How Can Feds Better Defend Against Insider Threats?

Insider threat detection and mitigation programs are crucial for government agencies.


The specter of insider threats is not as hot a topic in the federal government as it was a few years ago, in the wake of disclosures of classified information from Edward Snowden and Chelsea Manning. The cyberthreat that looms largest right now is the suspected Russian cyberattack against government agencies and the private sector.

That said, insider threats have not gone away as a potential vector of attacks against the government, and agencies have increased their investments in insider threat mitigation tools. According to Bloomberg Government, federal insider threat-related spending has increased annually since the 2017 fiscal year and jumped to $970 million in fiscal 2019. Bloomberg estimated in August 2020 that the spending on insider threats programs would top $1 billion in fiscal 2020, which ended Sept. 30.

Both the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the National Insider Threat Task Force (NITTF) have provided guidance to the private sector and to federal agencies on insider threats. This includes information on building insider threat mitigation programs and detecting and identifying insider threats.


What Is an Insider Threat?

In November, CISA released an insider threat mitigation guide. Although the guide is aimed at the private sector, it provides valuable lessons for federal IT security leaders and staffers.

In the context of government functions, CISA notes, an insider “can be a person with access to protected information, which, if compromised, could cause damage to national security and public safety.”

An insider threat is defined by CISA as “the potential for an insider to use their authorized access or special understanding of an organization to harm that organization.” That damage can “include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, facilities, and associated resources.”

The NITTF, housed within the Office of the Director of National Intelligence, is charged with creating a governmentwide insider threat program for deterring, detecting and mitigating insider threats, including the safeguarding of classified information from exploitation, compromise or other unauthorized disclosure, taking into account risk levels as well as the distinct needs, missions and systems of individual agencies.

“The insider threat is a dynamic problem set, requiring resilient and adaptable programs to address an evolving threat landscape, advances in technology, and organizational change,” states the NITTF’s Insider Threat Program Maturity Framework. “The effort requires continual evaluation and updated perspectives and approaches.”

Types of Insider Threats

Lucia Milică, global resident CISO for Proofpoint, tells FedTech that there are three main types of insider threats: malicious users, negligent users and compromised users.

“Broadly speaking, insiders are different from external hackers because insiders already have legitimate and authorized access to sensitive systems and often interact with sensitive data on a daily basis,” Milică says.

CISA says there are two types of unintentional insider threats: negligent and accidental. In negligent cases, “insiders can expose an organization to a threat by their carelessness,” by ignoring security and/or IT policies. In accidental ones, well-intentioned users who are oblivious or naïve can “make a mistake causing an unintended risk to an organization” by “mistyping an email address and accidentally sending a sensitive business document to a competitor, unknowingly or inadvertently clicking on a hyperlink or opening an attachment that contains a virus within a phishing email, or improperly disposing of sensitive documents.”

Meanwhile, intentional insiders “intentionally take actions that harm an organization for personal benefit or to act on a personal grievance.”

There are numerous consequences of an insider threat, according to the Cybersecurity and Infrastructure Security Agency. Source: CISA

In the case of federal agencies, Milică notes, authorized access also includes having specific security clearances. “The key in all three cases is the capability to identify risky behavior and very quickly ascertain whether it warrants additional research,” she says. “Federal security teams that get drowned in alerts they can’t efficiently investigate often miss important indicators.”

Gartner analyst Jonathan Care recently identified three different types of insider threats: the “determined spy,” the “disgruntled associate” and the disaffected “unaware and just don’t care.”

The determined spy is “an external threat actor who lures insiders to compromise their identity and endpoints,” Milică says. “While these insiders may not necessarily be as tech savvy as an IT admin or someone with a high clearance, the external attacker is often very technically proficient. Once they infiltrate an endpoint, they will look to hide the data they collect and cover their tracks to avoid discovery.”

Ryan Kovar, distinguished security strategist at Splunk, adds that these insiders can also be subverted by a third party, in that third party’s interest, on the basis of national identity. That particular identity, he says, is “probably the more unique part of the federal government or organizations that support the federal government.”

Meanwhile, the disgruntled associate, also known as the malicious user, Milică says, “is often someone who knows a federal agency’s blind spot when it’s time to attempt data exfiltration — and they certainly don’t want to be caught.”

The third and most common type of insider, Milică adds, “is the disaffected employee who is unaware and/or just doesn’t care. These individuals cut corners to get their job done quickly. They don’t necessarily try covering their tracks, but they definitely circumvent rules.”


Insider Threat Indicators

CISA lays out numerous indicators, including personal stressors (“serious physical, emotional or mental health concerns”); background indicators (“involvement with individuals or groups who oppose core beliefs or values of the organization”); addictions (alcohol, drugs, gambling); and “multiple short-term employments.”

To detect an insider threat, an agency needs to have “telemetry to understand what the threats are, which sounds very obvious, but becomes very difficult when you start thinking of scale,” Kovar says.

There are some common indicators that apply to any of the tactics, techniques and procedures for any of the insider personas, Kovar says. “What you’re looking for is unusual access, quite often, or unusual behaviors,” he says.

The Cybersecurity and Infrastructure Security Agency notes that insider threats can be expressed in several different ways. Source: CISA

For example, it might be a user in accounting who suddenly goes for the first time ever into the file directory that has top-secret information on an agency’s high-value assets, according to Kovar. Or, perhaps the information is not top-secret but is something that has nothing to do with the user’s normal work.

If a user normally does interact with high-value assets and information, the unusual behavior might be that the IT security team detects the user downloading that information to the desktop and copying it to a USB drive for the first time.

This behavioral monitoring requires the agency to map out the baseline of normal behavior for users, Kovar notes.

“We can condense through peer group analysis, and say, ‘Hey, this person does this thing every single day. Why are they accessing these folders or this email directory for the first time ever?’” Kovar says.

Insiders are much more likely to use physical exfiltration, such as printing out documents, copying information to local hard drives and moving data via USB drives and ZIP disks, Kovar says.
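The baseline and peer-group check Kovar describes above, as an added example that is not part of the original article or any vendor’s product: it builds a per-user and per-peer-group baseline from a constructed file-access log, then flags first-ever resource access (scored higher when no peer in the group uses the resource either) and first use of a new channel such as a USB copy on data the user normally handles. The user names, peer groups, paths and log format are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample access log (not real data): (day, user, peer group, action, resource).
# The January rows form the baseline; the February rows are the window being checked.
BASELINE = [
    ("2021-01-04", "alice", "accounting", "read", "/finance/q4"),
    ("2021-01-05", "alice", "accounting", "read", "/finance/q4"),
    ("2021-01-04", "bob", "accounting", "read", "/finance/payroll"),
    ("2021-01-04", "carol", "research", "read", "/hva/top-secret"),
    ("2021-01-05", "carol", "research", "read", "/hva/top-secret"),
]
NEW = [
    ("2021-02-01", "alice", "accounting", "read", "/finance/q4"),        # routine
    ("2021-02-01", "bob", "accounting", "read", "/finance/q4"),          # new to bob, normal for peers
    ("2021-02-01", "alice", "accounting", "read", "/hva/top-secret"),    # first ever; no peer touches it
    ("2021-02-02", "carol", "research", "usb_copy", "/hva/top-secret"),  # familiar data, new channel
]

def build_baseline(events):
    """Per-user and per-peer-group sets of resources seen, plus per-user actions seen."""
    user_res, group_res, user_act = defaultdict(set), defaultdict(set), defaultdict(set)
    for _, user, group, action, res in events:
        user_res[user].add(res)
        group_res[group].add(res)
        user_act[user].add(action)
    return user_res, group_res, user_act

def detect(baseline, events):
    """Return (severity, user, resource, reason) for each event that departs from the baseline."""
    user_res, group_res, user_act = build_baseline(baseline)
    alerts = []
    for _, user, group, action, res in events:
        if res not in user_res[user]:
            if res not in group_res[group]:
                alerts.append(("high", user, res, "first access; no peer in group uses this resource"))
            else:
                alerts.append(("low", user, res, "first access for user; common within peer group"))
        elif action not in user_act[user]:
            # Known resource, but a channel the user has never used (e.g. copy to removable media).
            alerts.append(("high", user, res, f"first use of action '{action}' on a familiar resource"))
    return alerts

if __name__ == "__main__":
    for alert in detect(BASELINE, NEW):
        print(alert)
```

The peer-group comparison is what keeps bob’s first look at a file his whole department uses from drowning out alice’s first look at a high-value asset nobody in accounting touches.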

Other behavioral indicators of insider threats that CISA notes include “observable resentment with plans of retribution”; “excessive or unexplained use of data copy equipment (scanner, copy machine, cameras)”; “bringing personal equipment into high security areas”; “disgruntlement toward peers due to perceived injustice”; and “excessive volunteering that elevates access to sensitive systems, networks, facilities, people or data.”

Technical indicators of insider threats noted by CISA include email messages with abnormally large attachments or amounts of data, Domain Name System queries associated with dark web activities, the use of activity masking tools such as VPNs, connecting an unauthorized device to the network, downloading or installing prohibited software, unexpected activity outside of normal working hours and attempts to bypass or disable malware protection tools or security controls.


How to Create an Insider Threat Program

CISA lays out the ground rules for creating an effective insider threat mitigation program. They include the ability to identify and focus on “those critical assets, data, and services that the organization defines as valuable.”

The program must also monitor user behavior “to detect and identify trusted insiders who breach the organization’s trust.” Another key element is that the program “assesses threats to determine the individual level of risk of identified persons of concern.”

An effective program must also manage “the entire range of insider threats, including implementing strategies focused on the person of concern, potential victims, and/or parts of the organization vulnerable to or targeted by an insider threat.”

Solid programs, CISA states, must also “engage individual insiders who are potentially on the path to a hostile, negligent, or damaging act to deter, detect, and mitigate.”

These are some of the key elements of an effective insider threat program. Source: CISA

Milică says effective federal insider threat programs efficiently visualize information on insider activity “across applications, systems and sensitive data at all times.”

“With malicious users, you are looking for a timeline of technical activity that includes preparation for exfiltration, data exfiltration, and intentional covering up of tracks,” she says. “Additionally, these users will display harmful offline motivations such as revenge, anger or frustration to cause harm.”

To identify negligent activities, IT security teams must “look for indicators of poor hygiene, like storing passwords in text files, leaving databases exposed to the public internet, using unsecured Wi-Fi connections, using unsanctioned applications and actions that are designed to sidestep security restrictions,” Milică adds.


Insider Threat Detection Tools

Stopping insider threats within federal agencies requires a comprehensive solution that addresses both people and technology, according to Milică.

“On the technology front, many organizations mistakenly focus on data movement alone,” she says. “However, agencies need visibility into user and file activity at all levels. They need to know the ‘how’ and ‘why’ of a user’s behavior to figure out intent and actions.”

Kovar points to Splunk’s user behavioral analytics tools, which can gather data from disparate sources including a user’s background, behavior and potential motivations. Or, he notes, agencies can use Splunk’s core platform and machine learning tools to create their own security models, though he says that approach is for more advanced users.

Some agencies are opting for a completely automated approach to insider threat detection, and others only want data presented to human analysts who then can determine insider threats. “I think honestly, the best programs I’ve ever seen — and they’ve mostly been honestly in the defense industrial base — have been programs that blend the two,” he says.

Milică notes that insider threats can come not just from federal employees but contractors, third parties and partners throughout the supply chain.

“Raising security awareness can curtail the negligence that makes up insider threats,” she says. “Establish a set of governance policies informed by legal counsel and communicate those to your employees. Offer security training programs tailored to each executive level in your organization. These training sessions should occur with some frequency and be refreshed to reflect changes in how insider threats occur.”