What is a malicious insider?

A malicious insider is an individual who has authorized access to an organization’s network and systems and misuses it. Malicious insiders are usually employees, but sometimes are contractors, partners, or vendors who have been granted access privileges and have an understanding of the organization’s security policies, processes, and systems. 

These individuals distinguish themselves as malicious insiders because they use their access privileges for nefarious purposes. In some cases, malicious insiders use their ability to access physical locations to steal or do damage to equipment or paper-based materials. 

What motivates a malicious insider varies, but several of the more common drivers for their criminal behavior are: 

  • Being coerced into a misdeed by means of extortion 
  • Desiring notoriety 
  • Fraud, using sensitive information for deception (e.g., identity theft) 
  • Retribution by a disgruntled employee  
  • Sabotage, causing damage to systems and other property 
  • Stealing money 
  • Stealing, sharing, or leaking sensitive information for monetary gain or espionage (e.g., for competitive advantage) 

Detecting malicious insiders

Malicious insiders are detected by watching for unusual behaviors or activities, since their credentials and access are legitimate. Indicators of a possible malicious insider include the following. 

Accessing information outside of a user’s job function

If someone is accessing information that is not related to their job function, this could be a sign of a malicious insider. Examples include a marketing person trying to access human resources files or a finance person trying to access engineering files. 

Departing employees and contractors

Whether an employee or contractor with access privileges leaves an organization voluntarily or at the organization’s behest, they have the potential to become a malicious insider. These malicious insiders take advantage of their access privileges in the period before they depart, or afterwards if that access is not revoked promptly.   

Excessive data movement

  • Files moved out of the organization using file transfer tools 
  • Large amounts of data transferred outside the organization 
  • Spikes in data downloads relative to the user’s normal volume 

File names and extensions renamed

Malicious insiders often rename files or change their file extensions (e.g., renaming a spreadsheet to .jpg) to evade monitoring systems that prevent data exfiltration by matching on file names or extensions. Checks that inspect file content rather than the name are not fooled by this. 

Request for escalated privileges or permissions

There are legitimate cases for escalating privileges and permissions. However, when there is a spike in requests or an individual asks for escalations that do not seem to align with their actual needs, it could be a sign of a malicious insider.   

Use of unsanctioned systems and tools

  • Installing an email extension to encrypt files and send them to a personal email account 
  • Adopting unsanctioned file transfer or storage tools that simplify data exfiltration 
  • Tracking the progress of an internal project in tools outside the organization’s monitoring 
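The indicators above can be turned into concrete checks. The following is an added example, not code from the original page, that runs four of them over a handful of constructed access-log records: access outside the user’s job function, after-hours access, a spike in download volume against the user’s own baseline, and a file whose leading bytes do not match its extension. The log format, the role-to-share mapping, the business-hours window, the spike factor and the file signatures are all assumptions made for illustration.

```python
"""Insider-threat indicator checks over constructed access-log records.

Added example, not code from the original page. The log format, the
role-to-share mapping, the business-hours window, the spike factor and the
file signatures are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample log: timestamp, user, job role, action, resource, bytes.
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice marketing read /shares/marketing/campaign.pptx 240000
2024-03-04T09:40:00 alice marketing read /shares/hr/salaries.xlsx 90000
2024-03-04T10:05:00 bob finance download /shares/finance/q1.xlsx 1200000
2024-03-05T10:05:00 bob finance download /shares/finance/q2.xlsx 1100000
2024-03-06T10:05:00 bob finance download /shares/finance/q3.xlsx 1300000
2024-03-07T02:14:00 bob finance download /shares/finance/all_customers.csv 48000000
2024-03-07T02:20:00 carol engineering read /shares/engineering/design.pdf 500000
"""

# Assumed mapping of job function to the share prefixes it legitimately uses.
ROLE_SCOPE = {
    "marketing": ("/shares/marketing/",),
    "finance": ("/shares/finance/",),
    "engineering": ("/shares/engineering/",),
    "hr": ("/shares/hr/",),
}

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59; an assumed working window

# Leading bytes (magic numbers) of a few common formats; deliberately limited.
MAGIC = {
    b"PK\x03\x04": {"zip", "xlsx", "docx", "pptx"},
    b"%PDF": {"pdf"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
}

def parse_log(text):
    """Turn the whitespace-separated sample format into dicts."""
    records = []
    for line in text.splitlines():
        ts, user, role, action, resource, size = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "action": action,
                        "resource": resource, "bytes": int(size)})
    return records

def out_of_scope_access(records):
    """Access to resources outside the user's job function."""
    return [(r["user"], r["resource"]) for r in records
            if not r["resource"].startswith(ROLE_SCOPE.get(r["role"], ()))]

def after_hours_access(records):
    """Any activity outside the assumed business-hours window."""
    return [(r["user"], r["ts"].isoformat()) for r in records
            if r["ts"].hour not in BUSINESS_HOURS]

def download_spikes(records, factor=3.0):
    """A day whose download volume exceeds `factor` times the user's own
    mean daily volume over the preceding days (needs two prior days)."""
    per_user_day = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["action"] == "download":
            per_user_day[r["user"]][r["ts"].date()] += r["bytes"]
    alerts = []
    for user, days in per_user_day.items():
        ordered = sorted(days.items())
        for i in range(2, len(ordered)):
            baseline = mean(total for _, total in ordered[:i])
            day, total = ordered[i]
            if total > factor * baseline:
                alerts.append((user, day.isoformat(), total))
    return alerts

def extension_mismatch(filename, header):
    """True when the file's leading bytes identify a format that does not
    match its extension, e.g. an .xlsx renamed to .jpg so that DLP rules
    keyed on the extension leave it alone. Unknown formats are not judged."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    for signature, extensions in MAGIC.items():
        if header.startswith(signature):
            return ext not in extensions
    return False

def run_checks(text=SAMPLE_LOG):
    """Run the three log-based checks and return their findings by name."""
    records = parse_log(text)
    return {
        "out_of_scope": out_of_scope_access(records),
        "after_hours": after_hours_access(records),
        "download_spikes": download_spikes(records),
    }

if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(name, hits)
    # A renamed spreadsheet: zip header but a .jpg extension.
    print("renamed:", extension_mismatch("vacation.jpg", b"PK\x03\x04\x14\x00"))
```

On the sample data, alice is flagged for reaching into the HR share, bob for a download on 7 March that is forty times his own three-day average, and both bob and carol for activity at two in the morning. Carol’s hit is a reminder that a single indicator is weak evidence on its own; the spike check fires only against the user’s own baseline, which is why it needs a few days of history before it says anything.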

Malicious insider examples

  • Deploying ransomware 
  • Editing or deleting documents, records, files, or accounts 
  • Exposing large sets of confidential information 
  • Installing and propagating malware 
  • Sabotaging critical systems (e.g., cutting wires, turning off cooling systems, or starting a fire) 
  • Selling information for financial gain 
  • Stealing and selling trade secrets   
  • Transferring money to unauthorized accounts 

Malicious insider techniques

Malicious insiders employ a number of techniques to perpetrate their illicit activities, including: 

  • Accessing systems and information after hours, especially in the case of physical materials 
  • Attaching files to encrypted emails 
  • Creating user accounts outside of established processes and controls 
  • Downloading large amounts of data and exfiltrating it using file transfer tools 
  • Employing a variety of hacking tools 
  • Escalating access privileges for their account or that of an unaware colleague 
  • Gaining access to sensitive systems or data by claiming a false need 
  • Requesting exceptions from specific cybersecurity policies for fake reasons 
  • Using external storage devices 

Responding to a malicious insider threat

Once the individual’s access has been suspended and the relevant logs and devices have been preserved as evidence, three key steps for mitigating damage in the wake of a malicious insider incident are: 

  1. Report the malicious insider activity and damage to law enforcement. 
  2. Scan all systems for malware and for unknown or unauthorized devices. 
  3. Conduct a full investigation of the incident and revise security protocols to address the gaps that were exploited. 

Preventing malicious insider attacks

For a malicious insider to successfully commit a crime, there must be gaps in security systems. While it is impossible to identify and address every possible attack vector, processes and tools can be implemented to stop many malicious insider events. 

Perform regular risk assessments

  • Inventory current critical assets 
  • Understand any vulnerabilities and threats  
  • Prioritize remediation to minimize risks and threats 

Document and enforce access policies and controls

  • Account management policies 
  • Data protection policies 
  • Incident response policies 
  • Management policy and configuration documentation for all systems (i.e., hardware and software, including cloud services)   
  • Password management policies  
  • Policies for how employees and authorized third parties (e.g., contractors) interact with IT resources, such as: 
    • Third-party access policies 
    • User monitoring policies 

Implement physical security controls for all work areas 

  • Alarm systems  
  • Biometric scanning for entering restricted areas (e.g., fingerprint, voice, face, iris, or handwriting verification) 
  • Locks for doors, especially server rooms and sensitive file storage areas 
  • Picture identification required for entry 
  • Security guards 
  • Surveillance cameras 

Leverage security software and appliances 

  • Active Directory 
  • Anti-malware 
  • Data loss prevention (DLP) system 
  • Encryption for sensitive information 
  • Endpoint protection system (EPS) 
  • Intrusion detection system (IDS) 
  • Intrusion prevention system (IPS) 
  • Mailbox journaling for Exchange Servers with e-discovery enabled 
  • Password management policies and systems (e.g., strong passwords and multi-factor authentication)  
  • Privileged access management  
  • Role-based access controls  
  • Spam filters 
  • Traffic monitoring software 
  • User behavior analytics (UBA) technologies 
  • Web filtering solution 

Enforce password and account management protocols 

  • Ensure that all access privileges are revoked when an employee or third party’s relationship with the organization is terminated 
  • Follow password best practices (e.g., strong passwords, multi-factor authentication) 
  • Monitor and control remote access from all endpoints (e.g., desktop systems, laptops, and all mobile devices) 
  • Require each user to authenticate with their own unique user ID and credentials (no shared accounts), so that every action can be attributed to one person 
  • Review users’ access privileges, including mobile and remote access, to keep them at the minimum required level 

Fortify network perimeter security

  • Avoid FTP (credentials and data travel in cleartext) and broad, always-on VPN access; give remote users access only to the specific resources they need 
  • Default-deny: block all hosts and ports, then allow only the ones that are needed 
  • Check firewall configurations 
  • Configure a DMZ 
  • Employ microsegmentation, separating business units and creating restricted areas for sensitive information 
  • Establish a baseline of normal network traffic so that anomalies stand out 

Develop and enforce controls

  • Separate accounts for administrators’ administrative and non-administrative activities 
  • Approvals for deleting critical data or changing configurations 
  • Authorizations for copying sensitive data to removable media  
  • Least privilege 
  • Obsolete hardware and documents recycled or destroyed  
  • Privilege creep prevention 
  • Separation of duties 
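Several of the account-management and control items above (revoking access on termination, reviewing privileges down to the minimum, least privilege, privilege creep prevention and separation of duties) are the same periodic comparison: what each account holds versus what its owner’s current role and employment status justify. The block below is an added example, not code from the original page, that runs that review over constructed data. The role model, the entitlement names, the HR feed format and the list of toxic entitlement combinations are assumptions made for illustration.

```python
"""Periodic access review over constructed identity data: privilege creep,
separation-of-duties conflicts and accounts that outlived their owner's
employment.

Added example, not code from the original page. The role model, entitlement
names, HR feed format and toxic-combination list are assumptions.
"""

# Assumed role model: the entitlements each job role is supposed to hold.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp:vendor.create", "erp:invoice.enter"},
    "ap_manager": {"erp:invoice.approve", "erp:payment.release"},
    "sysadmin": {"ad:domain.user", "srv:admin"},
}

# Assumed separation-of-duties rules: no single account may hold both.
TOXIC_COMBINATIONS = [
    frozenset({"erp:vendor.create", "erp:payment.release"}),
    frozenset({"erp:invoice.enter", "erp:invoice.approve"}),
]

# Constructed HR feed (authoritative source for role and employment status).
HR_FEED = {
    "dana": {"role": "ap_clerk", "status": "active"},
    "eli": {"role": "ap_manager", "status": "active"},
    "fay": {"role": "sysadmin", "status": "terminated"},
}

# Constructed snapshot of accounts and the entitlements they currently hold.
# dana kept a payment entitlement from a previous job (privilege creep);
# fay has left but the account was never disabled.
ACCOUNTS = {
    "dana": {"enabled": True, "entitlements": {
        "erp:vendor.create", "erp:invoice.enter", "erp:payment.release"}},
    "eli": {"enabled": True, "entitlements": {
        "erp:invoice.approve", "erp:payment.release"}},
    "fay": {"enabled": True, "entitlements": {"ad:domain.user", "srv:admin"}},
}

def privilege_creep(hr, accounts):
    """Entitlements a user holds beyond what their current role grants."""
    findings = {}
    for user, acct in accounts.items():
        role = hr.get(user, {}).get("role")
        excess = acct["entitlements"] - ROLE_ENTITLEMENTS.get(role, set())
        if excess:
            findings[user] = sorted(excess)
    return findings

def sod_conflicts(accounts):
    """Users whose entitlements contain a toxic combination."""
    findings = {}
    for user, acct in accounts.items():
        hits = [tuple(sorted(combo)) for combo in TOXIC_COMBINATIONS
                if combo <= acct["entitlements"]]
        if hits:
            findings[user] = hits
    return findings

def orphaned_accounts(hr, accounts):
    """Enabled accounts whose owner is not an active person in the HR feed
    (terminated, or unknown to HR altogether)."""
    return sorted(user for user, acct in accounts.items()
                  if acct["enabled"] and hr.get(user, {}).get("status") != "active")

def remediation_plan(hr, accounts):
    """Excess entitlements are revoked and orphaned accounts disabled outright;
    SoD conflicts are escalated, because which side to drop is a business call."""
    return {
        "revoke": privilege_creep(hr, accounts),
        "disable": orphaned_accounts(hr, accounts),
        "escalate": sod_conflicts(accounts),
    }

if __name__ == "__main__":
    for action, detail in remediation_plan(HR_FEED, ACCOUNTS).items():
        print(action, detail)
```

On the sample data the review revokes dana’s leftover payment entitlement (which also clears the vendor-create plus payment-release conflict that would otherwise let one person invent a supplier and pay it), and disables fay’s still-enabled account. Running this on a schedule, against the HR system rather than a self-reported list, is what keeps a departing employee from carrying their access out the door.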

Monitor and record all activities

  • Log, monitor, and audit user actions 
  • Retain logs for as long as legal and investigative requirements dictate (often several years), since insider activity is frequently discovered long after it began 
  • Use log management and change auditing systems 

Set up secure backup, archiving, and recovery processes

  • Implement and configure: 
    • File and mailbox archiving 
    • Backup systems and policies   
    • Disaster recovery plan 

Malicious insider detection is a team effort

Malicious insider attacks are among the most elusive types of cyber attack and require sustained vigilance to detect and to prevent data breaches or other harm. A different approach is required because malicious insider activity is nearly invisible to traditional IT security systems (e.g., firewalls and intrusion detection systems): the insider is using legitimately granted credentials over sanctioned access paths, so nothing looks like an intrusion.  

Combining IT tools, especially those that leverage artificial intelligence (AI) and machine learning (ML), can help detect a potential malicious insider by identifying unusual behaviors. Security programs that include a human element are able to reduce the risk of malicious insiders by identifying nuances in exhibited behavior that, when paired with IT-centric insights, can stop them before they create trouble.   
