While it may be true that the majority of insider threats are actually the result of negligent or naive employees, rogue employees still account for 22% of insider threats, according to the 2017 insider threat intelligence report. And should a rogue insider find a way to circumvent an organisation’s security controls, the impact of the breach could be far more severe. Below are 5 important questions organisations need to answer if they want to protect their network from rogue administrators.
1. Are you able to identify unauthorised access to your systems?
Rogue administrators will likely try to access information that is unrelated to their day-to-day tasks. Such information may include intellectual property, financial data, PII, and so on. It is imperative that you are able to closely monitor both employees and contractors and receive real-time alerts should they access systems they are either not authorised to access or have never accessed before.
2. Are you able to identify “privilege escalation”?
A malicious insider will likely seek to elevate their access privileges in an attempt to gain access to important documents. You will need to look for situations where either an employee or contractor is suddenly granted access privileges that are undocumented and are not needed for their typical job function.
3. Would you know if an employee is transferring data to a personal email account, external drive or cloud service?
Rogue administrators have been known to transfer large amounts of sensitive information, such as intellectual property or financial data, to a personal email account, external drive or cloud service. You will need to be able to monitor suspicious events such as excessive copying of files from the company server to an external system.
4. Would you be able to spot the signs of a disgruntled or potentially malicious administrator?
An administrator might go “rogue” for a number of different reasons. Maybe they feel angry or upset about the way they are treated in the workplace and want to get revenge. Maybe their actions give them a sense of empowerment. There are a number of questions you might want to ask, such as: Are they being hostile to other employees? Do they respond badly to criticism? Have they adopted a “them against us” mentality towards management? Are they boasting to other employees about their intellectual prowess? Are they under financial stress? Are they working long hours, or hours that they would not typically work? Obviously, it would be inappropriate to delve too deep into their personal life, but it is important to keep a close eye on their behaviour nonetheless.
5. Are you able to spot the signs of someone trying to cover their tracks?
Rogue admins may use a variety of techniques to obfuscate their activity and bypass security controls. One method that is particularly effective is to use a Tor browser, which routes browsing, communication, and file transfers through a distributed network of relays in order to prevent people from following their tracks. However, it is possible to obtain a list of Tor nodes/proxies and add that list to your firewall settings. This task can be automated, and alerts can be set up to help you identify suspicious network traffic. Alternatively, it may be the case that an employee gains access to a privileged mailbox account, reads the emails and then marks them as “unread” in an attempt to cover their tracks. Using mailbox access auditing tools, it is possible to raise alerts when emails in privileged mailbox accounts are marked as “unread”. Other things you may want to look out for are the use of VPNs, private browsing, and the use of encryption software.
Protecting your organisation from rogue administrators requires a lot of visibility into the who, what, where and when of suspicious events. SIEM solutions can be used to aggregate log data from multiple sources, including endpoints, servers, databases and applications. However, when dealing with malicious insiders, the focus should be on detecting suspicious activity associated with files, folders, user accounts, and mailboxes.
Sophisticated auditing solutions, such as LepideAuditor, enable you to closely monitor the status of privileged accounts. You can detect, alert and respond to anything that may be deemed suspicious, such as privilege escalation, suspicious file and folder activity, account modification/deletion, privileged mailbox access, and so on. Since it is possible that a rogue admin may try to use password-cracking software to gain access to a privileged account, LepideAuditor provides a “threshold alerting” feature which enables you to detect and respond to anomalous logon failures. It might be the case that an administrator was either fired from the company, or left on bad terms, yet was still able to access their account after they left.
LepideAuditor enables you to detect and automate the removal of user accounts that are no longer active.
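As an added illustration of the threshold-alerting idea described above (this is example code written for this page, not LepideAuditor’s or the author’s own), the rule below counts logon failures against privileged accounts in a sliding time window and flags a burst that is immediately followed by a successful logon, since that is the pattern password guessing leaves behind. The log format, account names and addresses are constructed assumptions, not real audit records.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: timestamp, event, account, source IP).
SAMPLE_LOG = """\
2017-06-01T09:00:01 LOGON_FAILURE svc_backup 10.0.0.7
2017-06-01T09:00:04 LOGON_FAILURE svc_backup 10.0.0.7
2017-06-01T09:00:09 LOGON_FAILURE svc_backup 10.0.0.7
2017-06-01T09:00:12 LOGON_FAILURE svc_backup 10.0.0.7
2017-06-01T09:00:15 LOGON_FAILURE svc_backup 10.0.0.7
2017-06-01T09:00:20 LOGON_SUCCESS svc_backup 10.0.0.7
2017-06-01T09:05:00 LOGON_FAILURE jdoe 10.0.0.22
2017-06-01T09:15:00 LOGON_FAILURE jdoe 10.0.0.22
"""

# Assumed set of accounts treated as privileged for the rule.
PRIVILEGED_ACCOUNTS = {"svc_backup", "domadmin"}


def parse_log(text):
    """Yield (timestamp, event, account, source_ip) from the constructed log lines."""
    for line in text.splitlines():
        if line.strip():
            ts, event, account, ip = line.split()
            yield datetime.fromisoformat(ts), event, account, ip


def threshold_alerts(text, max_failures=5, window=timedelta(minutes=1),
                     privileged=PRIVILEGED_ACCOUNTS):
    """Alert when a privileged account reaches max_failures logon failures inside a
    sliding window; mark the alert if a successful logon follows within the window."""
    recent = defaultdict(deque)          # account -> timestamps of recent failures
    alerts = []
    for ts, event, account, ip in parse_log(text):
        if account not in privileged:
            continue
        if event == "LOGON_SUCCESS":
            # A success right after a burst of failures is the stronger signal:
            # the guessing may have worked, so escalate the existing alert.
            for a in alerts:
                if a["account"] == account and ts - a["window_end"] <= window:
                    a["followed_by_success"] = True
            continue
        if event != "LOGON_FAILURE":
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:   # discard failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures:
            alerts.append({"account": account, "source_ip": ip, "failures": len(q),
                           "window_start": q[0], "window_end": ts,
                           "followed_by_success": False})
            q.clear()                     # one alert per burst, then start counting again
    return alerts
```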