A Wolf in Sheep’s Clothing: Identifying Malicious Insiders

By Kanika Agarwal | 11.22.2017 | IT Operations

Deploying defenses to protect against outside threats may seem more natural than protecting yourself against your own employees. However, we now know that attacks from malicious insiders are by far the most damaging to your organization.

In light of this, identifying malicious insiders should be at the top of your list of IT security priorities.

Segregating Malicious Insiders

Insider threats are people who have been entrusted with authorized access to the network and often have significant knowledge about the network architecture, including targeted files and systems.

Because many organizations focus on protecting their perimeter, little attention is paid to what is occurring within the system. As a result, these threats may stay undiscovered for months; long enough to do real damage.

But where do you start when the threat comes from your own employees?

Let’s start with the ‘not-so-model employee’, who has consistently been the first in and last out of the office. Despite having no project allocation, this individual is pulling extra hours at work. Is that normal, or could it be a sign of malicious activity?

Another on the list is the ‘ironman streak’: an individual who is long overdue for a vacation, remains secretive and does not collaborate with others on the common platform. There is a chance that he or she is gearing up for an insider attack.

So, why do employees go rogue? Listed below are some of the common reasons which turn a good employee into a bad one:

  • An outsider promise – An outsider, especially a competitor, could provide a financial incentive for an insider to go rogue.
  • A life-changing event – You never really know what’s going on in your employees’ personal lives. Significant events may push an individual to take drastic action if they think they can get away with it.
  • On the way out – An employee who has handed in their notice may want to take trade secrets or sensitive details with them to benefit the next employer.
  • Disgruntled – An employee who was recently passed over for a promotion, or something similar, may look for a way to take revenge.

Recent statistics regarding rogue employees

Based on a recent survey of more than 200 security and IT executives from around the world, the following challenges were highlighted:

  • 93.6% of organizations do not have full visibility into insider threats, contributing to a delayed response.
  • 53.4% of organizations reported breaches caused by insiders, while an additional 35.3% have no idea whether their breaches were inside jobs.
  • More than 70% of organizations said they have trouble detecting insider cybersecurity incidents, 55% have trouble investigating events, and 44.5% have trouble proving beyond doubt what happened.
  • More than 50% of organizations struggle with data exfiltration channels, including file sharing, printing and USB storage.
  • Only two-thirds of organizations claim to have up to 10 security tools in use.

The most critical aspect to understand here is that an employee is an insider with legitimate access to the company network.

What is the solution?

LepideAuditor enables you to keep track of your sensitive data by helping you determine who has access to what, when the data is being accessed and where data is located. Here are just some of the cool things you can do with LepideAuditor to help you identify and crack down on malicious insiders:

1. Enforce the Principle of Least Privilege as the standard

User privileges can accumulate for reasons that are difficult to monitor, such as changing job requirements, employees leaving the business or new employees joining. Instead of giving users all-or-nothing access, grant privileges based on specific user needs and scenarios, and revoke them as soon as the job is done. Use LepideAuditor to learn which users have expansive privileges on your network.

2. Track changes to access rights

What happens if the user or group permissions for accessing network resources are changed? At the very least, your network is likely to experience severe disruption. If you can determine who changed the user or group permissions, when they were changed and from where, you can keep access rights under control and prevent tampering with confidential data.

3. Educate employees and senior management on the importance of data security

Having the entire workforce take part in security training and regular briefings on best practices can go a long way in improving IT security. When employees are actively involved in the process of protecting company assets, they are more likely to take ownership of their obligations and responsibility. Also, educating employees and senior management on risks surrounding sensitive data helps them identify system vulnerabilities for you.

4. Monitor access to sensitive data

Unusual numbers of failed read attempts, unsuccessful delete operations or successful modifications made outside business hours are an indication that an insider is abusing their privileges. By analyzing user access patterns, malicious intent can be detected.
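The access-pattern rules described above, as an added example that is not part of the original post or of LepideAuditor: a small Python script that runs three checks (failed-read bursts, repeated failed deletes, and successful modifications outside business hours) over constructed file-access records. The record layout, the business-hours window and the thresholds are assumptions chosen for the example; the records are loosely modelled on the fields of a Windows object-access audit event (ID 4663) but are not real data.

```python
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample events (not real audit data), loosely modelled on the
# fields of a Windows object-access audit record (event ID 4663):
# timestamp, user, operation, outcome, object path.
SAMPLE_EVENTS = """\
2017-11-20T09:12:04,alice,Read,Success,fs01/finance/q3.xlsx
2017-11-20T09:15:31,alice,Read,Success,fs01/finance/q4.xlsx
2017-11-20T10:02:17,alice,Write,Success,fs01/finance/q4.xlsx
2017-11-20T23:41:10,bob,Read,Failure,fs01/hr/salaries.xlsx
2017-11-20T23:41:12,bob,Read,Failure,fs01/hr/bonuses.xlsx
2017-11-20T23:41:15,bob,Read,Failure,fs01/hr/reviews.docx
2017-11-20T23:41:20,bob,Read,Failure,fs01/legal/contracts.zip
2017-11-20T23:42:03,bob,Delete,Failure,fs01/hr/salaries.xlsx
2017-11-20T23:42:09,bob,Delete,Failure,fs01/hr/bonuses.xlsx
2017-11-21T02:15:44,bob,Write,Success,fs01/eng/source.zip
2017-11-21T08:30:00,carol,Write,Success,fs01/eng/source.zip
"""

# Assumed working day and per-user thresholds; tune these to your environment.
BUSINESS_HOURS = (time(8, 0), time(18, 0))
FAILED_READ_THRESHOLD = 3
FAILED_DELETE_THRESHOLD = 2


def parse_events(text):
    """Parse the comma-separated sample records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, op, outcome, path = line.split(",", 4)
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "op": op,
            "outcome": outcome,
            "path": path,
        })
    return events


def is_off_hours(ts):
    """True outside the assumed working window or on a weekend."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def find_suspicious_access(events):
    """Return (user, rule, count) findings for the three access-pattern rules."""
    failed_reads = Counter()
    failed_deletes = Counter()
    off_hours_mods = defaultdict(list)

    for e in events:
        if e["outcome"] == "Failure" and e["op"] == "Read":
            failed_reads[e["user"]] += 1
        elif e["outcome"] == "Failure" and e["op"] == "Delete":
            failed_deletes[e["user"]] += 1
        elif (e["outcome"] == "Success" and e["op"] in ("Write", "Delete")
              and is_off_hours(e["time"])):
            off_hours_mods[e["user"]].append(e["path"])

    findings = []
    for user, n in failed_reads.items():
        if n >= FAILED_READ_THRESHOLD:
            findings.append((user, "failed_reads", n))
    for user, n in failed_deletes.items():
        if n >= FAILED_DELETE_THRESHOLD:
            findings.append((user, "failed_deletes", n))
    for user, paths in off_hours_mods.items():
        findings.append((user, "off_hours_modification", len(paths)))
    return sorted(findings)


if __name__ == "__main__":
    for user, rule, count in find_suspicious_access(parse_events(SAMPLE_EVENTS)):
        print(f"{user}: {rule} x{count}")
```

On the constructed data only bob trips the rules: four failed reads and two failed deletes across HR and legal shares late on a Monday night, followed by a successful write at 02:15. carol's write to the same file at 08:30 on a weekday is inside the assumed window and produces no finding, which is the point of baselining on time of day rather than on the operation alone.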

5. Manage the threat of shared passwords

Many employees use the same easy-to-guess passwords instead of trying to remember a different complex, secure password for every account and site login. Another prevalent problem in many organizations is shared passwords. This becomes more significant when employees bring passwords from home to work. Always remember that password sharing is a substantial security threat. LepideAuditor gives you a more in-depth overview of user activities, such as logon attempts, users logged on to multiple computers, and concurrent logon sessions. It gives a fair idea of the suspicious logon events that can result from illegitimate sharing of passwords.

6. Monitor account logon activity

Insiders already have legitimate access to the corporate network, so they may pose severe risks to IT security. Delegated IT administrators are required to mitigate the risks of insider threat or privilege abuse on the platform in any way they can. User logon information plays a crucial role in doing this, as it shows which users are logged on, which users have made failed logon attempts on which computers, and much more. You can use LepideAuditor to track all logon activity using its predefined reports on logon and logoff events. You can also configure our solution to send alerts for successful logon and logoff events on computers or domain controllers.
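The two logon signals that sections 5 and 6 above describe, concurrent sessions for one account on several computers (a tell-tale of a shared password) and bursts of failed logons, as an added example that is not part of the original post or of LepideAuditor. It is a Python script over constructed logon records that borrow the Windows security log event IDs 4624 (successful logon), 4625 (failed logon) and 4634 (logoff); the record layout, the five-minute window and the failure threshold are assumptions chosen for the example, and the data is not real.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not real data): timestamp, Windows event
# ID (4624 success, 4625 failure, 4634 logoff), account, workstation.
SAMPLE_LOGONS = """\
2017-11-21T08:55:02,4624,dave,WS-DAVE
2017-11-21T09:03:40,4624,dave,WS-FINANCE-07
2017-11-21T09:10:11,4624,dave,WS-RECEPTION
2017-11-21T12:00:00,4634,dave,WS-DAVE
2017-11-21T09:00:13,4624,erin,WS-ERIN
2017-11-21T17:30:00,4634,erin,WS-ERIN
2017-11-21T17:45:01,4624,erin,WS-ERIN
2017-11-21T22:01:05,4625,frank,WS-ADMIN-01
2017-11-21T22:01:09,4625,frank,WS-ADMIN-01
2017-11-21T22:01:14,4625,frank,WS-ADMIN-01
2017-11-21T22:01:20,4625,frank,WS-ADMIN-01
2017-11-21T22:01:27,4625,frank,WS-ADMIN-01
2017-11-21T22:02:40,4624,frank,WS-ADMIN-01
"""

LOGON, FAILED_LOGON, LOGOFF = 4624, 4625, 4634

# Assumed detection parameters; tune to the environment.
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=5)


def parse_logons(text):
    """Parse the sample records into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, host = line.split(",", 3)
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "user": user,
            "host": host,
        })
    return sorted(events, key=lambda e: e["time"])


def find_concurrent_sessions(events):
    """Accounts logged on to two or more hosts at the same time.

    Replays logon/logoff events to keep a set of active hosts per account and
    records the largest overlapping set seen for each offending account.
    """
    active = defaultdict(set)
    peak = {}
    for e in events:
        hosts = active[e["user"]]
        if e["event_id"] == LOGON:
            hosts.add(e["host"])
            if len(hosts) >= 2 and len(hosts) > len(peak.get(e["user"], ())):
                peak[e["user"]] = set(hosts)
        elif e["event_id"] == LOGOFF:
            hosts.discard(e["host"])
    return {user: sorted(hosts) for user, hosts in peak.items()}


def find_failed_logon_bursts(events):
    """Accounts with >= FAILED_LOGON_THRESHOLD failures inside one window.

    Returns (account, failures_in_window, success_followed) tuples; the last
    flag is True when a successful logon occurred within the window after the
    burst, which deserves the quickest follow-up.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]
        for i, first in enumerate(failures):
            window = [f for f in failures[i:]
                      if f["time"] - first["time"] <= FAILED_LOGON_WINDOW]
            if len(window) >= FAILED_LOGON_THRESHOLD:
                last = window[-1]["time"]
                success_after = any(
                    e["event_id"] == LOGON
                    and last <= e["time"] <= last + FAILED_LOGON_WINDOW
                    for e in evs)
                findings.append((user, len(window), success_after))
                break  # one finding per account is enough for a report
    return findings


if __name__ == "__main__":
    evs = parse_logons(SAMPLE_LOGONS)
    for user, hosts in find_concurrent_sessions(evs).items():
        print(f"{user}: concurrent sessions on {', '.join(hosts)}")
    for user, n, ok in find_failed_logon_bursts(evs):
        print(f"{user}: {n} failed logons in a window, success afterwards={ok}")
```

On the constructed data, dave's account is active on three workstations within fifteen minutes, which is the pattern the text attributes to a shared password; erin logs off before logging on again, so she is never counted. frank's five failures in 22 seconds followed by a success from the same workstation are reported with the success flag set. Real deployments would read these events from the domain controllers' security logs rather than from an inline string, and would correlate the logon type and source address as well.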
