Insider Threats

Organizations considering cybersecurity programs to increase their resiliency to cyberattacks must focus as much on defending against threats from inside the organization as they do in guarding against external threats. Insider threat is defined as the potential for an individual who has or had authorized access to an organization’s assets to use that access in a way that could negatively affect the organization. This definition includes both intentional and unintentional insider threats, as well as workplace violence. Although every organization is at risk of falling victim to insider threats, specific industries that acquire and store highly sensitive data could also incur significant fines and reputational damage if that data is exposed or inappropriately handled. The industries and sectors at an increased risk of insider threats include government, healthcare, information technology, and financial services.

Insiders are current or former employees, contractors, business partners, or vendors who have legitimate access to organizational resources, including personnel, facilities, information, equipment, networks, and systems. They typically have elevated levels of access, are familiar with the location of sensitive data, and are aware of the vulnerabilities and security policies and procedures of an organization. According to the Verizon 2022 Data Breach Investigations Report, insider data breaches most often occur via privilege misuse, with financial gain as the leading motive. Insiders can exfiltrate data for personal gain or accidentally leak sensitive data. They can also use the data to discover their organization’s activities and disclose secrets to a competitor or help other countries build similar programs. Because insiders have legitimate access, it can be challenging to distinguish between a user’s typical activity and potentially anomalous activity even with sophisticated detection systems.

Types of Insider Threats

Insider threats can result in violence, espionage, sabotage, theft, and cyber operations. Specifically, cyber operations are digital threats related to technology, virtual reality, computers, devices, or the internet. Common types of insider threats include:

Malicious: Insiders who knowingly and intentionally steal, disclose, or destroy company data or IT systems for financial gain or to commit corporate espionage or sabotage. The motivation is personal gain or harming the organization for personal benefit, and they are typically influenced by anger, greed, revenge, or external entities instructing them to act maliciously.

• Examples:
  • planning or executing social engineering attacks
  • spoofing and illegally impersonating other people
  • tampering with, modifying, or destroying data
  • launching malware to disrupt systems and networks
  • exfiltrating valuable, sensitive, or proprietary data for financial incentive, competitive edge, or to hold a grudge
  • harassing associates
  • perpetrating violence
  • sabotaging equipment

Negligent: Insiders who carelessly expose an organization to threats. They are generally familiar with security or IT policies but choose to ignore them.

• Examples:
  • falling victim to a social engineering attack
  • sending emails containing sensitive information to the wrong person
  • sending emails with company data to personal accounts
  • ignoring messages to install new updates and security patches
  • using pirated software that might contain malware
  • misplacing or losing a work device or portable storage device containing sensitive information
  • leaving a computer open, unlocked, or unattended
  • allowing someone to shoulder surf while viewing sensitive information

Accidental: Insiders who mistakenly cause an unintended risk to an organization.

• Examples:
  • falling victim to a social engineering attack
  • providing account credentials to an unauthorized entity
  • unintentional aiding and abetting

Technical indicators of insider threats include logging into the network at unusual times, accessing unusual resources or attempting to access other devices or servers containing sensitive data, changing passwords for unauthorized accounts, unauthorized disabling of anti-virus tools and firewall settings, installing unauthorized software or malware, and transferring too much data across the network.

Real Examples of Insider Threats

Perhaps one of the best-known examples of insider threats is Edward Snowden, who was a system administrator—a privileged user and the ultimate insider—for the US government’s National Security Agency through defense contractor Booz Allen Hamilton. He stole and shared millions of classified documents with the press, which were later made public, in an attempt to reveal the scope of the US government’s intelligence apparatus. He stated that he wanted to change the way the intelligence agencies operated.

In 2010, the United States brought its first economic espionage case to trial when Dongfan "Greg" Chung was charged and sentenced to more than 15 years in prison. Originally from China, he became a naturalized US citizen and worked for Boeing and Rockwell International as a stress analyst with a high-level security clearance. Chung is accused of spying for the Chinese government for over 30 years. When Chung’s home was searched, investigators found documents related to booster rocket fueling systems and other Boeing-developed aerospace and defense technologies, including those for radar and communications on the US space shuttle. In a separate case, Xudong "William" Yao was charged for the theft of sensitive trade secrets. Yao downloaded over 3,000 electronic files within his first two weeks of employment and, within six months, procured a position with a Chinese company specializing in automotive telematics.

In October, three men were charged with money laundering and aggravated identity theft after conducting a business email compromise (BEC) scheme. The accused began the cyber operation by phishing for employee credentials and dropping malware in order to infiltrate the corporate networks of small and large US and global companies. They accessed email servers and email accounts, intercepted communications, sent fraudulent emails with invoices requesting payment, and diverted the payment to bank accounts under their control.

Other real-world examples of insider threats include exfiltrating data after being fired or furloughed, selling company data for financial gain, stealing trade secrets, exposing customer records, stealing hard drives containing human resources data, leaking customer data, accepting a bribe by a foreign national, and leaking data due to accidentally misconfigured access privileges. These examples of insider threats collectively highlight the critical need to properly vet employees and delegate to the least privileges needed to perform assigned tasks to help prevent data and intellectual property theft, espionage, and sabotage.

Recommendations

Organizations must adopt an approach to protect against insider threats, including security policies, technologies, and employee education. Additionally, know the organization’s people, identify its assets, prioritize risks, and establish the proven operational approach to detect and identify, assess, and manage cybersecurity incidents. Although the IT security department is mostly responsible for protecting an organization’s sensitive information, it is ultimately up to everyone within the organization to do their part to protect the organization and its assets.

