What Is an Insider Threat?
The term “insider threat” refers to the possibility that an insider will use their understanding of an organization, or the credentials it has issued them, to harm that organization. An insider threat may stem from malicious intent, complacency, or an unintentional act, and it can affect the confidentiality, integrity, and availability of the organization’s assets, including its data, facilities, and personnel.
Beyond this generic definition, the Cybersecurity and Infrastructure Security Agency (CISA) defines an insider threat as the potential for an insider to use their authorized access, wittingly or unwittingly, to do harm to a department’s mission, resources, personnel, facilities, information, equipment, networks, or systems.
5 Insider Threat Attack Examples
Here are some real-world examples of insider attacks on prominent companies.
Trend Micro: Employee Sold Sensitive Data
While working for the company, a Trend Micro employee gained unauthorized access to a consumer database used for customer support. The database exposed records for about 68,000 customers, including names, support ticket numbers, telephone numbers, and email addresses.
The employee sold this information to a third party, who used it to run scam phone calls in which the callers impersonated Trend Micro support staff. Trend Micro only learned of the scam once customers began complaining. In the end, law enforcement was brought in, the employee’s account was disabled, and the employee was dismissed.
General Electric: Trade Secret Conspiracy
Two General Electric (GE) employees, who had access to the company’s proprietary computer models used for turbine calibration, stole the models, as well as business plans and pricing information.
They downloaded thousands of files from GE servers, emailed them to personal accounts, and uploaded them to cloud services. One of the employees also persuaded an administrator to grant him additional access to sensitive data. None of this activity triggered a security alert on GE’s systems.
Using this IP, one of the employees started a company offering a turbine calibration service in competition with GE, and GE initially lost several deals to it. When GE discovered that a former employee was involved, it contacted the FBI. After years of investigation, in 2020 the two insiders were sentenced to prison and ordered to pay $1.4 million in restitution to their former employer.
Twitter: Work-From-Home Employees Fall Victim to Vishing
In July 2020, a group of attackers gathered intelligence on Twitter employees working from home. The attackers called them, pretending to be Twitter IT staff, in an attack known as “vishing” (voice phishing). They persuaded some employees to hand over their account credentials, and used them to log in to Twitter’s internal admin tools.
The attackers targeted 130 high-profile Twitter accounts, including those of Barack Obama, Joe Biden, and Kanye West, and reset the passwords on dozens of them in order to post a Bitcoin scam. The attack was widely publicized and Twitter’s share price fell by about 4% in after-hours trading.
Microsoft: Database Leaked Due to Employee Negligence
In late 2019, a Microsoft database containing 250 million customer support records was found exposed on the Internet, where it had been publicly accessible for roughly a month. The records included sensitive data such as customers’ email addresses, IP addresses, and geolocation, along with their support correspondence.
Microsoft had security rules in place, but a change to the database’s network security configuration in early December 2019 was made incorrectly, leaving the server reachable without a password, let alone two-factor authentication. Nothing detected the exposure automatically; it was discovered by outside researchers.
Because the exposure was remediated quickly once reported, Microsoft suffered no damages and incurred no fines or penalties. However, the California Consumer Privacy Act (CCPA) went into effect only days later; under the CCPA, the same incident could have exposed Microsoft to fines running into millions of dollars.
Stradis Healthcare: Revenge-Motivated Ex-VP
In early March 2020, during the first weeks of COVID-19, a VP of Finance at Stradis Healthcare was dismissed. He had a history of abusing internal applications and had been disciplined several times. It may come as no surprise, then, that three days after receiving his final paycheck he logged back into the company’s network.
To regain access, the former VP used a fake user account he had created while still employed. He used that account to grant himself administrator rights and then began sabotaging shipments of personal protective equipment (PPE). By the end of March he had edited roughly 115,000 records and deleted about 2,400.
This revenge-motivated insider attack caused significant delays in the delivery of medical equipment to healthcare providers, disrupting their ability to respond during the crucial first months of the pandemic.
How to Protect Against an Insider Attack: 5 Best Practices
Here are several practices that can help you reduce insider threat risks:
- Identify and protect critical assets—these include physical or logical assets, such as systems, facilities, people, and technology, as well as intellectual property, customer data, proprietary software, internal manufacturing processes, and schematics. Assess your critical assets to gain comprehensive understanding, so you can learn which assets to prioritize and how to best defend them.
- Enforce policies—create clearly defined organizational policies that can help you enforce company standards and prevent misunderstandings. All company stakeholders should become familiar with security procedures as well as gain a better understanding of their rights in relation to intellectual property (IP). This can help ensure they do not share any privileged content they have created.
- Increase visibility—use analytics tools (such as a SIEM) to track employee actions and correlate data from multiple sources. Furthermore, many companies use deception technology to lure an imposter or malicious insider in order to observe their actions.
- Promote culture changes—you can prevent negligence and address certain drivers of malicious behavior by educating your employees on security risks and practices in addition to working towards improving overall employee satisfaction.
- Leverage insider threat protection—several technology solutions are available that can help detect and respond to insider threats. Many of these tools are based on behavioral profiling, which can identify anomalous behavior carried out by trusted user accounts.
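The “increase visibility” and “behavioral profiling” practices above come down to one mechanism: compare each trusted account’s current activity against its own history, and join activity data with HR data so that a leaver who is still active stands out. The following is an added example written for this article, not code from the original page or from any Pathlock product. It runs a per-user baseline (median and median absolute deviation of daily counts) over a constructed audit log and a constructed HR termination feed; the user names, dates, counts and the threshold of 5 deviations are all assumptions chosen to mirror the GE bulk-download and Stradis post-termination cases described earlier.

```python
"""Baseline-based insider activity detection over constructed audit logs.

Added example for this article; the log lines, users and thresholds are
constructed and are not taken from any real incident or product.
"""
from collections import defaultdict
from datetime import date
import statistics

# Constructed audit log: (day, user, action, count). Actions are
# "download" (files pulled from a file server), "edit" and "delete"
# (records changed in a business application). Ten quiet baseline days.
BASELINE_DAYS = [date(2020, 3, d) for d in range(1, 11)]
BASELINE_END = date(2020, 3, 11)  # baselines use days strictly before this

AUDIT_LOG = []
for i, day in enumerate(BASELINE_DAYS):
    AUDIT_LOG.append((day, "engineer", "download", 3 + i % 4))      # 3..6 files
    AUDIT_LOG.append((day, "analyst", "edit", 40 + (i * 7) % 20))   # 40..59 edits
    AUDIT_LOG.append((day, "ex_vp", "edit", 10 + i % 3))            # 10..12 edits
AUDIT_LOG += [
    (date(2020, 3, 12), "engineer", "download", 2400),  # bulk pull of files
    (date(2020, 3, 12), "analyst", "edit", 52),         # normal day
    (date(2020, 3, 13), "ex_vp", "edit", 115000),       # after termination
    (date(2020, 3, 13), "ex_vp", "delete", 2400),       # after termination
]

# Constructed HR leaver feed: user -> last day of employment.
TERMINATIONS = {"ex_vp": date(2020, 3, 10)}


def daily_totals(log):
    """Aggregate event counts per (user, action, day)."""
    totals = defaultdict(int)
    for day, user, action, count in log:
        totals[(user, action, day)] += count
    return totals


def build_baselines(totals, baseline_end):
    """Median and MAD of daily counts per (user, action) from days before baseline_end.

    MAD is floored at 1.0 so a perfectly flat history does not divide by zero.
    """
    series = defaultdict(list)
    for (user, action, day), n in totals.items():
        if day < baseline_end:
            series[(user, action)].append(n)
    baselines = {}
    for key, values in series.items():
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values) or 1.0
        baselines[key] = (med, mad)
    return baselines


def detect(log, terminations, baseline_end, threshold=5.0):
    """Return alerts as (kind, user, action, day, count), ordered by day.

    kind is "post_termination" for any activity after the user's last day,
    or "volume_anomaly" when a day's count exceeds the user's own baseline
    by more than `threshold` MADs. Users or actions with no history score
    against a zero baseline, so a first-ever bulk delete is still flagged.
    """
    totals = daily_totals(log)
    baselines = build_baselines(totals, baseline_end)
    alerts = []
    for (user, action, day), n in sorted(totals.items(), key=lambda kv: kv[0][2]):
        last_day = terminations.get(user)
        if last_day is not None and day > last_day:
            alerts.append(("post_termination", user, action, day, n))
            continue
        if day < baseline_end:
            continue  # baseline period itself is not scored
        med, mad = baselines.get((user, action), (0, 1.0))
        if (n - med) / mad > threshold:
            alerts.append(("volume_anomaly", user, action, day, n))
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT_LOG, TERMINATIONS, BASELINE_END):
        print(alert)
```

On the constructed data this flags the engineer’s 2,400-file download day and both post-termination actions by the former VP, while the analyst’s 52 edits (well inside a 40 to 59 history) produce nothing. In a real deployment the tuples would come from SIEM-normalized events and the termination feed from the HR system; the point is that neither the volume check nor the leaver check requires any signature of a known attack, only the account’s own history and a join against HR data.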
Insider Threat Protection with Pathlock
Pathlock provides a robust, cross-application solution to identifying and preventing insider threats. Security, IT, and application teams can rest assured that Pathlock is providing complete protection across their enterprise application landscape.
With Pathlock, customers get a complete insider threat management solution that monitors user activity to address risk before it turns into harm:
- Integration to 140+ applications, with a “rosetta stone” that can map user behavior and business processes across systems
- Intelligent risk scoring, showing users’ aggregate risk profile across all of their business system access
- Transactional control monitoring, to focus time and attention on key violations specifically, applying effort towards the largest concentrations of risk
- Automated, compliant provisioning into business applications, to enforce least privileged access and remove inherent access risk
- Streamlined, intelligent User Access Reviews that highlight unnecessary or unused privileges for removal or inspection
- Compliant workflows to drive risk mitigation and contain suspicious users before they inflict harm
Interested to find out more about how Pathlock is changing the future of insider threat management? Request a demo to explore the leading solution for enforcing compliance and reducing risk.