What Is an Insider Threat?

This video gives a deeper explanation of what an insider threat is and how to mitigate these threats.
In this video, we’re going to be talking about, what is an insider threat?
Now, an insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors, or business associates who have inside information concerning the organization’s security practices, data, and computer systems. Now, I like this description a lot, and this is from Wikipedia. What I would also add is these users tend to have some sort of network-level access, some sort of login email account, logging into the network, whatnot. Now, this is essentially what an insider threat is. Now, an insider threat can be a deliberate malicious act or it could be an unwitting participant. So not all insider threats are people looking to do harm to the network.
It could be someone that really doesn’t know that they’re doing some sort of harm. So according to the Verizon report in 2019, let’s take a look at how serious this is. So 57% of database breaches involved an insider threat within an organization. 20% of security incidents and 15% of data breaches were due to misuse of privileges. 61% of internal actors are not in a position with a high level of access or stature. In 4% of insider and privilege misuse cases, breaches were uncovered using fraud detection. So these are pretty big numbers, especially considering these are attacks within your own network.
It’s not, per se, a person from the outside who does some scanning and reconnaissance and exploits a vulnerability on your network. These are people working within your organization.
So a malicious insider is a current employee or, again, a contractor. It’s generally someone who’s upset and wants to harm your network or company. This also could be someone that’s doing this for monetary purposes or other reasons. It could be hacktivism or some other reason. But the bottom line is they know what they’re doing, and they’re trying to do something that they shouldn’t be, on your network. It could be a current employee who allows access to an outsider for money, revenge, or other reasons. And recently, we saw this with Twitter. Allegedly, an employee was on a forum. They were giving out access to anyone that would pay.
Malicious hackers paid them I think it was $2,000, and they gained access to a lot of high-level Twitter accounts. Also, current employees who choose to do mischief. Again, it might be something not necessarily harmful to the network, but it could be something mischievous - maybe changing of the website, putting some sort of hacktivism, hacking activism, banner, or a mark on the web page, or something like that, or posting as someone else, whatnot.
It could also be an employee who can range from a custodian to an intern, to management, again, a contractor. These all can be malicious insiders. It could also be an employee who quit or was terminated and does damage to the company or network. They either use their account to delete data before they leave - we’ve actually seen this before. That’s happened, where an employee, they were let go. That employee said, well, could I have a couple of minutes to clean out my desk? And instead of actually clearing out their desk, they actually logged into their account and started deleting years’ worth of data.
Also, a person that was terminated or quit may also use an old account that’s still active and continue to log into the network after they’re terminated, after they leave. These are all examples of a malicious insider.
An unwitting insider, I would say, would be a current employee who doesn’t know that they’re doing something that is harmful to the workplace or network. This employee may be tricked, again, a victim of social engineering, such as clicking a bad link or enticed to take action, again, that’s not necessarily good for them or good for their organization. It could also be an employee who simply let someone tailgate past a security checkpoint, an employee who plugs in a USB drive that they happen to find. And they plug it into the computer, plug it into the network, and it has a virus. They don’t know it has something harmful in there. They’re just curious.
They plug it in, and a payload gets dropped on the network. That was an unwitting action. It could also be an individual on the network team who forgets to deactivate an account or leaves unnecessary accounts left on the network that a malicious hacker may use later. It also can be misconfiguration of a server, a misconfiguration of user rights, giving people too many rights that they really don’t need, and thus, causing a problem. This would be an unwitting insider attack. It’s people that do things that actually harm the network, but they’re not cognizant that they’re actually doing harm. So how do we mitigate these types of attacks? Well, audit your accounts. Monitoring active accounts is important.
You’ve got to be sure what account - if the accounts are there, should they still be active? You should also take a look at user rights - making sure that people have enough rights to do what they need to do, but not so many that they have rights they really don’t need. Disable accounts - accounts need to be disabled quickly and as soon as it needs to be done. You also may consider automation to handle this. User training - training users to identify a social engineering attack and how they may be an unwitting insider attacker, could actually help the organization quite a bit.
Restricting accounts, again, restricting your accounts to only have as much rights as they need to do their day-to-day work will help quite a bit. But also, you need to be cognizant of what they really need to do and what they don’t need to do. And that’s going to be a little bit of a balance there, too. Monitoring - network monitoring tools can help keep awareness of what’s going on in your network. So this was about insider attacks. The next video we’re going to be talking about, why employee training is important, and also go over some tips. Thank you for watching. I’ll see you in the next video.
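The account audit the video recommends (find accounts that should be disabled, that are dormant, or that carry more rights than the role needs), as an added example that is not part of the course material. The directory export, the role baseline and the 90-day dormancy threshold are all constructed assumptions for illustration.

```python
from datetime import date

# Constructed sample export from a user directory (not real data): one record per account.
ACCOUNTS = [
    {"user": "jdoe",    "enabled": True,  "last_login": date(2024, 5, 2), "employed": True,  "end_date": None,             "role": "intern",  "groups": {"staff"}},
    {"user": "asmith",  "enabled": True,  "last_login": date(2024, 5, 3), "employed": False, "end_date": date(2024, 4, 30), "role": "analyst", "groups": {"staff", "finance-db"}},
    {"user": "svc-old", "enabled": True,  "last_login": date(2023, 9, 1), "employed": True,  "end_date": None,             "role": "service", "groups": {"staff"}},
    {"user": "bchan",   "enabled": True,  "last_login": date(2024, 5, 1), "employed": True,  "end_date": None,             "role": "intern",  "groups": {"staff", "domain-admins"}},
    {"user": "mlee",    "enabled": False, "last_login": date(2024, 1, 1), "employed": False, "end_date": date(2024, 1, 2),  "role": "analyst", "groups": {"staff"}},
]

# Hypothetical least-privilege baseline: the groups each role legitimately needs for day-to-day work.
ROLE_BASELINE = {
    "intern":  {"staff"},
    "analyst": {"staff", "finance-db"},
    "service": {"staff"},
}

DORMANT_DAYS = 90                 # assumed threshold for "nobody uses this account"
AUDIT_DATE = date(2024, 5, 6)     # constructed "today" for the sample run


def audit_accounts(accounts, today, baseline=ROLE_BASELINE, dormant_days=DORMANT_DAYS):
    """Return (user, finding) pairs for every enabled account that needs action."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing to do
        # Departed staff whose account is still active; a login after the end date is the
        # "old account that's still active" case from the video and is the most urgent finding.
        if not acct["employed"]:
            if acct["last_login"] > acct["end_date"]:
                findings.append((acct["user"], "disable: login after departure"))
            else:
                findings.append((acct["user"], "disable: departed, account still active"))
            continue
        # Accounts nobody has used in a long time: likely forgotten or unnecessary.
        if (today - acct["last_login"]).days > dormant_days:
            findings.append((acct["user"], "review: dormant"))
        # Rights beyond what the role needs: candidates for restriction.
        excess = acct["groups"] - baseline.get(acct["role"], set())
        if excess:
            findings.append((acct["user"], "restrict: excess groups " + ",".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, AUDIT_DATE):
        print(f"{user:8} {finding}")
```

In practice the `ACCOUNTS` list would come from a directory export (for example a scheduled query against Active Directory or an IdP), and the findings would feed a ticket or an automated disable step.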


You have already heard insider threats mentioned in previous videos. Security often focuses on threats from outside of the network, but insider threats pose a significant risk. Insider threats refer to people within your organization who can undermine your security.

Reflect and share: Do you have a strategy for ensuring all users on your networks have the appropriate account restrictions? Share any useful tips you have for ensuring account restrictions are in place. Share your comments in the section below.

This article is from the free online course Advanced Cyber Security Training: Network Security, created by FutureLearn.