Intentional insider threats from current employees, contractors, business partners, and vendors may put an organization at greater risk, as the exfiltration of data may occur slowly over time and without notice. Organizations should consider the following steps to secure confidential data and protect systems and networks:

1. Security Policy: Have a clear and accessible security policy in place that establishes consistent standards for what is and is not permitted within the organization. Incorporate security policy review and acknowledgement into the onboarding process for all new employees and ensure that current employees review the policy regularly. All employees should be immediately notified of any changes made to the policy.
2. Nondisclosure Agreement (NDA): Ensure the organization has a clear and documented NDA and all employees receive a copy and sign an acknowledgement form upon receipt. Include what departing employees can and cannot take when leaving the organization.
3. Provide Awareness Training and Establish a Reporting Process: Provide training to employees about identifying potential insider threat activity and how to report it to management or the organization’s security team.
4. Apply the Principle of Least Privilege: Control and regularly audit who has access to what data and outline the specifics in a written policy that is given to and acknowledged by every employee, contractor, business partner, and vendor.
5. Use Encryption: Make sure all data that is taken offsite is encrypted to reduce the likelihood unauthorized parties could access it in the event of loss or theft.
6. Restrict the Use of Removable Media: Since media such as USB drives, CD-ROMs, and memory cards are some of the easiest and most popular ways of removing and transporting data, it may be worth removing or disabling USB ports, CD/DVD writers, and memory card slots if they are not needed to perform critical job functions.
7. Monitor Endpoint Activity: Endpoints are a common launch point for insider attacks. This certainly emphasizes the importance of having robust endpoint security solutions and policies in place.
8. Monitor Outbound Network Traffic: In addition to monitoring firewalls for malicious inbound traffic, it is crucial to monitor and control outbound traffic by setting content rules and blocking certain ports and outbound protocols, like those used by file-sharing applications.
9. Block Access to File-Sharing Websites: File-sharing websites are accessed from a browser through ports 80 and 443. It is more convenient to block access to these individual sites than the ports. A good starter list can be found here, but make sure to keep up with new and active online file-sharing services.
10. Prevent the Use of Tor, Anonymizers, and Proxies: Prevent employees from using the organization’s systems and networks to browse the internet anonymously by not allowing them administrator privileges and by blocking access to online proxy services.
11. Monitor and Protect Wireless Devices: Implement a data protection solution for all mobile devices that connect to the organization’s network or contain and handle sensitive data. For instance, make sure that devices are password protected and can be remotely wiped by the IT administrator if the device is lost or stolen.
12. Use Data Loss Prevention (DLP) Software: Consider adopting one of the various DLP software solutions available to protect and monitor the transmission of sensitive data while enforcing security policy compliance.
13. Watch for Early Warning Indicators: Detecting abnormal behaviors of people operating within the organization can help prevent data theft. Possible indicators include:

• Suddenly working excessively late hours
• Working unscheduled on weekends or during other shifts
• Remotely accessing the network during off-hours
• Never taking a vacation
• Accessing parts of a system or network that are unnecessary for the person’s job
• Exporting large amounts of data to external drives or via email to a personal account
• Deleting items or activities en masse to attempt to cover one’s digital tracks
• Switching screens away from current computer activity when approached by others
• Continuously exhibiting signs of anger or hostility toward coworkers, the job, or the organization
• Suddenly complaining about financial difficulties or legal troubles
• Possessing knowledge of confidential company information before it is made public

Departing Employees

When employees resign or are fired or laid off, proper offboarding protocols and processes may be forgotten. Privileged accounts may remain enabled, employees may retain company-issued devices, and passwords may not be changed. These security gaps give former employees the opportunity to steal intellectual property, plant malware, or commit other unauthorized actions. The following is a list of steps organizations can take in securing confidential data and protecting systems and networks from departing employees:

Exit Interview: If an employee gives a traditional two-week notice upon resignation and does not appear hostile when doing so, be sure to conduct a thorough exit interview to discuss document retention and technology return policies, as well as a review of current account access and what can be expected as they prepare for departure. It is also advisable to include a member of the IT security team in the meeting to ensure they are aware of any active accounts and company-issued devices still in use by the employee.

Employee Removal: In the event the employee is terminated, gives a resignation notice that is effective immediately, or shows signs of hostility when resigning, they should be removed from the premises as quickly and safely as possible. Especially in the case of termination, it is imperative that the employee not be notified in advance in order to prevent digital tampering or data theft that could negatively impact the organization. Security or management should ensure that the employee does not leave with any data that violates company policy. Make sure to collect all work-issued items, such as:

• Laptop/desktop/tablet computers
• Devices, including mobile phones or digital cameras
• USB thumb drives or external hard drives
• GPS/navigation systems
• Company credit cards

Immediately Limit Physical and Electronic Access: Before the employee permanently leaves the premises, make sure to immediately deactivate, disable, or delete the following for physical and network security:

• Building and parking lot access cards
• Security codes
• ID authentication tokens
• Email accounts
• Network accounts (local and remote access)
• Voicemail account

Change PINs and passwords: Ensure PINs and passwords are changed to any previously accessed organization-managed accounts, such as root/administrator access, social media pages, website administration, bank accounts, etc.

Resources

New Jersey Statewide Information Security Manual

Cybersecurity and Infrastructure Security Agency (CISA) Insider Risk Self-Assessment Tool

CISA Insider Risk Mitigation Program Evaluation (IRMPE): Assessment Instrument

CISA Insider Threat Mitigation

Carnegie Mellon University Software Engineering Institute Common Sense Guide to Mitigating Insider Threats