How to Spot Insider Attacks and Stop Them from Destroying Your Business
TIME TO READ: 9 MINUTES
Cyberattacks can come at you from anywhere. Even from within your own company.
It may seem impossible, but sometimes the people you trust to do an important job end up betraying that trust. They're the ones who steal your IP or your customer data, or who deliberately unleash malware on your network.
This is what's called an "Insider Attack," and that's what this month's WOOF! will address.
What's an Insider Attack?
An "insider attack" is a cyberattack launched by someone within the organization. They can come from a current employee, a former employee, a contractor, or a trusted business partner with access to your systems.
Insider attacks make up between one-third and one-half of all cyberattacks, and they're among the most destructive: in 66% of incidents, an attack using trusted insider access cost more to remediate than an external attack.
Why? The insider knows what data your business has, where it's stored, and how valuable it is. Think "inside job" instead of "smash-and-grab."
Methods of Insider Attacks
Insider attacks typically target specific departments within an organization: the Finance Department, Customer Access Department, Legal, or R&D.
Why those? Not only do they often have valuable data like customer banking numbers, they also represent a target the insider can reach.
Generally, insider attacks leverage the network access the insider already has. Insiders are often administrators, or hold a privileged account that grants full access to the data they plan to take.
From this comes what's called an "everyday" insider attack. Examples include:
- A salesperson downloads your customer database, and takes it to your competition.
- A developer downloads code or internal-use-only documentation, and uses it to compete against you.
- A “second streamer” (seeking additional income) sells company data on the Dark Web, while still working at the same company.
- An employee uses unapproved software to work with a third-party contractor, accidentally giving out access to otherwise locked-down data.
If an insider lacks the privilege necessary to launch their attack, they can get it other ways. A "privilege escalation attack" takes place when an insider boosts a normal user's credentials into a privileged account, and then uses that account to
Some insider attacks even employ accomplices. Using their own network login, the insider grants access to someone on the outside, such as a cybercriminal who has promised them half of the ransom.
In case these methods sound far-fetched, let's look at some real-world examples. Unfortunately, these are very real, and very destructive.
Six Insider Attacks in the Real World
Here are some real world examples of high-profile insider attacks that took place in the past few years.
GENERAL ELECTRIC: Two employees of General Electric stole advanced computer models for calibrating GE turbines. One employee convinced a system administrator to grant him higher-level access than he should have had. They stole the files by sending them to a personal email address. Then the employees quit, started a new company, and competed with GE on contracts for turbine calibrations!
RAYTHEON: A 10-year employee of Raytheon and naturalized U.S. citizen provided top-secret American missile data to the People's Republic of China. He went on vacation to China, and brought a company-issued laptop containing the sensitive information with him.
CISCO: A Cisco employee gained unauthorized access to the company’s cloud infrastructure. They deployed malware that deleted 456 servers used for Cisco’s WebEx Teams application. This locked 16,000 WebEx users out of their accounts for weeks.
IBM: A Chinese national working for IBM developed source code for IBM's clustered file systems. In order to work on the proprietary software, he had high-level account access. Using this, he built a secret copy of IBM’s software. Then he quit his job, and offered his copy for sale to profit himself and his home country. Unfortunately for him, he tried to sell it to an FBI sting operation.
CANADIAN PACIFIC RAILWAY: The Canadian Pacific Railway suspended a systems administrator for insubordination, then fired him upon his return to work. He convinced his boss to let him resign instead. Before he turned in his laptop, he wreaked havoc on the company network—deleting essential files, removing administrator accounts, and changing passwords. Then he wiped his laptop hard drive and handed it in.
TARGET: The store chain suffered a massive data breach in late 2013, exposing roughly 40 million payment card records and personal data on about 70 million customers. How did the hackers get into Target's network and steal the data? They used the network credentials of an HVAC (heating and refrigeration) contractor.
How to Spot Signs of Insider Attacks
There is one saving grace with insider attacks—because they come from people already within the organization, you stand a better chance of identifying an attack before it starts.
Insiders often plan their attacks in advance. You can watch for signs of planning, like these:
- They may visit hacking or cybercrime websites from their work computer. The majority actually perform the attacks during their regular workday.
- They may request a permissions upgrade for their account without an apparent reason.
- They may create a new user account with administrator access. Again, without an apparent reason.
Their work habits may change as well:
- Taking work materials or their laptop home when not asked to
- Becoming interested in work issues that have nothing to do with their jobs
- Bringing personal computers or devices into the office
- Accessing the company network at unusual times
- Failing to set up backups for essential applications
Finally, your HR Manager should keep an eye out for employee behaviors that may portend an upcoming attack:
- Sudden cases of unprofessional behavior
- Conflicts with supervisors or coworkers
- Misuse of travel, time, or expenses
- Violations of corporate policies
- Refusal to take vacation
- Poor work performance
- Complaints about money problems
- Persistently ignoring cybersecurity training (which also creates an inadvertent security risk)
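Several of the technical signals above (access at unusual times, permission upgrades and new administrator accounts with no apparent reason) can be checked mechanically rather than by eye. The following is an added example, not code from the original article: it runs three detection rules over a stream of authentication and directory-change events. The event format is a constructed, simplified one (one dict per event); real sources such as Windows Security events or Linux auth.log would be parsed into the same fields first. The business-hours window, the privileged group names and the 24-hour create-then-elevate window are assumptions to tune for your environment.

```python
"""Flag insider planning signals in authentication / directory-change events.

Added example (not from the article). Event records are constructed stand-ins
for parsed Windows Security or Linux auth events.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions, not from the article: adjust to your own environment.
BUSINESS_START, BUSINESS_END = 7, 19           # 07:00-19:00 local time
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "wheel", "sudo"}
CREATE_TO_ELEVATE_WINDOW = timedelta(hours=24)


@dataclass
class Finding:
    rule: str
    actor: str
    detail: str
    when: datetime


def parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def check_off_hours_logins(events):
    """Interactive logins on weekends or outside business hours."""
    findings = []
    for e in events:
        if e["action"] != "login":
            continue
        t = parse_time(e["time"])
        if t.weekday() >= 5 or not (BUSINESS_START <= t.hour < BUSINESS_END):
            findings.append(Finding("off_hours_login", e["user"],
                                    f"login from {e['src']}", t))
    return findings


def check_privileged_group_changes(events):
    """Every addition to a privileged group deserves a look: this is the
    'permissions upgrade without an apparent reason' signal."""
    return [Finding("privileged_group_add", e["actor"],
                    f"added {e['target']} to {e['group']}", parse_time(e["time"]))
            for e in events
            if e["action"] == "group_add" and e["group"] in PRIVILEGED_GROUPS]


def check_create_then_elevate(events):
    """A freshly created account made an administrator by the same actor
    within the window: the 'new admin account without reason' signal."""
    created = {}          # target account -> (creating actor, creation time)
    findings = []
    for e in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort as text
        t = parse_time(e["time"])
        if e["action"] == "user_create":
            created[e["target"]] = (e["actor"], t)
        elif e["action"] == "group_add" and e["group"] in PRIVILEGED_GROUPS:
            hit = created.get(e["target"])
            if hit and hit[0] == e["actor"] and t - hit[1] <= CREATE_TO_ELEVATE_WINDOW:
                findings.append(Finding("create_then_elevate", e["actor"],
                                        f"created {e['target']} and made it "
                                        f"{e['group']} within {t - hit[1]}", t))
    return findings


def analyze(events):
    return (check_off_hours_logins(events)
            + check_privileged_group_changes(events)
            + check_create_then_elevate(events))


# Constructed sample events (not real logs). 2024-03-11 is a Monday,
# 2024-03-16 a Saturday.
SAMPLE_EVENTS = [
    {"time": "2024-03-11T09:12:00", "action": "login", "user": "mwong", "src": "10.0.4.21"},
    {"time": "2024-03-11T23:40:00", "action": "login", "user": "jdoe", "src": "10.0.4.33"},
    {"time": "2024-03-11T23:45:00", "action": "user_create", "actor": "jdoe", "target": "svc-maint"},
    {"time": "2024-03-11T23:47:00", "action": "group_add", "actor": "jdoe",
     "target": "svc-maint", "group": "Domain Admins"},
    {"time": "2024-03-16T10:05:00", "action": "login", "user": "asmith", "src": "10.0.4.50"},
    {"time": "2024-03-12T14:00:00", "action": "group_add", "actor": "helpdesk",
     "target": "rlee", "group": "Sales"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.when:%Y-%m-%d %H:%M}  {f.rule:22} {f.actor:10} {f.detail}")
```

On the sample data the script reports two off-hours logins (jdoe late on a weekday, asmith on a Saturday), one privileged group addition, and one create-then-elevate sequence by jdoe; the routine Sales group change is ignored. None of these is proof of wrongdoing on its own, which is why the output is a list of items for a human to review rather than an automatic block.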
How to Defend Against Insider Attacks
Now that we know what to watch out for, what do we do about it? Can we stop this kind of cyberattack before it happens?
Yes, if you take some precautions. Here's a list of security precautions, behavioral and technical, that can catch insider attacks before they're unleashed.
1. Install and maintain IT security systems. A robust security stack should include:
- Access controls: remove access to services that employees don't need for their work (see "The Principle of Least Privilege")
- User monitoring: log actions on employee workstations, including those of highly privileged users (e.g. administrators)
- Endpoint detection and response software on all workstations
- Spam/phishing email filters
2. The Principle of Least Privilege: give employees only the application permissions required to do their job, and nothing more.
3. The Principle of Least Physical Access: grant physical access to secure areas only to employees who need it. Consider a background check before granting that access.
4. Separation of Duties: for very sensitive functions, require two people to perform different parts of the transaction, such as creating a new vendor and issuing a check to it.
5. Run background checks on job candidates. Does a potential hire have a history of legal issues?
6. Enforce your vacation policy. Make sure employees take their vacation! It relieves stress that might push someone toward an attack, and it gives IT a window to audit the network while the account holder is away. (Mandatory absence is often where companies discover fraud, or the setup for an upcoming attack.)
7. Carefully coordinate employee separations. Disable all of the departing employee's accounts immediately, rotate any shared credentials they knew, notify their team, and review which servers and network resources they could reach.
8. Permissions audits: conduct regular audits of network and application permissions. Has someone elevated their own permissions to super admin? Compare current privileged group membership against an approved list, not just against last quarter's export.
9. Conduct network vulnerability scans: run quarterly internal and external scans to find unauthorized or unneeded holes in your network.
10. Use an insider threat management solution: software that tracks privileged user activity and access across your network.
11. Set up alerting on permission changes: any change to a user's privileges should notify a second person, not just the administrator who made it, for review.
NOTE: Items 1, 2, 7, 9, and 10 also protect against external cyberattacks, so you get double duty from them. There's no reason not to implement them!
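Items 7, 8 and 11 above (account review at separation, permissions audits, and review of privilege changes) come down to the same comparison: what the directory says today versus what has been approved. Here is an added example, not the article's or any vendor's code, of such an audit in Python. The account export, the approved baseline and the HR separation list are constructed stand-ins; in practice the export would come from your directory (for example an Active Directory or LDAP query) and the baseline would live in version control so that changes to it are themselves reviewed. The 90-day staleness threshold is an assumption.

```python
"""Permissions audit: live directory state versus an approved baseline and
the HR separation list.

Added example (not from the article). All data below is constructed.
"""
from datetime import date

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Finance-Approvers"}
STALE_DAYS = 90   # assumption: privileged accounts unused this long get reviewed

# Approved privileged membership, one (user, group) entry each. Assumed to be
# signed off by the system owner and kept in version control.
APPROVED = {
    ("mwong", "Domain Admins"),
    ("ops-oncall", "Domain Admins"),
    ("cfo", "Finance-Approvers"),
    ("rpatel", "Finance-Approvers"),
}

# HR's list of separated employees (constructed).
SEPARATED = {"jdoe", "tnguyen"}

# Constructed directory export: one record per account.
ACCOUNTS = [
    {"user": "mwong", "enabled": True, "groups": {"Domain Admins", "IT"}, "last_login": date(2024, 3, 11)},
    {"user": "ops-oncall", "enabled": True, "groups": {"Domain Admins"}, "last_login": date(2024, 3, 10)},
    {"user": "svc-maint", "enabled": True, "groups": {"Domain Admins"}, "last_login": date(2024, 3, 11)},
    {"user": "cfo", "enabled": True, "groups": {"Finance-Approvers"}, "last_login": date(2024, 3, 8)},
    {"user": "jdoe", "enabled": True, "groups": {"Sales"}, "last_login": date(2024, 3, 9)},
    {"user": "tnguyen", "enabled": False, "groups": {"Engineering"}, "last_login": date(2023, 11, 2)},
    {"user": "old-admin", "enabled": True, "groups": {"Enterprise Admins"}, "last_login": date(2023, 10, 1)},
]


def live_privileged(accounts):
    """All (user, group) pairs currently holding a privileged group."""
    return {(a["user"], g) for a in accounts for g in a["groups"] & PRIVILEGED_GROUPS}


def unapproved_privileged(accounts, approved=APPROVED):
    """Privilege held without a baseline entry: the 'has someone elevated
    themselves to super admin?' question from item 8."""
    return sorted(live_privileged(accounts) - approved)


def orphaned_approvals(accounts, approved=APPROVED):
    """Baseline entries with no live membership: either the baseline is stale
    or a privileged account was removed without the record being updated."""
    return sorted(approved - live_privileged(accounts))


def separated_but_enabled(accounts, separated=SEPARATED):
    """Accounts of separated employees that are still enabled (item 7)."""
    return sorted(a["user"] for a in accounts if a["user"] in separated and a["enabled"])


def stale_privileged(accounts, today, stale_days=STALE_DAYS):
    """Enabled privileged accounts with no login in stale_days: candidates for
    removal, and a common hiding place for a planted backdoor account."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["groups"] & PRIVILEGED_GROUPS
                  and (today - a["last_login"]).days > stale_days)


def audit(accounts, today):
    """Run every check and return the findings keyed by check name."""
    return {
        "unapproved_privileged": unapproved_privileged(accounts),
        "orphaned_approvals": orphaned_approvals(accounts),
        "separated_but_enabled": separated_but_enabled(accounts),
        "stale_privileged": stale_privileged(accounts, today),
    }


if __name__ == "__main__":
    for check, hits in audit(ACCOUNTS, date(2024, 3, 12)).items():
        print(f"{check}: {hits if hits else 'none'}")
```

Run against the constructed data, the audit flags svc-maint and old-admin as privileged without approval, rpatel's approval as orphaned, jdoe as separated but still enabled, and old-admin as stale. Each finding should go to someone other than the administrators who can grant privilege, which is the point of item 11.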
Trust, but Verify
Don't become a statistic! Keep an eye out for potential insider attack behaviors. Set up defenses to protect your network, your business, your employees, and your customers. Trust your people, but verify their activities. Good luck out there!
Concerned about your team's network access permissions? Ask us for a verification review at firstname.lastname@example.org.