What is an insider threat? An insider threat is when someone who has or had authorized access uses an organization's assets for personal gain, or to gain further access, with malicious or unintentional intent. This type of access could potentially affect the organization in a negative way. So, how does one effectively prevent it, detect it and respond to it? There are many ways to do so, but we will only discuss a few.
Prevention strategies include two method types: General Insider Threat Prevention and Unintentional Insider Threat Prevention.
General Insider Threat:
- Ensure information is protected and limited to only those who need the access (e.g. apply DLP to all users)
- Routinely monitor computer networks for suspicious activity
- Use appropriate screening methods for new hires
- Allow employees to report suspicious behavior in various ways (e.g. online, by phone)
- Do not allow employees to install personal hardware or software on the organization systems
- Pay attention to unusual activity (e.g. excessive spending or purchases out of their normal income range, access to systems while on vacation)
- Prevent the use of USB/mobile storage devices
- Look for traffic going to unauthorized geographic locations from the network
- Pay attention to unauthorized or harmful content
- Ensure there is no inappropriate use of encryption
Unintentional Insider Threat:
- Train employees to recognize phishing and other social media vectors
- Train on a regular basis and on different levels (to help improve awareness and cognitive decision making)
- Improve usability of security tools
- Improve usability of software to help reduce human error
- Enhance awareness of the unintentional insider threat
- Provide effective security practices (e.g. two-factor authentication)
- Maintain staff values and attitudes to align with the organizational mission and goals
Detect (with tools):
- Use data/file encryption software
- Data access monitor
- SIEM (Security Information and Event Management) or log analysis
- Data Loss Prevention (DLP)
- Intrusion Detection and/or Prevention System (IDS/IPS)
- Data access control
- Isolate the true triggers that lead to the behavior
- Build on what you have learned and create policy triggers for better monitoring, and escalate if necessary
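As an added example (not from the article), the log-analysis side of the list above can be turned into concrete policy triggers: a few of the cues named on this page (access while on vacation, traffic to or from unauthorized geographic locations, USB/mobile storage use, data access beyond need-to-know) applied to constructed access-log lines. The log format, user roster, leave calendar and country list are assumptions made for the example.

```python
# Added example (not from the article): the detection cues above as rules run
# over constructed access-log lines. Log format, roster and policy inputs are assumed.
import datetime as dt

# Constructed sample logs: timestamp|user|event|source_country|detail
SAMPLE_LOGS = """\
2024-03-04T09:12:00|alice|login|US|vpn
2024-03-05T02:40:00|bob|login|RU|vpn
2024-03-06T10:05:00|carol|file_read|US|/finance/payroll.xlsx
2024-03-06T10:07:00|carol|usb_mount|US|sdb1
2024-03-07T11:00:00|alice|file_read|US|/finance/budget.xlsx
"""

# Assumed policy inputs (constructed for the example).
ALLOWED_COUNTRIES = {"US", "CA"}                                  # approved geographic sources
ON_LEAVE = {"bob": (dt.date(2024, 3, 1), dt.date(2024, 3, 10))}  # vacation calendar
NEED_TO_KNOW = {"carol": ("/finance/",), "alice": ("/hr/",)}     # allowed path prefixes per user

def parse(line):
    """Split one constructed log line into its five fields."""
    ts, user, event, country, detail = line.split("|", 4)
    return dt.datetime.fromisoformat(ts), user, event, country, detail

def evaluate(log_text):
    """Return (user, rule, line) tuples for every rule a log line trips."""
    alerts = []
    for line in log_text.splitlines():
        ts, user, event, country, detail = parse(line)
        # Traffic from an unauthorized geographic location.
        if country not in ALLOWED_COUNTRIES:
            alerts.append((user, "unauthorized_geo", line))
        # System access while the user is on vacation.
        leave = ON_LEAVE.get(user)
        if leave and leave[0] <= ts.date() <= leave[1]:
            alerts.append((user, "access_on_leave", line))
        # USB / mobile storage use.
        if event == "usb_mount":
            alerts.append((user, "removable_media", line))
        # File access outside the user's need-to-know scope.
        allowed = NEED_TO_KNOW.get(user, ())
        if event == "file_read" and not detail.startswith(allowed):
            alerts.append((user, "outside_need_to_know", line))
    return alerts

if __name__ == "__main__":
    for user, rule, line in evaluate(SAMPLE_LOGS):
        print(f"{rule:<22} {user:<6} {line}")
```

Each alert is a candidate for escalation rather than a verdict; the rules are intentionally simple so that the triggers can be tuned as the organization learns which cues actually indicate a problem.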
Respond:
Intervene – may stop the incident immediately, but it may also deter others who may be involved. This option may or may not yield enough information, and you may lose data this way.
Continue to monitor – lets you learn more about the scope and others involved, but you may increase harm to the organization and the information involved.
Ideally, the basic approach to any insider threat situation would include: collecting and analyzing evidence (monitoring); detecting (provide incentives and data); deterring (prevention); protecting (maintain operations and economics); predicting (anticipate threats and attacks); and reacting (reduce the opportunity, capability, motivation and morale of the insider). The overall goal of any organization is to design a system that helps monitor and audit for malicious behavior, so that one knows what information was accessed, by whom and when. By knowing who accessed the information, one is better able to see in more depth what information was obtained and how one would like to respond to the situation at hand. Figuring out the correct response method is entirely up to the organization, but organizations must realize that responding too quickly or not quickly enough could have a major effect on the organization as a whole.