Insider Threats Are on the Rise


Posted on by Robert Ackerman

Roughly a year-and-a-half ago, electric car maker Tesla became the victim of a botched ransomware attack. It wasn’t ordinary. Rather, a Russian national was ultimately accused by the U.S. Department of Justice of offering $1 million to an employee to install malware on Tesla’s systems, setting the stage for the assault.

The Russian, Egor Kriuchkov, allegedly met with this employee multiple times for dinner, drinks, and persuasion. The worker’s objective would be to install a thumb drive into the Tesla network to siphon off company data, which then would supposedly be held for ransom for $4 million.

This event never occurred because the worker told Telsa about the proposition early on and was linked up with the FBI, which later arrested the culprit.

This incident was an attempt at an insider attack, which notwithstanding far more hoopla about outsider attacks, is a common occurrence. Most insider attacks aren’t nearly as cloak-and-dagger as the Tesla episode. Whether the breach involves malicious or accidental misuse of data by insiders, attackers often get the job done at the expense of their corporate victims.

The latest biennial global report of insider threats by the Ponemon Institute, which surveyed more than 1,000 IT and IT security practitioners whose organizations had experienced at least one material insider event, said the frequency and costs associated with insider threats dramatically increased in all three major categories. These are careless or negligent employees and contractors, malicious insiders, and cybercriminal credential theft.

According to the report, the number of incidents increased by 44 percent in just two years and cost an average of $15.4 million to fix, up 34 percent from 2020. The time to contain an insider incident also increased from the last study to an average of 85 days, up from 77 days. The negligent insider, it turns out, is the root cause of most incidents, representing 56 percent of all insider attacks. Malicious or criminal insiders were responsible for 26 percent of incidents.

Another recent and similar report about insider attacks conducted by security firm DTEX Systems and MITRE found that insider attacks increased even more than Ponemon uncovered. The companies said the most common victims were the technology and critical infrastructure industries and government agencies.

Insider attacks tend to be a bigger threat than outsider attacks. Insiders can do more serious harm than external hackers because they have easier access to systems and a much greater window of opportunity. It’s also hard to detect them because they often look like everybody else in the network.

Two major reasons companies are failing to prevent or at least detect employee negligence are a lack of budget and insufficient monitoring technology. The work-from-home trend has also been an issue because home networks aren’t as secure as corporate offices.

Traditional defense and detection systems are largely ineffective in detecting and surfacing insider threats. These systems are primarily looking for signatures of known attack methods. By contrast, workers inside the perimeter already have legitimate access to these systems, giving malicious actors the opportunity to steal information or disrupt business as usual.

To better contain insider threats, companies need to adopt technologies that can stem the tide, such as user activity monitoring tools. One such tool safeguards against attempts to crack a password by automatically detecting and responding to an anomalous logon failure. A more advanced technologyuser and entity behavior analytics (UEBA)—takes note of the normal conduct of users and flags behavioral instances well beyond the norm, such as someone who starts downloading far more files.

Even heightened use of these technologies won’t offset the fact that rank-and-file employees too often fail to adhere to protective cybersecurity policies. For example, recent research and interviews of 330 remote workers by the University of Central Florida found that two-thirds of employees admit to failing to adhere to cybersecurity policies at their company at least once every 10 workdays.

Here are some tips to prevent or at least mitigate insider threats:

+ Look out for potential threats during the hiring process. Use screening processes designed to assess the honesty of potential hires. These should include criminal background checks and look for misrepresentations on resumes.

+ Adopt a robust insider policy. Among other things, create strong passwords and require that they be changed every 90 days. Also, require two-factor authentication. This and other aspects of the policy must apply to all levels of the organization, including senior management, and policy violations should incur penalties.

+ Encourage employees to report unusual or prohibited technologies. One example might be the discovery of a portable hard drive in an office in which employees typically access data and software via the network.

+ Adopt rigorous subcontracting processes. If a supplier’s risk of failure or a breach is smaller than yours, it may not adopt the required controls. Seek out partners and suppliers with the same risk appetite and similar cultures.

The bottom line in detecting insider threats is that organizations need to implement a different approach and set of tools from those used to detect outsider threats. A combination of identity attributes, user behavior analysis, and widespread observation can be used to surface anomalous activity. If this sparks programmed alerts, which it should, that’s a big step forward.


Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital

Human Element

insider threats risk management

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs