The Ultimate Guide to Insider Threats

Introduction

Insider threat is a multifaceted challenge representing a significant cybersecurity risk to organizations today. While some are unintentional insiders, such as employees who fall victim to phishing attacks or make careless mistakes, others are malicious insiders, such as employees looking to sabotage the organization or steal data. 

Insider threat is comprehensively defined as, “The threat posed by a person who has, or once had, authorized access to information, facilities, networks, people, or resources; and who wittingly, or unwittingly, commits acts in contravention of law or policy that resulted in, or might result in, harm through the loss or degradation of government or company information, resources, or capabilities; or destructive acts, to include physical harm to others in the workplace.”

Roles

Understanding the different types of insider threats and the most applicable vectors to your organization is crucial. While C-suite executives are often assumed to be cyber attackers’ favorite targets, many others are more susceptible to attacks. 

For instance, IT admins with extensive system privileges or people in public relations or investor relations whose names and contact information are prominently displayed across web pages. Product managers are significant targets of bad actors seeking intellectual property. Salespeople and customer-facing staff are often the most targeted. 

Beyond these roles, a myriad of outsiders has insider access to sensitive data, such as contractors, service providers, temporary workers, suppliers, partners, and others. In a nutshell, anyone can put an organization’s data at risk, given the right circumstances. Hence, there is a need to consider how people might behave and whether their behavior is risky — rather than focus on their title or role within their organization.

Malicious insiders

Malicious insiders may intentionally exfiltrate, steal, or sabotage data for personal gain, revenge, or to benefit a competitor. Departing or disgruntled employees may no longer feel duty-bound to keep confidential data and systems safe. Malicious insiders often carry out their operations over time, taking steps to hide their activity and remain undetected. This fact makes detecting and preventing these types of threats particularly challenging. Malicious insider threat activity often goes undetected and unreported. Malicious users need monitoring while understanding and considering their motivations, including monetary gain, need for recognition, attention seeking, a distorted perception of right and wrong, and more.

Compromised insiders

Compromised insiders may be forced to act maliciously due to blackmail or extortion. Compromised users may have their accounts taken over and misused by an outside cyber attacker. Once their accounts are compromised, attackers have insider-level access to the organization's data and systems. Compromised users need fast intervention.

Negligent/Unintentional insiders

Negligent insiders do not have malicious intent but may make mistakes that lead to data breaches or other security incidents through ignorance or carelessness. Even the best workers make mistakes. Some are relaxed with security and inadvertently expose or store data in unsafe locations. They may fall for a phishing attack, lose a laptop or a portable storage device that a cybercriminal can use to access the organization’s network, use weak passwords, or email the wrong files (e.g., files containing sensitive information) to individuals outside the organization. Others sidestep critical data-loss controls, bypass security controls to save time, ignore security patches and software updates, and disregard rules and policies because they hinder their work. Negligent users need continuous coaching, proper/adequate training, documentation, and controls for all procedures.

As organizations across industry verticals are continuously at risk of being affected by insider threats, developing and updating security measures and necessary controls to combat this activity should be a dynamic and continuous process. These required controls and measures to put in place would depend on the size and industry vertical an organization belongs to. Some controls to put in place include but are not limited to the following:

For this report, Industrial Espionage is defined as provided in Section 1637 of the National Defense Authorization Act for Fiscal Year 2015. Economic or Industrial Espionage means (a) stealing a trade secret or proprietary information or appropriating, taking, carrying away, or concealing, or by fraud, artifice, or deception obtaining, a trade secret or proprietary information without the authorization of the owner of the trade secret or proprietary information; (b) copying, duplicating, downloading, uploading, destroying, transmitting, delivering, sending, communicating, or conveying a trade secret or proprietary information without the authorization of the owner of the trade secret or proprietary information; or (c) knowingly receiving, buying, or possessing a trade secret or proprietary information that has been stolen or appropriated, obtained, or converted without the authorization of the owner of the trade secret or proprietary information.

Cyberspace is the most prominent attack vector for various industrial espionage threat actors, from insiders to adversarial nation-states to commercial enterprises operating under state influence to sponsored activities conducted by proxy hacker groups. Hence, cyber-enabled espionage capabilities are among the most pervasive threats to US manufacturing, research, and development sectors. Military and political espionage has long been treated as a threat to national security, but in the past few decades, the theft of commercial trade secrets has also been recognized as a significant national problem.

