
Fixing the Insider Threat Investigation Gap

Traditional strategies for managing insider threats are important, but they’re likely not enough to mitigate all types of employee risk. Humans are enormously variable. Failing to account for that, lacking the right intelligence, and not understanding where your biggest vulnerabilities lie could result in costly security incidents. A detection and intelligence gathering tool that uses Internet chatter from sites on the Surface, Deep, and Dark Web is instrumental in preparing, detecting, and responding to insider threats, and helps level the playing field between cybersecurity professionals and cybercriminals.

It’s undeniable. Insider threats are costly and on the rise. According to the Ponemon Institute’s “2018 Cost of Insider Threats” report, the average cost of insider-caused incidents was $8.76 million in 2017, more than twice the $3.86 million global average cost of all breaches during the same year. The inadvertent insider, the most common form of insider threat, is responsible for 64 percent of total incidents, according to Ponemon, while criminal behavior accounts for 23 percent of incidents. Inadvertent insiders include both employees who don’t respond to training and those who cause incidents through mistakes such as misconfigured cloud networks. Among criminal insiders, there are instances of collusion, long-term malicious behavior, and sabotage.

Types of Insiders

1. The Nonresponder

One of the riskiest groups within the employee population is made up of nonresponders to cybersecurity awareness training exercises. Nonresponders may not intend to behave negligently, but they tend to demonstrate consistent behavior that leaves them vulnerable to compromise. An investment in security awareness and training for all users has a 72% likelihood of reducing the business impact of phishing attacks. That reduction, evidently, is significantly smaller when users choose to opt out of the training.

2. The Pawn

Example of a phishing email.

Simple negligence is the most common form of insider threat. Employees who fall into this category might generally exhibit secure behavior and comply with cybersecurity policies, but cause breaches due to isolated human error. In 2017, according to an X-Force report, two-thirds of breached records were caused by basic misjudgment, such as storing intellectual property on insecure personal devices or falling for phishing schemes.

Case Example: Ubiquiti Networks

On June 5th, 2015, San Jose wireless networking technology company Ubiquiti Networks discovered that they had fallen victim to a phishing scheme, costing them millions. Using both employee and executive impersonation, the attackers had $46.7 million of Ubiquiti’s funds transferred to accounts they controlled at third-party banks.

4. The Colluder

An insider seeking partners to commit an act of theft against their employer. From the Dark Web using Media Sonar software.

While insiders collaborating with malicious external threat actors is rare, professional cybercriminals actively recruit employees via the Dark Web, making it a significant and notable threat. A study conducted by the Community Emergency Response Team (CERT) noted that collusion falls within the costliest category of breaches, and may take up to four times longer to detect than incidents caused by insiders acting alone.

5. The Entrepreneur

Possible insider threat looking for ideas. From the Dark Web using Media Sonar software.

More commonly, insiders exfiltrate data or commit other malicious acts against the organization for personal gain, such as a financial reward. A Gartner study found that 62 percent of insiders with malicious intent are categorized as “second streamers,” or people seeking a supplemental income. So-called “second streamers” may exhibit sophistication in remaining undetected to maximize the personal benefits of data theft. This group of individuals may exfiltrate data slowly to personal accounts to avoid detection, instead of completing large data exports that would raise flags in traditional network monitoring tools.
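The detection gap described above (a per-transfer size threshold that a “second streamer” sidesteps by moving small amounts every day) can be illustrated with two rules run over the same transfer log. The following is an added example, not Media Sonar’s software or code from the original post; the log entries, user names, destination labels and thresholds are all constructed for illustration. The first rule is the traditional single-event threshold; the second sums each user’s transfers to non-corporate destinations over a sliding window, which is what catches the low-and-slow pattern.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

MB = 1024 * 1024


@dataclass(frozen=True)
class Transfer:
    """One outbound transfer event as a DLP or proxy log might record it (constructed schema)."""
    day: date
    user: str
    destination: str  # e.g. "corp-backup", "personal-gmail", "usb"
    size: int         # bytes


# Destinations the organization sanctions; transfers to anything else count as external.
CORPORATE_DESTINATIONS = {"corp-sharepoint", "corp-backup"}


def per_event_alerts(transfers, threshold_bytes):
    """Traditional rule: flag a user when a single external transfer exceeds the threshold."""
    return sorted({
        t.user for t in transfers
        if t.destination not in CORPORATE_DESTINATIONS and t.size > threshold_bytes
    })


def rolling_sum_alerts(transfers, window_days, threshold_bytes):
    """Low-and-slow rule: flag a user when the total of their external transfers
    within any window of `window_days` consecutive days exceeds the threshold."""
    by_user = defaultdict(list)
    for t in transfers:
        if t.destination not in CORPORATE_DESTINATIONS:
            by_user[t.user].append(t)

    flagged = set()
    for user, events in by_user.items():
        events.sort(key=lambda t: t.day)
        start, total = 0, 0
        for t in events:
            total += t.size
            # Drop events that fall outside the window ending on this event's day.
            cutoff = t.day - timedelta(days=window_days - 1)
            while events[start].day < cutoff:
                total -= events[start].size
                start += 1
            if total > threshold_bytes:
                flagged.add(user)
                break
    return sorted(flagged)


def sample_transfers():
    """Constructed 30-day log: a noisy-but-legitimate user, a bulk exporter, and a slow leaker."""
    base = date(2019, 9, 1)
    events = []
    # alice: large daily backups, but to a sanctioned corporate destination
    for d in range(30):
        events.append(Transfer(base + timedelta(days=d), "alice", "corp-backup", 200 * MB))
    # bob: one 600 MB dump to removable media; the classic big-export signal
    events.append(Transfer(base + timedelta(days=10), "bob", "usb", 600 * MB))
    # carol: 4 MB to a personal mailbox every day for 30 days (120 MB total)
    for d in range(30):
        events.append(Transfer(base + timedelta(days=d), "carol", "personal-gmail", 4 * MB))
    return events


if __name__ == "__main__":
    log = sample_transfers()
    print("per-event (>50 MB):      ", per_event_alerts(log, 50 * MB))
    print("30-day rolling (>100 MB):", rolling_sum_alerts(log, 30, 100 * MB))
    print("7-day rolling (>100 MB): ", rolling_sum_alerts(log, 7, 100 * MB))
```

With these constructed inputs the per-event rule flags only bob; the 30-day rolling sum flags both bob and carol, while a 7-day window still misses carol, which is the point: the window has to be at least as long as the insider is patient, so the thresholds need to be set from a per-user baseline rather than a single universal number.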

Case Example: Desjardins Group

Desjardins Group, Canada’s largest credit union, suffered a data breach in which members’ personal information was exposed. The incident stemmed from the “unauthorized and illegal use of internal data” by an employee who was subsequently fired. Computer systems were not breached, but the names, dates of birth, social insurance numbers, addresses and phone numbers of about 2.7 million individual members were released to people outside the organization.

6. The Destroyer

Fired employee selling access to a network of corporate computers. From the Dark Web using Media Sonar software.

The final category of criminal insiders is made up of disgruntled employees who commit deliberate sabotage or intellectual property theft. These are among the costliest risks to an organization. A Gartner study found that 29 percent of employees stole information after quitting or being fired with the goal of future gains, while 9 percent were motivated by simple sabotage. Disgruntled employees can fit many behavioral sub-patterns. Some frustrated employees may start digging for information access without specific goals. Others may have very specific data in mind from the moment they give two weeks’ notice and set out to sell trade secrets to competitors.

Case Example: Tesla

Another high-profile incident of recent times involves a disgruntled employee at Tesla, who, it is alleged, abused internal privileges to perform industrial sabotage by making changes to software systems controlling the manufacturing process. This prompted a public legal dispute and claims of whistleblowing, which had a damaging effect on the company’s reputation.

The Insider Script

The Stages of a Network Breach

Insider attacks are unique in that, in most cases, access is already granted. Whether the insider inadvertently hands that access to an imposter or takes advantage of it themselves, they are in a unique position to commit acts of sabotage and theft before anyone even notices something is wrong. On average, companies take about 197 days to identify and 69 days to contain a breach, according to IBM. By then, however, it might already be too late.

Prepare, Detect & Respond

The human element generates some of the biggest security threats, and insider threats are highly variable. No single approach is fully effective and cybersecurity software falls short where insiders are concerned. Awareness training will help mitigate some threats, but it does not account for Colluders, Entrepreneurs, or Destroyers looking for revenge. Better data protection, behavioral analytics, and risk scoring will have some impact, but what happens when hackers adapt?

Investigate Before A Breach

One factor making insider threat crime so costly is that organizations focus on defensive measures while cybercriminals devote their resources to research and discovery of new offensive measures. Strategies and technologies based on previous cyber attacks are not yielding the desired results. Cybersecurity professionals need to safeguard against all known vulnerabilities, whereas cybercriminals need only exploit a single vulnerability, known or unknown. It’s not a level playing field and organizations are incurring costs as a result. Hacker intelligence has an important role to play in closing the gap between cybersecurity professionals and cybercriminals.

As we’ve already pointed out, hackers spend a lot of time innovating new ways to circumvent protections put in place by cybersecurity professionals. On the Dark Web, there are multiple websites and forums devoted to discussing common vulnerabilities and attack tactics. Most of what you read on blogs on the Surface Web will already be old news. The Dark Web is where conversations are still fresh, where cybersecurity professionals can locate and gather valuable hacker intelligence data to better understand how insiders are recruited, where insiders go to offer system access, and the methods used to exfiltrate data. Media Sonar software lets you do exactly this. Cybersecurity professionals can access the Dark Web with zero risk to computers or networks. It is also easier to obtain intelligence across multiple hidden data sources: Media Sonar software lets you search them all at once. We have discovered that better hacker intelligence helps close the knowledge gap between cybercriminals and cybersecurity professionals, and provides actionable directives about where vulnerabilities might exist.

Detect After a Breach

In many of the biggest data breaches in recent history where insiders are involved, the individual or group in question is able to exfiltrate the data long before anyone is even aware. Capital One, for example, recently fell victim to a data breach perpetrated by an insider employed by a third-party vendor. The company was only made aware of the breach when another third party contacted them to advise that their private and proprietary code had been shared on GitHub.

In these cases, where access, discovery, and exfiltration can occur under the radar, detection is paramount for identifying cases of leaked data and intellectual property. Automatic searches using Media Sonar software across a range of sites like GitHub, pastebins, news and blogs, not to mention the Dark Web, can help cybersecurity professionals keep an eye on Internet chatter related to their business. Spotting the breach before it becomes a big media story can have a huge impact on the overall cost of the breach and the long-term reputation of the company.
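What an automated search for leaked material has to do, once the pages have been collected, is decide which of them actually belong to your organization. The following added example shows the matching step: a small set of organization-specific “fingerprints” (an e-mail domain, an internal hostname convention, project codenames, and a generic private-key header) scored against scraped text so that a gist holding an internal hostname and a key block ranks above a paste that merely mentions a corporate e-mail address. This is illustrative code written for this article, not Media Sonar’s product or code from the original post; the domain `examplecorp.test`, the codename, the `.corp.` hostname convention and all sample documents are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    name: str
    pattern: re.Pattern
    weight: int  # how strongly a match indicates the text is ours


def build_fingerprints(org_domain, codenames):
    """Build the watch-list for one organization (domain and codenames are assumptions)."""
    domain = re.escape(org_domain)
    fps = [
        # Corporate e-mail addresses: weak on their own, they appear in public signatures too.
        Fingerprint("corporate-email", re.compile(rf"[\w.+-]+@{domain}\b", re.I), 2),
        # Internal hostnames such as db01.corp.examplecorp.test rarely appear legitimately.
        Fingerprint("internal-hostname", re.compile(rf"\b[\w-]+\.corp\.{domain}\b", re.I), 3),
        # A private-key block next to anything of ours is the strongest signal.
        Fingerprint("private-key-block",
                    re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), 5),
    ]
    for codename in codenames:
        fps.append(Fingerprint(f"codename:{codename}",
                               re.compile(rf"\b{re.escape(codename)}\b", re.I), 2))
    return fps


@dataclass
class Hit:
    source: str
    score: int
    matched: list


def scan(documents, fingerprints, min_score=3):
    """Score each scraped document; report those at or above min_score, strongest first."""
    hits = []
    for source, text in documents.items():
        matched = [fp for fp in fingerprints if fp.pattern.search(text)]
        score = sum(fp.weight for fp in matched)
        if score >= min_score:
            hits.append(Hit(source, score, [fp.name for fp in matched]))
    hits.sort(key=lambda h: h.score, reverse=True)
    return hits


# Constructed sample of collected pages, keyed by a made-up source identifier.
SAMPLE_DOCUMENTS = {
    "gist-1234": (
        "deploy notes\n"
        "host: db01.corp.examplecorp.test\n"
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEA... (constructed, not a real key)\n"
    ),
    "paste-5678": "contact j.doe@examplecorp.test about the invoice",
    "forum-post-7": "Project Bluefin slides leaked, ask a.smith@examplecorp.test",
    "blog-42": "Unrelated article about fishing in British Columbia",
}


def demo():
    fps = build_fingerprints("examplecorp.test", ["Project Bluefin"])
    return scan(SAMPLE_DOCUMENTS, fps)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit.source:14} score={hit.score:2}  {', '.join(hit.matched)}")
```

In the constructed sample the gist scores 8 (hostname plus key block), the forum post scores 4 (codename plus e-mail), and the lone e-mail address in the paste stays below the reporting threshold. Weighting is what keeps the analyst queue useful: a single corporate address on the public web is noise, but an internal hostname or key block beside it is something to investigate the same day.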

Media Sonar software, trusted by law enforcement for over 6 years to combat a range of physical and cybercrimes, provides cybersecurity professionals with the ability to detect and investigate threat actors including insiders, attack tactics, and potentially spot instances of breached data online. Our software helps cybersecurity professionals expand their role within the organization and levels the playing field between them and cybercriminals, insider or imposter.
