Dominate Insider Threats With These 9 Answered Questions.

Photo by David Werbrouck on Unsplash

Even in the digital world, the worst stabs always come from the ones you trust. One story that demonstrates this fact is when a former system administrator was able to infect more than 2,000 servers with a malicious program. The targeted financial services firm UBS PaineWebber lost $3,1 million as a cost of rehabilitation. The 63 years old attacker was furious about the poor salary bonus he received by the company he thought he worked hard for. His primal intention was to destroy the firm’s sensitive data and cause interruptions in the network.

In 2017, Nuance company had experienced an insider threat incident when a third-party factor was successful to expose more than 45,000 of personal medical records. The company, which specialized in speech recognition software, decided to shut down its platform to investigate the incident which resulted in an absence of availability for some of its customers.

Nuance’s stakeholders had to notify all the affected customers and law enforcement authorities about the incident. Also, the company and the authorities had conducted an investigation process which resulted in revealing the sophisticated third-party actor. The latter performed his misdeed by accessing one of the company’s transcription platforms.

Although the intentions and methods were different, these two insider threats examples call to mind one lesson which is: Insider threats are a reality and all organizations ( no exception ) are susceptible to get hit by one.

The infographic below includes some information about Insider threats from ObservIT: The Cost of Insider Threats report:

www.thecyberwriter.com

Far from the financial costs, organizations who experienced one or two insider threat incidents also suffered from other losses including but not limited to:

  • Reputational consequences
  • Business continuity
  • Lost of market value
  • Competitive advantages

Sometimes organizations are not responsible for the existence of insider threats, but it’s totally their duty to be aware and ready to go against any incident of this type. They must put into consideration the fact that an insider threat is already inside their infrastructure. For this reason, organizations should put in place all the possibilities and anticipations to conserve against this type of cyber attacks. One way to do this is to dominate those insider threats before and after they execute an attack.

The goal of this article is to fulfill your curiosity about how to dominate insider threats and prevent them from devastating organizations. This will be represented as a series of answered questions divided by four stages which are: Prevention, detection, investigation, and response. By the end of this article, you will gain a full understanding of how to encounter a preservation program and dominate insider threats incidents.

Prevention’s Questions.

1 What to protect?

Prevention is the first stage of keeping insider threats from lay a finger on a network. Organizations need to evaluate their information system to recognize their most valuable data in the network. For example, information about the intellectual property that differentiates the organization from other competitors. This can be the core technology of services or product, customers personal details or employee’s private information. This depends on the organization’s industry. Yet, here’s a list of the IT assets to protect:

  • Databases.
  • Files Servers.
  • Cloud applications.
  • Endpoints.
  • Active Directory.
  • Business Applications.
  • Mobile Devices.

The main idea is to decide what’s matter the most for an organization.

2 From who and what you need to protect your data from?

Simply put! Organizations must protect valuable information from insider threats who can perform insider attacks. Here’s an insider threat definition: Insider threats are the ability of an employee, a third-party agent, or a contractor to exploit his or her legitimate access; or a vulnerability in the system to destruct a company’s infrastructure, steal worthy information or establish a network disturbance. Thus, your vision should be holistic.

Unlike outsider threats, insiders live within the organization’s network and are more harmful because of these three characteristics:

  • Trust: Employees are required to be a part of the organization and they take part in its success, but employers should know that employees can betray their companies for some reasons such as financial greed or revenge.
  • Access: Insiders have the accessibility to critical components of the company’s infrastructure. So, one insider with an illicit behavior will decimate the company’s system.
  • Knowledge and Skills: Insiders knows a lot about the company’s infrastructure, policy, and culture. Thus, they can maneuver them and go undetected.

Insiders use these three characteristics to perform more precise and damageable attacks.