In 1996, Congress enacted the Economic Espionage Act (EEA), which made misappropriating or stealing IP and trade secrets a federal crime. Further, the EEA criminalized economic and industrial espionage executed for the benefit of a foreign government, as well as the more common commercial theft of trade secrets, regardless of the ultimate beneficiary. Reports by the National Counterintelligence and Security Center (NCSC) indicate that industrial espionage against the United States continues to represent a significant threat to America’s competitive advantage, security, and prosperity.

In addition to outsider attackers, insider attackers are frequently involved in industrial espionage by gaining access to sensitive data while exploiting known and zero-day vulnerabilities. Industrial espionage encompasses illegal intelligence-gathering activities, and the attacks are hostile attempts to steal, compromise, change, or destroy information by gaining unauthorized access to an organization’s computer systems. Although advanced cybersecurity tools create a formidable defense against remote electronic attacks, insiders often steal valuable commercial information. For instance, if an adversary can recruit an employee or trusted partner of the targeted organization, that person can use their access to provide data, documents, critical context, and know-how—while operating under the radar and evading detection.

Trusted insiders can identify and work around network and physical security controls, particularly when their illegitimate intentions can be disguised by their legitimate access to information. The number of revealed industrial espionage cases is the tip of the iceberg. The actual financial cost is often challenging to estimate due to factors including delayed discovery, victims unwilling to report incidents, and avoiding the exposure of their incompetence to prevent the erosion of clients and shareholder confidence. However, the financial cost of industrial espionage could be estimated from various reports. For example, the Centre for Strategic and International Studies (CSIS) reports revealed that industrial espionage could cost the world more than $445 billion annually, with a rapid estimated increase of $100 billion to $545 billion. Indirect damages (e.g., stolen customers and the future of the enterprises) are even more complicated to estimate, making it unrealistic to embark on legal measures to restore losses from industrial espionage.

Organizations that understand insider types and why trusted insiders are motivated to steal economic and commercial information can better detect and prevent industrial espionage. Numerous motivations might drive an individual to turn against their employer to steal a company's sensitive data, including sabotage, theft of intellectual property or national defense information, insider fraud, workplace violence, malicious, negligent, and unintentional insider threats, and more. Emotional factors that drive malicious insiders include financial hardships, financial compensation, blackmail, divided loyalties, significant stressful life events, disgruntlement, dissatisfaction at work due to actual or perceived unfair treatment, and an individual’s sense of national pride and politics. Individuals with access to sensitive information are motivated not only by a desire to harm an employer they resent, but they frequently take advantage of their access for personal gain.

Despite the attention given to hacking and cyber-enabled industrial espionage, humans (employees, contractors, and business partners) with direct access to information, facilities, and systems have a significant advantage over external attackers and thus remain at the center of the threat. These humans are not only aware of their organization’s technology, procedures, and policies; they are also familiar with its vulnerabilities, including exploitable network flaws and loosely enforced policies. Thus, protecting networks from external cyber-attacks is insufficient; organizations must better understand the motivations that drive trusted humans with access to valuable information to reveal them to competitors or adversaries.

Intellectual property (IP) theft, through both clandestine and open methods, can provide competitors with valuable proprietary commercial information at a fraction of the actual cost of its research and development (R&D) and in far less time than it would take to develop the information itself from scratch. IP theft eviscerates the value of past investments to create or build a marketable product or technology and undermines prospects for future revenues. Stolen IP enables competitors to sell nearly identical products with virtually no R&D costs and often undercuts the original developer on price. The ability to gain extraordinary access to proprietary R&D information at a fraction of the cost of its initial development presents a significant motivator to adversaries willing to take advantage of or recruit individuals with inside knowledge. These adversaries work diligently to identify insiders susceptible to bribery or coercion, who may be careless about or ignorant of security policies, and who can abscond with trade secrets. Hence, access to an insider enables an adversary to circumvent security controls from the inside rather than penetrate them from the outside.

The motivations to uncover a rival’s trade secrets, which are critical to a company’s operations and economic success, continue to persist with technological advances, making protecting IP and sensitive data even more challenging. Losing data to a domestic competitor could also result in significant revenue losses and damage to long-term viability. However, malicious insiders don’t only steal proprietary information to share with companies abroad; they often do so as they prepare to leave their jobs to work for competing companies inside the United States. For example, an engineer in a prominent organization could download thousands of project files before quitting their organization, which is then sold to a top competitor in the market. Corporations could also deliberately hire employees of competing firms to exploit their knowledge of and access to the competitor’s IP. Those former employees use stolen passwords to unlawfully gather business intelligence without authorization.

