Insider Threat- Story and all about.

Rahul Ambhore
4 min readAug 15, 2021

Let’s go on a quick journey of 40 thousand view of Insider Threat, What it is, Who are they, how we can prevent, detect, and respond. What are the tools that can help on the scale, Who/Which Groups in the organization should be responsible?

Let’ Start with Who is Insider Threat: Anyone who has access to your authenticated system that cloud be Employee, Contractor, Vendor, customers, partners.

Insider threat is a genuine issue that often overlooked however it falls in TOP 10 threat that organization faces from cybersecurity.
Primarily, There could be 2 types of Insiders. Accidental or Intentional.
Someone accidentally kept the system unpatched or any vulnerability in code, database backup or data misplaced, use prod data for dev-test, uses of default vendor system creds, email confidential data to the wrong user, which caused data leak can broadly be used called accidental insider. someone for intentionally copy and share data or IP to competitor or use it for his own financial/political gain, revenge, personal gain.

Key Targets are Healthcare systems to gain patient information and Public Service Financial, These attacks cause by Email, printouts and database leaks

A couple of things can help reduce impact and increase detection time for such Insider Threats.

Prevention and Detection: It became critical to tag what is very important to you and who would have access to those data.
Once we are sure about the data category we can have a layered approach without slowing down everything. A few ways data can get compromised are via email, data upload, printouts, or phone calls. If we have robust monitoring and logging around these few channels it will help to minimize the surface. below few options that can help

Data Source for user and activity monitoring
Network Directory (AD) logs
Proxy logs, Firewall/DNS Logs, Wifi logs, Remote access, VPN logs, File/access permissions, Chat logs, Anti-virus logs, Host logs, disabling or limiting access levels.
Non Technical flags, Anonymous Reporting, Background check, conflict of interest, performance evaluation, personal records, Annual leave, Travel history, Attendance, Disciplinary records, etc

Monitoring user behavior via user activity
Correlate data from multiple sources
Include monitoring of mobile devices
Establish a baseline of normal usage
SIEM is essential (Azure Sentinel)

We should have a system to detect/prevent: we also need to capture or find out indicators of insider compromises, Suspicious network access, failed login attempts, Adding and removing user rights in a short window, logging in regularly on sick or some other leave, The use of Tor browser or file sharing apps or websites. significant increases in printer use
unexplained system performance disk capacity issues
Disabling security controls or installations of hacking tools

Types of tools that can help:
- Web Content Filtering
- User Behavior Analytics

What we have covered so far, Insider threats, how to prevent, detect, and the indicators for insider compromises. Now let’s quickly catch up on how to respond.

Incident Assessment
- Quickly understand the nature of the incident
- accidental or malicious
- data or IP stolen
- data or IP published
- network or system breached
- fraud, financial system integrity compromised
- sabotage
- Denial of service
- what data has been breached and when it happens
- how it happens, accidental or malicious
- who was involve and who is impacted

- Isolate the affected system or data, Remove data if necessary (remove from caching services), Preserve log records, Remove access rights

- Understand the full scope of the incident, The accidental incident is easier to fix, Restore integrity, Can you trace all their steps removing backdoors and malicious software, working alone or collusion, Establish a timeline of the attack

Forensics and Evidence
- Preserve Evidence- be aware of the need for evidence when responding
- Maintain Chain of Custody- user a qualified professional
- Forensics — understand the attacker's steps and full scope of the attack

Crisis Management
- Communication- customer, data owners.

Best Practices
- Knowing your critical assets
- Develop a formalized insider threat program
- Clearly document and enforce policies and controls
- Respond to suspicious
- Manage negative issues in the workplace
- Including insider threats in risk assessments
- Be vigilant of social medial
- Structure work to reduce stress and mistakes
- Include insider threat in awareness
- Use strict password policies and practices
- User stringent access controls
- Monitor employee actions
- Baseline normal behavior for networks employees
- Separation of duties
- Use explicit agreement for any cloud services
- Strong Change controls
- Secure backup and recovery processes
- Data exfiltration processess
- Comprehensive employee termination process

Organization Groups responsible to implement Best Practices
HR, Facilities, Legal, Data Owners, IT and Software Engineering

That’s all I have for this post, This is a summary of the Pluralsight course I recently completed to learn about Insider Threats. Few links below to help you, deep dive. do let me know your view and any resources you know which can add value.