Insider Threat Detection

Insider threat incidents have increased by 44% over the past two years, and the cost of an incident now tops $15.3 million, according to the 2022 Cost of Insider Threats report from Ponemon. To defend against this pressing security — and business — risk, organizations need a comprehensive insider threat detection strategy. This article provides extensive guidance to help you get started building an effective program.

Insider threats: What are we dealing with?

The Ponemon report delineates three types of insider threat:
  • A careless or negligent employee or contractor. Internal users can do harm without any malicious intent, due to negligence, ignorance or error. For example, someone might ignore update installations, accidentally email sensitive information to the wrong recipients or fall prey to a phishing scheme.
  • A criminal or malicious insider. Malicious insiders deliberately take action to harm their organization. The most common motives include desire for revenge for perceived injustices and desire to gain some benefit or profit. Actions often include leaking sensitive data, sabotaging systems or stealing intellectual property in the hopes of advancing their careers.
  • A credential thief. An external actor who steals the credentials of a legitimate user gains access to the corporate network and therefore becomes an insider threat.

What are common indicators of an insider threat?

Sometimes unusual personal behavior can indicate the potential for an insider threat. Examples include signs of heightened agitation, expressions of resentment towards the company — especially by departing employees, who are leading sources of internal data theft — and mentions of revenge or possible gain. General cues like the above can serve as early warning signs that an insider may be developing malicious intent, but more specific behaviors can be indicators that a plot is already moving forward. Some of the most common insider threat indicators are:
  • Unnecessary access requests. Each user needs access to only certain data. For example, accountants don’t need design files, and systems developers don’t need financial records. If an employee or contractor attempts to access data that doesn’t pertain to their work, a threat may be underway.
  • Unauthorized escalation of user privileges. The more access an insider has, the easier it is to steal data or hide their actions. When employees unnecessarily attempt to escalate their own privileges, they may be paving the way for an attack.
  • Use of unauthorized storage media. Attempts to use prohibited data storage devices can be a clear sign that insiders are trying to acquire data without transferring the files through a server, since that activity is routinely tracked.
  • Sending emails to recipients outside the organization. Emails that are sent to recipients other than clients, vendors or other business partners — especially if they have file attachments — could be an insider threat in progress. Note that the action could be malicious or negligent, and the actor could be an employee or an adversary who has taken over a user account.
  • Accessing information and systems during off hours or vacation. Employees should attempt to access data only while on the clock. While remote work and around-the-clock schedules make abnormal access times harder to spot, they can be a sign of an attack.
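The indicators above translate naturally into rule-based checks over an audit trail. The following is an added example, not code from the original article or from Netwrix: the key=value audit-line format, the role-to-data mapping, the partner domains, the working-hours window and the sample events are all constructed for illustration; in practice the events would come from a SIEM, DLP or file-server audit log.

```python
"""Rule-based checks for the insider threat indicators listed above.

Added example, not code from the original article or from Netwrix. The
key=value audit-line format, the role-to-data mapping, the partner domains
and the sample events are constructed for illustration.
"""
from datetime import datetime, time

# Constructed role map: the data classes each role legitimately needs.
ROLE_DATA = {
    "accountant": {"finance"},
    "developer": {"source", "design"},
    "sales": {"crm"},
}
# Constructed partner domains; mail to any other external domain is "outside".
PARTNER_DOMAINS = {"vendor.example", "client.example"}
# Constructed policy: banned removable media and the normal working window.
BANNED_DEVICE_CLASSES = {"usb_mass_storage"}
WORK_START, WORK_END = time(8, 0), time(18, 0)


def parse_event(line):
    """Parse one constructed 'key=value key=value' audit line into a dict."""
    ev = dict(token.split("=", 1) for token in line.split())
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def check_event(ev, on_leave=frozenset()):
    """Return the names of the indicators one event trips (empty list if none)."""
    hits = []
    kind = ev["type"]
    if kind == "file_read":
        # Unnecessary access: data outside what the user's role needs.
        if ev["data_class"] not in ROLE_DATA.get(ev["role"], set()):
            hits.append("access_outside_role")
    elif kind == "privilege_change" and ev["actor"] == ev["user"]:
        # Self-granted escalation: no separate approver on the change.
        hits.append("self_privilege_escalation")
    elif kind == "device_mount" and ev["device_class"] in BANNED_DEVICE_CLASSES:
        hits.append("unauthorized_storage_media")
    elif kind == "email_sent":
        sender_domain = ev["from"].rsplit("@", 1)[-1]
        rcpt_domain = ev["to"].rsplit("@", 1)[-1]
        external = rcpt_domain != sender_domain and rcpt_domain not in PARTNER_DOMAINS
        if external and int(ev.get("attachments", "0")) > 0:
            hits.append("external_email_with_attachment")
    if kind in {"file_read", "login"}:
        # Off-hours, weekend, or activity by someone who is supposed to be away.
        t = ev["ts"].time()
        weekend = ev["ts"].weekday() >= 5
        if weekend or not (WORK_START <= t <= WORK_END) or ev["user"] in on_leave:
            hits.append("off_hours_or_on_leave_access")
    return hits


def scan(lines, on_leave=frozenset()):
    """Run every line through the checks; return {user: [indicator, ...]}."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        hits = check_event(ev, on_leave)
        if hits:
            findings.setdefault(ev["user"], []).extend(hits)
    return findings


# Constructed sample audit lines (2024-03-04 is a Monday, 2024-03-09 a Saturday).
SAMPLE_LOG = [
    "ts=2024-03-04T10:15:00 type=file_read user=alice role=accountant data_class=finance",
    "ts=2024-03-04T10:20:00 type=file_read user=alice role=accountant data_class=design",
    "ts=2024-03-04T11:00:00 type=privilege_change user=bob role=developer actor=bob",
    "ts=2024-03-04T11:05:00 type=device_mount user=carol role=sales device_class=usb_mass_storage",
    "ts=2024-03-04T11:10:00 type=email_sent user=carol role=sales from=carol@corp.example to=ops@vendor.example attachments=1",
    "ts=2024-03-04T11:12:00 type=email_sent user=carol role=sales from=carol@corp.example to=someone@mail.example attachments=3",
    "ts=2024-03-05T09:00:00 type=login user=dave role=developer",
    "ts=2024-03-09T02:30:00 type=file_read user=bob role=developer data_class=source",
]

if __name__ == "__main__":
    # dave is on the constructed leave roster, so his weekday login is flagged too.
    for user, hits in scan(SAMPLE_LOG, on_leave=frozenset({"dave"})).items():
        print(user, hits)
```

Each rule is deliberately simple and explainable, which matters when an analyst has to justify a finding to HR or management; the role map and the leave roster are the parts that need a reliable upstream source (an HR or IAM feed), since a stale role mapping produces exactly the false positives that erode trust in the program.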

What are the steps in building an insider threat detection program?

Insider threat detection is a complex process that includes continuous activity monitoring, behavior analytics and threat management. Here are the steps that organizations should take to create an effective program:
  1. Initiate the program. Convince executives and other stakeholders of the importance of an insider threat detection program. Assemble a team that will take charge of your insider threat detection mission and empower them to set the tone for the rest of the organization.
  2. Assess your IT infrastructure. Be sure to include:
    • Users, including contractors, suppliers and partners, so you know all the potential points of compromise a threat can come from
    • Effective permissions, so you know who has access to what and whether each user’s access aligns with their job responsibilities
    • Data storages, so you know what critical assets need to be protected
    • Access control systems, such as routers, switches, VPN
    • Installed security and threat prevention systems, so you can evaluate which of them might be helpful with threat detection in the future
  3. Identify and prioritize insider threats. Uncover weak points by conducting a risk assessment, analyzing your ability to handle an attack, reviewing past incidents and identifying areas for improvement. Be as comprehensive as possible, considering everything from data theft by compromised accounts to mistakes or privilege abuse by insiders. Prioritize threats by likelihood and impact so you can focus on the most important ones first.
  4. Educate employees. Create an insider threat awareness training program for all employees, with the goal of cultivating a culture of digital security. Help everyone understand security best practices and common risks like phishing schemes and deceptive IP addresses, as well as the consequences of failing to adhere to best practices.
  5. Document your policies. Create clear policies so everyone knows what is required of them. Be sure to include procedures for reporting threats and incidents.
  6. Deploy. Security tools can help you detect and block insider threats, with functionality such as user activity monitoring, user behavior analytics built on machine learning, and sophisticated alerting and threat investigation. If you already have a data loss prevention (DLP), security information and event management (SIEM), or endpoint detection and response (EDR) solution in place, ensure your insider threat detection solution can leverage the alerts it generates.
  7. Monitor. Audit your IT environment to uncover trends and spot suspicious events. For example, a spike in file download activity should generate an immediate alert. Be sure to monitor your whole IT environment, including file servers, SharePoint and Teams, Exchange and databases. Tip: Don’t try to feed all the data you have into your insider threat detection solution right away. Start with one data source and test to see if it meets your expectations: Simulate malicious insider activity and see whether your solution is able to catch it, how long it takes to do so, and how it presents the details of this suspicious activity for your review. Once this process works on one data source, use the same process to add other data sources, one at a time.
  8. Reevaluate. Remember that both the threat landscape and your IT environment are constantly changing. That means you’ll need a continuous feedback loop to help you factor in changing threats and risks. Ensure your program can evolve with your business processes and emerging dangers.

Top techniques to detect insider threats

Identify a specific insider threat to train your detection on. This can be malicious insider activity that already happened in your organization or abnormal activity that you know you want to detect. Ensure your detection model can catch and alert on this threat with an acceptable level of false positives.

Monitor for spikes in activity. The easiest abnormal activity to spot is a spike in activity, such as a high number of login attempts by a particular account or a large number of file modifications. When you detect an anomalous spike, you should investigate promptly. If the investigation reveals the activity was not actually a threat, adjust your baseline to reduce false alerts in the future.

Stay on top of unusual activity. Watch for access patterns that are abnormal for a given user, especially the following:
  • A high number of access events — Keep an eye on frequency and volume of logins, both successful and failed, within a short period of time. The more events within a short period of time, the more suspicious the activity is. For instance, a massive number of file reads can be a sign of malicious behavior by, for example, a user who is about to leave the company or has been recently terminated. (Read more about how departing employees can turn into your worst security nightmare.)
  • Access to different files — A user’s attempts (successful or not) to read files and folders that they haven’t accessed before can also be a sign of malicious intent; the user might be looking for valuable data that can be sold, used against the employer, published on the web, etc. Focus on activity after business hours and other deviations from normal user behavior, such as access to archived company data.

Measure users against their peers. One common pitfall in threat detection is a broad analysis that includes users with different sets of responsibilities, such as an HR specialist and an IT administrator. Instead, be sure to compare the activity of each user with their own peer group. For example, logons from other cities might be routine for salespeople but unusual for building maintenance staff.

Identify and monitor shared accounts. Closely monitoring shared accounts is vital for a strong cybersecurity posture. Track logins by these accounts and analyze risk using factors such as login time and the machine’s geographical location. Multiple logins from different machines by the same shared account can be a sign that the account has been compromised.

Closely monitor service accounts and privileged accounts. Best practices require that highly privileged accounts be used rarely and only for specific tasks that other accounts cannot perform. Keep your inventory of these accounts up to date and monitor their activity closely. Look for signs of security policy violations or privilege abuse, such as use of the account to perform suspicious tasks or unusually long sessions.

Correlate data from multiple sources. Spotting some security threats requires taking advantage of multiple data sources. For example, an anomalous VPN login might not alarm you, but if you see that the same user starts accessing folders with sensitive data they never accessed before, you might want to investigate so you can respond quickly.

Keep an eye on your infrastructure resources. In addition to monitoring user activity, be sure to stay on top of activity around your file shares, databases, servers and so on. You want to spot any suspicious activity there and know who performed it. For example, multiple logons to one server by different accounts could indicate an attack by an intruder with stolen credentials or a trusted employee who has gone rogue.
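Three of the techniques above (a spike against the user's own baseline, comparison against the user's peer group rather than the whole company, and correlating an unusual VPN location with first-time access to sensitive folders) can be shown together on one constructed event stream. This is an added example, not code from the original article or from Netwrix: the (user, day, kind, detail) event tuples, the peer groups, the sensitive-folder tags, the home office city and every threshold are assumptions made for illustration.

```python
"""Baseline, peer-group and correlation checks for the detection techniques
described above. Added example, not code from the original article or from
Netwrix; all data, groups and thresholds below are constructed.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

PEER_GROUPS = {"sales": {"s1", "s2", "s3"}, "maintenance": {"m1", "m2", "m3"}}
SENSITIVE_FOLDERS = {"/finance/payroll", "/rnd/designs"}
HOME_CITY = "Berlin"
HISTORY_DAYS = ["d1", "d2", "d3", "d4", "d5"]
TODAY = "d6"


def build_sample_events():
    """Constructed audit events as (user, day, kind, detail) tuples."""
    ev = []
    base_reads = [9, 11, 10, 12, 8, 10]  # an ordinary daily file-read volume
    for group in PEER_GROUPS.values():
        for u in sorted(group):
            for d, n in zip(HISTORY_DAYS + [TODAY], base_reads):
                ev += [(u, d, "file_read", f"/shared/{u}/doc{i}") for i in range(n)]
                ev.append((u, d, "vpn_login", HOME_CITY))
    # Travel is routine for sales staff but not for maintenance; m1 is the odd one out.
    travel = {"s1": ["Paris", "Rome", "Oslo"], "s2": ["Paris", "Rome"],
              "s3": ["Paris", "Madrid", "Oslo"], "m1": ["Paris", "Rome", "Oslo"]}
    for u, cities in travel.items():
        ev += [(u, d, "vpn_login", c) for d, c in zip(HISTORY_DAYS, cities)]
    # Today: s1 logs in from a never-seen city and bulk-reads payroll data;
    # m2 reads a sensitive folder for the first time, but from the office.
    ev.append(("s1", TODAY, "vpn_login", "Lisbon"))
    ev += [("s1", TODAY, "file_read", "/finance/payroll")] * 70
    ev.append(("m2", TODAY, "file_read", "/rnd/designs"))
    return ev


def spike_alerts(events, kind="file_read", today=TODAY, zmax=3.0, min_abs=20):
    """Flag users whose count of `kind` today is far above their own history
    (z-score over previous days). min_abs keeps a tiny baseline, such as
    0 reads growing to 3, from paging anyone."""
    per_day = defaultdict(lambda: defaultdict(int))
    for user, day, k, _ in events:
        if k == kind:
            per_day[user][day] += 1
    alerts = {}
    for user, days in per_day.items():
        history = [n for d, n in days.items() if d != today]
        if len(history) < 3:
            continue  # too little history to call anything a spike
        cur, mu, sd = days.get(today, 0), mean(history), pstdev(history)
        z = (cur - mu) / sd if sd else (float("inf") if cur > mu else 0.0)
        if cur >= min_abs and z > zmax:
            alerts[user] = {"today": cur, "baseline_mean": mu, "z": round(z, 1)}
    return alerts


def peer_outliers(events, groups=PEER_GROUPS, margin=2):
    """Compare each user's number of distinct non-home login cities with the
    median of their own peer group, not with the company as a whole."""
    cities = defaultdict(set)
    for user, _, k, detail in events:
        if k == "vpn_login" and detail != HOME_CITY:
            cities[user].add(detail)
    flagged = {}
    for name, members in groups.items():
        metric = {u: len(cities[u]) for u in members}
        med = median(metric.values())
        for u, n in metric.items():
            if n > med + margin:
                flagged[u] = {"group": name, "cities": n, "peer_median": med}
    return flagged


def correlated_alerts(events, today=TODAY):
    """A VPN login from a new city alone is weak evidence; the same user also
    reading sensitive folders for the first time that day is worth a look."""
    seen_cities, seen_folders = defaultdict(set), defaultdict(set)
    today_cities, today_folders = defaultdict(set), defaultdict(set)
    for user, day, k, detail in events:
        if k == "vpn_login":
            (today_cities if day == today else seen_cities)[user].add(detail)
        elif k == "file_read":
            (today_folders if day == today else seen_folders)[user].add(detail)
    alerts = {}
    for user in today_cities:
        new_cities = today_cities[user] - seen_cities[user]
        new_sensitive = (today_folders[user] & SENSITIVE_FOLDERS) - seen_folders[user]
        if new_cities and new_sensitive:
            alerts[user] = {"new_cities": sorted(new_cities),
                            "new_sensitive_folders": sorted(new_sensitive)}
    return alerts


def detect(events):
    """Run all three checks; in practice each result feeds an alert queue."""
    return {"spikes": spike_alerts(events), "peer_outliers": peer_outliers(events),
            "correlated": correlated_alerts(events)}


if __name__ == "__main__":
    for name, result in detect(build_sample_events()).items():
        print(name, result)
```

On the constructed data, only s1 trips the spike check (80 reads against a baseline of about 10), only m1 is a peer outlier (three travel cities where maintenance peers have none, while the same number is unremarkable for sales), and only s1 produces a correlated alert; m2's first-time read of a sensitive folder stays a single weak signal because it came from the usual location. The `min_abs` floor and the "adjust your baseline after a benign investigation" step from the text are the two knobs that keep this kind of logic from flooding analysts.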

How can Netwrix help?

Data access governance software from Netwrix provides an effective and scalable approach to insider threat prevention. Moreover, it will help you reduce the risk of cybersecurity incidents by enabling you to understand who has access to what and strictly limit access to sensitive data. You can:
  • Audit activity across your IT ecosystem.
  • Reduce access to sensitive data to the required minimum to reduce the risk of insider threats and minimize the damage from ransomware and other attacks.
  • Streamline regular privilege attestations by data owners.
  • Protect sensitive data wherever it goes with accurate and consistent tagging of content.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.