Watch Out for the Inside Job—It’s Worse than the External Attack

Insider threats are on the rise—in one survey[1] of more than 500 cybersecurity professionals, 62 percent saw a rise in insider attacks over the last 12 months. At the same time, another recent survey[2] of more than 770 IT/security professionals revealed that 32 percent have no technology or process in place to prevent an insider attack. This is unfortunate, given the same survey found such attacks cause at least $231 million worth of losses every year—and that’s just the detected attacks.

Dr. Eric Cole, author of the recent SANS report on insider threats, is adamant that virtually every organization has experienced some form of insider attack. “Though only 34 percent of respondents report experiencing an insider attack, I’m certain that every organization has indeed been attacked—they just don’t know it yet,” he says.

Look again at the insiders

Attacks from inside the company can be the most damaging because insiders have legitimate access and inside knowledge, so attacks continue for long periods of time. Companies typically take 15 months to discover they’ve been compromised. Even then, most learn about the attack from a third party, usually a law enforcement agency.

Insider attacks can be malicious or accidental. The different motivations of these attackers lead them to behave in different ways, so let’s take a look at both types and how organizations can defend against them.

Malicious insiders: a rogues’ gallery

Malicious insiders access privileged data and systems and seek to harm an organization by affecting the confidentiality, integrity, or availability of information.

The Imposter is either an external actor who has gained access to insider credentials or a former insider who has retained working logins. This person typically targets individual, service, or shared accounts as well as other privileged credentials for fraud or information theft.

Combat imposters by enforcing least-privileged access, so they can’t leapfrog from one system to another. Use technologies that detect overt activities such as password cracking and spikes in the volume of information being accessed. Knowing the network baseline will allow you to spot suspicious network activity and move in to investigate it; knowing what normal user behavior looks like will do the same for suspicious user activity.

Entitled Eddie believes he has the right to take his work product with him to use in competing with his current employer. His goal is IP theft, and he typically acts alone.

Be clear with Eddie from the outset, discussing work-product ownership and ensuring IP and other agreements are clear. Don’t tolerate “forgetting” of company policies and be suspicious of “accidental” miscommunication. And review Eddie’s online activity at the first sign that he might be thinking of leaving.


The Ringleader wants information that falls outside the scope of her responsibilities. She plans to go into business for herself or work for a competitor, and aims to get a head start by bringing your IP and your employees.

To stymie ringleaders, heighten security awareness so employees get suspicious when asked for confidential information. Ensure all IP and other agreements are clear and review online activity as soon as you become aware an employee is leaving the organization.

Disgruntled Debbie feels wronged by the organization—perhaps she had a poor review or conflict with her boss, or expects to be laid off. In her mind this justifies revenge, which could lead to theft or damage to corporate data or information systems.

Watch for signs of disgruntlement, like a negative shift in the tone and intensity of communication. Alert IT when events occur that may trigger disgruntlement, so they can monitor activity and behaviors more closely. 

The Mole works inside one company, but for the benefit of an outside entity. This double agent typically possesses specialized skills involved in creating IP and has access to your most critical data.

To guard against moles, foster a strong culture that supports security and protection of IP. Monitor employees, encrypt privileged data, and log all access to it.

Hacktivist Harry sabotages computer systems to make a political or social statement, targeting government systems, high-profile corporations, or any organization or industry he doesn’t like.

Foster an internal culture that emphasizes shared goals and an open, transparent environment, and it will be hard for hacktivists to fit in and carry out sabotage. Leverage data encryption and anomaly detection to identify any suspicious activities.

Non-malicious insiders

Despite their benign intentions, non-malicious insiders can expose sensitive data, fall prey to phishing scams, and open the door for Advanced Persistent Threats (APTs) that compromise the network. Looking for changes in user behavior is the only reliable way to detect non-malicious insiders, because when a legitimate account becomes compromised, the behavior of that account will change. Anyone can unknowingly become exploited through:

  • Credential compromise, when your systems leak credentials, credentials are stolen from another site, or temporary credentials such as cookies are stolen. Help prevent this by keeping your systems’ security vulnerabilities patched.
  • Phishing, in which users get an email that looks like it comes from a legitimate business, asking them to log in. Users click on the link and enter their login and password information—which the fake page transmits to the criminal. Train users to never follow links or fill out forms in an email message, and ask them to flag and forward any such emails to IT.
  • Keylogging malware, which records everything the user types, including logons and passwords, and then transmits it to the cybercriminal. Stymie this attack by setting up systems to detect any unusual transmissions.
  • Password guessing programs crack weak passwords in minutes. Set up your systems to enforce password strength and frequent password change.

While compromise can happen in different ways, all compromised user accounts will start to show unusual behaviors. Your best fallback defense is rapid, automatic user behavior analytics to detect any anomaly that suggests suspicious behavior.
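The baseline-and-deviation idea behind the two passages above (spotting spikes in the volume of information an account accesses, and spotting a compromised account by the change in its behavior) can be made concrete with a small per-user baseline. The following is an added example written for this page, not SpectorSoft code or a product feature; the log format, field names and the sample records are constructed. It learns each account's usual read volume and working hours from its first few events and flags later events that fall far outside that baseline.

```python
"""Toy user-behavior baseline: flag accounts whose activity deviates from their own history.

Added example, not code from the original article or from SpectorSoft. The log format
("timestamp,user,action,bytes"), the field names and all records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample access log. "alice" is normally a daytime, low-volume reader;
# her final record is a large off-hours read, the pattern a compromised account shows.
SAMPLE_LOG = """\
2015-04-01T09:12:00,alice,read,120000
2015-04-02T09:40:00,alice,read,98000
2015-04-03T10:05:00,alice,read,110000
2015-04-04T09:30:00,alice,read,105000
2015-04-05T09:55:00,alice,read,99000
2015-04-06T02:14:00,alice,read,5200000
2015-04-01T14:00:00,bob,read,450000
2015-04-02T15:20:00,bob,read,470000
2015-04-03T13:45:00,bob,read,440000
2015-04-04T16:10:00,bob,read,460000
2015-04-05T14:30:00,bob,read,455000
2015-04-06T14:50:00,bob,read,465000
"""


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    nbytes: int


@dataclass
class Alert:
    user: str
    ts: datetime
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Parse the constructed CSV-style log into Event records, skipping blanks/comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, nbytes = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, action, int(nbytes)))
    return events


def detect_anomalies(log_text, train=5, z_threshold=3.0, hour_slack=1):
    """Build a per-user baseline from the first `train` events, then score the rest.

    Two checks per later event: read volume as a z-score against the user's own
    history, and hour-of-day against the user's observed working-hour range
    (widened by `hour_slack`). Users with too little history are skipped rather
    than scored against a baseline that does not exist yet.
    """
    by_user = defaultdict(list)
    for ev in parse_log(log_text):
        by_user[ev.user].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        if len(evs) <= train:
            continue  # not enough history to form a baseline
        history, recent = evs[:train], evs[train:]

        sizes = [e.nbytes for e in history]
        mu = mean(sizes)
        # Floor on sigma: a perfectly flat history would otherwise divide by zero
        # and turn every tiny change into an alert.
        sigma = max(pstdev(sizes), 0.01 * mu, 1.0)
        hours = [e.ts.hour for e in history]
        lo, hi = min(hours) - hour_slack, max(hours) + hour_slack

        for ev in recent:
            reasons = []
            z = (ev.nbytes - mu) / sigma
            if z > z_threshold:
                reasons.append(f"volume z-score {z:.1f} vs baseline mean {mu:.0f} bytes")
            if not lo <= ev.ts.hour <= hi:
                reasons.append(
                    f"off-hours activity at {ev.ts.hour:02d}:00 "
                    f"(usual {min(hours):02d}-{max(hours):02d})"
                )
            if reasons:
                alerts.append(Alert(user, ev.ts, reasons))
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} {a.user}: " + "; ".join(a.reasons))
```

On the constructed log only alice's 02:14 read is flagged, for both reasons at once; bob's steady daytime reads stay inside his own baseline even though his volumes are several times alice's, which is the point of scoring each account against itself rather than against a global threshold. In practice the training window would be weeks of history and the features would include hosts, applications and destinations, but the shape of the check is the same.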

About the Author 

Mike Tierney is the Chief Operating Officer at SpectorSoft, a leader in user activity monitoring and user behavior analytics. SpectorSoft develops software that helps businesses identify and detect insider threats, conduct efficient and accurate investigations, and enhance productivity. Mike is responsible for the day-to-day operations of the company and has a strong background in product strategy and management. For more information visit or contact SpectorSoft at

[1] Crowd Research Partners Insider Threat Report

[2] “Insider Threats and the Need for Fast and Directed Response,” a SANS Survey. Dr. Eric Cole, April 2015

Edited by Peter Bernstein
