A look back at Insider Threat Month: advice from industry experts.
The CyberWire, Sep 30, 2022

Industry leaders discuss insider threats as National Insider Threat Awareness month comes to a close.


September was National Insider Threat Awareness month. As September comes to a close, we’ve rounded up some commentary from cybersecurity and IT experts on insider threats.

The importance of having a security program.

Raffael Marty, EVP and GM Cybersecurity at ConnectWise, gives his thoughts on preventing and stopping insider crime: “To effectively prevent and stop insider crime, organizations need to have a comprehensive security program in place that focuses on both preparedness and visibility. Preparedness means having a plan in place for the day something happens. It should cover the playbooks for how to react in case of relevant organizational events and security-relevant incidents - from what to do when an employee leaves the organization, to the specific procedures enacted in the event of an electronic threat such as ransomware or a denial-of-service attack. Visibility, on the other hand, means being able to identify and effectively react to potential adverse actions. Monitoring devices can help organizations achieve greater visibility, but that’s only the first step. Visibility also expands into understanding what employees are doing and how they are interacting with an organization’s sensitive data. Lastly, and perhaps most importantly, organizations must make sure employees are trained on cybersecurity issues like phishing, which is still one of the main initial vectors of attacks. That’s why Insider Threat Awareness Month is so important for organizations of every size, despite the fact that the topic comes up most often in the context of larger organizations.”

Data as downfall.

Amit Shaked, CEO and co-founder at Laminar, offers some insight on cloud data security: “An organization’s data is its greatest asset, but also its biggest potential downfall. With the cloud allowing data to be spread around to various places data protection teams may not even be tracking, it has opened companies up to even more risk than ever before by creating what is known as ‘shadow data.’ Shadow data refers to an organization’s data that is not copied, backed up or housed in a data store that is not governed, under the same security structure, nor kept up to date. This data is a big target for insider threat incidents because if it is exfiltrated, it goes under the radar of traditional data protection tools.

“According to recent research, more than half of organizations don’t have a public cloud data security tool in place to monitor for insider threats and data exfiltration, and more than a third can’t tell whether an internal employee has ever accidentally or maliciously accessed sensitive data. The key to preventing insider threat incidents in these environments and preventing malicious, accidental or compromised insiders from taking advantage of shadow data is using a cloud-native data security platform that uses the dual approach of visibility and protection. Doing so allows data security teams to know for certain which data stores are valuable targets to both inside and outside adversaries and ensure proper controls, which allows for the quicker discovery of data leakage.” 

Renata Budko, Head of Product at Traceable, gives insight into API security technology: “National Insider Threat Awareness Month helps demonstrate why it is so crucial to protect against, identify, and reduce the harm caused by insider threats. Whether there are internal and external bad actors committing ransomware or other forms of dangerous malware attacks, insider threats are a significant problem that needs to be addressed with a 360-degree perspective. This is important as the cost of these attacks is not just calculated in terms of ransomware payments, but also includes the nearly unfathomable cost of operations disruption, lost sales, legal costs, legal penalties, insurance rate increases, and/or a decline in customer confidence.

“A new shift has occurred within the software development industry where APIs are presenting new attack surfaces and therefore new opportunities for hackers. A way to protect against these insider threats is through API security technology that identifies APIs, assesses API risk posture, prevents API assaults, and offers deep analytics for threat hunting and forensic investigation. With distributed tracing and machine learning models for API security across the full development lifecycle, organizations may be more secure and resilient by using visual representations to analyze user and API patterns, identify anomalies, and stop API assaults.”

Surya Varanasi, CTO at StorCentric, speaks about backup data: “This September 2022 marks the fourth annual National Insider Threat Awareness month. It aims to shine a spotlight on the critical importance of defending against, detecting and mitigating damages from insider threats. Indeed ransomware and other types of malicious malware attacks are not only perpetrated by external cybercriminals, but internal bad actors as well. And, the expense is not only measured in ransomware payments, but also the almost incalculable cost of operations downtime, lost revenue, legal fees, regulatory compliance penalties, a rise in insurance premiums, and/or a loss of customer trust.

“The need to backup data has become ubiquitous. But now, as ransomware and other malware attacks continue to increase in severity and sophistication, we understand the need to protect backed up data by making it immutable and by eliminating any way that data can be deleted or corrupted.

“What is required is an Unbreakable Backup solution that is able to create an immutable, object-locked format, and then takes it a step further by storing the admin keys in another location entirely for added protection. Additionally, the Unbreakable Backup solution should include policy-driven data integrity checks that can scrub the data for faults, and auto-heals without any user intervention. Ideally, it should also deliver high availability with dual controllers and RAID-based protection that can provide data access in the event of component failure. In deployment of such a solution, recovery of data will also be faster because RAID-protected disk arrays are able to read faster than they can write. With an Unbreakable Backup solution that encompasses these capabilities, users can ease their worry about their ability to recover — and redirect their time and attention to activities that more directly impact the organization’s bottom-line objectives.”

Brian Dunagan, vice president of engineering at Retrospect, talks about backup data, but with anomaly detection:

“During National Insider Threat Awareness month we are reminded of the multitude of reasons a sound data backup strategy and proven solutions are critical. Given today’s economic and geopolitical climate it is a given that at some point virtually all organizations will suffer a successful cyber-attack, be it from internal or external forces. Given this inevitability, it makes sense that the end customers I speak with, whether they are from private, public, or government organizations, are putting an increasing focus on their ability to detect and recover as quickly, cost-effectively and painlessly as possible.

“A backup solution that includes anomaly detection to identify changes in an environment that warrant the attention of IT is a must. Administrators must be able to tailor anomaly detection to their business’s specific systems and workflows, with capabilities such as customizable filtering and thresholds for each of their backup policies. And, those anomalies must be immediately reported to management, as well as aggregated for future ML/analyzing purposes.

“Certainly, the next step after detecting the anomaly is providing the ability to recover in the event of a successful ransomware attack. This is best accomplished with an immutable backup copy of data (a.k.a., object locking) which makes certain that the data backup cannot be altered or changed in any way.”

Neil Jones, director of cybersecurity evangelism at Egnyte, discusses the threat of data leakage: “While cyberattacks are hardly a new phenomenon, they have grown in sophistication in recent years, leaving many organizations vulnerable. However, while vigilant organizations have stepped up their protection measures, many risk overlooking an important contributor to cyber attacks: insider threats. 

“Accounting for roughly 22% of security incidents, insider threats come from those within an organization, such as employees or business associates. While not always malicious, insider threats can be even more devastating than external attacks, because authenticated insiders are able to gain access to a much wider playing field than the average cyber-attacker. 

“Common contributors to insider attacks are employee turnover, poor data governance controls and user negligence. Examples can include the following: a current employee accidentally sharing confidential information with a third party, an ex-employee downloading files to take to their new job at a competitor, or a former business associate sharing privileged company insights publicly to embarrass the organization. Ransomware gangs also sometimes work with company employees directly to facilitate attacks. Whatever the cause, the impact can be significant, which is why companies must assume that everyone is a potential insider threat.

“Considering there was a 47% increase in insider threats between 2018 and 2020, organisations need to do more to protect against this growing threat. Utilizing a data governance platform that leverages machine learning is a good first step to prevent ‘data leakage,’ as this ensures users have access to sensitive information on a ‘need to know’ basis. For example, there’s no reason that everyone at the company should have access to financial growth plans or HR documents listing sensitive employee information without at least justifying their request first. Limiting file access and offering holistic awareness training will be key in combating negligence and curbing the spread of internal information.

“This Insider Threat Awareness Month, and always, organizations should take a proactive approach that detects misuse before it’s too late.”

Identity management, social engineering, and fakes (whether deep or shallow).

Gunnar Peterson, CISO at Forter, offers advice about credential and identity management:

“When people think of insider threats, oftentimes their mind immediately goes to a malicious employee out for financial gains. However, the more dangerous instance (and often overlooked) is the compromised insider. A compromised insider or account takeover (ATO) is a user whose account credentials have been harvested by an adversary via phishing or similar tactics who then has easy access to sensitive company systems or assets.  

“With security researchers warning that phishers are having ‘remarkable’ success using text messages to steal remote access credentials and one-time passcodes from employees at some of the world’s largest tech companies and customer support firms, we will likely begin to see compromised insider incidents on the rise.

“This Insider Threat Awareness Month, I want to remind security teams across all industries that the simplest defenses in our toolbelt, credential and identity management, can be the difference between a secure system and a headline-grabbing breach.

“Many breaches are the result of businesses relying on automated access control and realizing too late when a user has been hijacked. With some of the new phishing scams around, the adversaries are using Telegram instant message bots to forward submitted credentials in real-time, allowing the attackers to use the compromised credentials and one-time code to log in as the employee.

“To succeed against ATO attacks and prevent compromised insider incidents, organizations must build robust identity management systems and invest resources into building a learning system that evolves to identify anomalous user activity. Doing so can leave organizations protected from insider threats year round.”

Martin Rehak, CEO and founder at Resistant AI, says that shallowfakes are a threat: “Shallowfakes—the dilemma facing insurers dealing with increased digital document fraud.

“Fraud continues to be a serious threat to the insurance industry. 

“Contributing to this fraudulent scenario are so-called ‘deepfakes’. But while these have become increasingly prevalent in fraudulent insurance claims, the insurance industry is now seeing more of what are called ‘shallowfakes’.

“The difference between deepfakes and shallowfakes is that while deepfakes require AI to create them, shallowfakes can be created using only basic photo editing software, such as Photoshop.

“While shallowfakes don’t require AI to create them, AI can significantly increase the chances of detecting them. The use of AI solutions—combined with human instinct, attention to detail, and awareness and knowledge to check the validity of what is being processed—can prove a win-win for detecting fraudulent documentation.

“The cost of inaction to the insurance industry may be high. In all likelihood, few if any insurance firms have yet addressed the growing threat posed by shallowfakes. Yet it should be a high priority for them—without immediate action being taken to mitigate the impact of shallowfakes, they could be a threat that is hard to stop.”

Who can become an insider threat?

Matt Rider, VP of security engineering EMEA at Exabeam, offers insight into different types of insiders that can be a threat: “Although responsible for 22% of all security incidents (according to DBIR 2021), insider threats are not all one and the same. They come in an array of shapes and sizes and each one can threaten the security of an organization in a unique way. It is helpful therefore to break these down into three distinct categories: malicious, compromised, and negligent.

“The ‘malicious insider’ is an employee who intentionally steals data, either for personal gain or to negatively impact the organization involved - mature security organizations will ensure that they work closely with HR teams to help identify and monitor potentially malicious insiders. A ‘compromised insider’, however, generally acts without malice and usually has no idea they’ve been compromised. All it takes is clicking on a link in a phishing email or opening an infected file and their credentials can become compromised. Finally, a ‘careless’ or ‘negligent insider’ is someone who leaves their laptop on the train, walks away from their unlocked workstation, or simply fails to follow cybersecurity best practices. These individuals can be particularly challenging, because their actions are very hard to predict and defend against.

“While improving general awareness of insider threats can help address some of the core risks, there are numerous other preventative steps that many organizations still don’t apply as rigorously as they should. First and foremost, organizations need to invest in relevant cybersecurity training for all employees. Next, businesses should invest wisely in technology solutions and infrastructure that enables them to see the whole picture and address the challenge of insider threats. From a technology perspective, one of the most potent weapons currently available is user and entity behavior analytics (UEBA), which allows an organization to create a baseline of ‘normal activity’ and thus flag any major deviations as potential security alerts, which security teams can then investigate.” 
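The UEBA approach Rider describes, a per-user baseline of ‘normal activity’ with deviations flagged for analyst review, is easy to prototype. The following is an added illustration written for this page, not Exabeam's product logic: the events, users, hours, countries and download volumes are constructed, and the three deviation rules (login hour outside the user's history, new source country, download volume more than three standard deviations above the user's mean) are assumptions chosen for the example.

```python
"""UEBA-style baselining: profile each user from a training window, then score new events.

Added example for this page; not Exabeam's product logic. All events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str
    day: int             # day index in the observation window
    hour: int            # 0-23, local time of the login
    country: str         # geolocated source of the session
    mb_downloaded: int   # volume pulled from the file share during the session


# Constructed sample: 14 days of routine activity for two users.
BASELINE_EVENTS = (
    [Event("alice", d, 9 + (d % 3), "US", 40 + (d % 5) * 2) for d in range(14)]
    + [Event("bob", d, 8 + (d % 2), "DE", 20 + (d % 4)) for d in range(14)]
)

# Constructed sample for the day under review.
NEW_EVENTS = [
    Event("alice", 14, 10, "US", 44),   # routine
    Event("bob", 14, 2, "DE", 1800),    # 2 a.m. login, roughly 90x the usual volume
    Event("alice", 14, 9, "RO", 41),    # source country never seen for this user
]


def build_baseline(events):
    """Per-user profile: usual login hours, usual countries, download mean and stdev."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    profile = {}
    for user, evs in by_user.items():
        volumes = [e.mb_downloaded for e in evs]
        profile[user] = {
            "hours": {e.hour for e in evs},
            "countries": {e.country for e in evs},
            "vol_mean": mean(volumes),
            "vol_std": pstdev(volumes) or 1.0,  # flat history: avoid division by zero
        }
    return profile


def score_event(e, profile, z_threshold=3.0):
    """Return the reasons an event deviates from its user's baseline (empty list = normal)."""
    p = profile.get(e.user)
    if p is None:
        return ["no baseline for user"]   # unknown account: always worth a look
    reasons = []
    # Hour rule: not in history and not adjacent to any historical hour.
    if e.hour not in p["hours"] and all(abs(e.hour - h) > 1 for h in p["hours"]):
        reasons.append(f"unusual hour {e.hour:02d}:00")
    if e.country not in p["countries"]:
        reasons.append(f"new source country {e.country}")
    z = (e.mb_downloaded - p["vol_mean"]) / p["vol_std"]
    if z > z_threshold:
        reasons.append(f"download volume z={z:.1f}")
    return reasons


def detect(new_events, profile):
    """Return (user, day, reasons) for every event with at least one deviation."""
    alerts = []
    for e in new_events:
        reasons = score_event(e, profile)
        if reasons:
            alerts.append((e.user, e.day, reasons))
    return alerts


if __name__ == "__main__":
    prof = build_baseline(BASELINE_EVENTS)
    for user, day, why in detect(NEW_EVENTS, prof):
        print(f"ALERT day {day} user={user}: {'; '.join(why)}")
```

The baseline is recomputed from a rolling window in practice, and the alert is a triage queue entry rather than a verdict: Bob's 2 a.m. bulk download and Alice's login from a new country are both things an analyst should look at, not proof of wrongdoing.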

Dalia Hamzeh, Senior Principal Enterprise Security Program Manager at Progress, discusses the threat of employee negligence and the importance of education: “Insider threat is commonly associated with malicious intent, but statistics continue to prove that attacks resulting from employee negligence, a type of insider threat, are much more likely to be the source of a security incident. These threats could include an employee downloading pirated software on a company device that contains malware or reusing a corporate password on personal accounts. Training your organization’s workforce to identify suspicious insider behavior, and reinforcement of those efforts, should be a key initiative year-over-year. Additionally, an organization’s awareness agenda should be sure to include role- or team-specific training for employees to detect the less obvious threats – such as timely review of employee terminations and access or the software employees are downloading.

“When employees are educated on specific indicators of insider threats and the damaging impact they potentially have, they’re more likely to notice and report them. It’s also important to build a culture in your organization where employees are encouraged, and feel comfortable, to flag potential threats to the cybersecurity team.”

Richard Barretto, Chief Information Security Officer at Progress, talks about the importance of staying connected with remote employees: “Recognizing Insider Threat Awareness Month is a great way to open lines of communication within your organization to combat insider risks. The remote work shift has catalyzed and changed the way we look at insider threats. What we once considered ‘insider,’ within the walls of our organization, has theoretically disappeared. That’s why in today’s age of remote connections, it’s more important than ever for organizations to take the vital actions needed to protect and defend against them. This means posturing your security and network architecture as if every person and device is a hostile threat.

“The goal here is to segment access and protected information across your corporate network and have the necessary controls in place to equip your organization to identify and mitigate those threats at lightning speeds. Adopting this Zero Trust Model—granting least-privileged access, implementing sign-on verification measures where possible and practicing good cyber hygiene—should be considered a top priority for every organization in 2022. It’s also important for organizations to have an early warning system for WFH employees and ability to remotely manage their employee devices in the case there has been a compromise and a device needs to be quickly wiped.”

And...think about former employees, and the importance of a good off-boarding.

Added 10.3.22.

The US Attorney's Office for the District of Hawaii announced, on September 28th, that a Honolulu man pleaded guilty "to sabotaging his former employer’s computer network." Casey K. Umetsu, Sr. will be sentenced in January. He'd worked on the IT staff of a financial service company for about two years, and, after leaving the company, he used credentials he'd retained to access his former employer's systems to redirect its web traffic to other sites, effectively crippling both its websites and its email. His goal was to get himself rehired at a higher salary. “Umetsu criminally abused the special access privileges given to him by his employer to disrupt its network operations for personal gain,” US Attorney Clare E. Connors said in the statement. “Those who compromise the security of a computer network – whether government, business, or personal – will be investigated and prosecuted, including technology personnel whose access was granted by the victim.”

Chad McDonald, Chief of Staff and CISO of Radiant Logic, commented on the incident, which he sees as an instance of poor identity access management.

“The breach by an IT system administrator on his former employer is another example of enterprises continuing to practice poor Identity Access Management. As soon as the employee was laid off, his credentials should have been removed from the system and he certainly should not have had access to any area of the network.

"The breach resulted in the company’s website and email being disrupted, however, the impact could have been much more significant. Insider threats are a real and significant problem. A robust identity management program is foundational to mitigating insider risk and should not be overlooked. Additionally, rather than being an ex-employee wanting his job back, it could have been a cyber criminal, who might have stolen personal information, which could have been leaked onto the dark web and led to further cyberattacks on the company, or other crimes being committed such as fraud. Fundamentally, today's enterprise should have a comprehensive information security program that looks at both internal and external risks.  

"This incident should be a wake-up call for all organisations about the importance of Identity Access Management. Organisations must define access levels to identity data based upon risk and justifiable need. A strong identification management system would have recognised that the user was a former employee and had no right to access the network, however, this was clearly not in place.

"Businesses need to look at how they can effectively unify and streamline their identity data to provide complete and accurate user profiles. With visibility across all systems, security teams are then able to update the credentials of users in real-time, giving them absolute control over user access and preventing any disgruntled employees from causing major disruption.”
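The control McDonald is describing is a reconciliation: the HR record of who has left, checked against which directory accounts are still enabled and which of those accounts have actually authenticated since the leaver's last day. The following is an added example written for this page, not Radiant Logic's product and not the evidence from the Umetsu case; the HR roster, the account list, the usernames, the dates and the log lines are all constructed, and the two log formats it parses (an OpenSSH "Accepted ... for USER from HOST" line and a hypothetical VPN "user=... result=SUCCESS src=..." line) are assumptions for the illustration.

```python
"""Offboarding reconciliation: which leavers still have enabled accounts, and which have logged in since leaving?

Added example for this page; not Radiant Logic's product logic. All data below is constructed.
"""
import re
from datetime import date, datetime

# Constructed HR export: username -> last day of employment (None = still employed).
HR_ROSTER = {
    "jdoe": None,
    "exadmin1": date(2022, 6, 30),
    "mlee": date(2022, 8, 15),
}

# Constructed directory export: account state and group membership.
ACCOUNTS = {
    "jdoe": {"enabled": True, "groups": {"staff"}},
    "exadmin1": {"enabled": True, "groups": {"staff", "domain-admins", "dns-admins"}},  # never disabled
    "mlee": {"enabled": False, "groups": {"staff"}},
}

# Constructed authentication log (ISO timestamps, OpenSSH and a hypothetical VPN format).
AUTH_LOG = """\
2022-07-02T01:14:09Z sshd[4401]: Accepted publickey for exadmin1 from 203.0.113.7 port 51022
2022-07-02T01:15:30Z vpn: user=exadmin1 result=SUCCESS src=203.0.113.7
2022-07-02T09:00:11Z sshd[4410]: Accepted password for jdoe from 10.0.0.5 port 40112
2022-08-16T08:02:00Z vpn: user=mlee result=FAILURE src=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")
SSH_OK_RE = re.compile(r"Accepted \w+ for (?P<user>\w+) from (?P<src>\S+)")
VPN_OK_RE = re.compile(r"user=(?P<user>\w+) result=SUCCESS src=(?P<src>\S+)")


def parse_success(line):
    """Return (timestamp, user, source) for a successful authentication line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    for pat in (SSH_OK_RE, VPN_OK_RE):
        hit = pat.search(m["rest"])
        if hit:
            return ts, hit["user"], hit["src"]
    return None   # failures and unrelated lines are ignored here


def stale_accounts(roster, accounts, today):
    """Leavers whose last day has passed but whose account is still enabled, with their groups."""
    stale = {}
    for user, last_day in roster.items():
        acct = accounts.get(user)
        if last_day and last_day <= today and acct and acct["enabled"]:
            stale[user] = sorted(acct["groups"])
    return stale


def logins_after_termination(roster, log_text):
    """Successful authentications dated after the user's last day of employment."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_success(line)
        if rec is None:
            continue
        ts, user, src = rec
        last_day = roster.get(user)
        if last_day and ts.date() > last_day:
            hits.append((user, ts.isoformat(), src))
    return hits


if __name__ == "__main__":
    for user, groups in stale_accounts(HR_ROSTER, ACCOUNTS, date(2022, 9, 28)).items():
        print(f"STALE ACCOUNT {user}: still enabled, groups={groups}")
    for user, when, src in logins_after_termination(HR_ROSTER, AUTH_LOG):
        print(f"POST-TERMINATION LOGIN {user} at {when} from {src}")
```

Two things the prose glosses over are visible in the output. The first check is the preventive one and belongs in the leaver workflow itself (disable on the last day, then verify). The second is the detective one and catches what the first missed, including accounts in privileged groups such as the constructed dns-admins here, which matters because the case above involved redirecting web traffic. Shared or vendor-held credentials that never appear in the directory are a gap this reconciliation cannot see; those need their own inventory and rotation at offboarding.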

So, when it comes to former employees, lead them not into temptation.