September is National Insider Threat Awareness Month, which emphasizes the importance of safeguarding enterprise security, national security and more by detecting, deterring and mitigating insider risk.
The risks of espionage, violence, unauthorized disclosure and unknowing insider threat actions are higher than ever; therefore, maintaining effective insider threat programs is critical to reducing any security risks and increasing operational resilience.
National Insider Threat Awareness Month is an opportunity for enterprise security, national security and all security leaders to reflect on the risks posed by insider threats and ensure that an insider threat prevention program is in place and updated continuously to reflect the evolving threat landscape.
Recent examples of insider threats include:
- In August 2022, a federal jury in California convicted Ahmad Abouammo, a former manager at Twitter, of acting as an unregistered agent of Saudi Arabia and other violations. In July 2022, a federal jury in New York convicted former CIA programmer Joshua Schulte of violations stemming from his theft and illegal dissemination of highly classified information. Harboring resentment toward the CIA, the programmer had used his access at CIA to some of the country’s most valuable intelligence-gathering cyber tools to covertly collect these materials and provide them to WikiLeaks, making them known to the public and to U.S. adversaries.
- In June 2022, civilian defense contractor Shapour Moinian pleaded guilty in California to federal charges, admitting that he acted as an unregistered agent of China and accepted money from Chinese government representatives to provide aviation-related information from his U.S. intelligence community and defense contractor employers.
To promote awareness, The Threat Lab and the National Insider Threat Task Force (NITTF) are hosting the third annual Virtual C-InT SBS Summit, a 30-day virtual education, awareness, and training event that looks at hot topics related to cognitive immunity relevant to Counter-Insider Threat professionals’ efforts to detect, mitigate, and prevent concerning behavior.
Below, in honor of National Insider Threat Awareness Month, security leaders offer advice on how to reduce insider threat risks effectively.
Chris Plescia, Chief Technology Evangelist, Aware:
Your employees are both your biggest asset and can present your largest threat. We continue to see an increase in both behavior indicators (changing employee sentiment and the way they are communicating) as well as actual acts where information (IDs, PWs, Screenshots, files) is shared.
I feel much of this can be attributed to the comfort and casualness that everyone has using these digital tools for day-to-day business and personal communications, as well as the fact that it’s very easy to share things (IDs, passwords and screenshots) that contain sensitive information.
Our research shows that 24% of insider threats are inadvertent. Even when one has the best intentions to help a customer or support the business, sharing of inappropriate information, IDs and passwords places the organization at risk. Likewise, 31% of the risk comes from malicious intent to cause harm or damage the reputation of an organization. It is important to be able to identify unanticipated behavior and have internal controls designed to trust but verify.
To mitigate these kinds of actions, we have a few key steps to follow:
1. Choose secure collaboration platform(s) and ensure you have formalized governance and usage policies established.
2. Implement AI-based compliance monitoring to provide visibility, knowledge and insights across the content (both private and public).
3. Have a Team and established processes in place to act upon the alerts at all times.
James Christiansen, CSO VP, Cloud Security Transformation, Netskope:
The ‘Insider threat’ has been one of the greatest threats since the beginning of IT. It’s the risk that never goes away because insider threats involve employees — often the weakest link in any company’s security posture. Employees are not only vulnerable to common attacks or insecure practices (e.g., email phishing), but they have bonafide access to workplace systems and an understanding of internal processes, providing the malicious insider a head start. For example, recent research found that 22% of users upload, create, share or store data in personal apps, creating an ever-increasing amount of data sprawl that puts sensitive company data at risk.
Organizations aren’t required to report internal losses associated with insider losses, meaning this issue is more prevalent than we know. While there is rapid change in technology, there are a few steps to protecting against an insider threat. First, strong background checks, general awareness, and targeted education to high-value employees are key to turning an insider from malicious to benign. Additionally, find ways to leverage analytic systems using strong statistical analysis to better understand normal and unusual behavior. By doing so, we can get better visibility, control, and ability to notify the users of their actions. Lastly, your best security monitor is your fellow staff members. Create a culture whereby if employees see something, they feel comfortable enough to say something.
