How to Protect Your Organisation from Insider Threats
March 2023 by Igor Baikalov, Semperis Chief Scientist and former SVP of global information security at Bank of America
Insider threats—cyber incidents carried out by trusted actors—are increasing sharply. As with all cyberattacks, most breaches committed by inside threat actors involve access abuse, whether the compromise was the result of negligence or malicious intent. The global economic slowdown has resulted in layoffs and general uncertainty, creating conditions that raise the risk of insider threat attacks, whether they stem from decreased resources for training, lack of security policy enforcement, or lower job satisfaction among employees—which can lead to retaliatory behaviour.
Insider threats are particularly dangerous because they involve access abuse by trusted actors who, in order to do their jobs, have access to critical assets and sensitive data across the organisation. But most security solutions focus on detecting illegitimate access. To adequately address insider threats, organisations need solutions that protect the core identity system itself by scanning for identity system vulnerabilities that insiders can abuse, detecting and automatically remediating risky changes, shining a light on attack paths into critical assets, and providing post-breach forensics to close backdoors left by malicious insiders. In particular, organisations in the midst of major transitions, such as consolidating business offices or reducing the overall workforce, need the ability to take action on suspicious activity from high-risk users—such as employees who are flagged as a flight risk or are slated for upcoming termination.
Insider threats are on the rise—again
Although external malicious actors receive most of the media attention, insider threats—stemming both from negligence and from malicious intent—are on the rise. According to the Ponemon Institute’s 2022 Cost of Insider Threats Global Report, 67% of companies experience 21 to 40 insider-related incidents per year—up from 60% in 2020—with each incident incurring an average cost of $484,931. Insider threats are notoriously difficult to eradicate: It takes victim organisations an average of 85 days to contain an insider-related incident.
Access abuse underlies internal threat incidents
Anyone who has permission to access critical business assets can potentially abuse that privilege, either through negligence or malicious intent. Negligence can lead to system compromise in several ways, but the result is the same: Because of a mistake someone made—for example, an end user who left their laptop unlocked or an Active Directory admin who failed to follow defined employee off-boarding policies—privileged credentials are easy pickings for malicious actors. An inside threat actor with malicious intent can use privileged access to compromise the organisation’s systems for a variety of reasons, from monetary gain to revenge. Regardless of the intent, access abuse underlies insider threats. An identity-first security strategy that addresses every phase of the cyberattack lifecycle—including recovering from an insider attack if the worst happens—is critical to protecting organisations from insider threats.
Based on my experience addressing insider threat and risk monitoring at Bank of America, I can attest that the stark increase in inside threat incidents is a warning to organisations that haven’t yet implemented a comprehensive identity threat detection and response solution. Access abuse is the common element in insider attacks. Employees, contractors, vendors, and partners can inflict devastating damage on organisations, either out of carelessness or malice. Protecting against insider threats requires a concerted effort—a comprehensive strategy that addresses every phase of the attack lifecycle, including prevention, remediation, and recovery.
Identity-first security steps to guard against insider threats
Active Directory (AD) and Azure Active Directory are the core identity system for 90% of businesses. Organisations need AD-specific recovery solutions to protect their critical identity services before, during, and after an attack.
• Before attack: Uncover security vulnerabilities that could pave the way to access abuse by trusted actors (for example, accounts with expired passwords and inactive accounts); enable deployment of an identity freeze—preventing certain changes by a defined set of users—in advance of terminations to forestall malicious changes by disgruntled employees; and view any attack paths to critical Tier 0 assets.
• During attack: Continuously monitor for indicators of compromise (IOCs), tracking risky changes to on-prem AD and Azure AD, and be able to automatically roll back specific changes that could signal an attack—for example, unexplained additions to the Domain Admins group.
• After attack: Access post-breach forensic capabilities to uncover attack techniques used by insiders and close backdoors into AD and Azure AD.
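The three steps above can be made concrete as two checks a detection pipeline would run over exported directory data. The following is an added example written for this article and is not Semperis code or any product's logic. It assumes an exporter has already turned Windows Security events into dictionaries keyed by the EventData field names Windows uses for events 4728 and 4756 (member added to a security-enabled global or universal group), 4720 (user account created) and 4724 (password reset attempted), plus a flat account inventory with last-logon and password-set timestamps. The Tier 0 group list, the "frozen" high-risk user set, the approved-change list, the staleness thresholds, and every event and account record are constructed sample data chosen for illustration.

```python
"""Added example: identity-first AD hygiene and change-monitoring checks.

Not Semperis code. Event and account records below are constructed samples,
shaped after the EventData fields Windows writes for Security events
4728/4756 (member added to a global/universal security group), 4720 (user
account created) and 4724 (password reset attempted).
"""
from datetime import datetime, timedelta, timezone

# Assumption: these groups are treated as Tier 0; any unexplained membership
# change is a candidate for automatic rollback.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Identity freeze (assumed watch list): accounts flagged as flight risk or
# slated for termination. Every directory change they make is surfaced.
FROZEN_USERS = {"jdoe"}

# Assumed change-ticket register: (actor, Tier 0 group) pairs that are explained.
APPROVED_CHANGES = {("adm_kroth", "Enterprise Admins")}

GROUP_ADD_EVENTS = {4728, 4756}   # global / universal security group member added

# Constructed sample Security events (not from a real domain).
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2023-03-01T09:12:00Z", "SubjectUserName": "svc_hr_sync",
     "MemberName": "CN=Alice Smith,OU=HR,DC=corp,DC=example", "TargetUserName": "HR-Staff"},
    {"EventID": 4728, "TimeCreated": "2023-03-01T22:41:00Z", "SubjectUserName": "jdoe",
     "MemberName": "CN=jdoe-backup,OU=IT,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"EventID": 4720, "TimeCreated": "2023-03-01T22:39:00Z", "SubjectUserName": "jdoe",
     "TargetUserName": "jdoe-backup"},
    {"EventID": 4724, "TimeCreated": "2023-03-02T08:05:00Z", "SubjectUserName": "helpdesk01",
     "TargetUserName": "bwong"},
    {"EventID": 4756, "TimeCreated": "2023-03-02T10:00:00Z", "SubjectUserName": "adm_kroth",
     "MemberName": "CN=Kai Roth,OU=IT,DC=corp,DC=example", "TargetUserName": "Enterprise Admins"},
]

# Constructed account inventory for the "before attack" hygiene check.
SAMPLE_ACCOUNTS = [
    {"sam": "alice", "lastLogon": "2023-02-27T08:00:00Z", "pwdLastSet": "2023-01-10T00:00:00Z", "enabled": True},
    {"sam": "old_contractor", "lastLogon": "2022-09-01T08:00:00Z", "pwdLastSet": "2022-08-01T00:00:00Z", "enabled": True},
    {"sam": "svc_legacy", "lastLogon": "2023-02-20T08:00:00Z", "pwdLastSet": "2021-05-01T00:00:00Z", "enabled": True},
    {"sam": "disabled_tmp", "lastLogon": "2021-01-01T08:00:00Z", "pwdLastSet": "2021-01-01T00:00:00Z", "enabled": False},
]
REPORT_TIME = datetime(2023, 3, 2, 12, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the exporter's UTC timestamp ("...Z") into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_accounts(accounts, now, inactive_days=90, max_pwd_age_days=365):
    """Before attack: list enabled accounts that are inactive or carry an
    expired password. Expiry is modelled as password age over the assumed
    domain maximum, since the sample inventory carries no explicit flag."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are not usable credentials
        if now - parse_ts(acct["lastLogon"]) > timedelta(days=inactive_days):
            findings.append((acct["sam"], "inactive"))
        if now - parse_ts(acct["pwdLastSet"]) > timedelta(days=max_pwd_age_days):
            findings.append((acct["sam"], "password-expired"))
    return findings


def evaluate_event(ev):
    """During attack: return (kind, actor, detail) findings for one event.
    'identity-freeze' marks any change by a frozen user; 'tier0-rollback'
    marks an unexplained Tier 0 group addition that should be reverted."""
    findings = []
    actor, eid = ev["SubjectUserName"], ev["EventID"]
    if actor in FROZEN_USERS:
        findings.append(("identity-freeze", actor, f"event {eid} performed by frozen account"))
    if eid in GROUP_ADD_EVENTS and ev["TargetUserName"] in TIER0_GROUPS:
        if (actor, ev["TargetUserName"]) not in APPROVED_CHANGES:
            findings.append(("tier0-rollback", actor,
                             f"{ev['MemberName']} added to {ev['TargetUserName']} without an approved change"))
    return findings


def evaluate_events(events):
    """Evaluate events in time order; returns (time, kind, actor, detail) tuples."""
    ordered = sorted(events, key=lambda e: parse_ts(e["TimeCreated"]))
    return [(ev["TimeCreated"],) + f for ev in ordered for f in evaluate_event(ev)]


if __name__ == "__main__":
    for sam, reason in stale_accounts(SAMPLE_ACCOUNTS, REPORT_TIME):
        print(f"HYGIENE  {sam}: {reason}")
    for when, kind, actor, detail in evaluate_events(SAMPLE_EVENTS):
        print(f"ALERT    {when} {kind} {actor}: {detail}")
```

On the sample data the hygiene pass flags the long-idle contractor account and the service account whose password has not changed in over a year, while the change monitor surfaces both of the frozen user's late-evening changes and marks the unexplained Domain Admins addition for rollback; the ticketed Enterprise Admins change and the routine HR group change produce no alert. Feeding real events into the same logic is a matter of replacing the constructed records with an export from the Security log.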
Semperis is the only provider of solutions purpose-built by identity security experts for protecting Active Directory.