Insider Threat Management

Coachable Moments: Recognising Insider Threat Indicators

Share with your network!

(Updated on 10/30/2020)

Insider threat indicators can help an organisation understand the intent and motivations of a user, often before their activity escalates to the point of becoming an insider threat. Providing real-time coaching for employees (or, in more serious cases, escalating a recurring employee issue to HR) can potentially help curb data loss from insider threat.

Let’s look at some of the key insider threat indicators for both malicious and unintentional insider threats, along with actions the cybersecurity team can take to prevent incidents from occurring.

Recognising Potential Insider Threat Indicators

It doesn’t take much for an employee or third-party vendor to go from a trusted worker to a malicious insider threat. For example, someone may be under financial or family stress, which might lead them to steal sensitive corporate data. Or, if someone receives what they believe to be an unjustified poor performance review, they could look to retaliate on the organisation.

Some of the motives of insiders such as fear, greed, or revenge remain true across the board. Regular communication with the HR and legal teams can help keep the cybersecurity team informed about any employees that may be insider threat risks.

Once malicious insiders decide to make a move, they’ll look to take stealthy actions on the system to exfiltrate data, open doors for easier access, or shut down or destroy systems altogether. They’ll often combine smaller actions to avoid detection.

Physical insider threat indicators visual

Here are just a few examples of potential insider threat indicators to watch out for with your threat management software:

  • Escalating Privileges or Sharing Access

    In an insider threat scenario, the cybersecurity team may begin to detect that privileged users are regularly escalating their own privileges, or granting themselves access to otherwise restricted areas of the network. In many cases, insiders log into systems with a low-end user account to search for exploitable programming errors or design flaws in the system that can be used to escalate their privileges and gain more access. If these insider threats successfully exploit these vulnerabilities, they can create new system users, access files, authorise network activity, and change system settings - ultimately opening an organisation up to additional risk.

  • Abusing Root-Level Commands

    Admins (a.k.a Privileged Users) can abuse root-level permissions they’ve received for one purpose to perform unrelated and nefarious activities that are very difficult to detect. One behaviour to watch, for example, is breaking out of an intended file to execute a destructive command, while using a root-level permission.

  • Using Unauthorised Applications Repeatedly

    While a one-time use of an unauthorised application may not be of any concern, repeated use of out-of-policy applications (after a user has received warning notifications and coaching) may indicate a suspicious pattern that’s prime for data exfiltration.

    For example, cloud storage, social media, or file-sharing sites are common conduits through which users look to steal corporate data.

  • Exploiting physical media, such as printers or USBs

    If employees are printing a lot of documents at odd hours or using USB drives to move sensitive files, these may be insider threat behavioural indicators of suspicious activity.

Coachable moment: If the cybersecurity team detects user activities that seem suspicious, the first step is to ask users about the context behind their actions, reminding them of the cybersecurity policy, and advising them on how to remain within policy in the future. If there’s a good explanation for the activity, that may be the last warning needed to prevent a potential incident from occurring.

If suspicious activities persist after a clear warning, collect a trail of evidence through a insider threat management solution and present it to HR immediately. Chances are, there may be some deeper issues with this employee that need to be formally addressed by the organisation.

Recognising Unintentional Insider Threat Indicators

Weak passwords on stickynotes

Even though malicious insider threats capture the majority of the headlines, the reality is that two out of three insider threat incidents are caused by employee or contractor negligence.

The good news is, accidental insider threat incidents can be prevented by deploying the right cybersecurity policies combined with regular coaching of cybersecurity best-practices.

Here are some of the most common user mistakes to be aware of:

  • Weak Passwords

    One of the top causes for user error is poor cybersecurity hygiene, such as weak passwords. In a recent credential theft incident, for example, a hacker was able to gain access to Sprint’s internal staff portal using two weak, easy-to-guess passwords.

  • Poor Application Security

    In many cases, application security best-practices are ignored, such as employing multi-factor authentication, leaving a corporate system open to attack.

  • Gone Phishing

    As hackers’ social engineering techniques get more and more sophisticated, insiders are falling for phishing attacks that expose their organisations’ sensitive data.

Coachable moment: Provide training sessions on general cybersecurity best-practices; it’s crucial to help employees gain a baseline understanding of safe application and internet use at work.

In as many cases as possible, try to remove the potential for user error from the equation by requiring the use of a password manager or single-sign on technology. In addition, applications like Google Authenticator can help make two-factor authentication easier on users.

If a mistake does happen, the goal should be to try to be productive rather than punitive with users, explaining why their actions opened up a vulnerability in the system so that they can learn. If users feel like they’re in a safe space, they’ll be more likely to report a potential misstep to the security team before it spirals out of control. (Thus strengthening overall organisational cybersecurity!)

Finally, in-the-moment coaching, such as notifications that alert employees about out-of-policy application use, can prevent users from taking missteps that might escalate to costly insider threats. The cybersecurity or IT team may also choose to run practice drills, such as randomised, faux phishing attacks, to show employees what not to do when they get an email from an unknown sender (and train them to identify suspicious communications).

Don’t Miss a Coachable Moment

If you like this post, you may like others in our Coachable Moments series, including the latest on working with third-party contractors. As always, feel free to let us know what topic you’d like to see in the future on Twitter @Proofpoint.