Identifying industrial espionage due to malicious activity by potential or current insider threat actors is often challenging before damage is discovered. However, it is possible to identify characteristics typical of individuals indicating personal stress, which might render them susceptible to acting emotionally and rashly. While such traits are not definitive evidence of wrongdoing, they are warning signs. It is crucial to understand and recognize that malicious insider threat actors often exhibit indicators that, if identified early, can be mitigated before harm to the organization occurs.

Psychological approaches could be used to detect and assess the probability and quality of insider threats. The unethical behaviors of insiders could be influenced by personality characteristics (e.g., financial problems, having unmet goals, field experience, lack of loyalty, ideology, compromise); organizational and societal factors (e.g., culture, leadership, codes of conduct and norms, and reward systems); the interaction between individual characteristics and situational factors within organizations (e.g., obedience to authority, reinforcement, role taking, responsibility for actions, etc.); and the social interactions within the organization (e.g., unethical actors will behave unethically).

Malicious insiders frequently employ charm and charisma to mask their true intentions, capitalizing on human susceptibility to being swayed; thus, catching them in the act isn't always easy. Reliance on scientific methodologies and procedures like insider threat hunting methodologies grounded in concrete detections and patterns is significant in detecting industrial espionage. Proactive detection via threat hunting involves hunting for anomalous insider behavior that may not be detected by security controls alone. The threat-hunting approach involves techniques such as user behavior analytics (UEBA) tools that analyze user behavior patterns to identify anomalies. For instance, UEBA tools can detect if an employee is suddenly accessing unusual files or systems. Other patterns of behavior that organizations should look out for include failed login attempts, unusual access to sensitive data, significant transfers of data to external devices, changes to system permissions, attempts to disable security controls, and more.

Human intelligence can also detect industrial espionage, where security analysts proactively hunt for insider threats by reviewing system logs and other data sources for suspicious activity. Other data sources include security information and event management (SIEM) logs, access control logs, network traffic logs, application logs, file logs, identity and access management (IAM) logs, email logs, and more. Upon gathering all relevant data and considering all possible hunting queries to search data sources for anomalous behavior, analyze/investigate the findings and review the results to identify potential/legitimate insider threats while looking for patterns of behavior that are inconsistent with normal user activity. Investigating the findings might involve interviewing employees, reviewing further data sources, and conducting forensic analysis.

Overall, it is essential to note that no single detection measure is perfect, as insiders are often sophisticated and could evade detection. Organizations should, therefore, implement a layered security approach that includes multiple detection measures that are regularly reviewed and tested using red team exercises or penetration testing tools to ensure that they are effective.

Malicious insiders frequently employ charm and charisma to mask their true intentions, capitalizing on human susceptibility to being swayed; thus, catching them in the act isn't always easy. Reliance on scientific methodologies and procedures like insider threat hunting methodologies grounded in concrete detections and patterns is significant in detecting industrial espionage. Proactive detection via threat hunting involves hunting for anomalous insider behavior that may not be detected by security controls alone. The threat-hunting approach involves techniques such as user behavior analytics (UEBA) tools that analyze user behavior patterns to identify anomalies. For instance, UEBA tools can detect if an employee is suddenly accessing unusual files or systems. Other patterns of behavior that organizations should look out for include failed login attempts, unusual access to sensitive data, significant transfers of data to external devices, changes to system permissions, attempts to disable security controls, and more.

There is no walking back the harm done due to industrial espionage - once intellectual property – sensitive data, and more has been compromised. Combating insider threats requires incorporating different aspects involving individuals, technologies, and their related environments. Creating an effective and coherent cyber ecosystem to detect, monitor, and mitigate insider risks is not easy. The complexity of insider threat research requires a series of theories and approaches, including security awareness, enterprise security policy and architecture, threat modeling, human governance strategies, insider vulnerability assessment, and more. Behavioral analytics and technological measures are active areas in insider threat research, which include personality traits, datacentric threat detection combined with continuous monitoring of an intellectual property repository with advanced behavioral analytics, and human governance mechanisms, such as information security culture and organizational ethical climate.

