Insider Threats Explained

May 17, 2022

An insider threat is a cybersecurity risk that comes from within the organization — usually from a current or former employee or other person who has direct access to the company network, sensitive data and intellectual property (IP), as well as knowledge of business processes, company policies or other information that would help carry out such an attack.

Typically, when an attack is malicious in nature, an insider is financially motivated to lead or take part in such efforts. These attacks usually involve theft of data, IP or trade secrets which can be sold on the dark web, or information gathering on behalf of a hostile third party.

Defining an Insider

An insider can be any individual who has intimate knowledge of the business and how it works. Most commonly, insiders are current or former employees, though contractors, freelance employees, vendors, partners or even service providers could act as an insider if they have access to the organization’s network and systems or knowledge about them.

Why are insider threats difficult to detect?

Today, insider threats, whether malicious or negligent, are difficult to combat and even harder to detect. In fact, the Ponemon Institute estimates that the average time it takes to contain an insider threat incident is 77 days, with average costs for 30 days at $7.12 million USD.

There are two main reasons why it is difficult to detect an insider attack:

  1. Most security tools and solutions are focused on identifying and preventing external threats and are not designed to detect suspicious behavior from legitimate users
  2. Many inside actors are familiar with the organization’s network settings, security policies and procedures and have knowledge of vulnerabilities, gaps or other shortcomings that can be exploited

Given the extraordinary cost of containing insider threats, as well as the reputational harm they may cause, companies should develop a robust insider threat program that is specifically designed to address this critical risk.

Types of Insider Threats

Insider threats generally fall into two main categories:

  1. Malicious insider threat
  2. Negligent insider threat

Malicious Insider Threats

A malicious insider threat is a planned event, usually involving a disgruntled or compromised current or former employee who will target the company either for personal financial gain or as a means of enacting vengeance. These incidents are usually linked to broader criminal or illicit activity, such as fraud, espionage, or data or IP theft. A malicious insider can either work alone or in conjunction with a cybercriminal, cyber terrorist group, foreign government agency or other hostile entity.

Malicious insider threats commonly involve:

  • Sharing, selling, modifying or deleting confidential data or sensitive information
  • Misusing system access or login credentials
  • Altering the IT environment to allow others to enter or dwell undetected

Negligent Insider Threats

A negligent insider threat is one that occurs due to human error, carelessness or manipulation. Since these threats do not involve people acting in bad faith, virtually anyone can serve as a negligent insider if they inadvertently share sensitive data, use weak passwords, lose a device, fail to secure an endpoint or fall victim to a social engineering attack.

Negligent insider incidents are usually part of a larger cyberattack, which may involve malware, ransomware or other attack vectors.

Technical Indicators of Insider Threats

Traditional security applications do not adequately detect malicious insider threats, in part, because they were not designed to do so. In many cases they are calibrated according to rules and thresholds and based on pattern matching. These safeguards can be circumvented by those with intimate knowledge of the company’s security settings, policies and procedures.

A modern insider threat detection system incorporates artificial intelligence (AI) and analytics to establish a baseline of activity for all users and devices by drawing different data from across the enterprise. The most robust solutions use this data to assign customized risk scores for each user and device, which provides additional context to the cybersecurity team as they review alerts within the system. The insider threat detection system will proactively identify anomalous activity which could indicate illicit activity from an insider.

Anomalies may include:

  • Accessing the network, systems and assets at unusual times, which could indicate asset misuse or that a user’s credentials have been compromised
  • Unexpected and unexplained spikes in network traffic, which can be a sign of a user downloading or copying data
  • Requesting access to applications, data or documents that are not required for one’s role
  • Accessing a certain combination of documents or data which, taken together, could indicate nefarious activity
  • Using personal devices, such as laptops, cell phones and USB drives, without approval from IT

In addition to behavior anomalies, organizations can also look for network indicators, which may be the sign of an insider threat or other type of cyberattack. Insider threat indicators may include:

  • The presence of backdoors within the network, which could allow remote access to unauthorized users
  • Hardware or software downloads that were not approved, installed or monitored by IT or the security team, which could put the device at risk
  • Manually disabling security tools and settings

Who is at risk of insider threats?

By definition, any organization with an “insider” can be the victim of an insider threat. Because most cybersecurity tools and solutions are typically focused on threats originating outside the organization and inside actors may be familiar with the company’s security procedures and system vulnerabilities, it can be more difficult to protect the enterprise from an insider threat than other attack types.

In particular, organizations that possess large amounts of customer data, IP or trade secrets can be the prime target for data breaches and theft that originate with an insider threat. At the same time, some insider threats — particularly those who collaborate with external actors — are linked to espionage or other information gathering practices which can be used by nation states, foreign governments, or other third parties to compromise the victim, extort the company or damage its reputation.

Some industries that are more susceptible to insider threats include:

  • Financial services organizations, such as banks, credit unions, credit card issuers and lenders
  • Insurance companies
  • Telecommunications providers
  • Energy and utility providers
  • Manufacturing companies
  • Pharmaceutical companies
  • Healthcare institutions and hospitals
  • Government agencies and high-ranking officials

It is important to note that in addition to the actual cost of a data breach from an insider threat, such an event may also involve fines and other penalties from government agencies or other watchdog groups if the business did not take sufficient steps to protect consumer, employee or patient data.

How to prevent and stop an insider threat?

Because traditional security measures typically do not monitor insider actions, organizations must take special steps to protect themselves from this risk.

Protecting Against Negligent Insider Threats

At the enterprise level, protecting against negligent insider attacks will be similar to protecting against malware, ransomware or other cyber threats. Follow these best practices to help keep your operations secure:

1. Train all employees on cybersecurity best practices.

Employees are on the front line of your security. Make sure they follow good hygiene practices — such as using strong password protection, connecting only to secure Wi-Fi and being on constant lookout for phishing — on all of their devices. Provide comprehensive and regular security awareness training sessions to ensure they understand the evolving threat landscape and are taking the necessary steps to protect themselves and the company from insider threats and other cyber risks.

2. Keep the operating system and other software patched and up to date.

Hackers are constantly looking for holes and backdoors to exploit. By vigilantly updating your systems, you’ll minimize your exposure to known vulnerabilities.

3. Continuously monitor the environment for malicious activity and indicators of attack (IOAs).

Enable an endpoint detection and response (EDR) system to monitor all endpoints, capturing raw events for automatic detection of malicious activity not identified by prevention methods.

4. Integrate threat intelligence into the security strategy.

Monitor systems in real time and keep up with the latest threat intelligence to improve network security and detect an attack quickly, understand how best to respond and prevent it from spreading.

Preventing Malicious Insider Threats

Since CrowdStrike estimates that a full 80% of all breaches use compromised identities, one of the most critical steps organizations can take to protect against malicious insider attacks is to improve identity security.

How Identity Security Can Help Prevent Insider Threats

Identity security is a comprehensive solution that protects all types of identities within the enterprise — human or machine, on-premises or hybrid, regular or privileged — to detect and prevent identity-driven breaches, especially when adversaries, including insiders, manage to bypass endpoint security measures.

Because any account, be it an IT administrator, employee, remote worker, third-party vendor, or even customer, can become privileged and produce a digital attack path for adversaries, organizations must be able to authenticate every identity and authorize each request to maintain security and prevent a wide range of digital threats, including insider threats, ransomware and supply chain attacks.

Key steps to improving identity security include:

1. Secure the Active Directory (AD)

Enable full, real-time visibility into the AD, both on-premises and in the cloud, and identify shadow administrators, stale accounts, shared credentials and other AD attack paths.

Harden AD security and reduce risks by monitoring authentication traffic and user behavior and enforcing robust security policies to proactively detect anomalies.

Enable continuous monitoring for credential weakness, access deviations and password compromises with dynamic risk scores for every user and service account.

2. Extend multifactor authentication (MFA) security

Protect unmanaged endpoints with risk-based conditional access and extend MFA protection to legacy applications and tools using proprietary analytics on user behavior and authentication traffic.

Enforce consistent risk-based policies to automatically block, allow, audit or step up authentication for every identity.

3. Create a baseline of user activity

Centralize user activity and behavior across all relevant data logs, including access, authentication and endpoint.

Leverage this data to create a baseline of activity for each individual user, user group, function, title and device that can help identify unusual or suspicious activity.

Assign a customized risk score to each user and endpoint to provide additional context to the cybersecurity team.

4. Leverage behavior analytics and AI to identify threats

Leverage analytics and AI-enabled tools to monitor behavior for users and devices in real time.

Cross-reference alerts with the risk score to provide additional context into the event and prioritize response efforts.
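The per-user baseline and risk score described in steps 3 and 4, and in the anomaly list under Technical Indicators, can be sketched as follows. This is an added example, not CrowdStrike code: the log format, sample events, score weights and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

def sample_history():
    """Constructed activity log: (user, ISO timestamp, MB transferred)."""
    events = []
    for day in range(1, 11):
        stamp = f"2024-03-{day:02d}"
        events.append(("alice", f"{stamp}T09:15:00", 20 + day % 3))
        events.append(("alice", f"{stamp}T14:40:00", 25 + day % 4))
        # bob runs nightly backups: large late transfers are his normal
        events.append(("bob", f"{stamp}T22:05:00", 300 + 10 * (day % 5)))
    return events

def build_baseline(events):
    """Per-user profile: hours seen active, mean and spread of transfer size."""
    hours, sizes = defaultdict(set), defaultdict(list)
    for user, ts, mb in events:
        hours[user].add(datetime.fromisoformat(ts).hour)
        sizes[user].append(mb)
    return {u: {"hours": hours[u], "mean": mean(sizes[u]),
                "std": pstdev(sizes[u]) or 1.0} for u in sizes}

def risk_score(baseline, event):
    """Score one event against its user's baseline (weights are assumptions)."""
    user, ts, mb = event
    profile = baseline.get(user)
    if profile is None:
        return 60, ["no baseline for this account"]
    score, reasons = 0, []
    hour = datetime.fromisoformat(ts).hour
    # circular distance on a 24h clock to the nearest hour seen in history
    gap = min(min((hour - h) % 24, (h - hour) % 24) for h in profile["hours"])
    if gap > 1:
        score += 40
        reasons.append(f"access at {hour:02d}:00, {gap}h from usual hours")
    z = (mb - profile["mean"]) / profile["std"]
    if z > 3:
        score += 50
        reasons.append(f"transfer of {mb} MB is {z:.0f} std devs above normal")
    return score, reasons

def triage(baseline, events):
    """Return scored events, highest risk first, dropping zero scores."""
    scored = [(risk_score(baseline, e), e) for e in events]
    alerts = [(s, e[0], r) for (s, r), e in scored if s > 0]
    return sorted(alerts, key=lambda a: a[0], reverse=True)
```

A 320 MB transfer at 22:00 scores zero for bob because it matches his history, while a fixed organization-wide threshold would either flag it every night or be set too high to catch the same volume from alice.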

Learn More

MITRE CTID released a report examining threat trends and patterns frequently used by malicious insiders to exfiltrate data, access confidential information and commit fraud. In its report, MITRE CTID incorporated real-world data from the CrowdStrike Security Cloud and CrowdStrike’s expert security analysts. Enterprises use MITRE findings and guidance as an industry-recognized method to gain visibility and mitigate threats. Read: CrowdStrike Partners with MITRE Engenuity Center for Threat-Informed Defense, Reveals Real-world Insider Threat Techniques

Eliminating Insider Threats with the CrowdStrike Falcon® Platform

The CrowdStrike Falcon® platform provides real-time, continuous visibility and security for all users across the organization and their assets. CrowdStrike helps customers establish a comprehensive security strategy, including identity and access management (IAM) integration, Zero Trust principles and AD hygiene unlike any other solution on the market. Our differentiators include: IAM Integration, robust AD security, Zero Trust NIST compliance, risk assessment, and open API-first platform.

For more information on how CrowdStrike helps protect organizations from insider threats, view our recent webinar, Hunting for the Insider Threat or request a demo of our CrowdStrike Falcon® Identity Protection capabilities.