What is an insider threat?
Insider threats arise when current or former employees exploit access to their organisation’s systems or data for financial, political, or personal gain. As most enterprise security teams typically focus on mitigating external attacks, many organisations lack visibility into threats posed by malicious insiders.
Countering attacks from insiders requires vigilance and time, which makes planning for and focusing on combating insider threats more difficult. It is in this context that insider threats are problematic and dangerous.
What forms can insider threats take?
Insider threats can take many forms including intellectual property theft, insider recruitment, employee verification and insider trading, all of which have differing risks for the organisation. All however need to be effectively managed and the risks mitigated as much as possible.
Intellectual Property Theft
Companies that maintain proprietary access to intellectual property (IP) may be particularly susceptible to insider threats. The high black-market value and ample demand for IP on the Deep and Dark Web means that for malicious insiders with access to valuable company information, selling such access can provide a quick and profitable return. But, as most companies lack visibility into the forums and marketplaces where IP is bought and sold, insider threats often go undetected until the damage has been done.
One notable example of this occurred when an analyst identified a post on an elite cybercrime forum offering the sale of source code from unreleased software owned by a multinational tech company. Analysis subsequently determined the actor was a company employee and this intelligence enabled the company to safeguard the source code and get rid of the rogue employee. Examples similar to this one are more common than we may think, often driven by financial gain. Intellectual property theft has huge monetary value.
Insider Recruitment
As organisations across all sectors continue to implement stricter security measures, more threat actors are recognising that some criminal schemes may only be possible with the cooperation of insiders. In order to recruit insiders, threat actors typically post advertisements to various Deep and Dark Web forums. Visibility into these forums enables organisations to proactively detect and address threats posed by insider recruitment.
An example of an insider recruitment threat would look something like this. A threat actor posts to a Dark Web forum regarding an early-stage plan for an account takeover operation (ATO) in an attempt to recruit an insider from a large bank. The actor claims to have access to a high-balance account holder’s credit report, which contains information that would enable an insider to change the account holder’s listed address to that of a drop address and subsequently cash-out the account. To mitigate this and safeguard the compromised account the bank would need to strengthen user-access controls and monitor employee activity to prevent an insider threat from arising.
Employee Verification
While most organisations conduct background checks on prospective employees, many high-risk indicators are not visible via traditional pre-screening procedures. Indeed, more threat actors operating on the Deep and Dark Web are seeking employment as a means of accessing sensitive corporate data and deploying malicious schemes targeting their employers.
In one situation, intelligence revealed previously-unknown ties between a Fortune 500 retailer’s prospective employee and a threat actor known for recruiting insiders on the Deep and Dark Web to steal corporate data for use in extortion schemes. We quickly alerted the retailer of these ties, which prompted them to deny the individual’s employment application and implement intelligence-led measures to reinforce the security of their sensitive data.
Insider Trading
Threat actors interested in insider trading often seek access to confidential information pertaining to, for example, market insights, M&A activity, product launches, or corporate restructuring. In addition to leveraging this information to engage in insider trading schemes directly, some insiders may simply opt to sell it on the Deep and Dark Web to others interested in such schemes.
Analysts monitoring a Dark Web marketplace recently observed a threat actor seeking “financial industry staff” to supply “non-public investment information” in support of insider trading.
Shortly thereafter, the actor’s request elicited an affirmative response from an individual who claimed to be employed by a U.S. investment bank. Extensive analysis of the suspected insider confirmed the validity of their claims and subsequently identified both the investment bank and the individual in question. This intelligence enabled the bank to safeguard their corporate data and remove the employee.
What can be done to stop insider threats?
As highlighted above, an extensive understanding of the Dark and Deep web is a key tool in the armoury against insider threats. The Deep and Dark web provides a marketplace – even after the closure of notorious sites such as AlphaBay and Hansa – for the monetisation of crimes that constitute insider threats. Many security teams, focused and relentlessly pressured by having to deal with external threats, may lack the time and/or expertise to effectively plan for, detect and stop insider threats. This is why expertise and additional support is so vital in this area.
Recognising that insider threats do exist and need planning for is the first step to protecting the organisation. The next step is to think, can it be handled internally or does additional support and expertise need to be brought in? Processes starting all the way from recruitment through to the end of an employee’s time at a company need to be in place.
As the threat from employee verification highlights, not everyone will be who they say they are. There will always be the possibility of someone applying for a role simply to access valuable data. Locking down and effectively monitoring systems when an employee leaves a company is equally important, as this period is a prime time for the theft of data, especially if the employee is leaving in acrimonious circumstances or for a role at a competitor.
The theft of IP, access to other valuable data and the potential to benefit from privileged information financially are all drivers for insider threats. Other drivers may be political or personal. This is why it is vital to evaluate insider threats as part of a strategic cyber defence plan. Knowledge and visibility will give defenders the upper hand against the attackers, which is as vital if you are tackling DDoS and ransomware as it is insider threats. All have the potential to cause substantial damage.