot of people, it’s about the contacts they make and how that could be useful in their new job – they see this as ‘their information’, not the company’s,” says Dr. Guy Bunker, senior vice president of products at Clearswift. “So, they will take copies of the information which could be useful: people’s names, emails, telephone numbers, information on deals done or opportunities.”

Common failures or issues that enable insider attacks to succeed include:

• Excessive access privileges
• A growing number of devices and locations with access to sensitive data – such as mobile devices and cloud-based offerings – that often exist beyond companies’ networks and are harder to track and control
• A growing use in the number of third parties touching network data
• The use external storage such as USBs
• Poor control over non-IT approved apps such as Dropbox

Poor controls around access can also be a factor. A report from Varonis found that 21 percent of all folders inside organizations are open for everyone in the company to access, while at least a third of companies have 1,000 sensitive folders open to everyone.

Given the easy access to large amounts of storage and increasingly fast internet speeds, it can be trivial for an insider to move data off-site. A Cisco study of data exfiltration from the cloud found just 750 malicious users were able to 3.9 million documents from corporate cloud systems (an average of 5,200 each) during a six-week period.

All types of data can be at risk from insider threats. The CA report found that confidential business information such as financials and customer or employee data was the most vulnerable, followed by privileged account information such as passwords, personally identifiable and health information (both of which are heavily regulated), and then the intellectual property.

Insider threat examples

Perhaps the most well-known insider attack was by Edward Snowden, a contractor who leaked thousands of documents revealing how the National Security Agency (NSA) and other intelligence agencies operate. Another famous insider, Chelsea Manning, leaked a large cache of military documents to WikiLeaks.

This year Tesla CEO Elson Musk said an insider had was found making “direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive data to unknown third parties.”

Another example from the car world is Anthony Levandowski. The Otto Motors founder reportedly stole 14,000 files from Google’s Waymo autonomous car project to start his own company. The move cost Otto’s acquirers Uber heavily, and resulted in the company giving a stake in its business over to Google.

However, not all insider threats involve such big names or hit the headlines. Stephan Jou, CTO at security analytics company Interset, saw one customer suffer a raft of insider threats. “An employee (who was on a termination list) took dozens of screenshots of proprietary source code and other IP and subsequently emailed those screenshots to their personal account,” he said. “At the same firm, a disgruntled employee emailed 500 MB of sensitive data to personal email accounts and tried to hide the data exfiltration by spreading the activity across three different personal email accounts. In a third instance, a different employee copied more than 2 GB of data onto a USB drive and emailed additional data to a personal email account.”

Dr. Giovanni Vigna, co-founder and CTO at Lastline, told CSO of an incident with a with a fashion designer where the company detected a connection to a host in China, which was unusual. After investigation, this connection was found to be part of a plan to steal proprietary designs and create knock-offs in China.

These are the warning signs that an insider might become a threat.

1. Major changes at the organization

While potential insider threats leave many digital clues, there are almost always more obvious physical warning signs before that. “It’s incredibly rare for someone just to blow up and go and steal everything, stuff all the hard-disks in their pockets and run out of there,” says Dr. Jamie Graves, vice president of product management, security analytics at ZoneFox, a behavioral analytics company acquired by Fortinet earlier this year. “Usually, there is some sort of organizational change or event that precedes an attack. The most common are if, as an organization, you go through great change– you’re going to be acquired or you’re going through redundancies.”

“If you dig into it, there’ll be a reason why in there. There could be in indicating factor, and then when you talk to people in your organization they say, ‘Oh yes, Bob, he’s coming up for redundancy, or he’s failed a review, etc.’ You need to have your ducks in a row when it comes to monitoring for that sort of [malicious] behavior,” says Graves.

2. Personality and behavioral changes

Personality and behavioral changes will be the first sign of a potential insider threat. Perhaps they are clearly and vocally unhappy at work or lacking motivation, or talking about money troubles, or openly disagreeing with superiors in the office. Working longer hours, over the weekend, or increasingly from home or remote locations could also be indicators.

Openly speaking ill of the company or talking about hunting for new jobs – whether in the office, in company chat systems, or on social media – should be noted as a warning sign. “If you use LinkedIn Recruiter, you can see if your employees are searching for new roles when they opt in to the option of ‘Looking for New Opportunities’,” says Tom Huckle, lead cyber security consultant and head of training and development at cyber security training firm Crucial Academy. “If you do not have access to this, other tell-tale signs could include them engaging with suspicious parties [on social media] through likes and comments.”

3. Employees leaving the company

Those leaving the company – whether by their own volition or not – are likely thinking about taking data with them. Most IP theft by insiders happens within 30 days of leaving an employee leaving an organization. It’s also worth noting that those with a history of ignoring security protocol need closer monitoring. Another Deloitte study found half of employees known to have been involved in insider attacks had previous history of violating IT security policies.

