Defeating the insider threat

Insider threats are a growing problem for security teams. In this article, Bloor analyst Fran Howarth explains how to spot the telltale signs of a security problem inside the gates.

By Fran Howarth

Wed 30 Aug 2017 @ 17:26

Many people assume that cybersecurity is about stopping external adversaries, but insider threats can be much more damaging. According to Verizon’s 2017 Data Breach Investigations Report, 25 per cent of all breaches are caused by the actions of insiders, whether inadvertently or through malicious actions.

Insiders have access to critical information

Insider threats can be particularly insidious since such users often have access to highly sensitive information, along with an intimate knowledge of security controls and how they work.

Increasingly, however, internal users are being targeted by external actors, often through phishing schemes or other social engineering exploits that look to dupe them into giving access to, or otherwise compromising, their credentials. This makes it seem as if an attack is coming from a trusted insider, whereas the attack began with a malicious adversary from outside the organisation. This can happen to employees of organisations of any size, since smaller organisations can often provide a conduit into the networks of their larger business partners. Human error also has a significant part to play where insider threats are concerned.

The Ponemon Institute recently examined the role of insiders in terms of the threats that they face, finding that just 43 per cent of organisations feel that they are able to adequately monitor what users with privileged credentials are doing and the data they are accessing. In large part, this is because the tools that they have available are not as effective as they would like, although staff shortages and lack of expertise are also significant factors.

The role of user and entity behaviour analytics

In recent years, the use of user and entity behaviour analytics (UEBA) has spiralled owing to the advanced analytics and predictive modelling capabilities that the technology offers.

UEBA can help to provide evidence of activity at each stage of an incident by tracking and monitoring end user activity and comparing that activity to a baseline of expected behaviour, in order to weed out anything that is anomalous. The system should be capable of learning what constitutes anomalous behaviour and then generating rules for guiding defensive actions to mitigate the threat.

The types of behaviour that will raise the alarm that an incident has occurred include privilege escalation and lateral movement across the network, both of which frequently indicate that a user has been compromised, often by an external adversary.

UEBA will be able to pinpoint which devices and systems have been affected and what files and information have been accessed so that defenders are provided with the information that they need to determine the best course of action to take to remediate the threat. This is enabled by the use of artificial intelligence and machine learning techniques that make user and entity behaviour analytics so powerful.
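The baseline comparison described in this section, as an added illustration that is not from the original article or from any UEBA product: each user's activity today is scored against that user's own history with a median/MAD modified z-score. The feature names, sample counts, threshold and minimum history length are all assumptions constructed for the example.

```python
from statistics import median

# Constructed sample data (not real logs): seven days of per-user daily counts.
# priv_cmds ~ privilege escalation, hosts ~ lateral movement (names are assumptions).
HISTORY = {
    "alice": {"priv_cmds": [0, 0, 1, 0, 0, 0, 1], "hosts": [3, 4, 3, 2, 3, 4, 3],
              "files_read": [40, 35, 50, 45, 38, 42, 47]},
    "bob":   {"priv_cmds": [5, 6, 4, 5, 7, 5, 6], "hosts": [5, 6, 5, 4, 5, 6, 5],
              "files_read": [20, 22, 18, 25, 21, 19, 23]},
}
TODAY = {
    "alice": {"priv_cmds": 6, "hosts": 19, "files_read": 44},
    "bob":   {"priv_cmds": 6, "hosts": 5, "files_read": 20},
    "carol": {"priv_cmds": 2, "hosts": 4, "files_read": 10},  # no history at all
}

def robust_z(value, samples):
    """Modified z-score: distance from the median in units of scaled MAD."""
    med = median(samples)
    mad = median([abs(s - med) for s in samples])
    # A perfectly flat baseline gives MAD == 0; fall back to a scale of one
    # count (an assumption) rather than dividing by zero.
    scale = 1.4826 * mad if mad else 1.0
    return (value - med) / scale

def score_user(user, today, history, threshold=3.5, min_days=5):
    """Compare one user's activity today with that user's own baseline."""
    baseline = history.get(user, {})
    anomalies = {}
    for feature, value in today.items():
        samples = baseline.get(feature, [])
        if len(samples) < min_days:
            # Too little history to call anything normal: report it instead
            # of silently treating the entity as clean.
            return {"user": user, "status": "no_baseline", "anomalies": {}}
        z = robust_z(value, samples)
        if z > threshold:  # only increases in activity are flagged here
            anomalies[feature] = round(z, 1)
    status = "anomalous" if anomalies else "normal"
    return {"user": user, "status": status, "anomalies": anomalies}

if __name__ == "__main__":
    for name, counts in TODAY.items():
        print(score_user(name, counts, HISTORY))
```

Six privileged commands in a day is routine for bob and far outside alice's baseline, which is why the comparison is made per user rather than against one global threshold.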

The insider threat kill chain framework

To show how insider threats can be identified through all stages of an attack, the FBI adapted the kill chain framework — originally developed by Lockheed Martin with further revisions later made by ZoneFox — to insider threat detection.

The framework identifies several stages in the insider-threat kill chain — recruitment or tipping point, search and reconnaissance, exploitation, collection and acquisition, and exfiltration and action. At each stage, actions likely to be taken by perpetrators that are indicative of an insider threat are identified.

Monitoring user behaviour is seen by many to be a grey area, but user and entity behaviour analytics does not look to monitor any specific user’s activity, which is frowned on and even illegal in some jurisdictions. Rather, it just looks for behaviour considered to be outside of the norm so that unwanted actions can be stopped in their tracks. Insider threats can be extremely damaging, but this technology provides a useful and practical way of dealing with them.

Learn more about staying secure with threat lifecycle management by downloading the white paper 'Evolving uses of the kill chain framework' from Bloor.