Insider Threats and Incident Response
The increase in insider threats places added requirements on organizations to have an incident response plan. Incident response can be quite an endeavor, and the response to an insider incident often involves a wide range of organizational staff. Insider threats are shaped by a combination of technical, behavioral, and organizational issues. As a result, management, human resources, legal counsel, and physical security personnel may be involved in the response along with the Information Technology and cybersecurity departments.
Insiders span a range of relationships to the company and a range of behaviors, including:
• The traditional threat posed by current or former employees;
• Collusion with outsiders – employees recruited or coerced by competitors or organized crime;
• Business partners – suppliers, contractors, or distribution channels;
• Mergers and acquisitions introducing new, unknown insiders; and
• Cultural issues – both national and corporate – introducing tensions.
The CERT guide recommends 19 practices for mitigating insider threats. Many of these are well-known security controls, but here they are presented through the lens of the insider threat. Several of them have a direct bearing on incident response planning and management.
1 Include insider threats in an enterprise-wide risk assessment.
2 Clearly document and consistently enforce policies and controls.
3 Incorporate insider threat security training for all employees.
4 Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
5 Anticipate and manage negative issues in the work environment.
6 Know your assets.
7 Implement strict password and account management policies and practices.
8 Enforce separation of duties and least privilege.
9 Define explicit security agreements for any cloud services – address access restrictions and monitoring capabilities.
10 Institute access controls and monitoring on privileged users.
11 Institutionalize system change controls.
12 Log, monitor, and audit insider actions with a log correlation or SIEM system.
13 Monitor and control remote access including mobile devices.
14 Develop a comprehensive employee termination procedure.
15 Implement secure backup and recovery processes.
16 Develop a formalized insider threat program.
17 Establish a normal network behavior baseline.
18 Be especially vigilant regarding social media.
19 Close the doors to unauthorized data exfiltration.
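Practices 12, 14, 17 and 19 are the ones that become concrete detection logic. The script below is an added example, not code from the CERT guide or from the National Cybersecurity Institute: it correlates a constructed egress log with a constructed HR termination feed, builds a per-user baseline of bytes sent and destinations used, and raises an alert for a terminated account that is still active, for a transfer far outside the user's normal volume, and for a destination the user has never used before. The log format, hostnames, user names, dates, and the z-score threshold of 3 are all assumptions made for the example.

```python
"""Correlate an egress log with a per-user baseline and an HR termination feed.

Added example illustrating CERT practices 12 (log correlation), 14 (termination
procedure), 17 (behavior baseline) and 19 (exfiltration). Every log line,
hostname, user name and HR record below is constructed for this example, and
the thresholds are assumptions rather than CERT recommendations.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress log: timestamp, user, destination host, bytes sent.
SAMPLE_LOG = """\
2024-03-01T09:12:00 alice files.example.com 120000
2024-03-01T10:40:00 alice files.example.com 95000
2024-03-02T09:05:00 alice files.example.com 110000
2024-03-03T11:20:00 alice files.example.com 130000
2024-03-04T08:30:00 alice files.example.com 105000
2024-03-05T22:15:00 alice personal-cloud.example.net 4800000000
2024-03-01T09:00:00 bob crm.example.com 20000
2024-03-02T09:10:00 bob crm.example.com 25000
2024-03-03T09:20:00 bob crm.example.com 22000
2024-03-04T09:15:00 bob crm.example.com 21000
2024-03-06T03:45:00 bob crm.example.com 23000
"""

# Constructed HR feed: account -> date the person left (practice 14).
TERMINATIONS = {"bob": datetime(2024, 3, 5)}

# Events before this point train the baseline; events at or after it are monitored.
BASELINE_END = datetime(2024, 3, 5)


@dataclass
class Event:
    ts: datetime
    user: str
    dest: str
    sent: int


@dataclass
class Alert:
    user: str
    ts: datetime
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Parse whitespace-separated log lines into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dest, sent = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, dest, int(sent)))
    return events


def build_baseline(events, baseline_end):
    """Per-user normal behavior: mean/stdev of bytes sent and the set of hosts used."""
    per_user = defaultdict(list)
    for e in events:
        if e.ts < baseline_end:
            per_user[e.user].append(e)
    baseline = {}
    for user, evs in per_user.items():
        sizes = [e.sent for e in evs]
        baseline[user] = {
            "mean": mean(sizes),
            "stdev": pstdev(sizes),
            "dests": {e.dest for e in evs},
        }
    return baseline


def zscore(value, mean_, stdev):
    """Standard score; a zero-variance baseline treats any deviation as extreme."""
    if stdev == 0:
        return 0.0 if value == mean_ else float("inf")
    return (value - mean_) / stdev


def detect(events, baseline, terminations, baseline_end=BASELINE_END, z_threshold=3.0):
    """Return one Alert per monitored event that trips at least one indicator."""
    alerts = []
    for e in events:
        if e.ts < baseline_end:
            continue  # training data, not monitored
        reasons = []
        # Practice 14: any activity from an account that should already be disabled.
        left = terminations.get(e.user)
        if left is not None and e.ts >= left:
            reasons.append("TERMINATED_ACCOUNT")
        base = baseline.get(e.user)
        if base is None:
            reasons.append("NO_BASELINE")  # practice 17: unknown user, worth a look
        else:
            if zscore(e.sent, base["mean"], base["stdev"]) > z_threshold:
                reasons.append("VOLUME_ANOMALY")  # practice 19
            if e.dest not in base["dests"]:
                reasons.append("NEW_DESTINATION")
        if reasons:
            alerts.append(Alert(e.user, e.ts, reasons))
    return alerts


def run():
    """Parse the constructed log, build the baseline, and return the alerts."""
    events = parse_log(SAMPLE_LOG)
    return detect(events, build_baseline(events, BASELINE_END), TERMINATIONS)


if __name__ == "__main__":
    for a in run():
        print(a.ts.isoformat(), a.user, ",".join(a.reasons))
```

On the constructed data this produces two alerts: alice's late-evening 4.8 GB upload to a host she has never used (VOLUME_ANOMALY and NEW_DESTINATION), and bob's CRM access the day after his termination date, which is normal in volume and destination and is caught only because the HR feed is correlated with the log. In a real deployment the baseline would be rebuilt on a rolling window and the termination feed pulled from the HR system of record rather than a dictionary.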
If you are interested in learning more about defending against insider threats, see the other insider threat blogs at the National Cybersecurity Institute website.
Source: the SEI/CMU Common Sense Guide for Mitigating Insider Threats, 4th Edition.