Data Loss Prevention

How to Recognize and Defend Against Malicious Insider Threats


Insider threats arise from careless users, users with compromised credentials, or users who seek to cause harm intentionally. The latter type of user—the malicious insider—can be the most daunting for security teams to manage. It requires them to analyze a user’s behavior and determine whether they have bad intentions.  

Although less frequent, malicious insiders are costly. The average cost of a data breach by a malicious insider is the highest of any attack vector at $4.9 million, which is 9.6% higher than the global average. Unlike accidental misuse by well-meaning insiders, malicious insiders make a conscious choice to do something that they know they shouldn’t. Typically, they do it for personal gain or damage to the company. What’s more, trusted insiders can do the most significant damage since they often know the weak points in the organization and how to exploit them.  

So, how can you recognize a malicious insider threat and keep your business and data safe? Your starting point is to understand what motivates malicious insiders.  

Understanding the malicious insider 

The most defining characteristic of a malicious insider is their intent to cause harm. There are various reasons and external factors that can motivate them to act. Here are a few examples: 

  • Business changes like mergers, acquisitions and divestitures 
  • Fear of job loss 
  • Financial stress 
  • Resentment due to job changes or conflict with a supervisor 
  • Poor job performance 

If you know what can inspire malicious insiders to act, you can better understand who a high-risk insider in your company might be.  

This insight shows why you need a cross-functional team—rather than just a cybersecurity team—to deal with employee-facing situations. Human resources (HR), legal and management need to be involved. An expanded team can help you spot risk factors and intervene in delicate situations before they become full-blown insider incidents. Likewise, once an incident occurs, a cross-functional team may be needed for a thorough investigation. 

Proofpoint Insider Threat Management (ITM) helps teams from different areas of your business collaborate. Reports of user activity are easy to export and consume. These user risk reports detail user interactions with data and other behaviors, helping provide contextual insight with a timeline of activities and detailed metadata.    

Early indicators of insider threats 

Once you know what commonly motivates malicious insiders, you need to know how to recognize behaviors to watch out for. Here are some examples of insider threat indicators: 

  • Hiding information  
  • Performing unauthorized admin tasks 
  • Bypassing security controls 
  • Creating a backdoor 
  • Exfiltrating data 
  • Installing a TOR browser 
  • Running malicious software 
  • Downloading unauthorized software 
  • Accessing source code during irregular hours 
  • Performing acts of IT sabotage 

Keep in mind that one of these behaviors alone doesn’t mean that a user is malicious. Rather, it is the combination of multiple behavioral indicators, which you need to analyze holistically, over time and in the context of other factors. That is how you begin to paint a picture of a malicious insider and their intentions. 
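The correlation idea above, as an added example that is not Proofpoint code: constructed endpoint events (hypothetical format: timestamp, user, action) are mapped to the indicator categories listed in this post, and a user is flagged only when several distinct indicators co-occur inside a time window, so a lone indicator never triggers on its own. The business-hours range and the action names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical log format: timestamp, user, action).
SAMPLE_EVENTS = [
    ("2024-03-01T02:10:00", "alice", "source_code_access"),
    ("2024-03-01T02:15:00", "alice", "usb_copy"),
    ("2024-03-02T10:00:00", "bob", "source_code_access"),
    ("2024-03-03T03:30:00", "alice", "tor_install"),
    ("2024-03-05T23:50:00", "alice", "dlp_policy_bypass"),
    ("2024-03-10T09:00:00", "bob", "unauthorized_software"),
]

# Map raw actions to the indicator categories named in the post. Source-code
# access only counts when it happens outside business hours (assumed 08:00-18:00).
def classify(ts, action):
    if action == "source_code_access":
        return None if 8 <= ts.hour < 18 else "irregular_hours_source_access"
    return {
        "usb_copy": "exfiltrating_data",
        "tor_install": "installing_tor",
        "dlp_policy_bypass": "bypassing_security_controls",
        "unauthorized_software": "downloading_unauthorized_software",
        "admin_task": "unauthorized_admin_task",
    }.get(action)

def flag_users(events, window_days=7, min_indicators=3):
    """Return {user: sorted indicators} for users showing at least
    min_indicators distinct indicators within any window_days-long period."""
    per_user = defaultdict(list)
    for ts_str, user, action in events:
        ts = datetime.fromisoformat(ts_str)
        indicator = classify(ts, action)
        if indicator:
            per_user[user].append((ts, indicator))
    flagged = {}
    for user, hits in per_user.items():
        hits.sort()  # chronological, so each window starts at one hit
        for i, (start, _) in enumerate(hits):
            window = {ind for ts, ind in hits[i:]
                      if ts - start <= timedelta(days=window_days)}
            if len(window) >= min_indicators:
                flagged[user] = sorted(window)
                break
    return flagged

if __name__ == "__main__":
    print(flag_users(SAMPLE_EVENTS))
```

In the sample data only alice accumulates four distinct indicators within a week; bob's daytime source access is not counted, leaving him with a single indicator and no flag.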

Proofpoint has developed a library of use cases and indicators that are most associated with insider threats. Monitoring these indicators can help reduce your risk of insider threats. The library includes more than 150 out-of-the-box rules based on CERT Institute guidelines and behavior-based research. With the threat library, you can get up and running quickly while watching for common behaviors.  

Forensic evidence for investigations 

When you have careless users, you need to address their behavior quickly. The following straightforward actions usually do the trick: 

However, incidents caused by a malicious insider need to be investigated. Security teams may escalate the investigation to HR, legal and other departments. In severe cases, the incident may result in a lawsuit.  

Whenever you need to confront a malicious insider, you should have irrefutable evidence. One Proofpoint customer who experienced an employee taking sensitive data elaborated on this fact: “If you’re going to accuse someone of stealing files from your company, you don’t get to be wrong…. Visibility is in the best interest of every single user in the company…. [Proofpoint] allows us to walk through what exactly a user was doing.” 

Proofpoint ITM delivers detailed metadata and screenshots to provide the evidence you need when investigating an incident. With visibility into what a user was doing before, during and after an incident, security teams gain insight into the user’s intentions and motivations. That insight is critical to determining the best response.  

What’s more, clear, irrefutable evidence of malicious behavior helps the HR, legal, privacy and management teams make an informed decision about the next steps. User data can be kept anonymous to protect employee privacy and prevent any bias.  

Next steps 

Proofpoint ITM helps detect and prevent malicious activity before it can damage your business. It provides you with context for user behavior, which gives you greater insight into whether users are careless or malicious. This helps you better protect your intellectual property and “crown jewels” from malicious insider activity. And it can help you avoid brand damage and financial losses, too. 

Find out more about Proofpoint ITM and how to defend against insider threats. If you want to learn more about protecting your sensitive data, download our e-book, Getting Started with DLP and ITM.