Rick McElroy, Principal Cybersecurity Strategist, VMware:
As the Great Resignation continues and ‘quiet quitting’ becomes increasingly popular, organizations find themselves at a higher risk for insider attacks. Over the past year, 41% of cybersecurity professionals have encountered attacks involving insiders, according to VMware’s Global IR Threat Report. These findings underscore the increasingly critical nature of talent management when it comes to cybersecurity controls, especially as companies are trying to manage employee turnover, onboarding and the use of non-sanctioned apps and platforms.
It’s critical for CISOs to have visibility into their own network to track insider threat indicators, such as data transfers and accessing unusual resources. This allows for organizations to better protect their proprietary information, and for security teams to more quickly detect insider threats.”
Nabil Hannan, Managing Director, NetSPI:
To account for internal threats, there must be a mindset shift in what constitutes an organization’s threat landscape. Most companies focus exclusively on external threats and view their own people as trustworthy. As a result, insider threats are often under-addressed cybersecurity threats within organizations. We learned with SolarWinds that detecting such a threat is vastly different from traditional pen testing, code review or other vulnerability detection techniques.
Security teams need to move from only looking for vulnerabilities to also looking for suspicious or malicious code. With a vulnerability, the threat actor interacts with the attack surface in a way that exploits a weakness. With malicious code, the threat actor is either choosing or creating the attack surface and functionality because they have control over the system internally.
So, instead of the threat actor exploiting vulnerabilities in the attack surface, now the threat actor creates the attack surface and exercises the functionality that they implement. Failing to implement threat modeling that studies potential threats to both vulnerabilities and malicious code can set your organization up with a false sense of security.
Greg Foss, Principal Cloud Security Researcher, Lacework:
Think of the last employer for whom you worked. Did they have individual or shared accounts for corporate resources? Did access to these services exist outside of the corporate boundary, with no central means of access control? What about programmatic access that isn’t associated with an individual identity? Or better yet, cloud management infrastructure or even just one of the many instances hosted within.
You are not alone if you answered ‘yes’ to any of these questions. Former employees will likely maintain access to some corporate resources, whether they know it or not. It’s not just the insider threat that we must understand, but “the former insider.” A possible recession brings significant uncertainty, resulting in many people with varying access to sensitive resources losing their jobs. Some of which become disgruntled. Organizations must understand their infrastructure, implement robust access controls, and monitor for misuse because once an insider, always an insider.
Mario Orsini, Associate Director, Security, Raytheon Intelligence & Space:
Insider threats can take many forms, but the top categories witnessed are typically: recruited, such as when a foreign entity uses exploitable weaknesses to convince an individual with access to provide information to those who do not have a need-to-know; volunteer, when an individual may choose to sell out their country or organization because of motivators such as greed, disgruntlement, divided loyalties, or ideological reasons; and unwitting, which is when an individual unwittingly gives away information through poor security procedures or clever elicitation collection techniques.
Regardless of the motive, it’s critical for organizations and their security teams to help prevent the next insider attack. One of the top ways to bolster protection is by adopting Zero Trust within an organization. Zero Trust principles such as ‘Never trust, always verify,’ network micro-segmentation, and least privilege access can be extremely effective in ensuring an organization doesn’t become the next major breach victim.
Will LaSala, Field CTO, Americas, OneSpan:
The rise of digitalization and Web 3.0 has led to an exponential increase in high-value transactions occurring online. As more processes become digitized, an array of solutions have cropped up, most void of security capabilities. These solutions are unable to verify and authenticate the true identity of the person or business on the other end of the contract — which creates opportunities for threat actors to take advantage of unsuspecting employees, gain access to an organization’s network and obtain sensitive data.
Employees have become accustomed to signing contracts quickly and digitally, they are failing to verify whether or not the contract they have received is legitimate. As a result, employees are signing and unknowingly sharing confidential information with external threat actors. For example, attackers continue imitating the DocuSign brand, sending phishing links and documents that appear to be from DocuSign but in reality, are links and files that expose login credentials. With insider threats becoming a prominent security issue, organizations must take a proactive approach to mitigate exposure opportunities.
To ensure that employees do not unknowingly expose data when signing digital documents, organizations should add enhanced authentication to secure access to agreements as well as ‘flatten’ uploaded documents to avoid shadow attacks. Businesses that provide these solutions also have a role to play, ensuring the identification and authentication capabilities are built into the entire digital transaction lifecycle.
