How do you identify an attacker who is supposed to be accessing sensitive data as part of their job role? Although they are notoriously difficult to identify there are, nonetheless, tell-tale signs that indicate the presence of a stealthy inside attacker. Matt Lock, Technical Director at Varonis explores the top warning signs – both digital and behavioural – that should serve as a red flag.
Organisations spend vast amounts of money each year on cybersecurity measures and solutions to prevent external threat actors breaking into their networks. But what about the threats from within the business? The 2019 Verizon Data Breach Investigation Report found that around one third (34%) of data breaches involved an insider, whether through malice or negligence. The report is a reminder that organisations can’t ignore what may be hiding in plain sight; the insiders who have access to their most important and sensitive data assets.
Mitigating this threat is notoriously difficult, but it can be achieved by understanding the tell-tale warning signs and using multiple data points to determine unusual behaviour. CISOs need to be aware that insider threats are caused not only by existing employees, but also consultants, partners or former employees.
The perpetrators fall into two distinct camps: those who maliciously seek to steal data – the ‘turncloaks’ – and those who unknowingly enable a data breach by accident or negligence – the ‘pawns’. Whether a turncloak or pawn, there are both behavioural and digital warning signs that someone at the organisation has become a threat.
Digital warning signs
The digital clues that someone might pose a threat are connected to that person’s use of data, especially if they are doing anything that is not part of their normal job role. For example, if they’re searching for and accessing data that they shouldn’t be or making repeated requests to access sensitive data. It could be that they are looking through, or downloading, vast amounts of sensitive information not related to their job role.
There could be perfectly innocent explanations for each of these. It may be that, unknown to the IT security team, the user’s job role has changed. Another digital sign that could have a reasonable explanation is that the user is copying large amounts of data on to an unauthorised storage device or emailing it outside the network. They could simply need to work on these files at home, however an organisation cannot be too careful and these all need to be investigated. Also, while these actions might not be malicious, they could, in themselves, cause a security breach.
Behavioural warning signs
How the user behaves in real life can also be a clear sign that they are leaking information to the outside world. Red flags are usually linked to unusual working patterns or noticeable changes in an employee’s conduct. For example, although it’s now commonplace for employees to log on at the weekend or late at night, if work patterns suddenly begin to change, it could point to covert activity when linked with other information.
Signs could also include attempts to bypass security and corporate policies and social elements such as bad behaviour or disagreements with colleagues, or even talk about resigning.
Of course, these signs of dissatisfaction at work aren’t evidence in themselves and, while outward behavioural clues could point to a potential issue, the most effective way of determining malicious behaviour, with certainty, is through digital analytics.
A co-ordinated approach
Many of the tell-tale behaviours of an insider threat can have perfectly innocuous explanations in isolation. But if looked at together, they can build a picture of someone who is trying to defraud or take down a business. As such, organisations need a co-ordinated approach to monitoring, so that they can put the pieces together and spot the threat.
Continual monitoring of permissions, access and activity is necessary for spotting any unusual behaviours. This can be augmented through behaviour analytics, a technique which automatically analyses behaviour across multiple platforms and alerts an IT security team to potential threats, through comparisons to a normal behavioural profile.
These profiles are built up through the collection of information from various data points, such as how regularly a user accesses the data and what they do with it – for example, do they just read it, change it or move it? This can offer a more accurate indicator of malicious intent than threshold-based alerts, which notify the IT security team every time someone exceeds a pre-set limit, such as moving a certain number of files from one location to another.
No organisation wants to think that it cannot trust its employees yet putting measures in place that can mitigate the insider threat is common sense. By actively monitoring for suspicious behaviour and framing this in context to build a profile of what’s normal – and what’s not – organisations can keep the risk posed by a malicious insider to a minimum.
Click below to share this article