Insider threats: the new generation

Digital upheavals, Software-as-a-Service flaws, and workers who say the data they create actually belongs to them: just some of the factors that drive the emergent generation of mixed – and mixed-up – insider threats. By James Hayes.

More organisations have become savvy to the reality that insider threats are now as prevalent as the malicious attackers who try to hack through the cyber security perimeter from without – and they can also prove more difficult to detect, despite the fact that a CISO might pass a digital malefactor in the corridor two or three times a week, or even work right alongside them.

Yet despite heightened commitments to invest in internal security monitoring tools (see Cyber Security Europe, Autumn 2018 issue), a range of evidence suggests that the insider threat has not diminished in scale over the last 18 months. Indeed, more than 50% of the C-suite executives who responded to BetterCloud’s State of Insider Threats in the Digital Workplace 2019 report, and whose organisations have embarked upon greater cloud adoption, say that insider threats are now among their top five security concerns. And it’s not the same old threat multiplied. The intrinsic nature of insider threats is changing, due to a confluence of otherwise disassociated factors. This has morphed the challenge away from a threat represented nominally by untrustworthy, crooked or malevolent employees motivated by illicit personal gain or revenge.

This sounds like old news to seasoned cyber security practitioners, but may come as something of a shock to non-technical senior executives who have acquired responsibility for enterprise cyber governance. According to the Ponemon Institute’s 2018 The Cost of Insider Threats Report, insider threats of all shades are on the increase. Incidents involving employee or contractor negligence especially have continued to show a marked rise, possibly in line with the uptake of technology. Since 2016, the average number of such incidents has increased by 26%, the report indicates, and by 53% for attacks by malicious/criminal insiders. Understanding of insider threat profiles has improved in recent years.

More insider threat research has apprised organisations of the fact that malicious insiders do not, in fact, constitute the biggest threat type that they face. According to another recent study, the Dtex Systems’ Insider Threat Intelligence Report 2019, threats from within can now be categorised into three broad types: malicious, negligent, and compromised.

In terms of the overall culpability divide, malicious employees who intentionally engage in activity to harm the enterprise are responsible for some 23% of the insider incidents reported by the Dtex sample. However, users who introduce insider risk due to careless/feckless behaviour or human error are the cause of 64% of insider incidents. (The remaining 13% of insider incidents is made up of employees whose credentials are compromised and leveraged by outsider infiltrators.)

Within these three broad categories, some more specific threat personas can be singled out. For example, the Verizon Insider Threat Report 2019 identifies some insider threat sub-profiles among the careless/feckless persona, such as the Asset Misuser. These are constituted by ‘Employees or partners who misappropriate resources, break acceptable use policies, mishandle data, install unauthorised applications and use unapproved workarounds’, the report says. Their actions are categorised as ‘inappropriate as opposed to malicious’. Many fall within the world of so-called Shadow IT (i.e., hardware/software/services installed/used unilaterally and without the knowledge, approval or support of the enterprise IT department).

Other sub-profiles Verizon spotlights are the Inside Agent, the Disgruntled Employee, the Malicious Insider Threat, and the ‘Feckless Third Party’.

DEFINITIONS OF ‘INSIDER’ AND ‘THREATS’ BROADEN
The Inside Agent ‘appropriates (steals) information on direct behalf of external parties that could be criminal or commercially competitive’. Inside Agents are recruited, solicited, bribed or even coerced to exfiltrate employer data. External ‘controls’ have been known to provide Inside Agents with coaching in technical knowhow.

The Disgruntled Employee dates from the very earliest perception of the insider threat problem. Such employees seek to harm their organisation via destruction of data or disruption of business activity. Although some may be motivated by an actual or perceived grievance, others can be classed as pure mischief makers. Malicious Insider Threats, meanwhile, are actors with access to corporate assets who use existing privileges to access information for personal gain. The data they steal will be resold on the Dark Web and elsewhere for supplementary income, and in terms of motivation they are perhaps the easiest to comprehend.

Lastly, Verizon names and blames the ‘Feckless Third Party’: these are the business or supply chain partners who compromise security through negligence, misuse, or even malicious access to or use of an asset. Another sub-profile that could be added to the above, drawing on other reports, might be labelled the ‘Hapless Untrained’. These are employees who make mistakes that can result in data breach exposure because they have been coached neither in how to use the applications under their control, nor in cyber awareness training. With so many individuals now being placed in charge of some form of line-of-business application that interoperates with core datasets, this inadvertent risk exposure looks bound to worsen. The trend to class untrained employee mistakes as a form of insider cyber threat is, perhaps, controversial – or at least calls for more qualified elucidation. After all, ever since computer technology first entered the workplace, its users have been prone to unintentional slip-ups and the occasional blunder.

