Insider threats are a significant cybersecurity risk that originates from within an organisation. These threats can come from current or former employees, contractors, or anyone else with intimate knowledge of the organisation’s systems and procedures. According to CrowdStrike, an insider threat is typically a planned event, usually involving a disgruntled or compromised current or former employee who targets the company either for personal financial gain or as a means of enacting vengeance. These incidents are usually linked to broader criminal or illicit activity, such as fraud, espionage, or data or intellectual property theft. A malicious insider can either work alone or in conjunction with a cybercriminal, cyber terrorist group, foreign government agency or other hostile entity.
CrowdStrike’s findings highlight that insider threats, whether malicious or negligent, are difficult to combat and even harder to detect. In fact, the Ponemon Institute estimates that the average time it takes to contain an insider threat incident is 77 days, with average costs for 30 days at $7.12 million USD. This is because most security tools and solutions are focused on identifying and preventing external threats and are not designed to detect suspicious behaviour from legitimate users. Additionally, many inside actors are familiar with the organisation’s network settings, security policies and procedures and have knowledge of vulnerabilities, gaps or other shortcomings that can be exploited.
Advanced Persistent Threat (APT) actors often leverage insider threats to carry out their operations. Here are some examples of APT actors using inside actors:
- APT39 (Iran): APT39’s activities are concentrated in the Middle East, primarily targeting the telecommunications sector, the travel industry, and IT firms that support it. The group’s focus suggests intent to perform monitoring, tracking, or surveillance operations against specific individuals, collect proprietary or customer data for commercial or operational purposes, or create additional accesses and vectors to facilitate future campaigns. They leverage spearphishing with malicious attachments and/or hyperlinks typically resulting in a POWBAT infection. In some cases, previously compromised email accounts have also been leveraged, likely to abuse inherent trusts and increase the chances of a successful attack.
- APT35 (Iran): APT35, also known as Newscaster Team, is an Iranian government-sponsored cyber espionage team that conducts long-term, resource-intensive operations to collect strategic intelligence. They typically rely on spearphishing to initially compromise an organisation, often using lures related to health care, job postings, resumes, or password policies. However, the group has also been observed using compromised accounts with credentials harvested from prior operations, strategic web compromises, and password spray attacks against externally facing web applications as additional techniques to gain initial access.
- APT41 (China): APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control. They often rely on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims. Once in a victim organisation, APT41 can leverage more sophisticated TTPs and deploy additional malware.
- APT40 (China): APT40 is a Chinese cyber espionage group that typically targets countries strategically important to the Belt and Road Initiative. To send spear-phishing emails, they typically pose as a prominent individual likely to be of interest to the target, for example a journalist, an individual from a trade publication, or someone from a relevant military organisation or non-governmental organisation (NGO). In some instances, the group has leveraged previously compromised email addresses to send spear-phishing emails.
- APT31 (China): APT31 is a China-nexus cyber espionage actor focused on obtaining information that can provide the Chinese government and state-owned enterprises with political, economic, and military advantages. They have exploited vulnerabilities in applications such as Java and Adobe Flash to compromise victim environments.
Given the significant risk posed by insider threats, it is crucial for organisations to take a comprehensive approach to mitigate these threats. Here are ten steps organisations can take to combat insider threats:
1. Establish a Robust Insider Threat Program
Develop a robust insider threat program that specifically addresses this critical risk. This program should include policies and procedures for identifying potential threats, monitoring for suspicious activity, and responding to incidents.
2. Educate and Train Employees
Employees should be educated about the nature of insider threats and trained on how to avoid becoming a conduit for such threats. Regular security awareness training sessions can help employees understand the evolving threat landscape and the necessary steps to protect themselves and the company.
3. Monitor User Activity
Use advanced security tools to monitor user activity continuously. Unusual patterns, such as accessing the network at odd hours or requesting access to unnecessary resources, can indicate potential insider threats.
4. Implement Strict Access Controls
Implement strict access controls to limit the information that employees can access. This includes using principles of least privilege, where users are given the minimum levels of access necessary to perform their jobs.
5. Secure Your Active Directory
Active Directory (AD) is often a target for insider threats. Ensure full, real-time visibility into AD, both on-premises and in the cloud, and identify shadow administrators, stale accounts, shared credentials, and other AD attack paths.
6. Extend Multifactor Authentication (MFA) Security
Protect unmanaged endpoints with risk-based conditional access and extend MFA protection to legacy applications and tools using proprietary analytics on user behaviour and authentication traffic.
7. Create a Baseline of User Activity
Centralise user activity and behaviour across all relevant data logs, including access, authentication, and endpoint logs. Leverage this data to create a baseline of activity for each individual user, user group, function, title, and device that can help identify unusual or suspicious activity.
8. Leverage Behaviour Analytics and AI to Identify Threats
Use analytics and AI-enabled tools to monitor behaviour for users and devices in real time. Cross-reference alerts with the user's or device's risk score to provide additional context into the event and prioritise response efforts.
9. Collaborate with External Partners
Work with external partners, such as cybersecurity firms and law enforcement agencies, to share information about potential threats and collaborate on effective response strategies.
10. Regularly Review and Update Your Approach
The threat landscape is constantly evolving, and so should your approach to combating insider threats. Regularly review and update your policies, procedures, and tools to ensure they are effective against the latest threats.
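As an added example (not from the article or any vendor's product), steps 3, 7 and 8 in Python: a per-user baseline of login hours and accessed resources is built from constructed log lines, and new events are checked against it for odd-hours logins, never-before-used resources and accounts with no history at all. The log format, the one-hour slack and the sample values are assumptions.

```python
# Added example (not from the original article): build a per-user baseline
# from constructed access/auth logs, then flag anomalies against it.
from collections import defaultdict
from datetime import datetime

# Constructed sample data, one event per line: timestamp,user,action,resource
BASELINE_LOG = """\
2024-03-04T08:55:00,alice,login,vpn
2024-03-04T09:10:00,alice,access,crm
2024-03-05T09:02:00,alice,login,vpn
2024-03-04T07:30:00,bob,login,vpn
2024-03-04T07:45:00,bob,access,hr-payroll
"""
NEW_EVENTS = """\
2024-03-11T09:05:00,alice,login,vpn
2024-03-11T23:40:00,alice,login,vpn
2024-03-11T23:52:00,alice,access,hr-payroll
2024-03-11T07:31:00,bob,login,vpn
2024-03-11T12:00:00,mallory,access,crm
"""

def parse(log):
    for line in log.splitlines():
        ts, user, action, resource = line.split(",")
        yield datetime.fromisoformat(ts), user, action, resource

def build_baseline(log):
    """Per user: the login hours seen and the resources accessed."""
    baseline = defaultdict(lambda: {"hours": set(), "resources": set()})
    for ts, user, action, resource in parse(log):
        if action == "login":
            baseline[user]["hours"].add(ts.hour)
        elif action == "access":
            baseline[user]["resources"].add(resource)
    return dict(baseline)

def detect_anomalies(baseline, log, hour_slack=1):
    """Return (user, reason, detail) for events outside the user's baseline:
    logins more than hour_slack from any seen hour, new resources, no history."""
    findings = []
    for ts, user, action, resource in parse(log):
        profile = baseline.get(user)
        if profile is None:
            findings.append((user, "no baseline", ts.isoformat()))
        elif action == "login" and not any(
                abs(ts.hour - h) <= hour_slack for h in profile["hours"]):
            findings.append((user, "odd-hours login", ts.isoformat()))
        elif action == "access" and resource not in profile["resources"]:
            findings.append((user, "new resource", resource))
    return findings
```

In production the baseline would be built over weeks of logs and the findings fed into the risk score the article describes, rather than treated as alerts on their own.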
For further reading, you can refer to the following resources:
- APT Groups and Operations by Mandiant
- APT trends report Q1 2020 by Kaspersky
- The Advanced Persistent Threat Files: APT1 by FireEye
- APT29 by CrowdStrike
- APT34 by the numbers: A journey to establishing law enforcement and private sector partnerships by Recorded Future
- APT41: A Dual Espionage and Cyber Crime Operation by FireEye
- The Advanced Persistent Threat Files: APT28 by FireEye
- APT32: Vietnamese Cyber Espionage by FireEye
- APT37: Unraveling the Long Thread of Operation Daybreak by Fortinet
- APT38: Un-usual Suspects by FireEye