3 How to prevent insider threats?

After indicating what’s valuable to your business, critical assets should be centralized and classified on priority basis. After that, organizations should put in place these non-technical solutions including but not limited to:

  • Creating strong data policy
  • Training employee
  • Checking employee, third-party partners, and contractors status and access privileges

In the other side, here are some technical solutions IT security teams should use:

  • Identity and access management
  • Information security management
  • User entity and behavioral analytics ( UEBA )
  • Monitoring user activity
  • Data Encryption
  • Data Loss Prevention

Plus, forming a list of potential insider threats that might hit the organization will add an ambit of dominance too.

Detection and investigation Questions.

4 When to detect and investigate insider threats?

Insider threats might be already inside the organization trying to tear down the network. Therefore, to stay safe and aware, security teams should build a repeatable procedure to mitigate any potential insider attack consistently. This procedure is what’s so-called “detection of an existential threat”. More importantly, If any insider threat indicator occurs, an investigation process should start immediately. The two operations are often performed one fell swoop.

5 What do you need to detect and investigate Inside Threats?

Security teams need cutting-edge tools that offer data visualization and wild view of users’ actions to act fast and flexible. Security teams need Insider threats management platforms to expedite the detection and investigation processes and keep an eye out on significant users by providing the maximum of detailed information about users including timelines of users’ activities. Moreover, results should be visible and effortless for security pros to understand. Take into account the fact that insider threat management applications should have the ability to work seamlessly with other logging and monitoring tools.

6 Who and what should the security teams look for?

Using the specified tools, the chosen team should target users who show any insider threats indicators such as; unusual behaviors toward the network; breaking one or two terms of data policy including, for example, downloading or uploading data to unauthorized cloud storage platform. In a case like this, Insider threats Software Management tools will alert the security team with a potential breach and track the user to see if he or she is up to no good. If the alert is positive, the security team should check the suspected user’s profile for other details containing:

  • Type of data that is being violated
  • Data location.
  • Where the data is going?
  • What type of devices the insider is using.
  • Is this an unintentional or intentional behavior?

More serious, An insider threat could not be one person but a group of criminals. For this reason, the team should check if any other users are associated with the malicious insider. They should center their efforts toward users with advanced privileges.

How to respond to an insider threat incident?

7 What’s the first step?

After identifying what is happening and be assured that an insider threat is attacking the organization’s resources, it’s time to arrange an insider threat response team and bring a plan to the table. A response team could consist of:

  • IT security pros: They will be responsible for the technical aspects of the response operation like digitally stopping the insider threat.
  • HR manager: He or she will be responsible for checking the employee statue and look for any indicators that will vindicate his or her conduct, like financial problems or the will of revenge.
  • Legal: To analyze the incident from a legal perspective and collaborate with stakeholders to conduct a law enforcement.
  • Stakeholders: The decision makers should give directives to other parts of the team and take the final decision.

Furthermore, if the budget says yes, organizations can seek the help of an outsourced party to handle the situation.

8 When to response?

The real question is: Is it appropriate to respond immediately or investigate deeper? Acting quick after discovering an insider threat incident will stop serious damages and protect the network’s functionality, but the team might miss the chance of catching other insider attackers. In contrast, performing deeper monitoring and investigation could lead to finding other unknown insider threats who are linked with the main attack. Yet, this move can lead to massive losses. In general, if enough proof is on hands to prove the case, responding instantly is the best action a response team could take.

9 When to go public?

After carrying out an investigation, an insider attack should be reported to a higher authority. If the insider threat incident impacts any individuals, an organization should inform them and identify what personal data has been breached. Based on Article 33 in the General Data Protection Regulation (GDPR) compliance, organizations should report a data breach within the time of 72 hours. In the U.S, and based on the Data Breach Notification Laws, most states have a deadline range of 30–60 days to notify a data breach. Thus, each state has its own deadline, and entities should respect this deadline with no unjustified delay.

This article was originally published on thecyberwriter.com. Need a cyber security content writer for your business? Check my website and let’s get to work together.

Web developer | security researcher.