NTT Security analysts took a deep dive into the types of insider threats – a topic often overlooked across all industries – and the challenges in identifying and mitigating them.
In previous posts, I explored what accidental and negligent insider threats look like and how organizations can mitigate the effects of such threats. But there is another – perhaps more serious – insider threat that mustn’t be ignored. And that’s the malicious insider threat.
According to data from our GTIC team, one in four insider breaches have been related to overtly hostile activity – an inside attacker stealing corporate resources or information. The data is based on incident response engagements NTT Security has been involved with since the beginning of 2016, so it paints a pretty accurate picture of this hidden threat.
However, guarding against a malicious insider is probably the most challenging aspect of an insider threat mitigation program, as these threat actors are going out of their way to steal or destroy company data.
Let’s take Alan, a project manager, as an example. He has just passed his fourth anniversary, but he is angry because the executive leadership recently cut 75% of the budget for a project he is responsible for seeing through to completion. Alan knows the project’s success is now virtually impossible, so he begins planning his exit.
Alan begins by copying as much proprietary information as possible and dropping it into a draft folder in his personal email account. He will later use this information to leverage his position with a future employer.
But that’s not enough for Alan. Alan is now a disgruntled employee, believing that his employer is setting him up for failure. Because he is a project manager, his company’s IT department allows him access to nearly every folder on the company’s network drive.
Alan opens files from available HR folders and copies and pastes personally identifiable information (names, addresses, etc.) into a cloud-based spreadsheet service. He then waits for the perfect time (probably soon after he leaves the company) to anonymously “leak” that data to Pastebin, a website where users can store public-facing text online.
Alan is his organization’s worst nightmare. He has motive, means, and authorized access to as much data as he wants to leak – and this leak will cost the company much more than it saved by cutting the budget for his project.
Alan is not alone in his plan to take proprietary company information with him to his next job. In fact, one study found that around 15% of employees have taken “business critical information” with them when moving to a new company, and nearly 60% of those plan to use the information in their next job.
While raising awareness throughout the organization about insider threats can often reduce the risks associated with accidental or negligent insider threats, combatting malicious insiders presents a much more difficult challenge. There are, however, some steps organizations can take to evaluate and mitigate their risk.
- Enforce “need-to-know” and a role-based identity and authentication process.
- Establish a segregated internal network architecture with internal filtering and security controls to help enforce controlled access to internal resources.
- A variety of open source risk documents are available to help organizations evaluate their risk in different areas, though it is often best to have a trained third-party risk professional perform these tasks.
- Another method is to use the International Security Forum’s Information Risk Assessment Methodology 2 (IRAM2) process, which uses numerous threat attributes, such as capability, motivation and intent, to evaluate your organization’s risk level. The IRAM2 can assist you in determining your risk from outside factors too.
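To make the “need-to-know” item concrete, here is an added example (not from the original post or from NTT Security) that audits a share ACL export against a per-role baseline and reports every grant a user holds beyond what the role requires, the condition that gave Alan access to HR folders. All roles, groups, folders and users are constructed sample data.

```python
# Constructed sample data: role baselines, share ACLs and users are assumptions
# for illustration, not taken from any real environment.
from pathlib import PurePosixPath

ROLE_NEED = {  # folders each role needs to do its job ("need-to-know")
    "project_manager": ["/projects", "/templates"],
    "hr_partner": ["/hr", "/templates"],
}
ACL = {  # share ACL export: folder -> groups granted read access
    "/projects": ["pm-team"],
    "/templates": ["all-staff"],
    "/hr/payroll": ["hr-team", "pm-team"],       # over-broad grant
    "/hr/personnel": ["hr-team", "all-staff"],   # over-broad grant
    "/finance/budgets": ["finance-team", "pm-team"],
}
USERS = {
    "alan": {"role": "project_manager", "groups": ["pm-team", "all-staff"]},
    "dana": {"role": "hr_partner", "groups": ["hr-team", "all-staff"]},
}
SENSITIVE = ["/hr"]  # subtrees holding personally identifiable information


def under(folder, roots):
    """True if folder equals or lies beneath any root (path-aware, not string prefix)."""
    f = PurePosixPath(folder)
    return any(f == PurePosixPath(r) or PurePosixPath(r) in f.parents for r in roots)


def excess_access(users, acl, role_need, sensitive):
    """Return {user: [(folder, granting_groups, is_sensitive)]} for grants outside the role baseline."""
    findings = {}
    for name, info in users.items():
        need = role_need.get(info["role"], [])  # unknown role: nothing is needed
        for folder, groups in sorted(acl.items()):
            via = sorted(set(groups) & set(info["groups"]))
            if via and not under(folder, need):
                findings.setdefault(name, []).append((folder, via, under(folder, sensitive)))
    return findings


if __name__ == "__main__":
    for user, rows in excess_access(USERS, ACL, ROLE_NEED, SENSITIVE).items():
        for folder, via, pii in rows:
            print(f"{user}: {folder} via {via}{' [PII]' if pii else ''}")
```

The granting group in each finding shows which membership to remove or which ACL entry to tighten; findings flagged as sensitive are the ones to fix first.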
For more information on the malicious insider threat, or other types of insider threats that could be lurking in your business, download our Q3 ‘17 Threat Intelligence Report.