Recognising and combating insider threat

When looking for the insider threat, don't assume you will find a Snowden or Manning in your midst - you may find instead that someone in a trusted position has become an unwitting helper for an outside threat, says Dr Eric Cole

Dr Eric Cole, fellow, SANS

When many people think of an 'insider threat', the notion of an Edward Snowden or a Bradley Manning may spring to mind. Yet having worked with organisations around the world for the last two decades, I have found that Bob in accounting or Jane in logistics are just as likely to be insider threat actors, often unwittingly. The difference between a deliberate insider and a member of staff who has been duped into compromising security (ie an accidental insider) is significant in intent but often leads to the same unfortunate outcome. In many cases the accidental insider is more damaging to an organisation.

Fortunately, malicious insiders are a much smaller group than accidental insiders: employees targeted with social engineering designed to tempt them into doing something that allows an external attacker to breach a security control. The most common method is still an email carrying some form of attachment or link, although users are generally more wary of generic attacks like the infamous "I Love You" malware.

However, attacks that mix seemingly official internal communication and personal information gleaned from social networking websites are still remarkably effective. Another trend that surfaces is that seniority is no guarantee of immunity. In many ways, senior staff are less likely to ask a colleague or seek permission from a manager before clicking on something that seems legitimate.

For these situations, awareness is vital, but practical controls that scan every link and attachment passing through, and seemingly within, the corporate perimeter are essential. The more challenging insider threat is the truly disgruntled or dishonest employee or contractor. Unfortunately, fewer organisations build in controls to mitigate these types of threats. Such processes are often put in place only as a direct result of an incident, like a home-owner buying a burglar alarm after the break-in. Yet simple statistics suggest that within organisations of a certain size there will be a few people likely to harbour criminal intent, and that intent may manifest if there appear to be few controls in place to deter such actions.

Organisations can take some simple steps to mitigate the risk. The most important and effective is to enforce better controls on who has access to which systems and data sets. In many organisations, once access to a system is granted it is very rarely revoked, which is at odds with the rest of society. Passports expire and driving licences expire, yet many organisations fail to regularly reassess access or even to set a time limit on it, which would be a sensible first step.

Data portability is also an issue. The ability to take laptops off site and to copy datasets onto portable devices like USB sticks is inherently riskier, and controls that stop certain assets from travelling by these methods are another valuable precaution. Yet restricting portability means that organisations need to provide safer ways for employees to reach the data they need for productivity, and so remove the need to put sensitive data onto removable media. Denying access and impeding working efficiency leads honest yet resourceful workers to find ways of circumventing controls, and those workarounds bring security risks in the name of just trying to get the job done.

Irrespective of what any vendor says, there isn't a single application, such as encryption or security analytics, that offers a 'fire-and-forget' solution to the risks posed by insider threat. For an IT manager trying to understand and combat the threat, a good starting point is to use the existing content scanning and filtering technologies to look deeper into the attachments and links circulating around the organisation. Another tactic is to implement a hunting programme that actively seeks out potential attacks, or activity that may indicate unsafe staff practices or even malicious intent.

Although budgets are often assigned on a yearly basis, it must be assumed that risks don't follow this neat yearly timetable. This means that assessments, controls and awareness activities must be conducted on a continual basis. Although insider threat is a challenging concern, it is not insurmountable, provided that organisations accept the possibility and are prepared to put effort and resources into limiting its likelihood.

Contributed by Dr Eric Cole, fellow, SANS