Insider Threats: Who, What, Why, How
Employees conducting attacks on their own employers – known as insider threats – are becoming increasingly common and costly. According to a CA report, over 50% of organizations suffered an insider threat-based attack in the previous 12 months, while 25% say they are suffering attacks more frequently than in the previous year. 90% of those organizations claimed to feel vulnerable to insider threats.
Insider threats can take the form of the accidental insider who inadvertently leaks information, the imposter who is really an outsider using stolen credentials, or the malicious insider who wants revenge or money. While spotting internal threats can be difficult, there are warning signs that can alert the organization to a potential incident before data has left the boundaries of the network.
These attacks can be costly. According to Ponemon, a successful malicious insider attack costs an average of $600,000. These attacks can come in all shapes and sizes, from all classes of employees.
A key part of creating a risk profile of potential insider threats is knowing who the likely perpetrators are, what data they may be targeting and why. This will enable your company to put greater restrictions on potential threat actors and more controls on vulnerable data.
An older study from 2013 by the Centre for the Protection of National Infrastructure found insider attacks were more likely to be committed by men aged 31 to 45. Attacks were more likely to be from permanent staff than contractors or partners, and the majority of insider attacks were committed by employees who had been at the company for less than 5 years. A study by Carnegie Mellon University found that insiders usually act alone, but when there is collusion, whether willingly or as a result of social engineering, attacks will be almost 4 times longer than those committed by a single insider.
Why do insiders attack? The usual reason is financial gain. Either someone is offering money for certain information, or they believe they can sell it online. Sometimes the motive will be revenge for a slight against them. It may be in retaliation for receiving a warning, disciplinary action or a poor performance review, being passed over for a promotion or project, disagreements around salaries or bonuses, or being laid off. Sometimes it will be for a career benefit, for example taking customer contact details or valuable intellectual property (IP) to a new employer.
“For a lot of people, it’s about the contacts they make and how that could be useful in their new job – they see this as ‘their information’, not the company’s,” says Dr. Guy Bunker, senior vice president of products at Clearswift. “So, they will take copies of the information which could be useful: people’s names, emails, telephone numbers, information on deals done or opportunities.”
Common failures or issues that enable insider attacks to succeed include:
- Excessive access privileges
- A growing number of devices and locations with access to sensitive data – such as mobile devices and cloud-based offerings – that often exist beyond companies’ networks and are harder to track and control
- A growing number of third parties with access to network data
- The use of external storage such as USB drives
- Poor control over apps not approved by IT, such as Dropbox
Poor controls around access can also be a factor. A report from Varonis found that 21% of all folders inside organizations are open for everyone in the company to access, while at least a third of companies have 1,000 sensitive folders open to everyone.
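The Varonis figure is easy to reproduce for your own file servers. The script below is an added example (not from the article, Varonis or any vendor): it walks a share and reports every directory whose POSIX "other" bits are set, which is the Unix equivalent of a folder open to everyone in the company. It assumes a POSIX filesystem and mode bits; a Windows share would need the same walk over ACLs checking for the Everyone and Authenticated Users SIDs instead. The sample tree it builds under a temporary directory is constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Optional


def world_bits(mode: int) -> Optional[str]:
    """Return the subset of 'rwx' granted to the 'other' class, or None if none is set."""
    flags = ""
    if mode & stat.S_IROTH:
        flags += "r"   # anyone can list the directory
    if mode & stat.S_IWOTH:
        flags += "w"   # anyone can create, rename or delete entries in it
    if mode & stat.S_IXOTH:
        flags += "x"   # anyone can traverse into it
    return flags or None


def audit_open_dirs(root: str) -> Dict[str, object]:
    """Walk `root` and report every directory whose 'other' bits are set.

    Returns {"total": <dirs seen>, "open": {relative path: bits}, "open_fraction": float}.
    """
    total = 0
    open_dirs: Dict[str, str] = {}
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)   # lstat: a symlink to /tmp must not look like an open share
            if not stat.S_ISDIR(st.st_mode):
                continue
            total += 1
            bits = world_bits(st.st_mode)
            if bits:
                open_dirs[os.path.relpath(full, root)] = bits
    return {
        "total": total,
        "open": open_dirs,
        "open_fraction": len(open_dirs) / total if total else 0.0,
    }


def build_sample_share() -> str:
    """Constructed sample share (not a real environment): five directories, two open to everyone."""
    root = tempfile.mkdtemp(prefix="share_")
    layout = {
        "finance": 0o750,           # owner + group only
        "finance/payroll": 0o770,   # owner + group only
        "hr": 0o755,                # everyone can list and traverse: finding
        "marketing": 0o750,         # owner + group only
        "marketing/drafts": 0o777,  # everyone can write: finding
    }
    for rel in layout:
        Path(root, rel).mkdir(parents=True, exist_ok=True)
    for rel, mode in layout.items():
        os.chmod(Path(root, rel), mode)   # set explicitly so the umask cannot skew the result
    return root


if __name__ == "__main__":
    report = audit_open_dirs(build_sample_share())
    for path, bits in sorted(report["open"].items()):
        print(f"OPEN {bits:<3} {path}")
    print(f"{report['open_fraction']:.0%} of {report['total']} directories are open to everyone")
```

Run it against a real mount point instead of the constructed tree and the "open_fraction" is the number to compare with the 21% above; the "w" findings are the ones to fix first, since a world-writable folder lets any insider plant or replace files as well as read them.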
Given the easy access to large amounts of storage and increasingly fast internet speeds, it can be trivial for an insider to move data off-site. A Cisco study of data exfiltration from the cloud found that just 750 malicious users were able to exfiltrate 3.9 million documents from corporate cloud systems (an average of 5,200 each) during a 6-week period.
All types of data can therefore be at risk from insider threats. The CA report found that confidential business information such as financials and customer or employee data was the most vulnerable, followed by privileged account information such as passwords, personally identifiable and health information (both of which are heavily regulated), and then intellectual property.
Examples of notable insider threats
Perhaps the most well-known insider attack was by Edward Snowden, a contractor who leaked thousands of documents revealing how the National Security Agency (NSA) and other intelligence agencies operate. Another famous insider, Chelsea Manning, leaked a large cache of military documents to WikiLeaks.
Another example is Anthony Levandowski. The founder of the self-driving truck start-up Otto reportedly stole 14,000 files from Google’s Waymo autonomous car project to start his own company. The move cost Otto’s acquirer, Uber, heavily and resulted in the company handing a stake in its business to Google.
However, not all insider threats involve such big names or hit the headlines. Stephan Jou, CTO at security analytics company Interset, saw one customer suffer a raft of insider threats.
“An employee (who was on a termination list) took dozens of screenshots of proprietary source code and other IP and subsequently emailed those screenshots to their personal account,” he said. “At the same firm, a disgruntled employee emailed 500MB of sensitive data to personal email accounts and tried to hide the data exfiltration by spreading the activity across three different personal email accounts. In a third instance, a different employee copied more than 2GB of data onto a USB drive and emailed additional data to a personal email account.”
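The second case Jou describes, one dump split across three personal mailboxes, is aimed at a rule that judges each message on its own: no single message is large enough to alert. The detection below is an added example (not from the article or from Interset) of the aggregation that defeats that trick: it keys on the sender, sums bytes to any non-corporate recipient over a sliding look-back window, and alerts on the total. The corporate domain, the thresholds and the gateway log lines are all constructed for the example; the record layout is assumed, not any particular product's format.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed for this example: the organisation's own mail domain and the thresholds.
CORPORATE_DOMAINS = {"example-corp.com"}
PER_MESSAGE_LIMIT = 200 * 1024 * 1024   # naive DLP rule: alert on any single message above 200 MB
WINDOW = timedelta(hours=24)            # look-back window for the per-sender aggregate
AGGREGATE_LIMIT = 400 * 1024 * 1024     # alert when one sender moves more than 400 MB out in the window

# Constructed outbound-mail gateway log (not real data):
# <ISO timestamp> <sender> <recipient> <attachment bytes>
SAMPLE_LOG = """\
2024-03-02T09:12:05 jdoe@example-corp.com partner@supplier-example.net 20480
2024-03-04T18:40:11 jdoe@example-corp.com jdoe.private@mail-example.com 180000000
2024-03-04T18:52:30 jdoe@example-corp.com j.doe.backup@mail-example.org 170000000
2024-03-04T19:03:57 jdoe@example-corp.com johnd1984@mail-example.net 175000000
2024-03-04T19:10:00 jdoe@example-corp.com colleague@example-corp.com 300000000
2024-03-05T10:00:00 asmith@example-corp.com asmith.home@mail-example.com 90000000
"""

Record = Tuple[datetime, str, str, int]


def parse_log(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, size = line.split()
        records.append((datetime.fromisoformat(ts), sender, recipient, int(size)))
    return records


def is_external(address: str, corporate_domains=CORPORATE_DOMAINS) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in corporate_domains


def per_message_alerts(records: List[Record], limit: int = PER_MESSAGE_LIMIT) -> List[Record]:
    """The naive rule: one message at a time, external recipient, size over the limit."""
    return [r for r in records if is_external(r[2]) and r[3] > limit]


def flag_exfiltration(records: List[Record], window: timedelta = WINDOW,
                      limit: int = AGGREGATE_LIMIT) -> Dict[str, dict]:
    """Per-sender sliding-window sum of bytes sent to external recipients.

    Splitting a dump across several personal mailboxes changes the recipient, not the
    sender, so the aggregate still trips. Returns the first window that exceeded `limit`.
    """
    external = defaultdict(list)
    for ts, sender, recipient, size in records:
        if is_external(recipient):
            external[sender].append((ts, recipient, size))

    findings = {}
    for sender, events in external.items():
        events.sort()
        start, total = 0, 0
        for end, (ts, recipient, size) in enumerate(events):
            total += size
            while ts - events[start][0] > window:   # slide the left edge of the window forward
                total -= events[start][2]
                start += 1
            if total > limit:
                hit = events[start:end + 1]
                findings[sender] = {
                    "bytes": total,
                    "messages": len(hit),
                    "recipients": sorted({r for _, r, _ in hit}),
                    "window_start": hit[0][0],
                    "window_end": ts,
                }
                break
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("per-message alerts:", len(per_message_alerts(recs)))
    for sender, f in flag_exfiltration(recs).items():
        print(f"{sender}: {f['bytes'] / 1e6:.0f} MB in {f['messages']} messages to {f['recipients']}")
```

On the constructed log the per-message rule fires zero times, while the aggregate flags jdoe's three evening messages (525 MB to three different personal domains inside 24 minutes) and ignores both the 300 MB internal transfer and the partner message from two days earlier. The same shape of rule, keyed on sender and summing attachment count instead of bytes, covers the screenshot case, and keyed on user and summing bytes written to removable media it covers the USB case.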
Furthermore, Dr. Giovanni Vigna, co-founder and CTO at Lastline, spoke of an incident at a fashion design company, which detected an unusual connection to a host in China. After investigation, this connection was found to be part of a plan to steal proprietary designs and create knock-offs in China.