What are some Potential Insider Threat Indicators?

17 July 2022 | by Xavier Bellekens


What is insider threat in cyber security


The insider threat problem is one of the most difficult threats to manage in cyber security. This is because it can come from a variety of sources, including employees, contractors, and even business partners. Insider threats can result in data breaches, fraud, and other types of damage to an organization. Insider threats can be difficult to detect and prevent because they often involve trusted individuals who have legitimate access to sensitive information.

Furthermore, some people are willing to do anything for a little extra cash, while others have an ideological reason or loyalty that drives them into dangerous territory.

Goals of insider attacks


Insider targets vary with the insider's motivation. Usually they focus on data that a person or business can easily sell on a black market (e.g., personal information about clients or employees, such as credentials).

Insider threats are a serious challenge for organizations today. While there are many potential motivations for an insider to commit malicious acts, the goals of insider threats can be broadly classified into four main categories: financial gain, organizational disruption, revenge, and espionage.

Each of these categories represents a unique set of risks that must be managed in order to protect the organization from insider threats. One of the most important steps in managing insider threats is to identify the specific goal or goals that the insider is pursuing. Once the goal or goals have been identified, the organization can develop a tailored response that is designed to mitigate the risks associated with those goals. By taking a proactive approach to managing insider threats, organizations can protect themselves from the potentially devastating consequences of these threats.

3 Types of Insider Threats in Cyber Security


Insider threats can come in many forms, but they can broadly be classified into three categories: insider negligence, insider maliciousness, and insider accidents.

Insider negligence

Insider negligence refers to situations where an insider fails to follow proper security protocol, resulting in a security breach. For example, an employee who fails to lock their computer when they step away from their desk may inadvertently give an adversary the opportunity to access confidential company data.

Malicious insiders

A malicious insider threat occurs when an insider deliberately seeks to harm their organization, either for personal gain or out of spite. An insider with malicious intent may, for example, leak sensitive information to a competitor or attempt to sabotage company systems.

Insider accidents

Insider accidents are situations where an insider makes an honest mistake that nonetheless results in a security breach. For instance, an employee who accidentally clicks on a phishing email may unknowingly give attackers access to the organization’s network, or may enable public access to a sensitive file.

All three types of insider threats can pose serious risks to an organization, and it is important for businesses to take steps to protect themselves against all three. Some common measures include instituting mandatory security training for all employees and implementing strict access controls on sensitive data. By taking these and other precautions, businesses can help

How are malicious insider threats recruited


According to some estimates, the dark web market for stolen credit card and personally identifiable information (PII) is enormous and valued at approximately $120 billion. Even if the worth of data varies, cybercriminals stand to profit financially if they can obtain sensitive data.

Consequently, cybercriminals have started recruiting employees and using them as malicious insiders as one method of gathering sensitive data. A McAfee report singles out the healthcare sector as one that is particularly troubled by this form of insider threat.

According to a survey, 20% of workers would be prepared to sell their passwords, and 44% would do it for less than $1,000. According to the SailPoint Market Pulse Survey, some employees would sell their company credentials for less than $100.

Criminals often look for employees who show a vulnerability that could be exploited, such as:

  • Drug or alcohol addictions
  • Unpredictable behavior in the workplace
  • Financial distress

Potential insider threat indicators


Insider threat can come from a variety of sources, including current and former employees, contractors, and third-party vendors.

While insider threats can be difficult to detect, there are a few potential insider threat indicators that may signal malicious intent. Some of the warning signs include:

  • Obtaining or downloading large volumes of data, during usual working hours as well as at odd hours
  • Accessing private information they don’t require in order to accomplish their job
  • Accessing information they have never previously accessed
  • Asking for privileged access to resources that aren’t necessary for their core job function
  • Using unauthorised storage devices, such as USB sticks and flash memory
  • Searching the company’s network for sensitive information
  • Repeatedly copying files that contain critical data
  • Sending private information (data exfiltration) via email or any other form of communication outside the company

Other insider threat indicators include

  • Storing important assets at home or in any other unapproved location
  • Using unauthorised computers, cameras, recorders, or other recording equipment in locations where crucial assets are kept, discussed, or processed
  • Asking co-workers to sign off on the destruction of sensitive material even though they were not present when it was done
  • Removing important items from the work area without proper authority
  • Holding a Top Secret/Sensitive Compartmented Information clearance, or being a contractor with a reporting requirement, while attempting to hide work-related or personal international travel
  • Using network tools to scan corporate networks or to access data on the network
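As an added illustration (not code from the original post or from Lupovis), the following Python checks constructed access-log records against several of the indicators listed above: bulk downloads at odd hours, access outside the user's role, first-time access to a resource, and copying data to removable media or e-mailing it out. The role model, the baseline of previously accessed resources and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access records (not real data): user, timestamp, action,
# resource path and bytes moved.
SAMPLE_LOG = [
    {"user": "alice", "ts": "2022-07-11T09:15:00", "action": "read",
     "resource": "hr/payroll.xlsx", "bytes": 200_000},
    {"user": "alice", "ts": "2022-07-11T23:40:00", "action": "download",
     "resource": "hr/payroll.xlsx", "bytes": 900_000_000},
    {"user": "bob", "ts": "2022-07-12T10:05:00", "action": "read",
     "resource": "eng/design.pdf", "bytes": 50_000},
    {"user": "bob", "ts": "2022-07-12T10:30:00", "action": "read",
     "resource": "finance/q2-forecast.xlsx", "bytes": 80_000},
    {"user": "bob", "ts": "2022-07-12T10:31:00", "action": "usb_write",
     "resource": "finance/q2-forecast.xlsx", "bytes": 80_000},
    {"user": "carol", "ts": "2022-07-12T11:00:00", "action": "email_out",
     "resource": "customers/list.csv", "bytes": 3_000_000},
]
# Hypothetical role model: the data areas each user's job actually requires.
ROLE_SCOPE = {"alice": {"hr"}, "bob": {"eng"}, "carol": {"sales"}}
# Hypothetical baseline: resources each user has touched in earlier months.
BASELINE = {"alice": {"hr/payroll.xlsx"}, "bob": {"eng/design.pdf"}, "carol": set()}
WORK_HOURS = range(7, 20)    # assumption: 07:00-19:59 count as usual hours
BULK_BYTES = 500_000_000     # assumption: >= 500 MB in one action is a bulk transfer
EXIT_ACTIONS = {"usb_write": "removable_media", "email_out": "external_email"}

def flag_indicators(log, role_scope, baseline):
    """Map each user to the sorted list of indicator names their records trigger."""
    seen = defaultdict(set, {u: set(r) for u, r in baseline.items()})
    flags = defaultdict(set)
    for rec in log:
        user, res = rec["user"], rec["resource"]
        hour = datetime.fromisoformat(rec["ts"]).hour
        area = res.split("/", 1)[0]          # top-level data area of the resource
        if rec["action"] == "download" and rec["bytes"] >= BULK_BYTES:
            flags[user].add("bulk_download" if hour in WORK_HOURS
                            else "bulk_download_odd_hours")
        if area not in role_scope.get(user, set()):
            flags[user].add("outside_role_access")
        if res not in seen[user]:            # never previously accessed by this user
            flags[user].add("never_before_accessed")
            seen[user].add(res)
        if rec["action"] in EXIT_ACTIONS:    # data leaving via USB or external email
            flags[user].add(EXIT_ACTIONS[rec["action"]])
    return {u: sorted(f) for u, f in flags.items()}

if __name__ == "__main__":
    for user, hits in flag_indicators(SAMPLE_LOG, ROLE_SCOPE, BASELINE).items():
        print(f"{user}: {', '.join(hits)}")
```

A single indicator is a prompt for review rather than proof of intent; the value is in several of them clustering on one user, as they do for bob and carol in the sample.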

Potential behavioral insider threat indicators


An insider may, for example, exhibit sudden changes in behavior, such as increased absences or tardiness, or a decrease in job performance.

They may also have a sudden financial need or display an unusual interest in sensitive company information. In addition, insiders may try to gain elevated access privileges to company systems or data, or they may share confidential information with unauthorized individuals. While these behaviors alone do not necessarily indicate malicious intent, they can be red flags that warrant further investigation. By remaining vigilant for potential insider threats, organizations can help protect themselves from costly data breaches and other damage.

  • Displaying conduct that repeatedly compromises security
  • Engaging in criminal activity or requesting that you engage in any illegal action, such as stealing data
  • Displaying unexplained or excessive wealth that cannot be justified by inheritance, gambling luck, or a lucrative business enterprise
  • Showing a rapid change in one’s financial circumstances, a sudden repayment of significant debts, or other suspicious financial gain
  • Putting pressure on people who have access to crucial resources by offering them preferential treatment, favors, gifts, money, or incentives
  • Demonstrating attitudes or conduct typical of disgruntled workers, such as
    • Disagreements with managers and coworkers
    • Declining performance
    • Poor performance reviews
    • A tendency to be late
    • Unexplained absences
    • Disregard for company policies

Countering Insider Threats


The threat begins at the hiring interview. Companies must build a healthy workplace to reduce the dangers posed by malicious insider behavior by their employees and educate them to prevent unintentional threats from insiders.

These techniques or methods are the basic elements of a larger framework that addresses insider threats and other cybersecurity threats.

  • Increase visibility by implementing tools that monitor employee activity and combine data from various sources. For instance, you can use deception technology to lure an insider or imposter who is trying to cause harm, and so gain visibility into their activities.
  • Encourage cultural shifts so that security is not just about technical knowledge but also about attitudes and values. You should educate your staff on security issues and seek to raise employee satisfaction in order to counteract negligence and address the causes of malevolent activity.
  • Protect important resources, such as facilities, people, systems, and technology, which can be either physical or logical. Critical assets also include intellectual property, such as proprietary software, schematics, customer data held for vendors, and internal manufacturing procedures. Develop a thorough understanding of your important assets. Ask yourself questions like: What are our most important resources? Can we rank them by importance? And what do we know about each asset’s current condition?
  • Document organizational policies so that you can enforce them and avoid misunderstandings, including policies that prevent the sharing of privileged content that has been developed and is currently under embargo. Everyone in the organization needs to be aware of security protocols and understand their rights in connection with intellectual property (IP).

Other countermeasures may also include:

  • Keeping track of all essential internal digital resources, sensitive data and related activity
  • Keeping an inventory of all sensitive information and locating sensitive files
  • Putting in place a least-privilege paradigm and a zero-trust strategy for access to data and digital assets
  • Utilising cyber deception and AI to detect abnormal behaviour through advanced active defence technologies
  • Deploying user activity monitoring solutions
  • Establishing a forensic investigation protocol in case malicious insiders are detected
  • Defining information security policies for revoking the access of former employees
  • Defining information security policies for outside parties, partners and third parties, including policies for supply chain partners that have access to the network
  • Characterising different scenarios to stay ahead of an insider threat
  • Determining the actions to take
    • to mitigate threats
    • when one or more alerts or insider threat indicators have been raised or triggered
    • and which people in the organisation need to be involved (e.g., HR, CEO, CIO, CISO, etc.)
  • Documenting the steps taken by your team to identify the insider threat, the suspicious user activities, and all security information and events you may have gathered from the employee’s devices, the network security tools, and any other tools you use for insider threat detection. This documentation may be used later in court.

Recent Examples of Insider Threats

Ex-CIA: At a New York City trial, a former CIA software engineer accused of the largest theft of classified information in CIA history was found guilty.

Tesla’s Spygate: Elon Musk, the founder of Tesla, informed staff via email that this insider had engaged in “very substantial and devastating sabotage” against the business, including using fictitious usernames to make “direct code changes to the Tesla Manufacturing Operating System.”

SunTrust Insider: A rogue insider may have stolen the personal information of 1.5 million clients of SunTrust, a major regional US bank.

Coca-Cola trade secret theft: A research engineer stole trade secrets from Coca-Cola using simple exfiltration methods, but she wasn’t discovered until she tried to steal the same kind of information from another business.

Solutions to combat insider threats and other cyber security risks


There are many different types of threats to an organization, but one is the hardest for security solutions to handle: insider attacks, and obtaining high-fidelity insider threat indicators for them.

In these cases it can be difficult, if not impossible, for traditional cyber security tools to detect the threat. There is often no external sign pointing to the strange behavior of an insider, a disgruntled employee, or a former employee with legitimate access privileges. And since insiders already know how things work within the company, malicious activity is all too easy to hide from detection.

Moreover, insider threats don’t exist in a vacuum; businesses must protect themselves against malicious software and ransomware targeting corporate machines and other cyber risks. Organizations can use five types of tools to minimize cyber risks, including:

Lupovis recognises that insider threat is one of the most difficult security challenges to address. It requires a multi-faceted approach that not only detects negligence, malicious insiders and insider accidents, but also protects data at a granular level. Our platform provides a comprehensive solution that covers all of these bases.

We provide visibility into how users are moving through the network, and our deception solution ensures that whatever a malicious insider tries to access or modify, you are in control. This combination of capabilities gives you the tools you need to detect and prevent insider threats before they can do damage. Lupovis Snare is the next-generation security platform that uses deception technology to detect and prevent advanced threats.

Our platform provides high-fidelity alerts so you can take action quickly and effectively.

By using our platform, you can have a strengthened security posture that will give you the peace of mind you need to focus on your business. You’ll also have access to advanced threat intelligence, so you can stay ahead of the curve.
