Insider threat detection and identification is the process by which persons who might present an insider threat risk due to their observable, concerning behaviors come to the attention of an organization or insider threat team. Detecting and identifying potential insider threats requires both human and technological elements.

An organization’s own personnel is an invaluable resource to observe behaviors of concern, as are those who are close to the individual including family, friends, and co-workers. People within the organization may usually understand an individual’s life events and related stressors and may be able to put concerning behaviors into context. Vulnerabilities can also be detected through technologies employed in combination with human sensors to detect and prevent insider threats.

Insider Characteristics

A report from the Carnegie Mellon University Software Engineering Institute’s conducted on incidents that occurred across the critical infrastructure sectors between 2012 and 2020 were studied and revealed that most of the insiders were former employees.

• At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were current employees or contractors.
• The former employees or contractors left their positions for a variety of reasons. These included the insiders being fired (48%), resigning (38%), and being laid off (7%).

Most insiders were either previously or currently employed full-time in a technical position within the organization.

• 77% of insiders were full-time employees of the affected organizations, either before or during the incidents. 8% worked part-time, and an additional 8% had been hired as contractors or consultants. 4% of the insiders worked as temporary employees, and one 2% were hired as subcontractors.
• 86% of the insiders were employed in technical positions, which included system administrators (38%), programmers (21%), engineers (14%), and IT specialists (14%). Of the insiders not holding technical positions, 10% were employed in a professional position, which included, among others, insiders employed as editors, managers, and auditors. An additional 4% worked in service positions, both of whom worked as customer service representatives.

Insiders were demographically varied with regard to age, racial and ethnic background, gender, and marital status.

• The insiders ranged in age from 17 to 60 years (mean age ~ 32 years) and represented a variety of racial and ethnic backgrounds.
• 96% of the insiders were male.
• 49% were married at the time of the incident, while 45% were single, having never married, and 4% were divorced. Just under one-third of the insiders had an arrest history.
• 30% of the insiders had been arrested previously, including arrests for violent offenses (18%), alcohol or drug related offenses (11%), and nonfinancial/fraud related theft offenses (11%).

Insider Threat Warning Signs

Insider threats that result in data breaches can cause significant damages to both the reputation and bottom line of an organization. It is therefore vitally important to know if your organization is at risk. Here are 8 signs or types of insider threat that could signal that you may be the next victim of a pesky insider threat.

• Employees about to Leave your organization

Employees that hands in their leave notice, are on gardening leave or have just been fired, are good candidate to data security. If the parting is on rocky terms, then a leaving employee may be tempted to abuse their privileges for personal gain, or to hurt the company.

The best way to tackle this threat is through interdepartmental communication. The relevant department should immediately inform both HR and the IT/Security team that this user is leaving. The IT/Security team can then take immediate and appropriate steps to revoke the employee’s access to sensitive data.

• Employees Accessing Sensitive Data

If you have systems in place to monitor permission and access to sensitive data within your organization (and you should as a best practice) you will be aware of which of your users currently have access and when these permissions change.

As a rule of thumb, best practice requires organizations to limit access to sensitive data as much as possible. Employees with elevated permissions right to sensitive data need to be monitored closely, even if they are administrators or C-Level executives. Anyone who is accessing sensitive data is a potential threat, even if they would never intentionally harm the organization.

• Organizational Changes

There are periods in an organization’s lifecycle that open doors to insider threats. For instance, your business is undergoing major changes (acquisitions, redundancies, structural changes). In these circumstances, special attention should be put on insider threat detection and prevention.

Users may intentionally use the confusion and chaotic nature of major organizational changes to undertake malicious activities. Similarly, something like a major structural change could lead to users having excessive permissions to sensitive data; drastically increasing the risk of an insider threat.

• Privilege Escalation

 It can be challenging for a regular user to harm an organization because their access rights are usually limited. Challenging, but not impossible. Without proper access management, a trusted user can gain enough privileges to access — and abuse — protected resources. Another way to escalate access privileges is by exploiting vulnerabilities and configuration errors in security software. These actions can point to privilege escalation: 

1. Frequent and unnecessary access requests
2. Unusual interest in data and projects that a user can’t access
3. Lateral movement in the network
4. Installing unauthorized software and administrative tool

• Unusual Outbound Traffic

IT Business Edge places unusual outbound traffic patterns among the most telltale signs that something is awry. This high volume of traffic can result from criminals using your applications to communicate externally. It may also indicate the transfer of data. Monitoring traffic patterns on a regular basis can be a crucial way to quickly detect suspicious activities.

• Employee Behaving Strangely

If an employee intent to become a premeditated, malicious insider threat then there may well be physical warning signs. Perhaps he / she is visibly unhappy at work, complaining about financial troubles, acting in an unprofessional manner, or suddenly working unusual hours (such as at the weekend or very late at night).

If you spot a user that is very openly behaving in a strange way or being derogatory towards the organization, chances of them being the cause of a data breach improve drastically. It is always a good idea to keep an eye on what these users are getting up to as far as your data is concerned.

• Increased Failed File Reads on your System

High numbers of failed file reads are an indication that a user is attempting to access data they don’t have the necessary permissions. In some cases, a user could be trying to gain access to a file that contains valuable data to copy, move or modify.

Ideally, your organization should have systems capable of setting threshold alerts to notify you whenever many failed file reads occur over a short period of time. You should also be able to detect when a user attempts to access a file for the first time.

• Critical File Changes

Upon gaining entrance to an organization’s network, cybercriminals may modify, change, delete, or replace critical system files to prolong detection. These changes may be applied very quickly. Verizon reports that most data breaches are completed in “minutes” or less. Unless your organization is actively monitoring critical system files for negative changes, these clear signs of data breach can go undetected for long periods of time.

There can be important number of changes to critical files daily, particularly for large organizations or companies with complex IT infrastructures. Having the ability to distinguish between normal changes and changes indicative of a data breach in progress is crucial. Your organization needs the technical ability or expertise to distinguish between positive, neutral, and negative changes in real-time.

Summary

In summary, although insiders in this report tended to be former technical employees, there is no demographic “profile” of a malicious insider. Ages of perpetrators ranged from late teens to retirement. Both men and women were malicious insiders. Their positions included programmers, graphic artists, system and network administrators, managers, and executives. They were currently employed and recently terminated employees, contractors, and temporary employees. As such, security awareness training needs to encourage employees to identify malicious insiders by behavior, not by stereotypical characteristics.

For example, behaviors that should be a source of concern include making threats against the organization, bragging about the damage one could do to the organization, or discussing plans to work against the organization. Also, of concern are attempts to gain other employees’ passwords and to fraudulently obtain access through trickery or exploitation of a trusted relationship.