According to Egress Software Technologies’ Insider Data Breach Survey 2019, when it comes to the causes of data breaches — both malicious and accidental — 60% of IT leaders surveyed have been inclined to give employees the benefit of the doubt and believe breaches are primarily caused unintentionally by employees who rush and make mistakes. A ‘general lack of awareness’ was the second leading cause (44%), while 36% believe that a lack of training on the security tools a company uses is the primary driver of the error rate. Nevertheless, 30% of respondents to the Insider Data Breach Survey 2019 believe that internal data breaches result from employees ‘leaking data to harm the organisation’, while 28% believe employees are, once more, stealing data for personal financial gain.

By far, the most toxic type of insider threat actor is the Negligent End-User. Only 21% of respondents to BetterCloud’s report State of Insider Threats in the Digital Workplace said they think malicious actors (intentionally causing harm, either for personal or financial gain) pose the biggest cyber threat. Even fewer – 17% – said compromised users (exploited by outsiders through compromised credentials) posed the biggest threat.

Security experts have pieced together a range of behaviours and characteristics that could indicate that an employee is planning or carrying out an insider attack. For example, employees who plan to leave, or those who have already left, are more likely to be involved in unlawful cyber activity.

Fifty-three percent of respondents to BetterCloud’s State of Insider Threats in the Digital Workplace believed that outgoing or recently departed employees were prime threats to their organisations, followed by third-party on-site product and service providers whose contracts were ending or had ended. ‘Because offboarding processes are often unorganised and slapdash, exiting employees or exiting contractors can fall through the cracks and retain access,’ the report explains. ‘Employees planning to leave, if they are disgruntled, may also be inclined to steal data before their access is revoked’.

The deviant salesperson who downloads their client contact list before leaving to take up a new job with a competitor is an insider threat type that pre-dates the advent of computer databases. If they have thought to plan long enough ahead, there’s every likelihood that management will never know the information has been compromised; intrusion detection systems can at least alert IT security personnel that an outsider is trying to hack into their systems. Indeed, 54% of respondents to the Bitglass Insider Threat Report 2019 assert that it is more challenging to detect insider attacks than it is to detect external cyber attacks.

The latest studies of insider threat frequency indicate that such incidents are no longer sporadic, and have become routine occurrences. McAfee’s Cloud Adoption Risk Report 2019, for example, found that organisations now experience 14.8 insider threat incidents per month on average, and that 94.3% of organisations experience at least one insider-borne incident per month.

With improved Threat Intelligence, at-risk organisations can now make informed estimates of the financial cost that insider threats have caused them. The Ponemon Institute report reckons that large organisations with an employee headcount of more than 75,000 spent an average of €17.98m between 2017 and 2018 to resolve insider-related incidents; smaller organisations with a headcount of fewer than 500 spent an average of €1.61m.

Companies in financial services, energy and utilities and retail incurred average costs of €10.83m, €9.20m and €7.96m, respectively. The European companies’ annualised costs to contain insider-related incidents were €6.31m.

Along with the impact on operations, a rise in insider threats also impacts IT human resources. Ninety-three percent of CIOs already spend up to half of their time on IT security, at a time when Digital Transformation and business innovation initiatives are also high on the agenda, according to Dtex Systems’ 2019 Insider Threat Intelligence Report. And there’s evidence that indicates that Digital Transformation itself may heighten insider threat risks, as organisations move their operations onto cloud-based platforms that, if not well managed, can make insider risk less visible to cyber security chiefs, reckons Bitglass’s Insider Threat Report 2019.

According to 56% of organisations polled by Dtex, the detection of attacks from insider threats is ‘more challenging’ after they have migrated IT functions and/or data to the cloud; this is likely due in large part to the lack of direct monitoring oversight by the internal IT security function.

Some studies of the new-generation insider threat examine the influence of technological evolution in more detail, especially where medium-to-large organisations have migrated their IT requirement into the cloud. As noted by BetterCloud’s State of Insider Threats in the Digital Workplace, the emergent consensus is that insider threat risk becomes more problematic after an organisation migrates some or all of its IT solutions requirement to a Cloud Services Provider (CSP), typically by adopting an ‘as-a-Service’ platform. Software-as-a-Service (SaaS) means that line-of-business applications and data sets are stored and run from a CSP’s own infrastructure, accessed via the Internet or some other circuit. BetterCloud’s report posits that SaaS could create ‘a nascent generation of risks’.

Employee end-users have a lot of freedom and power when they use SaaS applications (and IT security teams are losing control). More than ever, and in line with the current productivity gains ethos, IT users are empowered in many ways to collaborate and interact with data and with other users.