Call it the “Edward Snowden Effect” if you like, but insider attacks have become more frequent in the past year, according to a report based on a survey of information security professionals conducted by Crowd Research Partners (2015). Insider threats are also far more difficult to detect and prevent than external attacks, because the insider already holds valid credentials and authorized access, so the activity does not trip the perimeter controls built to stop outsiders.
Once the extent of Snowden’s actions became apparent, many organizations were forced to ask themselves whether a similar insider attack could happen to them. The answer, in my opinion, is that this type of attack can indeed occur anywhere at any time. Any organization that holds information of value is vulnerable to threats from within. An insider incident at your organization or business may not have the high-profile national security ramifications of the Snowden case, but it can still do significant damage to your business if it were to occur.
In this blog article I want to focus on a secondary kind of threat that relies on an insider’s access credentials and privileges, although it is not the employee him or herself doing the dirty work. In the scenario I have in mind, an external intruder uses a compromised account to clandestinely gain access to your internal systems. The perpetrator may have obtained the credentials through a phishing attack or a data breach, or even bought them on the “Dark Web.” Once the bad guy has that information, everything he does looks like legitimate access to your systems, giving him the opportunity to steal information, corrupt essential computer systems, and disrupt your normal business operations.
To combat this type of threat many organizations are now turning to an approach called “user behavior analytics (UBA).” UBA involves keeping track of what users are doing, especially those with elevated privileges such as system administrators and employees with access to highly sensitive information, and searching for behaviors that fall outside the range of those employees’ normal activities. Some experts argue that UBA is the best means of detecting inappropriate activity by internal actors (or those pretending to be such). UBA works even better when combined with in-depth intelligence about a user’s identity attributes and the privileges he holds on the network. This combined method analyzes three things together: the access rights and entitlements an employee has; the activities he or she has been performing across multiple accounts; and the typical activities of the members of his or her peer group, so that a user is judged not only against his own history but against colleagues in the same role.
This approach takes a combination of the right data sources, sophisticated machine learning, and perceptive data science to pinpoint the truly unusual actions that are good indicators of misuse of assigned privileges. Once such activities are highlighted, alerts can be raised to the security operations center for investigation, response and remediation in order to combat the insider threat. Perhaps you should consider adding UBA to your computer network defensive posture!
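To make the baseline-and-peer-group idea above concrete, here is an added example (my own illustration, not code from the original article or from any UBA product) of the core detection step: aggregate audit events into daily per-user features, build a baseline from each user’s own history and from the user’s peer group, and raise an alert when a day’s value sits far outside that baseline. The audit log, the peer groups, the 07:00–19:59 business-hours window, the z-score threshold of 3.0, and the three-day minimum history are all assumptions chosen for the illustration; a real deployment would tune them to its own data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit events (illustrative, not real data): one row per action.
# Fields: day, user, peer_group, hour (local), action, records touched.
EVENTS = []

def _add(day, user, group, hour, action, records=1):
    EVENTS.append({"day": day, "user": user, "group": group,
                   "hour": hour, "action": action, "records": records})

# Five days of routine history for three DBAs and one HR analyst.
for day in range(1, 6):
    for user, n in (("alice", 20), ("bob", 22), ("carol", 18)):
        _add(day, user, "dba", 9, "logon")
        _add(day, user, "dba", 10, "read_sensitive", n + day % 3)
    _add(day, "dave", "hr", 8, "logon")
    _add(day, "dave", "hr", 11, "read_sensitive", 5 + day % 2)

# Day 6: bob's credentials are used at 03:00 to pull 400 sensitive records;
# erin is a new DBA with no history of her own who behaves like her peers.
_add(6, "alice", "dba", 9, "logon"); _add(6, "alice", "dba", 10, "read_sensitive", 21)
_add(6, "bob",   "dba", 3, "logon"); _add(6, "bob",   "dba", 3,  "read_sensitive", 400)
_add(6, "carol", "dba", 9, "logon"); _add(6, "carol", "dba", 10, "read_sensitive", 19)
_add(6, "dave",  "hr",  8, "logon"); _add(6, "dave",  "hr",  11, "read_sensitive", 6)
_add(6, "erin",  "dba", 9, "logon"); _add(6, "erin",  "dba", 10, "read_sensitive", 23)

BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 is a normal logon time
FEATURES = ("sensitive_records", "offhours_logons")
MIN_HISTORY = 3                 # days of own history before a user's baseline is trusted
Z_THRESHOLD = 3.0               # assumption: alert at 3 standard deviations
STD_FLOOR = 0.25                # keeps a perfectly regular history from making z infinite

def daily_features(events):
    """Aggregate raw events into one feature vector per (day, user)."""
    feats = defaultdict(lambda: {f: 0 for f in FEATURES})
    groups = {}
    for e in events:
        vec = feats[(e["day"], e["user"])]
        groups[e["user"]] = e["group"]
        if e["action"] == "read_sensitive":
            vec["sensitive_records"] += e["records"]
        elif e["action"] == "logon" and e["hour"] not in BUSINESS_HOURS:
            vec["offhours_logons"] += 1
    return dict(feats), groups

def build_baselines(feats, groups, before_day):
    """Mean/stdev/sample-count of each feature, per user and per peer group,
    over all days strictly before the day being scored."""
    per_user = defaultdict(lambda: defaultdict(list))
    per_group = defaultdict(lambda: defaultdict(list))
    for (day, user), vec in feats.items():
        if day >= before_day:
            continue
        for f, v in vec.items():
            per_user[user][f].append(v)
            per_group[groups[user]][f].append(v)
    def stats(samples):
        return {f: (mean(vals), pstdev(vals), len(vals)) for f, vals in samples.items()}
    return ({u: stats(s) for u, s in per_user.items()},
            {g: stats(s) for g, s in per_group.items()})

def z_score(value, mu, sigma):
    return (value - mu) / max(sigma, STD_FLOOR)

def detect(events, day):
    """Return alerts for every (user, feature) on `day` that deviates from baseline."""
    feats, groups = daily_features(events)
    user_base, group_base = build_baselines(feats, groups, day)
    alerts = []
    for (d, user), vec in sorted(feats.items()):
        if d != day:
            continue
        own = user_base.get(user, {})
        peers = group_base.get(groups[user])
        for f, value in vec.items():
            mu, sigma, n = own.get(f, (0, 0, 0))
            source = "user"
            if n < MIN_HISTORY:
                # New or rarely seen user: fall back to the peer-group baseline.
                if peers is None:
                    continue            # nothing to compare against yet
                mu, sigma, _ = peers[f]
                source = "peer"
            z = z_score(value, mu, sigma)
            peer_z = z_score(value, *peers[f][:2]) if peers else None
            if z >= Z_THRESHOLD:
                alerts.append({"day": day, "user": user, "feature": f, "value": value,
                               "z": round(z, 1), "peer_z": round(peer_z, 1) if peer_z is not None else None,
                               "baseline": source})
    return alerts

if __name__ == "__main__":
    for a in detect(EVENTS, 6):
        print(a)
```

Running it for day 6 produces two alerts, both for bob: the 400-record pull (hundreds of standard deviations above both his own and the DBA group’s baseline) and the 03:00 logon. Erin is not flagged even though she has no history, because the peer-group fallback judges her against the other DBAs, and Dave’s one-record bump stays well within his normal variation. In practice the alert record, with its user, feature, value and both z-scores, is what gets handed to the SOC for investigation.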
To learn more about combating insider threats and how to secure small businesses and nonprofits check out the NCI training page http://www.nationalcybersecurityinstitute.org/training/
Crowd Research Partners (2015). Insider Threat Spotlight Report. Retrieved from http://www.crowdresearchpartners.com/portfolio_item/insider-threat-report/