5 Insider Threat Indicators and How to Detect Them
Pathlock
November 10, 2021

What Are Insider Threat Indicators?

An insider threat is an employee, business partner, or third party otherwise affiliated with an organization who abuses their privileges to cause damage to the organization. Insider threats can target the confidentiality of sensitive data (as in data exfiltration) or harm the integrity or availability of the organization’s information systems (as in sabotage).

Insider threat is a severe and growing threat in organizations of all sizes. There are clear warning signs of an insider threat, such as unusual login behavior, unauthorized access to applications, abnormal employee behavior, and privilege escalation. Your organization must implement an insider threat program to identify these insider threat indicators and respond before a malicious insider can carry out an attack.

Related content: Read our comprehensive guide on creating an insider threat detection program

In this article:

  • Potential Motives of Internal Attackers
    • What Are Insider Threat Risk Characteristics?
  • What Are Some Potential Insider Threat Indicators
    • Unusual Login Behavior
    • Unauthorized Use of Applications (or Repeated Attempts)
    • Privilege Escalation
    • Excessive Downloads
    • Anomalous Employee Behavior
  • Insider Threat Detection
  • Insider Threat Protection with Pathlock

Potential Motives of Internal Attackers

Insider threats are often classified by their motives. The motives that drive insiders to do harm to a company can include:

  • Revenge—insiders who feel they were done wrong by the organization may attempt to breach its systems and do as much damage as possible. 
  • Espionage—in large or high profile organizations, individuals may be contacted by competitors or hostile nation states, and recruited as agents to conduct espionage. 
  • Profit—in many cases, a malicious insider is motivated by a financial opportunity. They may attempt to directly steal from the organization, exfiltrate data that may have monetary value, or deploy malware in exchange for a ransom.
  • Negligence—while not exactly a motive, many insider threats are caused by employees failing to comply with security policies or performing accidental actions that can open a door for threats.
  • Compromised accounts—in many cases, insider threats are not the employees themselves, but attackers impersonating the employee via a compromised user account.

What Are Insider Threat Risk Characteristics?

The National Cybersecurity and Communications Integration Center (NCCIC) built a model with five characteristics that can explain an insider’s motivation to attack the organization they are part of. 

An insider who possesses one or more of these characteristics is more likely to become an insider threat:

  1. Deterrence theory—insiders can attack if the potential benefits will outweigh the expected costs.
  2. Social bonds—insiders can attack if they have weak bonds with others at the organization.
  3. Social learning—insiders can attack if they have friends or associates with criminal or antisocial behavior, and they learn and internalize this behavior.
  4. Planned behavior—insiders can attack if they have a favorable attitude towards crime, and insufficient norms or self-control to restrict unwanted behavior. 
  5. Situational prevention—insiders can attack if they have both internal motives, and they see an opportunity for an attack to succeed in their current situation.

Top 5 Insider Threat Indicators

The following suspicious behaviors may indicate that a potential malicious insider threat is operating within your organization.

Unusual Login Behavior

Standard user logins usually occur in patterns that repeat on a daily basis. Any login that deviates from the baseline pattern may indicate an insider threat is trying to hack into your systems. Here are several examples:

  • Login attempts from remote locations (usually unusual ones), or from unusual or unrecognized devices
  • Login attempts that occur during odd hours (after working hours, on the weekends or holidays)
  • Login attempts that seem to require impossible travel (e.g., a user logs in from New York, then 1 hour later logs in from Singapore from the same account)
  • Authentication logs that start filling up with a huge number of unexplained failed “admin” or “test” username attempts

In general, you should investigate any user behavior that seems to deviate from the standard, and ensure there is an explanation for any unexpected behavior.
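
The checks listed above can be expressed as simple rules over authentication events. The following is an added example, not code from Pathlock; the event layout, thresholds, and working hours are assumptions, timestamps are assumed to be in the organization's local time, and the sample events are constructed.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample events: (user, local timestamp, latitude, longitude, success)
EVENTS = [
    ("alice", "2021-11-08T14:00:00", 40.71, -74.01, True),   # New York, Monday
    ("alice", "2021-11-08T15:00:00", 1.35, 103.82, True),    # Singapore, 1 hour later
    ("bob",   "2021-11-13T03:10:00", 40.71, -74.01, True),   # Saturday, 03:10
    ("admin", "2021-11-09T10:00:01", 40.71, -74.01, False),
    ("admin", "2021-11-09T10:00:02", 40.71, -74.01, False),
    ("test",  "2021-11-09T10:00:03", 40.71, -74.01, False),
]

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def find_login_anomalies(events, max_kmh=900, work_hours=(7, 19), fail_limit=3,
                         generic_names=("admin", "test")):
    """Return (rule, user, detail) tuples for odd hours, impossible travel, generic failures."""
    findings, last_ok, generic_failures = [], {}, 0
    for user, ts, lat, lon, ok in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if not ok:
            if user in generic_names:          # failed "admin"/"test" attempts
                generic_failures += 1
            continue
        if when.weekday() >= 5 or not work_hours[0] <= when.hour < work_hours[1]:
            findings.append(("odd_hours", user, ts))
        if user in last_ok:                    # compare with previous successful login
            prev, plat, plon = last_ok[user]
            hours = max((when - prev).total_seconds() / 3600, 1 / 3600)
            dist = km_between(plat, plon, lat, lon)
            if dist > 100 and dist / hours > max_kmh:   # faster than an airliner
                findings.append(("impossible_travel", user, ts))
        last_ok[user] = (when, lat, lon)
    if generic_failures >= fail_limit:
        findings.append(("generic_account_failures", "admin/test", generic_failures))
    return findings

if __name__ == "__main__":
    for finding in find_login_anomalies(EVENTS):
        print(finding)
```

Each finding is a starting point for investigation: VPN egress points and shared devices commonly explain location changes, so the 100 km floor and speed limit should be tuned to your environment.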

Unauthorized Use of Applications (or Repeated Attempts)

The majority of organizations utilize a large number of mission-critical systems, including customer relationship management (CRM) systems, enterprise resource planning (ERP) systems, financial management applications, and more. 

To ensure security and visibility, most companies employ a least privileged access methodology. Often, this means understanding which users require access and defining strict roles to grant access only to necessary resources. Then, when unauthorized access and usage attempts occur, you can spot these incidents and prevent them before a breach occurs.

Privilege Escalation

High levels of system access provide users with access to sensitive information that must remain contained within the organization. However, a trusted individual with administrative rights can grant privileges to other users. If you see an increase in the number of users with this type of escalated access, this may indicate that they are moving unencumbered across your servers, looking for data to sell on the dark web. 
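
One way to watch for this growth is to replay role-change audit events against a snapshot of privileged accounts. This is an added example, not Pathlock's implementation; the role names, account names, event layout, and the per-administrator grant limit are all assumptions, and the data is constructed.

```python
from collections import defaultdict

PRIVILEGED_ROLES = {"admin", "db_owner"}   # assumed role names
# Constructed snapshot at the start of the review window: account -> privileged roles
BASELINE = {"root_ops": {"admin"}, "dba_kim": {"admin", "db_owner"}}
# Constructed audit events inside the window: (actor, action, target, role)
AUDIT = [
    ("root_ops", "grant",  "svc_backup", "admin"),
    ("dba_kim",  "grant",  "j.doe",      "db_owner"),
    ("dba_kim",  "grant",  "m.lee",      "admin"),
    ("dba_kim",  "grant",  "t.ng",       "admin"),
    ("root_ops", "revoke", "svc_backup", "admin"),     # temporary access, removed
    ("j.doe",    "grant",  "j.doe",      "admin"),     # account raises its own rights
    ("dba_kim",  "grant",  "p.roy",      "reader"),    # not a privileged role
]

def review_privilege_growth(baseline, events, max_grants_per_actor=2):
    """Summarize how the set of privileged accounts changed during the window."""
    held = defaultdict(set, {acct: set(roles) for acct, roles in baseline.items()})
    granted_by = defaultdict(set)   # actor -> accounts they gave a privileged role
    self_grants = []
    for actor, action, target, role in events:
        if role not in PRIVILEGED_ROLES:
            continue
        if action == "grant":
            held[target].add(role)
            granted_by[actor].add(target)
            if actor == target:
                self_grants.append(target)
        elif action == "revoke":
            held[target].discard(role)
    now = {acct for acct, roles in held.items() if roles}
    return {
        "before": len(baseline),
        "after": len(now),
        "new_privileged": sorted(now - set(baseline)),
        "heavy_grantors": sorted(actor for actor, targets in granted_by.items()
                                 if len(targets) > max_grants_per_actor),
        "self_grants": self_grants,
    }

if __name__ == "__main__":
    print(review_privilege_growth(BASELINE, AUDIT))
```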

Excessive Downloads

The majority of organizations can assess their cloud infrastructure or on-premises network and determine a data downloading pattern as well as their standard bandwidth usage. You can create a baseline for each department. 

For example, you may find that your HR saves large payroll or employee data files on a regular basis, and that your sales team often downloads large marketing files. All of these constitute normal behavior. However, if you see a sudden peak in data downloads that cannot be explained by any of the baselines, this might indicate that an insider threat is operating within your network. 
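
The per-department baseline described above can be approximated with a robust statistic such as the median and median absolute deviation (MAD). This is an added example, not Pathlock's or any UEBA product's method; the department names, volumes, and threshold are constructed assumptions.

```python
from statistics import median

# Constructed history: department -> daily download volume in MB (oldest first)
HISTORY = {
    "hr":    [820, 790, 805, 840, 810, 795, 830],          # regular payroll files
    "sales": [2100, 1950, 2300, 2050, 2200, 2150, 1980],   # large marketing files
    "eng":   [400, 420, 390, 410, 405, 415, 395],
}
# Constructed volumes for the day under review
TODAY = {"hr": 835, "sales": 2250, "eng": 3900, "legal": 50}

def baseline(values):
    """Return (median, spread) as a robust baseline for one department."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    # 1.4826 scales MAD to a standard deviation for normal data;
    # the 5% floor keeps a very steady history from producing a zero spread.
    return med, max(1.4826 * mad, 0.05 * med)

def download_spikes(history, today, threshold=4.0, min_days=5):
    """Map department -> deviation score for volumes far above that department's baseline."""
    spikes = {}
    for dept, volume in today.items():
        past = history.get(dept, [])
        if len(past) < min_days:
            spikes[dept] = "no_baseline"    # cannot judge yet; review manually
            continue
        med, spread = baseline(past)
        score = (volume - med) / spread
        if score > threshold:
            spikes[dept] = round(score, 1)
    return spikes

if __name__ == "__main__":
    print(download_spikes(HISTORY, TODAY))
```

In this sample the HR and sales volumes are large in absolute terms but sit within their own baselines, so only the engineering spike is scored, while the department without history is reported separately.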

Anomalous Employee Behavior

Unusual employee behavior can serve as a key insider threat indicator. Here is what to watch out for as a leading indicator for an insider threat event:

  • An employee who normally gets along with other employees starts behaving differently
  • Unexplained poor performance and disinterest in work
  • Disagreements with superiors or coworkers over policies
  • Unexplained financial gain or financial distress
  • Unexpected resignation

Insider Threat Detection

Insider threat detection often requires the combined efforts of both technological and human resources. Here is what your insider threat detection strategy may look like.

The human element

Employees usually gain a good understanding of each other’s behavior. They are positioned to gain awareness of and insight into stressors, behaviors, and predispositions of any insider possibly considering malicious acts. Here are key aspects that can help you while observing human behavior:

  • Consider their point of view—individuals have their own points of view and modes of behavior. When listening, try to understand the employee’s point of view, and do not assume that they will behave like you would in a given situation. For example, you may ask for help when you need it, but they might not be inclined to do so.
  • Keep an eye on their body language—people may disclose their true intentions through non-verbal communication. Observe their body language to determine what they are not saying.

The technological element

User and entity behavior analytics (UEBA) systems are designed to monitor the behavior of users. A user may be an employee, a vendor, a contractor, or any staff member with access to company IT assets. An IT asset may be a server, application, account or proprietary data. 

UEBA processes information to assess a specific activity or behavior that may result in a cyber attack. These systems do not just track devices and events. UEBA systems powered by machine learning can create a baseline of standard user behavior and then monitor insider threat indicators. 

Related content: Read our guide to insider threat solutions

Insider Threat Protection with Pathlock

Pathlock provides a robust, cross-application solution for identifying and preventing insider threats. Security, IT, and application teams can rest assured that Pathlock is providing complete protection across their enterprise application landscape.

With Pathlock, customers can enjoy a complete solution to insider threat management that can monitor user activity to prevent risk before it happens:

  • Integration with 140+ applications, with a “rosetta stone” that maps user behavior, permissions, and business processes across disparate systems
  • Intelligent risk scoring, showing users’ aggregate risk profile across all of their business system access
  • Transactional control monitoring, to focus time and attention on key violations specifically, applying effort towards the largest concentrations of risk
  • Automated, compliant provisioning into business applications, to enforce least privileged access and remove inherent access risk
  • Streamlined, intelligent User Access Reviews that highlight unnecessary or unused privileges for removal or inspection
  • Compliant workflows to drive risk mitigation and contain suspicious users before they inflict harm, including integration to SIEM platforms like Splunk, QRadar, and LogRhythm

Interested to find out more about how Pathlock is changing the future of insider threat management?  Request a demo to explore the leading solution for enforcing compliance and reducing risk.