Insider threats, as the name suggests, originate with an organization’s insiders — its current or former employees, business partners, contractors, board members, officers, or third-party service providers — who use legitimate access privileges to endanger the confidentiality, integrity, or availability of the organization’s data.
Insider threats are a confluence of human behaviors, organizational issues, and technological opportunities that intersect with an organization’s default trust of the insider.
There are three broad categories of insider threats — intentional, accidental, and compromised.
Intentional (or malicious) insider threats are instigated by people who deliberately endanger the organization’s data. Their motive is typically personal gain, espionage, or sabotage. They may act as a ‘lone wolf’ or partner with a hacking group or business competitor. Examples of intentional behavior include:
- Planting a logic bomb, Trojan horse, backdoor, or other malware in the organization’s systems.
- Deploying a virus or malware to customer systems.
- Harvesting confidential or proprietary data.
Accidental (or careless) insider threats result when people inadvertently expose sensitive data, including credentials. Often, they are just trying to do their job in the most efficient manner possible. Examples of accidental behavior include:
- Accessing sensitive data through an unsecured WiFi connection or personal email account.
- Using a non-sanctioned SaaS application, such as cloud-based file-sharing applications (e.g., Box, Dropbox, Google Drive), to work on sensitive data while away from the office.
- Transferring data to an unsecured USB-connected device.
Compromised insider threats occur when an outside attacker exploits an authorized insider’s mistake to install malware or to masquerade as that insider, gaining direct access to the organization’s networks, systems, and data under the insider’s legitimate privileges. Examples of compromised behavior include:
- Downloading email attachments infected with malware.
- Replying to a spoofed (phishing) email and supplying their credentials.
- Losing an unlocked or unencrypted laptop or smartphone containing organizational data or credentials.
Methods of Mitigation
Mitigating these threats requires a combination of policies, procedures, security awareness training (positive social engineering), and technologies. Technological options include:
Identity Governance: Ensure appropriate user privileges according to the principle of least privilege, based on functional unit and role. Audit regularly, and on every role change or departure, for excessive, inappropriate, and unused user privileges.
Authentication: Authenticate the device (including BYOD) as well as the user attempting to access organizational data.
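One way to run the privilege audit described above, as an added example that is not part of the original page or of any vendor product: compare each user’s current grants against a per-role template (anything outside the template is excessive) and against a usage log (anything not exercised within a review window is unused). The role templates, grants, usage records and the 90-day window are all constructed for illustration.

```python
"""Entitlement review: flag privileges that exceed the role template or went unused.

Added example, not Imperva's own tooling; role templates, grants and the usage
log below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed role templates: the privileges each role is expected to need.
ROLE_TEMPLATES = {
    "finance": {"ledger:read", "ledger:write", "budget:read"},
    "engineering": {"repo:read", "repo:write", "ci:trigger"},
}

# Constructed current grants, as exported from an IAM or directory system.
GRANTS = {
    "alice": {"role": "finance", "privs": {"ledger:read", "ledger:write", "budget:read"}},
    "bob": {"role": "finance", "privs": {"ledger:read", "budget:read", "repo:write"}},  # repo:write is off-template
    "carol": {"role": "engineering", "privs": {"repo:read", "repo:write", "ci:trigger"}},
}

# Constructed usage log: (user, privilege, ISO 8601 timestamp of a use).
USAGE = [
    ("alice", "ledger:read", "2024-03-01T09:00:00"),
    ("alice", "ledger:write", "2024-03-02T10:00:00"),
    ("bob", "ledger:read", "2024-03-05T11:00:00"),
    ("bob", "repo:write", "2023-11-20T15:00:00"),  # last exercised months ago
    ("carol", "repo:read", "2024-03-06T12:00:00"),
    ("carol", "repo:write", "2024-03-06T12:05:00"),
]


def review_entitlements(grants, templates, usage, as_of, unused_after_days=90):
    """Return {user: {"excessive": set, "unused": set}} of privileges to revoke or justify.

    excessive: granted but absent from the user's role template.
    unused:    granted but not exercised within the last `unused_after_days` days
               (never-used privileges count as unused).
    """
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=unused_after_days)

    # Most recent use per (user, privilege).
    last_used = {}
    for user, priv, ts in usage:
        t = datetime.fromisoformat(ts)
        if (user, priv) not in last_used or t > last_used[(user, priv)]:
            last_used[(user, priv)] = t

    findings = {}
    for user, info in grants.items():
        template = templates.get(info["role"], set())
        excessive = info["privs"] - template
        unused = {
            p for p in info["privs"]
            if last_used.get((user, p), datetime.min) < cutoff
        }
        if excessive or unused:
            findings[user] = {"excessive": excessive, "unused": unused}
    return findings


if __name__ == "__main__":
    for user, f in review_entitlements(GRANTS, ROLE_TEMPLATES, USAGE, "2024-03-08T00:00:00").items():
        print(f"{user}: excessive={sorted(f['excessive'])} unused={sorted(f['unused'])}")
```

A privilege can be both excessive and unused (bob’s `repo:write` here); the excessive finding is the one to act on first, since it is a least-privilege violation regardless of whether it was exercised.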
Behavioral Analysis: Create a behavioral baseline profile or ‘whitelist’ of typical patterns of access to databases, file shares, and cloud-based applications based on functional unit and role; and then spotlight the riskiest users, client hosts, and servers so security teams can prioritize investigation of any anomalies.
Deception: Leverage strategically placed decoy (‘honey’) files that no legitimate workflow touches. Because there is no business reason to write to or rename such a file, any write or rename action on it is a high-fidelity indicator of a compromised user or endpoint (ransomware encrypting a file share, for instance) and can be used to block that user or endpoint.
Detection and Blocking: Provide real-time monitoring and auditing of data usage, including the “who, what, when, where, and how” of the transaction. Review and manage user access rights to sensitive data. Alert and report on any deviations from corporate policy or behavioral baseline profile. Block user access when unusual activity is detected.
Investigation and Response: Use real-time alerts and auditing details to identify trends, patterns, and risks associated with data access. Prioritize open incidents by both severity and specific user, server, or client host. Drill deeper into a specific incident to determine data access and usage, compare with behavioral baseline profile, and then either close the incident or whitelist authorized behavior.
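The behavioral-baseline, deception and prioritization steps above, as an added example that is not part of the original page or of any vendor product: build a per-role baseline (resources touched, hours of day seen) from historical audit events, score new events against it, treat any write or rename on a decoy file as critical, and order the resulting incidents by severity and then by the user generating the most of them. The audit events, role names, paths and severity ladder are all constructed for this illustration.

```python
"""Role-based behavioral baseline + decoy-file detection over audit events.

Added example, not Imperva's product logic. Event records, roles, paths and
the severity ladder are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical audit events used to learn what "normal" looks like.
# Fields: user, role, action, resource, ISO 8601 timestamp, client host.
HISTORY = [
    ("alice", "finance", "read", "/shares/finance/ledger.xlsx", "2024-03-04T09:12:00", "wks-fin-01"),
    ("alice", "finance", "write", "/shares/finance/ledger.xlsx", "2024-03-04T10:40:00", "wks-fin-01"),
    ("bob", "finance", "read", "/shares/finance/budget.xlsx", "2024-03-05T14:05:00", "wks-fin-02"),
    ("carol", "engineering", "read", "/repos/app/src/main.py", "2024-03-04T11:30:00", "wks-eng-07"),
    ("carol", "engineering", "write", "/repos/app/src/main.py", "2024-03-04T16:45:00", "wks-eng-07"),
    ("dave", "engineering", "read", "/repos/app/README.md", "2024-03-06T08:50:00", "wks-eng-03"),
]

# Decoy ("honey") files: no legitimate workflow ever writes to or renames these.
DECOY_FILES = {"/shares/finance/Passwords_2024.xlsx", "/repos/app/aws_keys.txt"}

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}


def build_baseline(history):
    """Learn, per role, the set of resources touched and the hours of day seen."""
    baseline = defaultdict(lambda: {"resources": set(), "hours": set()})
    for _user, role, _action, resource, ts, _host in history:
        baseline[role]["resources"].add(resource)
        baseline[role]["hours"].add(datetime.fromisoformat(ts).hour)
    return baseline


def score_event(event, baseline, decoys=DECOY_FILES):
    """Return (severity, reason), or None when the event fits the role baseline."""
    user, role, action, resource, ts, host = event
    hour = datetime.fromisoformat(ts).hour
    # Decoy hit: treated as a compromised account or endpoint, block-worthy.
    if resource in decoys and action in ("write", "rename"):
        return ("critical", f"{action} on decoy file {resource} from {host}")
    profile = baseline.get(role)
    if profile is None:
        return ("high", f"role {role!r} has no behavioral baseline")
    if resource not in profile["resources"]:
        return ("high", f"{resource} is outside the {role} baseline")
    if hour not in profile["hours"]:
        return ("medium", f"access at {hour:02d}:00 is outside the {role} working-hours baseline")
    return None


def triage(events, baseline, decoys=DECOY_FILES):
    """Score a batch of events; return open incidents, highest severity first,
    ties broken so that the user with the most incidents is reviewed together."""
    incidents = []
    for ev in events:
        result = score_event(ev, baseline, decoys)
        if result:
            severity, reason = result
            incidents.append({"user": ev[0], "host": ev[5], "severity": severity, "reason": reason})
    per_user = defaultdict(int)
    for inc in incidents:
        per_user[inc["user"]] += 1
    incidents.sort(key=lambda i: (-SEVERITY_RANK[i["severity"]], -per_user[i["user"]], i["user"]))
    return incidents


# Constructed "live" events to triage against the learned baseline.
LIVE = [
    ("alice", "finance", "read", "/shares/finance/ledger.xlsx", "2024-03-07T09:30:00", "wks-fin-01"),  # normal
    ("bob", "finance", "read", "/repos/app/src/main.py", "2024-03-07T13:00:00", "wks-fin-02"),        # off-role resource
    ("carol", "engineering", "read", "/repos/app/src/main.py", "2024-03-07T02:15:00", "wks-eng-07"),  # odd hour
    ("carol", "engineering", "rename", "/repos/app/aws_keys.txt", "2024-03-07T02:16:00", "wks-eng-07"),  # decoy touched
]

if __name__ == "__main__":
    for inc in triage(LIVE, build_baseline(HISTORY)):
        print(f"[{inc['severity']:8}] {inc['user']}@{inc['host']}: {inc['reason']}")
```

The decoy rule deliberately ignores the baseline: a rename of a honey file at 02:16 is not merely an odd-hours anomaly to be scored, it is the compromise signal the deception control exists to produce, so it is raised to critical ahead of everything else. The medium- and high-severity findings are the ones an analyst would close or add to the baseline (‘whitelist’) once the access is confirmed as authorized.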
Learn how Imperva solutions can help you mitigate insider threats.