4. Insiders accessing large amounts of data

If the behavioral warning signs are missed, there will be digital clues that someone may be considering a malicious act, as well as clear warnings that an insider is conducting an attack. “Insiders no longer have to photocopy, photograph, or remove large swaths of physical documents from an office space,” says Tom Tahany, intelligence analyst at Blackstone Consultancy. “Rather, the downloading of several terabytes of data from an online reservoir can be done within minutes from a remote location and distributed rapidly.”

This accessing and download of large amounts of data is less of a warning sign than a smoking gun that you are suffering an insider threat. Usually before we reach the actual exfiltration there will be digital warnings that something may be about to happen.

5. Unauthorized insider attempts to access servers and data

Many insiders will go through a reconnaissance stage first, where they explore what data and systems they have access to. “Warning signs include attempts by authorized users to access servers or data they shouldn’t be, authorized users accessing or requesting access to information that is unrelated to their roles or job duties, and theft of authorized user credentials,” says Carolyn Crandall, chief deception officer at Attivo Networks.

“Whether the activity is from an authorized employee just poking around where they shouldn’t be out of curiosity, an authorized employee with malicious intentions accessing servers or data to cause damage or steal information, or an external attacker that has obtained valid credentials of an authorized user, if any of these activities are detected it is cause for alarm,” says Crandall.

6. Authorized but unusual insider access to servers and data

Other clues may include accessing areas of the network or files they have the required permissions for but would never normally access during their day-to-day functions, modifying large numbers of files in a short period of time, staying later or arriving earlier than they have previously or accessing systems remotely at weekends, or repeatedly trying (and failing) to access areas they do not have permission for. Establishing normal behaviors and flagging abnormal is important in these situations.

7. Attempts to move data offsite

Then the final stage is the actual attempts at exfiltrating data. These include any large downloading to external storage such as a USB stick, large uploads to personal cloud apps such as Dropbox when your company doesn’t use that service, or large numbers of attachment-heavy emails sent outside the company.

While USBs remain a viable option for removing large data sets and leaving less of a digital footprint, remote late-night downloads are not uncommon. Cisco’s cloud data exfiltration study found 62 percent of suspicious downloads occurred outside of normal work hours, with 40 percent taking place on weekends. While gigabytes or terabytes of data are a smoking gun for suspicious activity it’s worth remembering sensitive information can be contained in a small amount of data.

“A credit card is 12 digits from 0 to 9, easily stored in 6 bytes,” says Jeff Williams, CTO and co-founder at Contrast Security. “That means 100,000 credit cards fits into 60KB, a million is only .6 megabytes. You could easily hide that data in a picture or document and nobody would ever detect it.”

Maintaining employee trust

However, it’s important to remember there should be an element of trust between the business and its employees. One anomalous action does not necessarily make one guilty; an employee may only need to access a certain file or folder once a month or even once a quarter, for example, and regularly accusing employees of malicious actions could impact morale. A deadline for a project may be coming up, causing people to work more hours or over the weekend.

“One of these warning signs alone may not be indicative of a malicious internal actor,” says Nathan Little, lead investigator and partner of Gillware Digital Forensics. “But when you diligently monitor these warning signs simultaneously, the patterns and behaviors become more apparent.”

Visibility and monitoring are key

While no single technology is likely to completely protect against insider threats, a combination of technologies such as data loss prevention (DLP), encryption at rest, identity and access management (IAM), behavioral analytics, tailored log and event management, and maybe even honeypot files will reduce the chance of data making it beyond your network. “It’s essential for organizations to implement robust, well-known reporting procedures for potential insider threats, and parallel human-side defenses with technical ones,” says Justin Sherman, cybersecurity policy fellow at U.S. think tank New America. “Employees should be accessing what they need in order to effectively function in their job, and that’s about it.”

Prevention is better than the cure, however, and one of the best ways to prevent data escaping your network is to create risk profiles on the people who may be a risk within your organization. Cooperation, collaboration and communication between departments is key to an effective insider threat management program.

“There’s always going to be a dislocation between what HR know about individuals and telling,” says Matt Lock, director of sales engineers at Varonis. “You need to get HR to start thinking about how they can tell security that there is this person leaving, or we have a round of redundancies coming up. And if this is the case, then you can add this extra level of risk to these particular users and groups by putting them into a watch list.”

“It’s also important a SOC analyst can go back to a manager and fire off an email to individuals within the company to get confirmation that this is something that they shouldn’t be doing, or something that should put them on the radar because they may be looking to steal information,” Lock adds.