Spotting Insider Threats
Insider threats look normal until they don’t.
This makes them especially hard to catch, and if you don’t know what you are looking for, you won’t see it until it’s too late. Thankfully, there are some steps you can take before, during, and after a threat to give your security team a fighting chance.
What Is an Insider Threat?
First, let’s define what we’re talking about here. An “insider threat” always has the following characteristics:
- They’re a real, live person. They could be an employee, contractor, or consultant.
- The “threat” they pose could be intentional and malicious. Or, it could be unintentional, risky behavior. This is what makes “insider threats” so difficult to pin down.
- They have some level of legitimate access to the network and/or applications used by the organization.
- There is some assumed level of trust.
All of these things can combine in the perfect storm: A trusted user that’s supposed to be on the network, with access to critical business applications. Short of a lie detector, you have no outward way of knowing what their honest intentions are with your digital assets (we have to assume good for the sake of business), but you also can’t afford to give them the “keys to the kingdom,” just in case (we have to assume bad for the sake of security … We’ll talk about “Zero Trust” later). And sometimes, their intentions might be good, but their clumsy behaviors might be unwittingly hazardous. This leaves security experts in a pinch.
With access to the network and a certain level of trust, how on earth do you identify a legitimate user as a threat? You’ll spot it by anomalous behavior. The user’s network traffic is going to look normal, until it doesn’t.
The Tell-Tale Signs of Insider Threats
“By their fruits, ye shall know them.” Nowhere is this truer than when spotting signs of an insider threat. Whether the insider knows they’re behaving badly or not, there will be evidence of the user …
- Talking to systems they don’t normally talk to. This person has never talked across the network to this device until now (East/West), or they’ve never talked to that server in Hong Kong before (North/South).
- Using protocols or ports they don’t normally use. This user accesses that internal web server application all the time, but they’ve never tried to SSH into it until now.
- Frequenting different websites. This person usually talks to Google, Facebook, and Netflix. Why are they talking to GitHub all of a sudden?
- Generating different data patterns. Changes in the volume of traffic generated by a user could be indicative of scanning behavior or data exfiltration.
- Accessing resources at odd hours. The user has never reached outbound to any web resources after 5pm on a weekday … until now.
When it comes to unwitting employees, the signs are very much the same, albeit they meander into trouble innocently. Unfortunately, the result is the same for the organization, whether it’s caused by a disgruntled employee or a user who happened to click on a phishing link. That’s why it’s important to prepare for each step in the Incident Response Lifecycle.
The Solution: The Incident Response Lifecycle
We could (and probably will) spend an entire blog discussing the Incident Response Lifecycle, but today we’ll summarize it quickly by breaking it down into three quick steps: Before, during, and after an incident.
- Prevention beyond technology (“Before”). Some cybersecurity tools are purpose-built for threat prevention (Our Outpost is a good example), but here’s where we wanted to talk about “Zero Trust.” We’re almost to the point where jaded security professionals roll their eyes at that term, but no one can debate its basic tenet: Start from the ground up by only granting users access to what they need, and no more. From proper network segmentation to the principle of least privilege, this applies to the network itself and every device on it.
- Detection of Anomalous Behavior (“During”). Remember the ‘tell-tale signs’ we discussed above? How can you detect that behavior? Typical network detection and response (NDR) tools use ML/AI-based algorithms to set baselines for what’s normal, then trip alerts when something goes out of bounds. In addition, these tools lean on frameworks like MITRE ATT&CK to seek out behavior consistent with known attack vectors.
- Post-Incident Forensics (“After”). We all know by now that no one is immune to a breach or ransomware attack. Acknowledging that fact is the first step to planning for recovery after an incident. In addition to the basics of backup and data recovery, having the proper “paper trail” can go a long way toward figuring out what went wrong. System logs are critical to identify activity on the endpoint, but do you have an archive of network traffic to determine how and when a user accessed any given system?
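To make the “set a baseline, then trip alerts” idea concrete, here is an added example (written for this post, not code from the original or from Nomic Insight) that builds a per-user profile from a week of constructed flow records and then checks new flows for the five tell-tale signs listed above: a new destination, a new country, a new protocol/port, a volume spike, and activity outside the user’s usual hours. The users, hosts, IPs and byte counts are all made up; a real NDR would feed in NetFlow/IPFIX or its own flow store instead of the inline lists.

```python
from collections import defaultdict
from datetime import datetime
# Constructed flow records (not real data): (user, start, dst_host, dst_country, proto, dst_port, bytes_out)
BASELINE = [
    ("alice", "2024-03-04T09:12:00", "intranet.corp", "US", "tcp", 443, 52_000),
    ("alice", "2024-03-04T10:40:00", "intranet.corp", "US", "tcp", 443, 61_000),
    ("alice", "2024-03-05T14:05:00", "www.google.com", "US", "tcp", 443, 30_000),
    ("alice", "2024-03-06T11:30:00", "www.netflix.com", "US", "tcp", 443, 95_000),
    ("bob", "2024-03-04T08:50:00", "fileserver.corp", "US", "tcp", 445, 700_000),
    ("bob", "2024-03-05T16:20:00", "fileserver.corp", "US", "tcp", 445, 820_000),
]
RECENT = [
    ("alice", "2024-03-11T10:02:00", "intranet.corp", "US", "tcp", 443, 48_000),    # normal
    ("alice", "2024-03-11T22:47:00", "intranet.corp", "US", "tcp", 22, 2_000),      # SSH to a web box, late
    ("alice", "2024-03-12T13:15:00", "203.0.113.9", "HK", "tcp", 443, 1_200_000),   # new foreign host, big
    ("bob", "2024-03-12T09:00:00", "fileserver.corp", "US", "tcp", 445, 750_000),   # normal
]

def build_baseline(flows):
    """Per-user picture of 'normal': hosts, countries, proto/port pairs, active hours, peak bytes."""
    prof = defaultdict(lambda: {"hosts": set(), "countries": set(), "services": set(), "hours": set(), "max_bytes": 0})
    for user, start, host, country, proto, port, nbytes in flows:
        p = prof[user]
        p["hosts"].add(host)
        p["countries"].add(country)
        p["services"].add((proto, port))
        p["hours"].add(datetime.fromisoformat(start).hour)
        p["max_bytes"] = max(p["max_bytes"], nbytes)
    return prof

def detect(profiles, flows, volume_factor=10):
    """Return (user, reason) alerts for flows that fall outside the user's own baseline."""
    alerts = []
    for user, start, host, country, proto, port, nbytes in flows:
        p = profiles.get(user)
        if p is None:  # never-seen user: nothing to compare against, so flag the flow itself
            alerts.append((user, "no baseline"))
            continue
        hour = datetime.fromisoformat(start).hour
        if host not in p["hosts"]:
            alerts.append((user, f"new destination {host}"))
        if country not in p["countries"]:
            alerts.append((user, f"new country {country}"))
        if (proto, port) not in p["services"]:
            alerts.append((user, f"new service {proto}/{port}"))
        if nbytes > volume_factor * p["max_bytes"]:
            alerts.append((user, f"volume {nbytes} > {volume_factor}x baseline"))
        if not min(p["hours"]) <= hour <= max(p["hours"]):  # outside the hours this user normally works
            alerts.append((user, f"off-hours activity at {hour:02d}:00"))
    return alerts
```

Run `detect(build_baseline(BASELINE), RECENT)` and only alice’s two odd flows produce alerts (an SSH session at 22:00, then a new Hong Kong host with a volume spike); bob’s routine file-server traffic stays quiet.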
The case for Nomic Insight
Insight can assist in each high-level step of the Incident Response Lifecycle: Before, during, and after. Insight takes the best of what an NDR tool and SIEM have to offer, and distills those features into an intuitive interface, backed by our support team.
Here are a few quick examples:
- Troubleshoot Zero Trust policy decisions before they cause problems (“Before”). Have you ever geo-blocked the Netherlands, only to find that all your Microsoft updates start to fail? If we’re being honest, implementing Zero Trust in the real world can be annoying; legitimate users can easily be stymied by overly strict policies. Quickly sifting through Insight’s Flows can provide visibility into network traffic before a ZT policy is implemented, saving the potential headache of a false positive that disrupts your organization.
- Anomaly Detection and Custom Signals (“During”). Want to know when any user initiates an SSH session with a foreign IP? We’re constantly expanding Insight’s capability to detect anomalous behavior. In addition to that, Flow-based Signals allow customers to create custom flow filters specific to their network and receive notifications when those filter criteria are met.
- Rewind the “DVR” of traffic history (“After”). Traditionally, network activity logs are notoriously cryptic, and finding the answers you need in a clunky SIEM can be prohibitively time consuming. Insight’s Flow search allows you to quickly piece together network activity with enriched metadata that includes geolocation, ASN, application protocol, and threat intel – invaluable information for thorough incident response.
Insider threats will always be a problem so long as there’s a human being in the mix. Someone will get aggravated, or someone will make a mistake. By planning for contingencies throughout the entire incident response lifecycle, organizations can avoid unnecessary risk and keep sketchy “insider” behavior to a minimum.
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.