Identifying overt indicators is integral to recognizing potential threat actions
With the upswing in cyberattacks from malicious individuals or groups attempting to exploit corporate vulnerabilities and sensitive information, organizations tend to overlook another major threat: their employees. Show
This article offers answers to questions like what are some potential insider threat indicators, why is it important to identify potential insider threat indicators, and what are the ways to combat them to maintain your organization’s cybersecurity posture. What are insider threats?Contrary to popular belief, insider threats are not limited to threats that arise within an organization's immediate perimeter. Apart from current employees, these threats can be launched by former employees, third-party vendors, consultants, or others who have profound knowledge of the organization's systems. The motive behind insider attacks may differ in each case; potential motives include revenge, financial gain, and espionage, and perpetrators may of course have no motive at all but instead carry out the attack by accident. Although it is incredibly daunting to think of current or former employees as potential malicious sources, insider threats are becoming increasingly common and should never be neglected. Common indicators for identifying insider threatsSpotting indicators of insider threats can go a long way in thwarting such attacks. The following are some key indicators of an insider attack. Unusual loginsWatch out for any employees who work a typical nine-to-five but start logging in at odd times. They might try working outside the usual hours of their group without any real reason to do so. Strange access requestsLook for malicious insiders trying to access unauthorized files or systems that they generally would not need for their day-to-day tasks. Employees trying to access information that is unrelated to their job function is often an early sign of an insider attack. Escalation of privilegesAn impending threat actor may try to escalate their privileges to gain further access to sensitive information that, if leaked, could be detrimental to the organization. Sometimes a trusted administrator with heightened access to systems may grant permissions to employees who should not have them. Use of prohibited storage mediaIn an attempt to steal sensitive data, employees with direct access to systems within the network may do so with the help of external drives, discs, etc. This can also be in the form of unwarranted emails to recipients outside the organization. Your IT team should keep track of what data is downloaded or copied from your organization’s on-premises or cloud infrastructure. If large files are being copied from strange locations that cannot be explained, something is likely amiss. Sudden resignationInsiders trying to sabotage the organization may do so while deciding to quit. They do not have much to lose since they are leaving the company. Look into their activity for the past 90 days and figure out if they have done anything wrong. Mitigating insider threatsInsider threats may be on the rise, but with a proper strategy in place, it’s easy to thwart them. By regularly exercising the following tips, your organization can stay one step ahead of potential threats.
Check out Log360, a comprehensive SIEM solution that helps you steer clear of insider attacks. Click the icons to navigate. Successful insider threat programs proactively use a mitigation approach of detect and identify, assess, and manage to protect their organization. The foundation of the program’s success is the detection and identification of observable, concerning behaviors or activities. Threat detection and identification is the process by which persons who might present an insider threat risk due to their observable, concerning behaviors come to the attention of an organization or insider threat team. I. Threat DetectionDetecting and identifying potential insider threats requires both human and technological elements. An organization’s own personnel are an invaluable resource to observe behaviors of concern, as are those who are close to an individual, such as family, friends, and co-workers. People within the organization will often understand an individual’s life events and related stressors, and may be able to put concerning behaviors into context.
II. Threat IndicatorsInsider threat programs help organizations detect and identify individuals who may become insider threats by categorizing potential risk indicators. These indicators are observable and reportable behaviors that indicate individuals who are potentially at a greater risk of becoming a threat.
III. Progression of an Insider toward a Malicious IncidentWhile virtually every person will experience stressful events, most do so without resorting to disruptive or destructive acts. For those insiders that turn to malicious activity, researchers have found that the acts are rarely spontaneous; instead, they are usually the result of a deliberate decision to act. Researchers of insider threats describe an evolution from trusted insider to insider threat as a critical pathway. On this road, the subject’s personal predispositions and background, which make them susceptible to the temptation of a malicious act, interact with their personal stressors and the organizational environment. Together, these factors move the insider down a pathway toward a malicious incident. Moving from ideation to action involves the following steps shown on the pathway above to a malicious incident.
Learn more about the progression of an insider toward a malicious incident from the white paper, Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall. (External PDF, File Size 362KB) IV. Detecting and Identifying Insider Threats ResourcesCISA Interagency Security Committee’s Violence in the Federal Workplace: A Guide for Prevention and Response and Appendicies, provides guidance on how agencies can develop a workplace violence program capable of preparing for, preventing, and responding to incidents of workplace violence. Carnegie Mellon University Software Engineering Institute's Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors literature can help organizations fully understand the insider threat. (External PDF, File Size 165.01 KB) Carnegie Mellon University Engineering Institute’s technical report An Insider Threat Indicator Ontology provides an ontology for insider threat indicators, describes how the ontology was developed, and outlines the process by which it was validated. (External PDF, File Size 5.67 MB) The FBI's Making Prevention a Reality: Identifying, Assessing, and Managing the Threat of Targeted Attacks is a practical guide on assessing and managing the threat of targeted violence. (External PDF, File size 1675 KB) The NATO Cooperative Cyber Defence Center of Excellence Insider Threat Detection Study focuses on the threat to information security posed by insiders. (External PDF, File Size 1.09MB) The USSS’s National Threat Assessment Center provides an analysis of Mass Attacks in Public Spaces that identifies stressors that may motivate perpetrators to commit an attack. (External PDF, File Size 3.04MB) What are some potential threat indicators?Indicators: Increasing Insider Threat Awareness. Unusual logins. ... . Use or repeated attempted use of unauthorized applications. ... . An increase in escalated privileges. ... . Excessive downloading of data. ... . Unusual employee behavior. ... . Make sense of event data with a SIEM solution.. What are the 4 threat indicators?They include: classified information; proprietary information; intellectual property; trade secrets; personnel security.
Why is identifying potential insider threats important?Why is it important to identify potential insider threats? Failing to detect insider threats can lead to data loss and system downtime. As a result, companies can face steep costs, including fines, lawsuits, incident mitigation work and reputation damage.
What are security threat indicators?Threat Indicators. Insider threat programs help organizations detect and identify individuals who may become insider threats by categorizing potential risk indicators. These indicators are observable and reportable behaviors that indicate individuals who are potentially at a greater risk of becoming a threat.
|