Insider Threat Management

Three Indicators Your Privileged Users May Be Insider Threats

(Updated 10/19/2020) Your privileged users, or super admins, can have access to troves of sensitive and confidential data. This ranges from intellectual property, to payroll, to HR information and more. Whether malicious or unintentional, privileged user account abuse is one of the top causes of insider threat incidents, with 55% of organizations claiming that privileged users posed the biggest insider security risk.

How do you tell if a trusted, privileged user is going to be guilty of data exfiltration? Here are some key insider threat indicators to watch out for in your organization:

1. Escalating Privileges or Giving Access to Untrusted Users

Usually, privileged users have access to a certain subset of data or information that they need to do their jobs effectively. Following the principle of least privilege, these users have some sort of time limitation or role-based segmentation of access control.

However, in an insider threat scenario, you may begin to detect that these users are regularly escalating their own privileges or granting themselves access to otherwise restricted areas of the network.

In many cases this is done by logging into systems with a low-end user account to search for exploitable programming errors or design flaws in the system that can be used to escalate their privileges and gain more access. If these insider threats successfully exploit these vulnerabilities, they can create new system users, access files, authorize network activity, and change system settings. (Yikes.)

Takeaway: Keep an eye out, for example, for the authorization of otherwise untrusted users. Once your insiders (and potentially, related outside threat actors) are in that deep, sensitive data can easily be exfiltrated, an entire network can be hijacked, or worse.

2. Abusing Root-Level Commands

Many organizations tend to restrict admin access to the systems, because of the high risk associated with admins logging in as the root user (or changing identity to root after logging in during a session). Instead, sudo is used to grant administrators root-level permissions to execute particular commands and scripts, when needed. This allows admin users to do their jobs without needing to know the root password or gain full root permissions.

There are, however, significant risks with the sudo approach. Admins can abuse the root-level permissions they have received for one purpose: to perform unrelated and nefarious activities that are very difficult to detect.

Takeaway: One behavior to watch, for example, is breaking out of an intended file to execute a destructive command, while using a sudo permission.

3. General Negligence With Administrative Credentials

Considering that 2 out of 3 insider threat incidents are caused by employee or contractor negligence, mistakes can sometimes be even more costly than the rarer malicious insider use cases.

Privileged users, in particular, can become major risks if they start to become negligent with general security hygiene, such as password management. For example, neglecting to regularly change administrative passwords or sharing admin credentials through insecure systems may increase the risk of a breach.

In addition, many organizations fall victim to accidentally committing their administrative credentials to code using repositories such as GitHub. This is like the infamous Code Spaces AWS security breach of 2014, which caused the company to close its doors.

Takeaway: Using secrets management systems to rotate administrative credentials could help reduce some of this margin for error.

How User Activity Monitoring Can Detect Privileged Insider Threats

Proofpoint Insider Threat Management is a user activity-based insider threat management solution that can help detect suspicious user activity, giving security teams much-needed visibility.

Whether users are escalating privileges, exploiting them, or generally being negligent, it’s important to know exactly what your super admins are doing with their privileged permissions. Likewise, it is also important to be able to obtain visibility into users with lesser permissions, to determine if their access or activity changes over time.

In the event of an insider threat incident, security teams can review detailed user activity logs and video playback for fast root cause analysis and forensics investigation.

To learn more about Proofpoint Insider Threat Management, why not try it for free?

Subscribe to the Proofpoint Blog