Daniel Elkabes, Vulnerability Research Team Leader, Mend:
In an era widely fueled by and dependent on data-driven tools, developers are under a lot of pressure to get software, applications, and products out quickly. Expedited work timelines, in tandem with increased demands and simple human error can result in developers unintentionally using open source code that has malicious packages; consequently opening the doors for threat actors to sneak in. For security teams who are working diligently to protect their organizations against external threats — addressing insider threats can be an intimidating topic to approach, as it shines a light on any oversights or errors that were made by colleagues. It is this hesitancy, however, that underscores the need to spread awareness.
With open source software providing many benefits to enterprises and development teams, their use and deployment will not slow down. And neither will developers. However, in order to elicit a real change in behavior and avoid risky code being used, developers need to understand the larger implications of their actions and the project. Hands-on, visual training will help developers see how quickly and easy it is for something to go wrong from a simple coding mistake. This will help reiterate the importance of regularly managing open source components and all their dependencies, and how this helps avoid putting the organization at risk.
In addition to training, developers should proceed carefully and dedicate more time to ensure they’re implementing the correct packages that are free of any malware or vulnerabilities. While easier said than done, developers should approach the process of downloading and installing packages for projects through two different steps to eliminate cases of vulnerabilities. First, developers should view the package to ensure that it is safe. Once the package is determined safe and free of any malicious software, developers can then move forward with installation. By taking off the blinders and helping developers see through an alternative lens that examines the repercussions of insider threats and steps that may not always be taken, security teams can provide a clearer image and equally shed light on the larger context of how insider threats impact businesses and customers.
Joe Payne, CEO and President, Code42:
Insider threats are not a new problem, but the problem has grown substantially because almost all corporate data has been digitized and, with a mouse click, can be moved to a personal email, Dropbox or Github account. Almost all malicious data theft from insiders occurs when people change organizations, which is on the rise because of the Great Resignation and recent layoffs. A new approach to stop theft and reduce risk is required.
For years, security teams have approached insiders the same way they do malicious external threats — blocking data movement (and therefore internal collaboration) isn’t as simple when it’s a colleague. Security teams that are used to dealing with external threats will find their tactics aren’t effective for handling internal threats. They need a new playbook and a new generation of technology.
Addressing insiders requires collaboration between security, HR and legal teams, leading with an empathetic approach. Often, employees are just trying to do their jobs when they create data risk. Investigative teams must shift their mindset before contacting the employee, get context to understand the situation and educate the employee to avoid future incidents.
For example, it’s completely possible (and even likely) that your on-the-road sales member didn’t realize downloading her customer list from Salesforce to a personal device created risk for the team — she just thought it would be easier to manage. Often, when a software developer puts his source code in his personal Github account, he thinks that this is okay and not against company policy. An empathetic approach is required in both examples to keep the employees engaged and productive. These simple steps can de-escalate stress for your users and help to build a culture of trust, open communication and respect, while also perpetuating a positive security culture.
Mike Scott, CISO, Immuta:
An uptick in insider threat-related incidents has ushered greater awareness around the need to not only protect the sizeable volume of data collected and stored by organizations but also who has access to it. While it’s hard for some to believe that someone within an organization will proceed with malicious intent, many businesses are guilty of giving employees more access to data and privileges than they need. As people come and go and data further cements itself as an essential resource for modern businesses, more steps must be taken to guarantee its security.
This Insider Threat Awareness Month presents an opportunity for organizations to assess these security risks, assimilate how to detect, and protect their assets before an incident occurs, and manage the misuse of sensitive information in the event of a breach. Insider threats are not always intentional. One way organizations can ensure the proper protections are in place is to define what data needs to be protected, when the data should be protected — always or time-based — and who has access to the data. This way, businesses ensure that only the right people can view the right data at the right times.
Ben Johnson, CTO, Obsidian:
There are three aspects of insider threat that organizations need to keep in mind. When we meet someone, having seen their face, we often think there is no way they are a threat, so we over-share information and access. However, especially in the cloud age, it could be “one click to our own demise” in terms of accidentally leaking or publishing confidential information. The second aspect is that there are, sadly, true malicious insider threats where employees have sinister intentions, become disgruntled, or simply want to steal information to set themselves up for their next job. Finally, virtually every external threat has a goal — to gain access to your organization. Once they have access, what are they? They’re an insider. National Insider Threat Awareness Month needs to be taken as a serious reminder that if we cannot defend against insiders, we cannot defend against outsiders either.
