Who’s the Insider Threat ?

Security professionals have long wrestled with properly identifying rogue employees bent on crippling a company. This was once evident in identifying stolen proprietary or classified paper documents for personal or professional gains – or some were just plain focused on outright revenge and destruction. Now ‘everything’ is cyber related, yes everything, and thus cyber security meets with physical security, human resources (HR) and company management teams. This lateral cooperation is a must in properly securing any company. Our Virtual Trust Officer (vTO) program is an example of providing the guidance for businesses to set an integrated security plan.[1]

Most businesses continue to struggle in identifying and detecting early indicators that could suggest an insider is plotting to steal data or carry out other cyberattacks. The Ponemon Institute and cybersecurity company DTEX Systems suggests that over half (50%+) of companies find it impossible or very difficult to prevent insider attacks. Impossible? No. Very Difficult? Yes.

Businesses without a solid integrated security strategy are missing many cyber indicators that show something is wrong. Much of these risks and vulnerabilities rest on a lack of communication and basic understanding of internal security. The cyber clues often missed include unusual amounts of files being opened, attempts to use USB devices, staff purposefully circumventing security controls, masking their online activities, or moving and saving files to unusual locations. All these and more might suggest that a user is planning malicious activity, including the theft of company data.[2] But you have to be looking for clues, in order to stop a threat.

Insider threats can come in several forms, ranging from employees who plan to take confidential data when they leave for another job, to those who are actively working with cyber criminals, potentially even to lay the foundations for a ransomware attack.

In many cases, an insider preparing to carry out a cyber-attack will often follow a set pattern of activities including reconnaissance, circumvention, aggregation, obfuscation and exfiltration; all of which could suggest something is very wrong. If any management member in cyber, physical security, HR or the C-Suite believes something is suspicious, it most likely is and must be investigated. Yet businesses continue to struggle with proper detection of cyber indicators by an employee in each of these stages because of a lack of effective monitoring: plans, controls and cyber practices.

"The vast majority of security threats follow a pattern or sequence of activity leading up to an attack, and insider threats are no exception," said the chairman of Ponemon Institute.

Many security professionals are already familiar with Lockheed Martin's Cyber Kill Chain and the MITRE ATT&CK Framework, both of which describe the various stages of an attack and the tactics utilized by an external adversary, he said. But since human behavior is more nuanced than machine behavior, insider attacks follow a slightly different path and, therefore, require modern approaches to combat.

Just a third of businesses believe they are effective at preventing data from being leaked from the organization. According to shared research, one of the key reasons insider threats are not being detected is because of confusion around who is responsible for controlling and mitigating risks. While 15% of those surveyed suggested that the CIO, CISO or head of the business is responsible, 15% suggested that nobody has ultimate responsibility in this space – meaning that managing and detecting the risks and threats can fall between the cracks.

There are several factors that make detecting cybersecurity risks – including insider threats – difficult. Over half of businesses cite lack of in-house expertise in dealing with threats, while just under half say there's a lack of budget, and the shift to remote working has also made it harder to mitigate cybersecurity risks.

According to Ponemon and DTEX, the best way for companies to improve their ability to detect insider threats is to improve the security posture of the business, as well as designating a clear authority for controlling and mitigating this risk, one that can properly investigate activities that could suggest a potential insider attack.

"Our findings indicate that in order to fully understand any insider incident, visibility into the nuance and sequence of human behavior is pivotal," said the chief customer officer at DTEX Systems. "Organizations need to take a human approach to understanding and detecting insider threats, as human elements are at the heart of these risks," he added.

vTO Program (Virtual Trust Program) - One unhappy employee can ruin your day, your reputation, and cost millions of dollars in losses. Government agencies, companies and organizations of any size are all at risk. Red Sky Alliance has designed a virtual Trust Officer (vTO) Program. Trust in your employees is one of the keys to corporate success. The vTO can perform government designed background checks, interview your employees, perform a variety of sensitive internal cyber investigations, and help set a proactive preventative insider threat program. The program is designed to protect your company, employees and families from insider threats. Often companies have organizational structures which often do not include the Human Resource (HR) functions within the cyber security or physical security operations. These organizational structures promote only “Stovepipe” information flow to the C-Suite level decision making. By doing so, this can deter crucial collaboration to proactively identify potential insider threats. Companies and organizations must be proactive in identifying insider threats focuses on trying to stop negligence in IT operations, or to observe signs of nefarious financial or subversive cyber motivations/actions.

Red Sky Alliance has former law enforcement professionals on staff who can counsel your department directors on how best to address this growing program. If you feel you already have had an incident, please contact us for a confidential briefing. Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings: