Insider Threat Detection

February 7th, 2019
Insider Threat Detection Everything you need to keep insider threat at bay

Malicious insiders can cripple critical systems, copy and sell sensitive customer data, and steal corporate secrets. An insider threat is an employee, former employee, contractor, business associate or other person within an organization who has access to critical data and IT systems and therefore could cause harm to the business. Insider threats can be managed by policies, procedures and technologies that help prevent privilege misuse or reduce the damage it can cause. In many organizations we find a general reluctance to invest in complex, pricey technologies like SIEM and UEBA. In this article we shall briefly talk about the best practices and techniques you can use to minimize the risk of insider threats.

How to minimize the risk of insider threats

  • Perform enterprise-wide risk assessments. Be aware of your critical assets, their vulnerabilities and the threats that could affect them. Assess the various risks caused by insider threats. Then prioritize the risks and continuously enhance your IT security infrastructure according to risk priority.
  • Enforce Policies and Controls. Work with your HR to create policies for every employee interaction with the IT environment. For example, you should setup
    • General data protection regulations
    • An incident response policy
    • A third-party access policy
    • An account management policy
    • A user monitoring policy
    • A password management policy
  • Implement security software and appliances. Deploy and properly configure the following software:
    • Active Directory
    • Endpoint protection system
    • Intrusion prevention system
    • Intrusion detection system
    • Web filtering solution
    • Traffic monitoring software
    • Spam filter
    • Privileged access management system
    • Encryption software
    • Password management policy and system with at least two-factor authentication
    • Call manager
    • Data loss prevention system
    • Enable mailbox journaling on your Exchange Server, preferably with e-discovery software installed.
  • Implement strict password and account management policies and practices. All your users should enter your systems by entering credentials that personalize them; each user should have a unique login ID and password.
  • Monitor and control remote access from all endpoints, including mobile devices. Deploy and configure wireless intrusion detection and prevention systems. Continuously review if employees still require remote access and/or a mobile device. Ensure that all remote access is terminated when an employee leaves the organization.
  • Toughen network perimeter security. Configure your firewall properly. Blacklist all hosts and ports, and then whitelist only those you need. Configure a DMZ. Do not implement VPN or FTP; ensure that no critical systems interface directly with the internet. Establish a baseline of normal network device behavior and monitor to detect an anomaly.
  • Enforce separation of duties and least privilege. Require authorization from two users for copying of data to removable media Also consider data be encrypted. Establish role-based access controls and configure Group Policy to prevent employees from accessing information or services that are not required for their jobs.
  • Identify risky actors and respond promptly to suspicious behavior. Monitor your security systems and respond to suspicious or disruptive behavior according to your incident response policy. Setup alerting on all critical systems and events, and ensure the alerts warn you through multiple channels. Through user behavior analytics (UBA) technologies, you can spot bad actors more efficiently.
  • Train your employees on insider threat awareness. Train all new employees and contractors in security awareness before giving them access to any computer system. Train and test your employees against social engineering attacks, active-shooter situations and sensitive data left out in the open

Getting ready

Before you can effectively detect insider attacks, you need to assess all your current systems. Here are the steps to prepare yourself.

  1. Review all the IT assets in your IT infrastructure. These include:
    1. Installed security systems
    2. Data storage’s
    3. Access control systems, such as routers, switches, VPN
    4. Users, including contractors, suppliers and partners
    5. Effective permissions
  2. Identify all possible use cases and prioritize them by likelihood and impact, so you can focus on the most important ones first.
  3. Collect all logs from all available data sources, including file servers, SharePoint, Office 365, Exchange, databases, etc. If you already have a DLP or EDR solution in place, ensure your insider threat detection solution can leverage the alerts it generates.

Techniques to detect Insider threats

  • Identify a specific insider threat to train your detection on. This can be a malicious insider activity that already happened in your organization or it an abnormal activity that you know you want to detect. Ensure your detection model can catch and alert on this threat with an acceptable level of false positives.
  • Detect spikes in activity. The easiest abnormal activity to spot is a spike in activity, such as a high number of login attempts by a particular account or a large number of file modifications. When you identify an anomalous spike, you can further investigate this activity for more detail, and if the investigation reveals it was not actually a threat, adjust your baseline to reduce false alerts in the future.
  • Detect anomalous access attempts. Keep an eye on frequency and volume of logins, both successful and failed, within a short period of time. Focus on activity after business hours and other deviations from normal user behavior, such as access to archived company data.
  • Keep an eye on anomalies in VPN access to your corporate network. Detect abnormal speed, volume or geographical location of access. For instance, if a user logged from New York and a few minutes later the same user logged in from Sydney, Australia, you need to respond immediately because no one could travel so far so quickly.
  • Monitor access to sensitive company data. Identify access patterns that are abnormal for the user, such as attempts to read critical data that they have never accessed before. Here are the top three things you need to stay abreast of:
    • A high number of access events — The more events within a short period of time, the more suspicious the activity is. For instance, a massive number of file reads can be a sign of malicious behavior, for example, by a user who is about to leave the company or has been recently terminated.
    • Access to different files — A user’s attempts (successful or not) to read files and folders that they haven’t accessed before can also be malicious behavior; the user might looking for valuable data that can be sold, used against the employer, published on the web, etc.
  • Measure users against their peers. One common pitfall in threat detection is comparing the activity of an HR specialist, for instance, with the activity of an IT administrator, who has a vastly different set of responsibilities. Instead, be sure to assess each user against others in their own peer group. For example, logons from other cities might be routine for salespeople but unusual for building maintenance staff.
  • Identify shared accounts in your organization. Closely monitoring shared accounts is vital for a strong cyber security posture. Track logins by these accounts and analyze risk using factors such as login time and the machine’s geographical location. Multiple logins from different machines by the same shared account can be a sign that the account has been compromised.
  • Monitor service accounts and privileged accounts separately from user accounts. Best practices require that highly privileged accounts be used rarely and both, privileged accounts and service accounts be used only for specific tasks that other accounts have no authorization to perform. Keep your inventory of these accounts up to date and monitor their activity more closely. Look for signs of security policy violations or privilege abuse such as use of the account to perform suspicious tasks or unusually long sessions.
  • Correlate data from multiple sources. Spotting some security threats requires taking advantage of multiple data sources. For example, an anomalous VPN login might not alarm you, but if you see that the same user starts accessing folders with sensitive data they never accessed before, you might want to investigate so you can remediate the threat before it’s too late.
  • Keep an eye on your infrastructure resources. In addition to monitoring user activity, be sure to stay on top of activity around your file shares, databases, servers, and so on. You want to spot any suspicious activity there and know who performed it. For example, multiple logons to one server by different accounts could indicate an attack in progress.

It’s critical to be able to detect insider threats, including intruders with stolen credentials and trusted employees who go rogue. These best practices and techniques will help you starting building an insider threat detection program that works for your organization.

Follow Us
Other Articles