Malicious Insiders: Detection & 23 Ways to Mitigate the Threat
Pathlock
November 11, 2021

Malicious Insider Definition

A malicious insider, or Turncloak, is an individual who intentionally and maliciously abuses their authorized access. Usually, malicious insiders use their credentials to steal data for personal or financial gain. This could be, for example, a former employee with a grudge against the company, or an employee trying to sell secret information to competitors. 

Insider threats have an advantage over other types of attackers because they are familiar with the vulnerabilities and the security policies and procedures of the organization, and often have elevated access to systems.

In this article:

Types of Malicious Insider Threats

Here are some examples of how malicious insiders can harm an organization.

IT Sabotage 

IT sabotage involves abusing information technology (IT) in order to direct specific harm to an individual or organization, often by bringing down systems or causing system downtime. IT sabotage attacks are performed by technically-savvy employees who know how to hide their malicious actions and how to disable the operations of the organization- typically programmers and system administrators. 

Typically, the motive driving insider threats committing IT sabotage is revenge for some sort of negative work experience or perceived slight from their employer. They often execute these attacks while about to leave the company or shortly after termination.

Data Theft 

Data theft involves stealing sensitive data or intellectual property for monetary or personal gain. Typically, current employees such as engineers, scientists, programmers, and salespeople are involved in data theft. They often attempt to steal data during a two-month window before leaving, but they may also do so after resigning.  Common types of data which are stolen include customer, employee, patient, or financial data.

The majority of these insider threats steal the data they can access during normal work activity, usually with the intention to sell the information, use it for their new job, or to start their own business. A data theft insider may act alone or collaborate with other employees. Data theft also includes corporate espionage, with insiders stealing trade secrets in order to provide a third party with a competitive advantage. 

Insider Fraud 

Insider fraud involves gaining unauthorized access or modifying the data belonging to an organization, to allow for personal financial gain. The motivation for fraud is usually personal gain, identity theft, or credit card fraud. Insider fraud attacks are typically committed by lower-level employees such as administrative assistants, data entry clerks, or customer service specialists, but they can also be committed by executives with elevated, wide ranging access. They are often motivated by greed or financial need. Sometimes, they are hired by outsiders who have a grudge with a targeted company. 

The majority of insider fraudsters perform malicious actions during normal work hours, thought some may work during unusual hours.. They often continue to act maliciously after their financial problems are solved.

Confidential Data Leakage

A fine line separates whistleblowers and malicious insiders who share confidential data with the media. The key to differentiate between the two may be their motivation. Are they earnestly interested in stopping the company from committing unlawful actions or are they motivated by ill will?

7 Common Indicators of Malicious Insiders

The following suspicious occurrences should be monitored, as they are often correlated with a malicious insider threat:

  1. Unusual logins—most user accounts have a repeating login pattern (for example, employees signing in at the start of the work day and signing out at its end). Logins occurring at strange hours, from unusual locations, logins from unknown devices, or failed login attempts, should all raise an alert.
  2. Use of unauthorized applications—each mission critical system should have clearly defined groups of authorized users, and each group should have clearly defined roles with controlled access. Any employee gaining access to unauthorized systems, or unauthorized features or data within a system, should be immediately investigated.
  3. Impossible travel—employees logging in from a location which would be impossible to travel to, given the location of their last login and time from that login.  
  4. Escalated privileges—any individual receiving additional privileges they did not previously have should be a concern, especially if they granted permissions to themselves, and not with the approval of another administrator. In addition, there should be regular audits of employees who have privileges due to previous roles and no longer require them.
  5. Excessive data downloads or uploads—security teams must have a clear idea of typical bandwidth usage of current users. When a user downloads an unusually large volume of files or records, downloads assets at unusual times, or downloads data and subsequently uploads files to an external server or storage service, this is a cause for concern.
  6. Unusual behavior—if an employee who commonly voices disagreement with superiors, is involved in constant arguments with coworkers, suddenly begins performing unusual patterns of activity within their applications, security teams should be alerted and check for other suspicious indicators.
  7. Termination or resignation—any employee leaving the company is at heightened risk of being a malicious insider. When an employee is dismissed or gives notice, security teams should monitor for suspicious activity, and look into past history over the last few months.

Learn more in our detailed guide to insider threat indicators (coming soon)

How to Prevent Malicious Insider Threats

Insider threats are difficult to detect and prevent, because malicious insiders leverage their knowledge of your organization’s structure and business processes, and existing access to corporate systems. Here are security controls you can implement in different parts of your organization to effectively mitigate the threat.

