There are three types of insider threat actors:
Unintentional - A negligent user, perhaps one who lacks security awareness training or who accidentally hard-codes a password.
Malicious - A user who intentionally performs a malicious act; this could be a current employee or contractor, a third-party vendor, or another trusted entity.
Compromised - An actor has gained access to an employee's (or contractor's or other trusted entity's) account and uses it to carry out the attack.
There are several insider threat attack vectors: privilege abuse/misuse, data mishandling, and other errors. About 80% of attacks are due to privilege misuse, that is, using privileged access in an inappropriate way. That may sound like it has to be intentional, but it doesn't. Think about a data engineer who uses an administrative account to move data in a test environment. The engineer mistakenly moves sensitive data to a public S3 bucket and doesn't realize it. If the engineer had used a "test" account, there is a good chance the engineer would have encountered an error and noticed before the breach occurred.
A staggering 56% of insider threats are due to employee negligence and could have been prevented, and the average cost is about $7.2M. To make matters worse, organizations that took longer than 90 days to contain the incident had costs of about $18M.
Let's look at indicators of compromise for insider threat: how can we identify it? Unfortunately, there isn't a magic tool and there is no single indicator; build your hypothesis and hunt. Keep in mind that these are only a small sample:
Unusual login activity - A user who doesn't normally access a certain network share or other resource suddenly makes several attempts, or their use of it suddenly increases. Maybe a user starts attempting to access a resource they don't have authorization to use.
Installing new tools or abusing current tools - Suddenly a database administrator installs Windows Subsystem for Linux (WSL), which on its own wouldn't be too alarming. But then an alert is raised showing a download of Kali WSL on top of it. Or suppose an end user starts invoking MSHTA.exe with PowerShell.
Copying, downloading, or data movement - A user begins copying sensitive data to a newly created network share or to their endpoint device.
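As an added example (not code from the original post), here is a small Python hunt that runs the three hypotheses above over constructed sample telemetry: access outside a user's baseline or repeated denials, mshta.exe spawned from PowerShell, and sensitive data copied to a newly created share. The event format, field names, baseline and thresholds are all assumptions.

```python
from collections import Counter

# Constructed sample telemetry for the three indicators above (not from the original
# post): share access audits, EDR process starts with parent, and DLP copy events.
EVENTS = [
    {"type": "access", "user": "alice", "resource": r"\\fs01\finance", "ok": True},
    {"type": "access", "user": "alice", "resource": r"\\fs01\finance", "ok": True},
    {"type": "access", "user": "bob", "resource": r"\\fs01\finance", "ok": False},
    {"type": "access", "user": "bob", "resource": r"\\fs01\finance", "ok": False},
    {"type": "access", "user": "bob", "resource": r"\\fs01\finance", "ok": True},
    {"type": "process", "user": "carol", "parent": "powershell.exe", "image": "mshta.exe"},
    {"type": "process", "user": "alice", "parent": "explorer.exe", "image": "outlook.exe"},
    {"type": "copy", "user": "dave", "label": "sensitive", "dest": r"\\ws17\drop", "dest_age_h": 2},
    {"type": "copy", "user": "alice", "label": "public", "dest": r"\\fs01\finance", "dest_age_h": 800},
]
# Constructed baseline: (user, resource) pairs seen during a prior learning window.
BASELINE = {("alice", r"\\fs01\finance")}
# (parent, child) process pairs matching the post's "MSHTA.exe with PowerShell" hypothesis.
TOOL_PAIRS = {("powershell.exe", "mshta.exe")}


def hunt_access(events, baseline, denied_threshold=2):
    """Unusual login activity: access outside the user's baseline, or repeated denials."""
    findings, seen, denied = [], set(), Counter()
    for e in (e for e in events if e["type"] == "access"):
        key = (e["user"], e["resource"])
        if key not in baseline and key not in seen:
            seen.add(key)
            findings.append(("new_resource", e["user"], e["resource"]))
        if not e["ok"]:
            denied[key] += 1
            if denied[key] == denied_threshold:  # fire once, when the threshold is hit
                findings.append(("repeated_denial", e["user"], e["resource"]))
    return findings

def hunt_tools(events, pairs=TOOL_PAIRS):
    """Tool abuse: a watched binary started from a parent it normally would not have."""
    return [("tool_abuse", e["user"], f"{e['parent']}>{e['image']}")
            for e in events if e["type"] == "process" and (e["parent"], e["image"]) in pairs]

def hunt_copies(events, max_age_h=24):
    """Data movement: sensitive-labelled data copied to a freshly created destination."""
    return [("sensitive_copy", e["user"], e["dest"]) for e in events
            if e["type"] == "copy" and e["label"] == "sensitive" and e["dest_age_h"] <= max_age_h]

def hunt(events, baseline=BASELINE):
    """Run every hypothesis; each finding is (indicator, user, detail)."""
    return hunt_access(events, baseline) + hunt_tools(events) + hunt_copies(events)
```

Each finding is a lead for an analyst, not a verdict: bob's denials may be a permissions mistake and dave's copy may be a sanctioned migration, which is why the post says to build a hypothesis and hunt rather than alert on any single indicator.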
There are several ways insider threat can be reduced, though never completely mitigated: a robust security awareness program, secure coding awareness, RBAC, network and endpoint security solutions, and several more.
This blog was only meant to get you thinking about insider threat and what you can do to help prevent it. Remember to stay safe and keep hacking!