Industry executives can develop preemptive strategies to mitigate and effectively prevent industrial espionage and its detrimental effects through a deeper understanding of why trusted insiders choose to steal economic and commercial information. Improving employees’ training and awareness of security threats and best practices can prevent lax behavior that increases risk, thus significantly preventing industrial espionage activities. It is vital to educate corporate leaders about the information and technologies that adversaries want to steal with the objective and goal of not discouraging or hindering scientifically and commercially valuable collaboration but instead learning to balance cooperation with security. Therefore, organizations must intensify their efforts to instill a culture of security and security awareness, evaluate their security postures, and establish comprehensive insider threat programs.

Because indicators of potential insider threats often go unrecognized or are ignored by people who are hesitant to report their concerns, corporate leaders must encourage and empower their workforce to come forward when a colleague demonstrates concerning behavior.

Organizations should develop and disseminate clear security policies and build awareness of guidelines and best practices through periodic training classes, posters, and email campaigns. Employees must know that they can share their concerns with human resources, security staff, and any key stakeholder in the organization’s insider threat program, including the insider threat hotline if one exists. Organizations should employ basic security measures, including monitoring all network traffic and using security software. Building an effective response will require understanding industrial espionage as a multi-vector threat to the integrity of the US economy and global trade.

As a result, government agencies should take a more active role in helping organizations that partner with them on R&D re-evaluate their security postures and establish comprehensive insider threat programs that are responsive and crafted uniquely to meet industry needs. The assistance from agencies could include developing security policies and governance structures, undertaking capability assessments, establishing insider threat awareness programs, and designing and delivering security training. Organizations unable to receive support from the agencies should draw on the wide range of insider threat expertise, valuable tools, techniques, and processes outside of government.

Protecting sensitive data has become more complicated and demanding due to increasingly distributed access to more data through channels such as emails, endpoints, unstructured sources like web pages, remote work, and a shift to the cloud. Regardless of the industry sector or organization, people lose data, and data does not lose itself.

Unfortunately, traditional cybercriminals and ransomware attackers are taking advantage of the situation by not only stealing more data than ever but restricting access to data by encrypting it and maliciously publishing data for victims who refuse to pay the ransom.

To combat these challenges, organizations must rethink how they prevent data loss, mainly when it stems from insider threats, which are on the rise, in part due to today's distributed cloud-first environment. According to a Ponemon Institute Report, between 2020 and 2022, insider threats increased by a staggering 44%, while the cost of addressing them increased by 34% from $11.45 million to $15.38 million. Unfortunately, most security teams and traditional DLP controls typically overlook context because they need insider threat detection and response, insider-led security incidents, and visibility into people-caused data loss, ultimately leading to a lack of accuracy and false positives. Organizations should embrace a people-centric approach to data loss prevention that expands beyond traditional drivers like compliance and includes insider threat management capabilities that consider user behavior.

To prevent data loss and decrease the number and cost of incidents, both DLP and insider threat management (ITM) must converge, although both approaches prevent data loss differently. DLP tracks data movement and exfiltration by monitoring file activity and leveraging content scanning to determine whether users are handling sensitive data according to corporate policy. DLP is used across the enterprise with low-risk, everyday users in mind. Whereas DLP focused on ITM or ITM-informed DLP is used for risky users, such as departing employees, privileged users, contractors, and employees on probation or temporary contracts. ITM focuses on user behavior by tracking application usage, user interface actions, website access, and file movement to analyze, detect, and prevent risky user behavior. This could be captured for visual evidence to accelerate or aid investigations.

The rise in employee churn, layoffs, and resignations has led to a greater risk of data exfiltration, infiltration, and sabotage, and the CISO community knows it and rates it a top concern. Employees are constantly leaving and joining organizations at an unprecedented rate. In 2021, more than 47 million Americans voluntarily quit their jobs as part of the Great Resignation. This trend was compounded by the many tech layoffs and industry consolidation in 2022. The security perimeter is hampered as employees and contractors work from everywhere and anywhere, changing the network security perimeter from brick-and-mortar to people-based. The sense of isolation and insulation from management has also led to relaxed security, privacy, and policy rules and processes. Further, complexities created for security teams by improperly implemented bring-your-own-device (BYOD) policies have blurred personal and professional lines, thus increasing data exfiltration. Although many DLP controls automate policy enforcement, many teams disable this feature to avoid interrupting critical business processes, while ineffective content-focused policies overlook high-risk user activity. Security teams must, therefore, know when to use extra layers of monitoring to prevent data loss.

