Insider Threats and Mitigations
Insider threats can be malicious or unintentional, but the unifying factor is that the threat agent, in this case, is someone who has or has had authorised access to the organisation's information assets. According to "The Common Sense Guide to Mitigating Insider Threats, 5th Edition", published by "The CERT Insider Threat Center", insiders/insider threats can be defined as follows:
A malicious insider is a former or current employee, business partner or contractor who meets the following criteria:
- Has or had authorised access to an organisation's network, system, or data and has intentionally exceeded or used that access in a manner that negatively affected the confidentiality, integrity, availability, or physical well-being of the organisation's information or information systems or workforce.
An unintentional insider threat is defined as a former or current employee, business partner or contractor who meets the following criteria:
- Who has or had authorised access to an organisation's system, network, or data and who, through their action/inaction without malicious intent, causes harm or significantly increases the possibility of future serious harm to the confidentiality, integrity, or availability of the organisation's information or systems.
Why We Should Care
Insider threats can be quite difficult to detect, given that the typical threat agents will have authorised access to the organisation's information assets. In the case where privileged access is available, the projected impact can be extremely high.
The typical scenarios (non-exhaustive) where these threats are realised could be as follows:
- Violation of information protection laws for regulated information where authorised access is used to violate legal processing guidelines by forwarding the information to unauthorised entities.
- Sabotage of infrastructure and related information assets by a malicious insider with privileged access.
- Intentional weakening of control posture through malicious actions by an insider working in concert with an external attacker to facilitate a compromise of the environment.
- Unintentional actions by privileged/unprivileged users resulting in adverse security outcomes.
Insider threats, by their nature, are quite complicated to address, and the control landscape could span a wide range of socio-technical measures that should work in concert to prevent or limit the impact of such threats should they be realised.
A key part of defining appropriate approaches is understanding the triggers for these threat events, especially in the malicious category, and then targeting controls at these root causes.
To understand some of these typical triggers, we need to understand the psychological profiles most likely to manifest the negative tendencies aligned with these threats. Ben McCarty, in his book "Cyberjutsu: Cybersecurity for the Modern Ninja", has written about the "eight archetypes of likely worm agents", which is essentially a summarised psychological profile of the people most likely to manifest insider threat events.
In the article "The dark triad and insider threats in cybersecurity" (https://dl.acm.org/doi/10.1145/3408864), Michele Maasberg, Craig Van Slyke, Selwyn Ellis and Nicole Beebe also identify negative traits relevant to insider threats and categorise them into three buckets, namely Machiavellianism, narcissism and psychopathy.
The reader is encouraged to refer to these publications for more information on those traits that could increase insider threat risk.
With an understanding of the factors discussed above, the following preventive measures could be taken to reduce insider risk:
- Defining a cyber risk rating profile (the worst-case impact that could arise from abuse of information access privileges for the position) for all positions within the organisation and tailoring the rigour of pre-employment (and in-employment) screening and background checks to match the risk profile of the position.
- Ensuring workplace practices emphasise the fair treatment of all employees, especially systemically marginalised groups, to minimise trigger conditions for insider threat events.
- Conducting regular workplace surveys to detect key issues within the organisation from the perspective of the employees.
- Deploying robust authorisation controls that limit authorisation creep and enforce 'least privilege' principles.
- Explicitly stating cybersecurity-relevant expectations on third-party service provider contract documentation.
- Ensuring that shared user accounts are never used in the organisation (including for third-party service providers), thereby introducing a deterrence factor, since actions performed on a system would always be traceable to a named user identity.
- Controlling the use of removable media to limit data exfiltration vectors.
- Including cyber threat profiling as part of the security awareness curriculum for business unit heads.
- A robust information security awareness programme for all employees, with content tailored for their individual roles.
It is a given that preventive controls will fail, no matter how elaborate, and suitable detection and response measures must be deployed to deal with this reality. Detective measures will require a great deal of coordination amongst the business unit heads, human resources and the security operations teams.
The following would be some of the measures that would be useful for this purpose:
- Definition of security monitoring use cases specific to insider threat scenarios, approved by the business, which are then used to define event logging baselines across the technology environment.
- Use of 'honeypot' data to detect access attempts.
- Use of employee baseline profiles to detect anomalous behaviour either using UEBA tooling or custom analytic models on the organisation's log data.
It is essential to start with simplified measures and track basic metrics, which can inform future interventions.
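The three detective measures above (business-approved use cases, honeypot data and baseline-driven anomaly detection) and the basic metrics that follow them can be illustrated in a single pass over audit logs. The script below is an added example and is not part of the original article; the log line format, the honeytoken path, the per-user baselines and the alert thresholds are all constructed assumptions, and in practice the baselines would come from historical data or a UEBA product and the use cases from the business-approved list.

```python
"""Minimal insider-threat detection pass over audit log lines.

Added example, not from the original article. The log format, the honeytoken
path, the per-user baselines and the alert thresholds are all assumptions
constructed for illustration.
"""
from collections import Counter
from datetime import datetime

# Constructed sample audit lines: "<ISO timestamp> user=<id> action=<verb> path=<resource>"
SAMPLE_LOG = """\
2024-03-04T09:12:01 user=alice action=read path=/finance/q1/report.xlsx
2024-03-04T09:45:13 user=alice action=read path=/finance/q1/forecast.xlsx
2024-03-04T10:02:55 user=bob action=read path=/hr/policies/leave.pdf
2024-03-04T23:40:07 user=bob action=read path=/hr/payroll/2024-01.csv
2024-03-04T23:40:19 user=bob action=read path=/hr/payroll/2024-02.csv
2024-03-04T23:40:31 user=bob action=read path=/hr/payroll/2024-03.csv
2024-03-04T23:40:44 user=bob action=read path=/hr/payroll/2023-12.csv
2024-03-04T23:40:58 user=bob action=read path=/hr/payroll/2023-11.csv
2024-03-04T23:41:10 user=bob action=read path=/hr/payroll/2023-10.csv
2024-03-05T02:15:44 user=carol action=read path=/finance/board/acquisition_targets.xlsx
2024-03-05T11:07:02 user=dave action=read path=/engineering/release_notes.md
"""

# Assumed per-user baselines (normally derived from weeks of history): typical
# reads per day and the working-hours window [start, end) in local time.
BASELINES = {
    "alice": {"daily_reads": 10, "hours": (8, 18)},
    "bob": {"daily_reads": 2, "hours": (8, 18)},
    "carol": {"daily_reads": 15, "hours": (8, 18)},
}
# Constructed canary: a file nobody has a legitimate reason to open.
HONEYTOKENS = {"/finance/board/acquisition_targets.xlsx"}
VOLUME_FACTOR = 3  # flag when a day's reads exceed this multiple of the baseline


def parse_line(line):
    """Parse one constructed audit line into a dict with a datetime under 'ts'."""
    ts_text, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts_text)
    return event


def detect(log_text, baselines=BASELINES, honeytokens=HONEYTOKENS, factor=VOLUME_FACTOR):
    """Return a list of (kind, user, timestamp, detail) alerts for the log text."""
    alerts = []
    daily_reads = Counter()  # (user, date) -> reads seen so far that day
    fired = set()            # (kind, user, date) already alerted, to suppress repeats

    def alert(kind, ev, detail, once=False):
        key = (kind, ev["user"], ev["ts"].date())
        if once and key in fired:
            return
        fired.add(key)
        alerts.append((kind, ev["user"], ev["ts"].isoformat(), detail))

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, path, ts = ev["user"], ev["path"], ev["ts"]

        # Use case 1: honeytoken access. The path exists only as bait, so any
        # access is a high-fidelity signal regardless of who did it or when.
        if path in honeytokens:
            alert("honeytoken_access", ev, path)

        profile = baselines.get(user)
        if profile is None:
            # No baseline means no known profile: surface it rather than skip it.
            alert("unknown_user", ev, path)
            continue

        # Use case 2: activity outside the user's established working hours,
        # reported once per user per day so a late session is one alert, not dozens.
        start, end = profile["hours"]
        if not start <= ts.hour < end:
            alert("after_hours_access", ev, path, once=True)

        # Use case 3: read volume well above the user's daily baseline, a common
        # precursor of bulk collection ahead of exfiltration.
        if ev.get("action") == "read":
            day_key = (user, ts.date())
            daily_reads[day_key] += 1
            if daily_reads[day_key] > profile["daily_reads"] * factor:
                alert("volume_spike", ev, f"{daily_reads[day_key]} reads on {ts.date()}", once=True)
    return alerts


def summarise(alerts):
    """Basic metric: alert counts per use case, the kind of number worth tracking over time."""
    return Counter(kind for kind, *_ in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for kind, user, when, detail in found:
        print(f"{when} {kind:<20} {user:<6} {detail}")
    print(dict(summarise(found)))
```

On the constructed sample, `alice` produces nothing, `bob` produces one after-hours alert and one volume-spike alert for the late-night payroll reads, `carol` trips the honeytoken and the after-hours rule, and `dave`, who has no baseline, is surfaced as an unknown user. The per-use-case counts returned by `summarise` are the simplest metric to start with: trending them over weeks shows which use cases are noisy, which never fire, and where the baselines need tuning.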