7 Warning Signs of an Insider Threat

Insider threats are employees who carry out cyber-attacks against their own organization, and they can account for the majority of a company's data loss. However, plenty of red flags show up ahead of time if you know what to look for.

According to CA Technologies, over 50% of organizations suffered an insider threat-based attack in 2018, and 25% say they suffered more attacks than in the previous year. 90% of those organizations admitted to feeling vulnerable to insider threats.

Insider threats take several forms: an employee who leaks information by mistake, an outsider impersonating an insider with stolen credentials, or an insider seeking revenge or money. Spotting insider threats can be difficult, but there are warning signs that can alert the company to a potential incident before it occurs.

These attacks can be very costly. According to Ponemon, a successful internal attack costs $600,000 on average. Talk about pricey!

Insider Threat Examples

One of the most well-known insider attacks was carried out by Edward Snowden, the contractor who leaked thousands of documents revealing how the National Security Agency (NSA) and other intelligence agencies operate. Chelsea Manning is another example: she leaked a large cache of military documents to WikiLeaks.

Another insider case is Anthony Levandowski, the founder of Otto Motors. He reportedly stole 14,000 files from Google's Waymo autonomous car project to start his own company. This hurt the company's finances so much that it ended up giving Google a stake in its business.

Let’s look at some of the warning signs of an insider threat:

1. Major changes at the organization

When it comes to insider attacks, there are usually obvious physical signs before the digital red flags become apparent. Dr. Jamie Graves, VP of product management and security analytics at ZoneFox, a behavioral analytics company later acquired by Fortinet, says, “Usually, there is some sort of organizational change or event that precedes an attack. The most common are if, as an organization, you go through great change: you’re going to be acquired or you’re going through redundancies.”

He goes on to say, “If you dig into it, there’ll be a reason why in there. There could be an indicating factor, and then when you talk to people in your organization they say, ‘Oh yes, Bob, he’s coming up for redundancy, or he’s failed a review, etc.’ You need to have your ducks in a row when it comes to monitoring for that sort of [malicious] behavior.”

2. Personality and behavioral changes

Personality and behavioral changes are often the first sign of a potential insider threat. The individual may be clearly and vocally unhappy, or may seem to lack motivation. Talking about money troubles, working unusually long hours or over the weekend, or doing a larger share of work hours from home can also be indicators.

Speaking poorly of the company or discussing looking for new jobs should be taken as warning signs. Tom Huckle, lead cyber security consultant and head of training and development at Crucial Academy, a cyber-security training firm, touches on this subject. He says, “If you use LinkedIn Recruiter, you can see if your employees are searching for new roles when they opt in to the option of ‘Looking for New Opportunities.’ If you do not have access to this, other telltale signs could include them engaging with suspicious parties [on social media] through likes and comments.”

3. Employees leaving the company

Those leaving the company, whether by their own volition or not, are the most likely to consider taking data with them. Most IP theft by insiders occurs within 30 days of an employee leaving a company. Those with a history of ignoring security protocol should be monitored closely: a Deloitte study showed that 50% of employees known to have been involved in insider attacks had a history of breaking IT security protocols.

4. Insiders accessing large amounts of data

If the behavioral red flags are overlooked, there will still be digital warning signs that someone is actively conducting or considering an insider attack. Tom Tahany, intelligence analyst at Blackstone Consultancy, says, “Insiders no longer have to photocopy, photograph, or remove large swaths of physical documents from an office space. Rather, the downloading of several terabytes of data from an online reservoir can be done within minutes from a remote location and distributed rapidly.” Accessing and downloading large amounts of data is a very strong indication that you have an insider threat.

5. Unauthorized insider attempts to access servers and data

Many insiders go through a reconnaissance stage, where they look into what data and/or systems they have access to. Carolyn Crandall, chief deception officer at Attivo Networks, says, “Warning signs include attempts by authorized users to access servers or data they shouldn’t be, authorized users accessing or requesting access to information that is unrelated to their roles or job duties, and theft of authorized user credentials. Whether the activity is from an authorized employee just poking around where they shouldn’t be out of curiosity, an authorized employee with malicious intentions accessing servers or data to cause damage or steal information, or an external attacker that has obtained valid credentials of an authorized user, if any of these activities are detected it is cause for alarm.”

6. Authorized but unusual insider access to servers and data

Individuals accessing areas of the database they have permission to access but would rarely or never need during their day-to-day work, modifying many files in a short amount of time, staying later or arriving earlier than usual, or repeatedly trying (and failing) to access areas they don’t have permission for are all clues that an internal attacker may be present.

7. Attempts to move data offsite

The last stage is the individual (or individuals) trying to move the data out. Examples of this are large downloads to external storage (USB drives, for example), big uploads to personal cloud apps (Dropbox, for example) when your organization doesn’t use that application, or large numbers of emails with many attachments sent outside the company.

USB drives are still a practical way to remove large amounts of data with a small footprint, and remote late-night downloads are also very common. Cisco’s cloud data exfiltration study found that 62% of questionable downloads happened outside regular business hours, and 40% took place on weekends. Keep in mind that even small amounts of data can contain the sensitive information an internal attacker wants.

Jeff Williams, CTO and co-founder at Contrast Security stated, “A credit card is 12 digits from 0 to 9, easily stored in 6 bytes. That means 100,000 credit cards fits into 60KB, a million is only .6 megabytes. You could easily hide that data in a picture or document and nobody would ever detect it.”
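The digital signs in points 4 through 7 (large off-hours downloads, repeated denied access attempts, uploads to cloud apps the organization does not use) can be checked against an access log. The following is an added example, not code from the article or from any vendor quoted in it; the log format, the sanctioned-host list and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from a real system): timestamp,user,action,target,bytes,result
# 2024-03-02 is a Saturday; 2024-03-04 is a Monday.
SAMPLE_LOG = """\
2024-03-02T23:14:05Z,alice,download,fileshare:finance/forecasts,1500000000,ok
2024-03-02T23:40:11Z,alice,download,fileshare:finance/customers,900000000,ok
2024-03-03T00:05:32Z,alice,upload,dropbox.com,2300000000,ok
2024-03-04T10:12:00Z,bob,access,hr-db:salaries,0,denied
2024-03-04T10:12:30Z,bob,access,hr-db:salaries,0,denied
2024-03-04T10:13:02Z,bob,access,hr-db:performance,0,denied
2024-03-04T14:20:00Z,carol,download,fileshare:marketing/deck,40000000,ok
2024-03-04T14:25:00Z,carol,upload,sharepoint.example.com,40000000,ok
"""

SANCTIONED_UPLOAD_HOSTS = {"sharepoint.example.com"}  # assumed approved destinations
OFF_HOURS_BYTES = 1_000_000_000  # assumed threshold: 1 GB pulled outside business hours
DENIED_ATTEMPTS = 3              # assumed threshold for repeated failed access

def is_off_hours(ts):
    # Weekend, or outside 08:00-18:00 (the windows Cisco's 62%/40% figures point at)
    return ts.weekday() >= 5 or not 8 <= ts.hour < 18

def flag_insider_signals(log_text):
    stats = defaultdict(lambda: {"offhours_bytes": 0, "denied": 0, "unsanctioned": set()})
    for line in log_text.strip().splitlines():
        ts, user, action, target, nbytes, result = line.split(",")
        ts = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        s = stats[user]
        if action == "download" and result == "ok" and is_off_hours(ts):
            s["offhours_bytes"] += int(nbytes)          # sign 4 / sign 7: bulk pulls after hours
        if result == "denied":
            s["denied"] += 1                            # sign 5 / sign 6: poking at forbidden data
        if action == "upload" and target not in SANCTIONED_UPLOAD_HOSTS:
            s["unsanctioned"].add(target)               # sign 7: data leaving to unapproved apps
    flags = {}
    for user, s in stats.items():
        reasons = []
        if s["offhours_bytes"] >= OFF_HOURS_BYTES:
            reasons.append(f"off-hours downloads: {s['offhours_bytes'] // 1_000_000} MB")
        if s["denied"] >= DENIED_ATTEMPTS:
            reasons.append(f"{s['denied']} denied access attempts")
        if s["unsanctioned"]:
            reasons.append("upload to unsanctioned host(s): " + ", ".join(sorted(s["unsanctioned"])))
        if reasons:
            flags[user] = reasons   # users with no triggered signal are left out
    return flags
```

Run against the sample, alice is flagged for 2400 MB of weekend downloads and an upload to dropbox.com, bob for three denied attempts on HR data, and carol (business-hours work to an approved host) is not flagged.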

Maintaining Employee Trust

One red flag doesn’t always mean that someone is guilty of a crime, and there should be a degree of trust between employers and employees. That being said, these are the warning signs to look out for, and prevention is better than the cure. Cooperation, collaboration, and communication between departments are one step toward an effective insider threat management program.