Q3 2022 saw insider threat peak to its highest level yet, accounting for nearly 35% of all unauthorized access threat incidents, according to “Q3 Threat Landscape: Insider Threat the Trojan Horse of 2022,” a report by Kroll. In Q1, 31% of all unauthorized access cases were related to insider threats; in Q2, 24% of cases were related to insider threats.
Kroll also observed several malware infections via USB this quarter, potentially pointing to broader external factors that may encourage insider threat, such as an increasingly fluid labor market and economic turbulence.
The “great resignation” — the rise of employees seeking new opportunities in the wake of the COVID-19 pandemic and the shift to remote work — has also coincided with a higher risk of insider threats, which is already exceptionally high during the employee termination process. According to Kroll, disgruntled employees may seek to steal data or company secrets to publicly undermine an organization. Others may seek to move over data that they can leverage at their new organizations, including contact lists and other proprietary documents.
In one case observed in Q3 by Kroll, an employee attempted to steal gigabytes worth of data by copying it over to cloud storage networks. In this instance, the company followed a standard protocol that included disabling the users’ accounts and deleting data from cloud storage accounts accessible to them. Months after the employee left for a competitor, the organization began to suspect that the individual was using company data at their new position to enhance sales efforts.
Kroll notes that a review of the individual’s personal laptop identified that they had created copies of company data on multiple cloud storage accounts and personal data devices when they had access to corporate networks. An additional review of the individual’s web browser identified multiple searches related to personal cloud storage and deleting files, which indicated the individual knew the activity was wrong and deliberately made an effort to cover their tracks.
Some of the notable findings of the report include, but are not limited to:
- An increase in phishing, particularly via valid accounts, which could be tied to malware trends, such as a growth in the use of credential stealer, URSA
- A decrease in overall ransomware attacks but interesting activity among specific groups such as LockBit
- Increase in malware, fueled by the proliferation of credential-stealing malware such as Ursa, Vidar and Raccoon, among others
- Increase in attacks against professional services and manufacturing firms
Defending against insider threats
Laurie Iacono, associate managing director in Kroll’s Cyber Risk practice, says, “The steady growth of insider threat is a worrying trend for businesses. Whether it be insiders that are malicious by intent, simply careless or compromised by cybercriminals, the potential damage — particularly with regards to intellectual property (IP) theft — can be significant. Rising inflation and the number of jobs available post-pandemic have become a reason for many to move jobs. This becomes a ripe ground for possible insider threat, as employees try to retain information on the projects they’ve worked on outside of corporate devices or, in other cases, they retain access rights and permissions for tools and applications they previously used as HR and IT teams struggle to keep up with the amount of staff turnover.”
To counter insider threats, Iacono recommends “organizations pay close attention to the access rights they give to staff and always try to maintain a ‘least-privilege’ environment. Monitoring for suspicious activity — such as a particularly large data download or unknown USB device — is another way to spot potential compromises of security. Above all, clear instructions to employees on what is and isn’t allowed, combined with fast and efficient IT and HR processes that work together in harmony, will prove the best defense against insider threat becoming a trojan horse.”
Other best practices include:
- Deploy, manage and monitor endpoint detection & response (EDR) sensors to all endpoints within the network
- Use canary or honey tokens throughout the corporate infrastructure
- Require employees to use only company-approved devices and systems
- Maintain restrictions for using social networking sites and non-corporate email on company devices
- Employ digital risk protection solutions that monitor at-risk data
- Communicate with security operations centers (SOCs) and/or investigation teams to collaborate and share data
- Conduct robust logging and random auditing of active directory or other privileged access credentials
- Integrate checks of cybersecurity program elements into internal audit and compliance programs
- Restrict physical and electronic access for any departing employees
- Watch for early warning indicators that include remote access during off-hours