Malicious Insider Threats

    Overview

    What is a malicious insider? 

    A malicious insider is a person who has insider knowledge of an organization’s proprietary information and intentionally misuses it to negatively impact the integrity of the business.

    This person could be a current or former employee, contractor, or business partner.

    Malicious insider threat examples 

    Some common insider threat examples are:

    • A recently fired employee selling sensitive information to a competitor.
    • A disgruntled employee exposing trade secrets to the public.
    • An employee that deletes important records and information to breach compliance regulation.

     

    GettyImages-1309763358-1200px.jpg

     

    How to recognize a malicious insider threat? 

    Both humans and technology can recognize malicious insider threats.  

    A company’s personnel can serve as a primary line of threat detection as peers that regularly interact with a potential malicious insider are likely to notice changes in behavior, personality, and motivations that can signal a possible security threat.

    Technology can help detect insider threats through:

    • User activity monitoring
    • Incident investigations
    • Access management
    • User and behavior analytics

    How to detect and prevent malicious insiders

    Because malicious insiders already have insider access, their activities are often invisible to security teams’ user activity monitoring. They can fly under the radar until weeks or months later when the cost of a data leak has ballooned.

    But a number of different indicators can point to an insider behaving maliciously. A few best practices can help you detect data leaks and misuse in real time.

    Track exfiltration abnormalities

    Malicious insiders may want to share company data with a third party or keep the information for their own personal gain. So any unusual data movement could be a sign of data theft, like an employee trying to download large amounts of data or sending data to personal accounts.

    Additionally, malicious insiders may try to see data they don’t have permission to access. For example, an employee tries to request access to or change the sharing permissions of a private Google document.

    It may seem overwhelming to look for abnormalities across all of your company data. Beginning with high-risk data movement can be a great place to start. Track the data movement of outgoing employees, those with a history of poor security practices, or employees flagged by HR for one reason or another. Doing so will help your security analysts target the most vulnerable data at the right time.

    Establish trusted activity

    To detect unusual behaviors across all data movement, it’s important to establish with all employees what’s normal and acceptable through training and awareness. A security policy is an important tool in educating employees on security best practices. This policy outlines how your organization and its employees should use and protect company data and systems.

    A strong security policy looks at more than just data movement. It creates access controls, monitors user activity, trains employees, promotes awareness, and defines how to respond in the event of a data breach. All of these controls can help fend off threats from malicious insiders. By starting with trusted activity, your team can monitor known risks while developing a strategy for unknown risks, work that is often made easier with the right tools.

    Look for suspicious hardware or software

    When a malicious insider steals data, they may use unauthorized hardware or software to download and move the data. Malicious insiders often send data to software like a personal email or cloud storage account. They may also use hardware like an unauthorized USB drive or personal device. Beyond digital theft, they may also rely on hard copies to take data with them by using company printers. Make a plan that can protect your data on and offline.

    Create an insider threat program

    Security teams alone can’t contain all the risk from malicious insiders, so a company-wide program can enlist employees’ help and the right software. An insider threat program includes all the steps and processes your company will need to manage the risks of insider threats. The program should include stakeholders in your company who will need to be a part of any threat response, like human resources, legal, and security teams.

    This group of stakeholders should define what actions would trigger an investigation and how to flag any suspicious activity. Additionally, this group should receive executive buy-in to train employees, create awareness, and implement new technology to help monitor all data movement.

    A successful insider threat program doesn’t just address malicious threats but also all known and unknown insider threats, and focuses on both prevention and response. With the right automated tools you can automatically block data exfiltration for a more proactive approach.

    What motivates malicious insiders?

    Why might insiders act maliciously? Let’s take a look at the motivating factors behind malicious insiders:

    Financial gain:

    Malicious insiders sometimes are looking to make money. They may try to sell data to third parties. Often, departing employees will take a job with a competitor and use their insider access before leaving to gather data that they can then leverage in their new role.