Related content: Read our guide to insider threat solutions which can help you implement many of these controls automatically

Technical Controls

  1. Eliminate removable storage—a common attack vector for malicious insider is exfiltrating data using removable storage. Eliminate or severely restrict its use.
  2. Control BYOD—personal devices such as smartphones should not be allowed to connect to the corporate network, or should be severely restricted.  Personal devices are often a vector for offloading or sharing sensitive information.
  3. Control outbound emails and files—systems should be in place to monitor outgoing emails and block emails with sensitive keywords or unusual attachments. Any transfer of data to external cloud storage should be blocked.
  4. Backups—it is common for malicious insiders to sabotage corporate systems by deleting data. Maintaining regular backups on a remote site can help mitigate this.
  5. Multi-factor authentication—using multiple authentication methods, such as passwords, biometric verification and security tokens, make it more difficult for insiders to gain unauthorized access to systems.

Access Controls

  1. Restrict access—ensure staff only have the access they need for their current job. Critical transactions should be monitored and logged with a full audit trail.
  2. Use unique identities—every member of staff should use a unique identity to login to services, without sharing accounts between users. 
  3. Revoke access when no longer needed—as soon as employees change role or leave the organization, access to systems should be revoked
  4. Change shared passwords—when employees leave, change any shared password in the environment, including wifi passwords, alarm codes, bank account codes, etc.

Auditing and Logging

  1. Investigate logging capabilities—ensure all critical or high-risk systems have adequate logging with a full audit trail.
  2. Assign responsibility for auditing—logs are useless if no-one is watching them. Ensure someone from security or IT is responsible for monitoring logs of all critical systems. Inform staff about audit process and frequency, to deter malicious activity.
  3. Unique identities—just like in access controls, having unique logins for each individual person is critical to effective logging.
  4. Due diligence for software—evaluate existing and new software and cloud services to see they have appropriate controls for important transactions.

Foster a Positive Work Environment

  1. Focus on staff happiness—strive to create a work environment that values employees, provides positive reinforcement, and rewards integrity. Happy employees are more likely to align with the values of your company and less likely to be an insider threat.
  2. Encourage collaboration—when employees work together in teams, there is less room for a “lone wolf” mode of operation which is typical for malicious insiders. Suspicious activity can also be detected earlier by other members of the malicious insider’s team.
  3. Staff welfare—be aware of issues affecting the welfare of staff, such as emotional, financial, or family-related distress. Helping employees in times of trouble can prevent desperate individuals from resorting to illicit activity.

Personnel Integrity Verification

  1. Personnel security—ensure that all employees go through background checks and pre-employment checks. Prepare a dispute process in case details are found to be incorrect. Background check processes can also be outsourced to a specialist firm.
  2. Verify identity—ensure new employees are who they say they are, by requiring official identity documents and ensuring they are authentic.
  3. Ongoing checks—at least once a year, perform a repeat check on employees to see their situation has not changed—for example, that their police record is still clean.
  4. IT staff—pay special attention to IT staff, because they have extensive access to corporate systems and can tamper with logs or audit trails.

Security Awareness Education

  1. Document and train staff on business processes—ensure staff have clearly documented processes, and train them on your risk mitigation processes, why they are important, and the consequences to the business if they are not followed.
  2. Make employees responsible—pass responsibility for cybersecurity to employees. Explain that without their cooperation and vigilance, it is not possible to mitigate cyber threats that can harm the organization.
  3. Continually educate about security best practices—don’t assume employees will remember best practices. Continually refresh practices like strong passwords, keeping passwords secure, locking rooms and devices, and protecting sensitive data.

Insider Threat Protection with Pathlock

Pathlock provides a robust, cross-application solution to identifying and preventing insider threats.  Security, IT, and application teams can rest assured that Pathlock is providing complete protection across their enterprise application landscape. 

With Pathlock, customers can enjoy a complete solution to insider threat management, that can monitor user activity to prevent risk before it happens:

  • Integration to 140+ applications, with a “rosetta stone” that can map user behavior and business processes across systems
  • Intelligent risk scoring, showing users’ aggregate risk provile across all of their business system access
  • Transactional control monitoring, to focus time and attention on key violations specifically, applying effort towards the largest concentrations of risk
  • Automated, compliant provisioning into business applications, to enforce least privileged access and remove inherent access risk
  • Streamlined, intelligent User Access Reviews that highlight unnecessary or unused privileges for removal or inspection
  • Compliant workflows to drive risk mitigation and contain suspicious users before they inflict harm

Interested to find out more about how Pathlock is changing the future of insider threat management?  Request a demo to explore the leading solution for enforcing compliance and reducing risk.