January 21, 2022

Insider Threat: Types, Examples, Detection, and Prevention

Mike Puterbaugh

Insider Threat Definition

An insider threat is a security threat from within the organization being targeted or attacked, typically by an officer or employee of an organization with privileged access. An insider threat can also be a board member, former employee, or anyone who at one point had access to confidential or proprietary information at an organization. Insider threats may also be people who have access to IT assets like databases, servers, or networks.

Organizations cannot prevent most insider threats with conventional security measures alone. Traditional security techniques focus on protecting against unauthorized access from outside the organization’s boundaries, or on safeguarding against conventional hacking approaches, in which the attacker does not already have access to a company’s systems. They cannot cover situations where the threat comes from a trusted insider account.

In this article:

  • Insider Threat Types
    • Negligent Workers
    • Departing Employees
    • Security Evaders
    • Malicious Insiders
    • Inside Agents
    • Third-Party Partners
  • Insider Threat Examples
    • Trend Micro: Employee Sold Customer Data
    • Twitter: Work-From-Home Vishing Scam
    • Microsoft: Database Leaked Due to Negligence
  • Insider Threat Indicators
  • Insider Threat Prevention
    • Deterrence
    • Detection of Insider Threats
    • Analysis and Post Breach Forensics
    • Insider Threat Program
  • Implementing an Insider Threat Program
    • Interpret Event Data with a SIEM Solution
    • Restrict Access with Privileged Access Management (PAM)
    • Maintain Vigilance
  • Insider Threat Management with Pathlock

Insider Threat Types

Negligent Workers

Many organizations use insider threat management methods to deal with insiders with malicious motives. However, negligence is more prevalent. Research shows that a majority of data breaches that involve an insider are unintentional.

These sorts of insider threats do something that unintentionally puts the organization in harm’s way. For instance, an employee could leave an unencrypted laptop or mobile device unattended, exposing sensitive information to malicious parties. Such insider threats are not the result of malice, but they still put the organization at risk.

Departing Employees

Employees leaving an organization, whether voluntarily or involuntarily, are another common insider threat. The biggest risk is information theft, particularly by employees serving out a notice period after dismissal or otherwise departing involuntarily.

All intellectual property or organizational information used by or created by an employee belongs to the organization. But in many cases, employees believe their work is their own property. In multiple surveys, employees reported that it is common for employees to take their previous work to their next role at another company. This type of information theft could significantly compromise an organization’s competitiveness.

Security Evaders

Organizations create security controls and policies to help safeguard the organization, its information, and its employees. However, often these rules are seen as a hindrance or inconvenient to employee efficiency.

Consequently, employees could use methods to work their way around security, aiming to make their lives simpler. For instance, restrictions on information sharing might be side-stepped by saving data files to an external cloud service. However, such workarounds can ruin an organization’s ability to control and monitor its information, and leave sensitive information vulnerable to compromise.

Malicious Insiders

The United States Computer Emergency Readiness Team (CERT) refers to a malicious insider as someone in an organization who is a former or current employee, contractor, or trustworthy business associate who abuses their authorized access to sensitive data in a way that impacts the organization.

Malicious insiders are more difficult to isolate than external attackers, because they have authorized access to an organization’s information, and spend most of their time carrying out ordinary work tasks. It can take a long time to identify insider threats—according to a Ponemon Institute report, the average time to identify an insider-threat related incident is 77 days. The longer the attacker is working without detection, the more damage may be caused by their activity.

Inside Agents

Inside agents are insiders who act on behalf of an external party to carry out an attack or breach. Such insiders might be malicious, deceived through social engineering, or coerced through blackmail or bribery. This type of insider threat is especially harmful because it gives an outside party the privileges and knowledge of an insider.

Third-Party Partners

Typically, you have limited control over the cybersecurity practices of third-party providers. You can audit their security measures during your vendor selection process, but this doesn’t ensure the safety of your sensitive information once you’ve granted them access. It is best to limit the sensitive information and systems that can be accessed by third parties.

The vast majority of organizations grant their suppliers, partners, and vendors access to their systems and networks. Many such third parties have privileged or administrative access to these systems. These external parties can cause the same harm, and present the same risks, as an organization’s own employees with the same access.

Insider Threat Examples

Trend Micro: Employee Sold Customer Data

A Trend Micro employee gained illicit access to a support database containing data about 68,000 customers. The employee sold the database to cybercriminals, who used it to perform voice phishing (vishing) attacks against Trend Micro customers, impersonating support staff. The company discovered the scam, alerted law enforcement, and dismissed the employee.

Twitter: Work-From-Home Vishing Scam

A major hacker group collected information about Twitter employees working remotely. They called these employees impersonating Twitter IT administrators and convinced some to give them account credentials. Using the credentials they received, the attackers changed passwords on over 100 high-profile Twitter accounts, including US President Joe Biden’s account, and used them to conduct a Bitcoin scam. Twitter’s share price dropped by 4%.

Microsoft: Database Leaked Due to Negligence

In 2019, Microsoft employees failed to follow security policies, leaving a support database accessible to the Internet with no authentication. The database had 250 million entries, including names, geolocations, email addresses, and sensitive support correspondence.

The database was exposed for a month, but was discovered and locked down before any damage occurred. However, under the new CCPA regulation, which took effect only a few days later, Microsoft would have faced a fine of several million dollars.

Insider Threat Indicators

The following indicators can help your organization detect and respond to suspected insider threats:

  • Unusual logins—security staff must be aware of repeating login patterns. It is important to keep track of employee working hours at different departments, to identify logins that occur at unusual hours or from unusual locations. Multiple failed login attempts should also raise suspicion.
  • Attempted use of unauthorized applications—any attempt by an employee to access a system unrelated to their job function should raise suspicion. For example, security teams should detect and respond to an engineer trying to access a CRM system or a salesperson trying to access a finance system.
  • Escalated privileges—any attempt by employees to increase their own privileges, or an attempt by one employee to grant privileges to another, should undergo careful review. Security teams must determine who approved the privilege escalation and whether it is reasonable.
  • Downloading or uploading data—security should investigate any user on the corporate network who downloads or uploads large volumes of data. For example, when users upload several GB of data to a cloud service or download files from a company server to a local device, they could be exfiltrating company data.
  • Unusual employee behavior—any change in employee behavior, especially in key roles like finance and IT administration, requires a closer look. For example, security or HR should look into employees exhibiting antisocial behavior, challenging superiors, being overly absent from work, or working more than usual.
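The first four indicators above are concrete enough to turn into detection logic. The following Python is an added example written for this article, not code from the original page or from Pathlock: it runs three indicator checks over a small set of constructed, already-normalized events (the kind of records a SIEM would hand to an analytics rule). The working-hours window, the failed-login threshold, and the transfer-size limit are assumptions chosen for the demonstration and would be tuned per organization; the "new source" check deliberately never flags a user's first-ever login, since there is no baseline to compare against.

```python
"""Insider-threat indicator checks over constructed, normalized events.

Added example; not from the article or from any vendor product. Thresholds
(work hours, failed-login burst size, transfer limit) are demo assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: alice's baseline is three daytime office logins,
# then one 02:14 login from a never-seen VPN source; bob has six failed logins
# in five minutes before succeeding; carol uploads 6.5 GB to a personal cloud.
EVENTS = [
    {"user": "alice", "ts": "2022-01-17T09:02:00", "action": "login", "outcome": "success", "src": "office"},
    {"user": "alice", "ts": "2022-01-18T09:10:00", "action": "login", "outcome": "success", "src": "office"},
    {"user": "alice", "ts": "2022-01-19T08:55:00", "action": "login", "outcome": "success", "src": "office"},
    {"user": "alice", "ts": "2022-01-20T02:14:00", "action": "login", "outcome": "success", "src": "unknown-vpn"},
    {"user": "bob", "ts": "2022-01-20T10:00:00", "action": "login", "outcome": "failure", "src": "office"},
    {"user": "bob", "ts": "2022-01-20T10:01:00", "action": "login", "outcome": "failure", "src": "office"},
    {"user": "bob", "ts": "2022-01-20T10:02:00", "action": "login", "outcome": "failure", "src": "office"},
    {"user": "bob", "ts": "2022-01-20T10:03:00", "action": "login", "outcome": "failure", "src": "office"},
    {"user": "bob", "ts": "2022-01-20T10:04:00", "action": "login", "outcome": "failure", "src": "office"},
    {"user": "bob", "ts": "2022-01-20T10:05:00", "action": "login", "outcome": "failure", "src": "office"},
    {"user": "bob", "ts": "2022-01-20T10:06:00", "action": "login", "outcome": "success", "src": "office"},
    {"user": "carol", "ts": "2022-01-20T11:00:00", "action": "upload", "bytes": 20_000_000, "dest": "corp-share"},
    {"user": "carol", "ts": "2022-01-20T15:30:00", "action": "upload", "bytes": 6_500_000_000, "dest": "personal-cloud"},
]


def _parse(events):
    """Copy events with ts converted to datetime, sorted chronologically."""
    parsed = []
    for e in events:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"])
        parsed.append(e)
    return sorted(parsed, key=lambda e: e["ts"])


def unusual_logins(events, work_start=7, work_end=19):
    """Flag successful logins outside [work_start, work_end) hours, or from a
    source the user has never logged in from before (first login never flagged).
    Returns (user, iso timestamp, reasons) tuples."""
    seen_sources = defaultdict(set)
    alerts = []
    for e in _parse(events):
        if e["action"] != "login" or e["outcome"] != "success":
            continue
        reasons = []
        if not (work_start <= e["ts"].hour < work_end):
            reasons.append("off-hours login")
        if seen_sources[e["user"]] and e["src"] not in seen_sources[e["user"]]:
            reasons.append(f"new source {e['src']}")
        seen_sources[e["user"]].add(e["src"])
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), "; ".join(reasons)))
    return alerts


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {user: largest burst} for users with >= threshold failed logins
    inside any sliding window of the given length."""
    failures = defaultdict(list)
    for e in _parse(events):
        if e["action"] == "login" and e["outcome"] == "failure":
            failures[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def large_transfers(events, limit_bytes=1_000_000_000):
    """Return (user, action, bytes, dest) for uploads/downloads >= limit_bytes."""
    return [(e["user"], e["action"], e["bytes"], e.get("dest"))
            for e in _parse(events)
            if e["action"] in ("upload", "download") and e.get("bytes", 0) >= limit_bytes]


def run_indicators(events):
    """Run every check and return the alerts grouped by indicator name."""
    return {
        "unusual_logins": unusual_logins(events),
        "failed_login_bursts": failed_login_bursts(events),
        "large_transfers": large_transfers(events),
    }


if __name__ == "__main__":
    for name, alerts in run_indicators(EVENTS).items():
        print(name, alerts)
```

Each check returns structured records rather than printing, so the same functions can feed a SIEM alert, a ticket, or a review queue; in practice the baseline for the "new source" check would be learned over a longer history than the handful of events shown here.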

Related content: Read our guide to insider threat indicators (coming soon)

Insider Threat Management and Prevention

Deterrence

Deterrence involves making sure you have strong encryption in place, robust access controls, and frequent and consistent alerting to discourage and deter insider threats. Insiders who know that information and systems are well protected and monitored will be less inclined to carry out attacks.

Detection of Insider Threats

Detection involves actively overseeing what users are doing and gaining visibility into suspicious network-connected behaviors. You can achieve this with a combination of network detection and security analytics technology. User and Entity Behavior Analytics (UEBA) is commonly used to identify anomalous behavior that might indicate insider threats.

Analysis and Post Breach Forensics

Post-breach forensic analysis is a key component of responding to insider breaches and preventing future ones. If an attack does take place, you have to handle it effectively. Handling the attack involves examining what happened in the environment and viewing and analyzing what is still taking place in real time.

Insider Threat Program

Any organization should have an insider threat program. The nature of your organization will determine the type of technologies you need and the number of individuals needed to carry out the program. The organization must decide what level of observation is required to meet its aims.

Once the leadership group decides, create a steering committee that includes HR, legal, IT, and any other relevant departments. This committee creates the structure, develops the plan, and defines the budget and required technologies.

Education is also a critical part of an insider threat program. Educate your employees about the approach, promote awareness and develop the culture. Employees should know what to look out for and how to report suspicious behavior.

Related content: Read our guide to insider threat management (coming soon)

Implementing an Insider Threat Program

Here are a few best practices that can help you implement a successful insider threat program.

Interpret Event Data with a SIEM Solution

You can use a security information and event management (SIEM) solution to normalize, aggregate, and interpret the extensive data feeds produced by your cybersecurity monitoring solutions. It is critical to ensure that all resources (applications, networks, storage, etc.) are connected to the SIEM, so that you can connect the dots as insiders move across various company resources.

SIEMs can identify invalid login attempts, modifications to system values and user profiles, modified or deleted objects, and intrusion attempts. The solution can filter out the general ‘noise’ within the data, detecting abnormal events and alerting on important issues. Your team can then assess the incidents and react quickly.

Related content: Read our guide to insider threat solutions

Restrict Access with Privileged Access Management (PAM)

Implementing an in-depth approach to user privileges and access rights will pay off immensely in the long run. Most employees only need access to a small number of network applications and locations. Even these categories should be organized and updated according to an individual’s role and job-specific requirement changes.

Generally speaking, users should only be given permanent access to exactly what they need to carry out their daily jobs (while avoiding making work processes too cumbersome). To achieve this, you will need a privileged access management solution that allows you to temporarily elevate privileges for special tasks or requirements. PAM solutions help you implement the principle of least privilege: you assign the lowest level of privileges needed to safeguard against exposure, and elevate privileges only temporarily, as needed.
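The least-privilege model described above (a small standing permission set per role, plus time-limited elevation for special tasks) is easier to reason about when written down. The following Python is an added example for this article, not code from the page or from Pathlock or any PAM product. It models a broker that answers "is this user allowed to do X right now?" from standing role permissions plus unexpired grants, requires an approver other than the requester and a justification before granting elevation, and revokes grants when their TTL lapses, writing every decision to an audit trail. The role table, user names, approver set, and TTL values are all constructed for the demonstration.

```python
"""Just-in-time privilege elevation with expiry and separation of duties.

Added illustration, not code from the article or from any PAM product.
Assumptions: each user has one role with a fixed standing permission set;
elevation must be approved by a designated approver other than the requester
and carry a justification; every grant has a TTL and is revoked when it
lapses; every decision is appended to an audit trail.
"""
from datetime import datetime, timedelta

# Constructed role -> standing (permanent) permissions, kept deliberately small.
STANDING_PERMISSIONS = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "dba": {"db:read", "db:write"},
    "manager": {"reports:read"},
}


class Clock:
    """Controllable time source so expiry can be exercised deterministically."""

    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, delta):
        self.now += delta


class PrivilegeBroker:
    def __init__(self, users, approvers, clock):
        self.users = users              # user -> role (constructed)
        self.approvers = set(approvers)  # users allowed to approve elevation
        self.clock = clock
        self.grants = {}                # (user, permission) -> expiry datetime
        self.audit = []                 # (time, event, user, permission, detail)

    def _log(self, event, user, permission, detail=""):
        self.audit.append((self.clock(), event, user, permission, detail))

    def effective_permissions(self, user):
        """Standing permissions of the user's role plus unexpired elevations."""
        now = self.clock()
        perms = set(STANDING_PERMISSIONS.get(self.users.get(user), ()))
        for (u, perm), expiry in self.grants.items():
            if u == user and expiry > now:
                perms.add(perm)
        return perms

    def is_allowed(self, user, permission):
        return permission in self.effective_permissions(user)

    def request_elevation(self, user, permission, approver, ttl, justification):
        """Grant a temporary permission. Returns True on grant, False on denial;
        the reason for a denial is recorded in the audit trail."""
        if user not in self.users:
            self._log("denied", user, permission, "unknown user")
            return False
        if approver == user:
            self._log("denied", user, permission, "self-approval not permitted")
            return False
        if approver not in self.approvers:
            self._log("denied", user, permission, f"{approver} is not an approver")
            return False
        if not justification.strip():
            self._log("denied", user, permission, "missing justification")
            return False
        expiry = self.clock() + ttl
        self.grants[(user, permission)] = expiry
        self._log("granted", user, permission,
                  f"by {approver} until {expiry.isoformat()}: {justification}")
        return True

    def revoke_expired(self):
        """Drop lapsed grants; returns how many were revoked."""
        now = self.clock()
        expired = [key for key, expiry in self.grants.items() if expiry <= now]
        for user, perm in expired:
            del self.grants[(user, perm)]
            self._log("revoked", user, perm, "ttl expired")
        return len(expired)


if __name__ == "__main__":
    clock = Clock(datetime(2022, 1, 21, 9, 0))
    broker = PrivilegeBroker({"alice": "engineer", "mia": "manager"}, approvers={"mia"}, clock=clock)
    broker.request_elevation("alice", "db:write", approver="mia",
                             ttl=timedelta(minutes=30), justification="hotfix, ticket placeholder")
    print(broker.is_allowed("alice", "db:write"))
    clock.advance(timedelta(minutes=30))
    print(broker.is_allowed("alice", "db:write"), broker.revoke_expired())
```

Two design choices matter here: `is_allowed` checks expiry at query time, so a lapsed grant stops working even before `revoke_expired` runs (which a scheduled job would do for housekeeping), and every denial is logged with its reason, which is exactly the record an investigator wants when reviewing the "escalated privileges" indicator from earlier in the article.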

Maintain Vigilance

Malicious insider threats are a reality for any organization. Therefore, you must remain vigilant about what’s happening throughout your network—track unusual behavior, investigate abnormal behavior, and react to tips about an employee’s unusual behavior.

You must put the appropriate cybersecurity processes and tools in place to help you monitor your environment and improve your security posture. However, possibly the most important part of insider threat prevention is to trust your intuition as a security expert, letting it guide you when something doesn’t feel right.

Related content: Read our guide to insider threat program (coming soon)

Insider Threat Management with Pathlock

Pathlock Control is a comprehensive insider threat management solution that can detect, automatically react to, and proactively prevent insider threats within your most critical business applications. It seamlessly integrates with more than 140 systems including SAP, Oracle, and Workday to monitor all user activity and stop any unauthorized attempts to access, modify, or delete sensitive data.

Critical business applications are often overlooked aspects of the enterprise application infrastructure. Over 77% of financial transactions touch an SAP system, which drives incredible costs for downtime. Downtime in an SAP system can cost over $1,000,000 per hour, and insider threat and sabotage can be a major driver of application outages.

Pathlock utilizes deep User and Entity Behavior Analytics (UEBA) to proactively detect potential insider threats. These algorithms, trained on real-life behavior patterns, can identify suspicious activity that, while not posing any immediate threats, might have detrimental consequences in the future. Whenever an incident like this escalates, Pathlock immediately revokes all permissions from the bad actor until the security team steps in for a review.
