Detecting insider threats can be tricky, especially as many of the indicators of an insider threat can be easily mistaken as normal user behavior. However, once you fully understand what an insider threat is, and you know the common methods and techniques that insiders might use to exploit your security, you’ll be able to identify the indicators far more easily.
Insider Threat Motivations
To understand what an insider threat looks like it’s useful to know why they happen. Most commonly, insider threats are simply errors. Your employees are not as careful with their permissions as you would like them to be. Sometimes they click on a link in a phishing email, or they accidentally delete files containing sensitive information. More often than not, the “insider” will not be aware of the threat that they have become to your security.
Of course, there are more malicious insiders who will deliberately abuse their privileges to steal sensitive information for personal gain. These are potentially easier to predict if you know what to look for.
So, what are the indicators of insider threats that you need to look out for?
Insider Threat Indicators the IT Team Can Track
Below are some of the most common insider threat indicators that the IT or security team can track through the use of a Data Security Platform or similar monitoring and auditing solution.
Abnormal User Behavior
If a user starts accessing, copying, moving, or deleting files containing sensitive data, and they have never done that before, then they might be considered an insider threat. This quite often manifests itself as users attempting to modify, copy or access files unrelated to their job function. Watch out for abnormal user behavior in relation to both successful and unsuccessful access attempts, file modifications, file deletions, and file copy events.
Often, in the case of malicious insider threats, a common attack path is to infiltrate and then escalate privileges until the right level of access is gained. The higher the privileges escalate, the easier it is for the attacker to access the data they need and cover their tracks more effectively. You should be on the lookout for any changes to permissions that grant access to sensitive data. Any users with permissions to sensitive data that they do not require should have their access revoked and a principle of least privilege enforced.
Emailing People Outside the Organization
Any user that is regularly sending emails to recipients that are outside of the organization and not a client, vendor, or relevant third party, might be an insider threat. It is possible that they are sharing sensitive data or confidential information. Look out for user accounts that are regularly sending emails outside the organization, especially emails containing file attachments or sensitive information. These are users that you will want to speak with.
Logging on Outside of Office Hours
Users may log onto the network outside of office hours for completely normal reasons. However, all out-of-hours activity needs to be considered as a potential insider threat. Users that are accessing sensitive information at 2 in the morning, for example, could potentially be an indicator that the user is abusing their privileges, or that the account has been compromised. The same can be true for user accounts logging on to the network when on vacation.
Insider Threat Indicators That Co-Workers Can Notice
Quite often, insider threats can be identified through the vigilance of your employees. Proper insider threat security awareness training can help co-workers learn what an insider threat looks like. Here are a few examples:
Sudden Changes in Behavior
Employees that have recently decided to commit a crime, or who have just carried out an attack, are likely to exhibit different behavior than co-workers are used to. This could manifest itself on both ends of the spectrum. They could become hostile and dismissive or even overtly friendly. Behavioral changes on their own are not necessarily an indicator of any kind of threat, so they cannot be relied on as the main form of identification. However, changes in behavior coupled with some of the above indicators could reinforce the IT team’s conviction that an insider threat is underway.
Employees on Notice
An employee that has recently been fired or quit, is a prime candidate for an insider threat. They may feel hatred or a sense of injustice towards the company and abuse their still active privileges as a method of revenge. They may feel like they have nothing to lose. Employees that feel hard done by should be kept a close eye on, and any employee that discusses their hatred for the company openly should be considered a potential insider threat waiting to happen.
Sudden Changes to Financial Standing
Again, not something that on its own should be considered an insider threat indicator. However, often insiders who have committed attacks, do so for personal financial gain. An employee that was complaining about financial woes turns up the net day in a new car, which might be something to keep an eye on or investigate further behind the scenes.
How Lepide Helps Spot the Indicators of Insider Threats
Keeping track of all the changes, interactions and user behavior that you need to in order to properly identify an insider threat would be impossible without the assistance of a specialized solution. The Lepide Data Security Platform is designed to give you complete visibility over your sensitive data, including where it is, who has access to it, and what users are doing with it.
Our anomaly spotting technology will alert you in real-time whenever any abnormal changes, interactions, or trends take place that you will want to be aware of. The platform can even execute threat models on the detection of such events to automatically contain the threat, such as by locking out a user account or computer.
If you’d like to see how the Lepide Data Security Platform can help give you more visibility over your sensitive data and protect you against insider threats, schedule a demo with one of our engineers or start your free trial today.