What is an insider threat? An insider threat is someone on the inside of your company/organization, such as an employee or contractor, that puts your data and operations in jeopardy. Unlike the unintentional insider (the person who doesn’t know better or has made an honest mistake), the malicious insider intends to steal from or damage your company. They could be after intellectual property or the company’s financial resources, or out to sabotage operations.

Signs of a malicious insider can appear in two layers (often working in tandem): the people layer and the network layer.

At the people layer, watch for these warning signs:

• Asks for access to information or accounts not needed for his or her job.
• Works odd hours to avoid being observed while at work.
• Willfully violates security rules such as bringing in unauthorized USB drives or attempting to bypass web content blockers.
• Lies about his or her travel or contacts with competitors (or foreigners if you’re in the government space).
• Routinely fails to report malware or other computer issues or lies about it when confronted.
• Becomes suddenly very affluent–buying things that seem to be vastly unaffordable on their salary.
• Seems to be under a lot of stress, perhaps due to a personal situation.

At the network layer, here are some things to monitor:

• User account denied access attempts (shows someone trying to access unauthorized information).
• Account privilege escalation (may show someone who moves from a basic account to a higher level for more access).
• Unusual volume of downloads from a user account (may show someone who is stealing company data).
• Unusual port traffic from a user’s computer (may show someone trying to move data out of your company).
• The presence of unusual software on a user’s computer (may be the presence of malware or software used to exfiltrate information).

What to Do

If your workplace already tracks the most important information and technology systems, plan for a potential insider threat as it relates to these important assets:

• Do you have policies in place that specify individuals are only provided access as needed to do their job (and the technology to enforce those policies)?
• Do you have auditing capabilities that show which accounts accessed what data and when?
• Do you have policies that forbid employees from sharing their login information with others (yes, including with I.T. personnel)?
• Do you have a mechanism by which to review these audit records for violations and anomalies?
• Do you have account control procedures which modify an employee’s access when they change departments or roles and deactivate their account when they leave?

Training

It’s important to train employees on the insider threat and what employees are responsible for reporting. An aware employee can help you spot the insiders before it’s too late. Picture a scenario where Joe, the company’s proprietary software developer, took a trip to Thailand but told everyone he was in Vermont visiting his grandma. Maybe there’s an innocent explanation–he didn’t want to make people upset over his multiple vacations that year. But, he bought a fancy sports car recently AND was seen downloading files to a forbidden USB drive. Joe just may be an insider who is using his access to sell the company’s software to a competitor or adversary.

One of the most famous real life cases of an insider threat is Edward Snowden. Snowden who had worked for the CIA and the NSA, used his role as a systems administrator at the latter to extract information. It was estimated that he copied upwards of one million classified documents while working as a contractor for the NSA. Though Snowden denies it, it was reported that he persuaded 20-25 co-workers to give him their login credentials, claiming he needed them to do his job. These employees fell victim to social engineering perpetrated by Snowden. He ended up releasing thousands of documents to the press, compromising Top Secret programs across the government. Understanding and awareness of the potential insider threat might have mitigated Snowden’s damage to National Security.