    Desire to get revenge or personal gain:

    This type of malicious insider has a vendetta against your company. Maybe they didn’t receive a promotion; maybe the company terminated their role and they’re angry about losing their job. Either way, this person might steal data or sabotage internal systems as a way to “get back” at those they feel have wronged them. Alongside money and revenge, malicious insiders may be looking for notoriety by leaking sensitive information to the press.

    Corporate espionage:

    These insiders have been compromised by an external source and are stealing data in order to help that outsider. While the goal is still personal or financial gain, the motivation is slightly different than the examples listed above. This may seem like the most outlandish, but countless cases have lead back to a nation state using an employee to gain access to intellectual property for a strategic gain.

    Common malicious insider techniques

    Malicious insiders can carry out attacks in many ways and for many reasons, but a common theme amongst all the techniques is monetary or personal gain. Four common techniques are:

    • Fraud: Wrongful or criminal use of sensitive data and information for the purpose of deception.
    • Intellectual Property Theft: The theft of an organization's intellectual property, often to be sold for monetary gain.
    • Sabotage: The insider uses their employee access to damage or destroy organizational systems or data.
    • Espionage: The theft of information on behalf of another organization, such as a competitor.

    How to stop a malicious insider

    For many companies, it comes as a surprise that threats from a careless or malicious insider are just as dangerous and as prevalent as attacks from outside the organization. Most IT security teams are well-versed in the dangers of threats like spear-fishing, ransomware and impersonation attacks. But fewer administrators are aware that half of all data breaches, according to a 2017 Forrester report, are traced back to a malicious insider, a careless employee or compromised user.

    Stopping insider threats requires a different set of technologies than preventing external email-borne attacks. Threats sent via an internal email, for example, won't pass through a secure email gateway, which might otherwise detect and block email containing malware, malicious URLs or suspicious attachments.

    To stop a malicious insider, organizations need solutions for preventing data leaks via email, identifying suspicious content in emails, and blocking internal emails that may spread or trigger an attack. Fortunately, Mimecast provides all-in-one, cloud email protection that addresses all these concerns and others.

    How to recover from a malicious insider attack? 

    Recovering from a malicious insider attack can be difficult especially if the data has been destroyed completely. The best way to recover from an insider attack is to prevent it from occurring in the first place. However, if your organization does experience an attack, the following steps can help you mitigate the damage:

    1. Report illegal activity to law enforcement

    2. Audit your systems to check for malware or viruses

    3. Review the incident and revise security and personnel access protocols.

    Blocking a malicious insider with Mimecast

    Mimecast provides a SaaS-based solution for information security management that simplifies email security, archiving, continuity, compliance, e-Discovery, and backup and recovery. Available as a subscription service, Mimecast's solution involves no hardware or software purchase and no capital investment – services are delivered from Mimecast's cloud platform for predictable monthly cost.

    Mimecast solutions are easy to use, too. Administrators can manage and configure them from a single pane of glass with a web-based interface, while end users throughout the company benefit from fast archive searches, secure messaging services, and email security that doesn't impact performance.

    To address the problem of a malicious insider, Mimecast's Internal Email Protect service automatically monitors all email leaving the organization as well as email sent internally. Using sophisticated email scanning technology, Mimecast helps to spot emails with suspicious content as well as malicious URLs and weaponized attachments. To remediate threats from a malicious insider, Mimecast can delete or block suspicious emails. For emails determined to contain sensitive material but not malicious intent, Mimecast can require the user to send emails using a Secure Messaging portal.

    Benefits of Mimecast services for thwarting a malicious insider

    With Mimecast technology to stop a malicious insider, organizations can:

    • Successfully block threats and stop sensitive data from leaving the organization and causing damage to reputation or compromising customers.
    • Automatically find and remove internal email containing threats.
    • Mitigate the risk of a successful breach spreading throughout the organization via email.
    • Simplify email management with a single console for reporting, configuring and managing email across the organization.
    • Combine technology for stopping a malicious insider with data loss protection for preventing leaks and information protection services for sending email and large attachments securely.

    Learn more about stopping threats from a malicious insider with Mimecast.

    Related Malicious Insider Resources

    Back to Top