To prevent losses of critical information with extra focus on issues with departing employees, non-traditional people-centric DLP controls aligned with ITM should be content-aware to identify regulated and sensitive data accurately. They should also be behavior-aware to help determine unusual access and risky user behaviors, likely indicators of malicious intent. They should also be threat-aware to help identify phish-prone users, compromised accounts, malware, or OAuth abuse to streamline investigations and expose unclear intent or purpose. Overall, a well-defined ITM-informed DLP control should encompass background checks for everyone, including contractors, partners, and third-party vendors, instead of just full-time employees. Ensure comprehensive onboarding and security training. Harden access controls by enforcing PoLP. Deploy efficient monitoring using analytic resources for threat hunting and SIEM solutions to analyze log files for risky users and data activity. Automate prevention and remediation to keep valuable data safe and increase the security team’s efficiency.

Promote internal collaboration with HR and security teams, working closely to understand user behavior better. Clearly define oversight roles and responsibilities, typically CISO, CSO, CPO, and legal counsel, to reduce inefficiency and share oversight of DLP control functions. Organizations must no longer focus on only securing the perimeter (which does not necessarily protect against insider threats). Instead, they must adopt an ITM-informed DLP approach centered around people accessing specific data, what they do with it, and how they share it.

In cybersecurity, having too many privileges is a liability. To avoid liability, organizations should ensure that internal and external users have only the system permissions they need to perform their jobs. Role-based access control (RBAC) isn’t always perfect, as some organizations often allow internal employees to hang on to privileges long after they’re required, which couldn’t make criminal hackers happier. The more permissions an employee has, the bigger the target they become. Thus, with credential theft, unauthorized individuals access more network assets than their privileges. Individuals getting promoted often receive more access rights but never forfeit those they no longer need for their current responsibilities, and this is a critical issue.

The guest accounts some organizations create for visitors, partners, contractors, and suppliers could be a significant problem, as these external users are frequently granted the same permissions as internal staff, including privileged access. These guest user accounts often persist longer than intended and well beyond the completion of services by external users who become insiders. Of course, setting up additional users could sometimes be costly. But as soon as a user shares accounts or passwords to accounts, you no longer have any accountability. Users can then do whatever they want and get away scot-free. The audit trails then get broken because you can no longer tell which individual did what. Unfortunately, permission drift still occurs even when organizations have user privilege policies because they pay lip service to them and don't enforce them. Some do not even realize they need these policies and procedures in place.

Conduct a risk assessment to determine the policies the organization should enforce regarding privileges, especially onboarding, and offboarding while understanding its security posture and addressing existing gaps. Define and implement policies and procedures that include a least-privileges policy to prevent drift. Follow through by enforcing the policies and continuous monitoring, as it is almost certain that permissions drift will creep back into the configurations and require repetitive assessment and clean-up efforts.

For instance, every time an internal employee and external user’s role changes, their privileges must be reassessed as a matter of policy. If an employee leaves the organization, for example, immediately cut off access rights and ensure they didn't create any new admin accounts before departing. If an individual never logs in to a particular app with sensitive data, revoke their access. Set and follow these policies and procedures while ensuring uniform treatment of employees. As inconsistency could cause issues, don't let one user off with a warning while terminating another for violating the same privilege policy. All these acts must be embedded in the organization's security culture.

This comprehensive exploration underscores the imperative for organizations to confront and mitigate the pervasive threats posed by insider activities and industrial espionage in the realm of cybersecurity. The delineation of insider threats into distinct categories—malicious, compromised, and negligent— highlights the multifaceted nature of vulnerabilities, necessitating tailored responses across various organizational roles.

The report advocates a proactive approach, emphasizing the necessity of robust insider threat programs, comprehensive risk assessments, and vigilant data loss prevention measures to safeguard sensitive information. Moreover, the illumination of motivations driving industrial espionage underscores the complexity of detecting and preventing these insidious activities, necessitating sophisticated detection methodologies incorporating behavioral analytics and in-depth data scrutiny.

Furthermore, the report champions a paradigm shift towards a people-centric approach, fostering collaboration between security and HR teams to fortify defenses. Addressing the critical issue of permission drift, the report emphasizes the significance of stringent policies, continuous monitoring, and uniform enforcement to prevent unauthorized access.

Ultimately, this report serves as a pivotal guide for organizations seeking to bolster their cybersecurity frameworks. Its insights into detection, prevention, and mitigation strategies against insider threats and industrial espionage provide a roadmap for cultivating a resilient and fortified security posture in an increasingly dynamic and precarious digital landscape.