How to Recognize and Address Insider Threats

insider threats featured

According to federal prosecutors with the U.S. Navy, veteran Johnathan Toebbe, alongside his wife Diana Toebbe, attempted to sell sensitive information regarding Virginia-class submarines. This wouldn’t be the first time an insider threat led to a potential leak of crucial military information, but the fact that it has happened in 2021 indicates that even in 2021, mitigating insider threats is still a vital issue. 

This news should be abundantly clear that insider threats are still a significant problem in modern cybersecurity. Here we’ll discuss what insider threats are and what you can do to reduce or mitigate the dangers of these threats for your organization. 

What Is an Insider Threat?

We tend to think of an insider threat as something that government agencies worry about. Secret documents, foreign agents and clandestine meetings are all part of this romanticized version of covert theft. 

But espionage is a real danger for many organizations. There is always the threat of insider breach in areas like federal systems or defense applications (as we’ve seen numerous times, including the most recent incident discussed above). But corporations and even mid-sized businesses can be victims of industrial or corporate espionage executed by an insider with access to resources others don’t have. 

Simply put, an insider threat is the threat of a security breach or the theft of data by someone inside your organization. Insider threats are particularly insidious because they are much harder to predict and counteract. Attacks by outside agents can be modeled and secured against, but it’s much more challenging to know if and when someone who works under you will suddenly decide to abuse their privileges for ill-gotten gain. 

That being said, there are two types of insider threats that you should consider as realistic scenarios for your business:

  • Malicious Threats: These are threats that are what they are: attempts to steal information from you for purposes of profit or other gains.
  • Accidental Threats: Accidents do happen, unfortunately, and in some rare cases it is possible that someone in your organization can unwittingly disclose information to others without intention to do so. 

In the case of the latter type of threat, the best you can do is shore up system security and employee training to avoid accidents before they occur. However, in the case of malicious threats, you must have followed security and compliance procedures to prevent the problem and mitigate damage should it occur. 


How Do I Recognize Insider Threats? 

insider threats

The most significant challenge posed by insider threats is that they are unpredictable. Anyone can be a potential threat. That’s not to sound paranoid, but rather to highlight that in many cases, the individual posing a threat is usually a trusted employee or contractor. For example, Edward Snowden was a subcontractor working with the CIA and NSA with access to highly classified information on, among other networks, the DoD SIPRNet system. Chelsea (nee Bradley) Manning was a member of the U.S. Army with access to classified systems for years. 

This isn’t to say that recognizing threats is an impossible task, but instead that it takes a certain attention to detail to have any chance of success. Some of these details can include:

  1. Sudden Changes in Behavior, including isolation, secretiveness or depression. Changes in behavior can also include changes in digital behaviors, such as attempts to access files outside the scope of work or long work hours at secure terminals. 
  2. Challenges at Home, such as accruing debts, loss of property or family or other areas where money could be used as leverage for blackmail. 
  3. Political Changes, such as sudden shifts into seemingly radical ideologies or fascination with foreign states. This kind of warning signal can also coincide with recent or repeated trips to the same foreign countries, or a sudden uptick in international travel. 

These details are broad, and in many cases, fall out of the scope of cybersecurity. And yet, they are some of the most important facets to understanding the potential for an insider threat. They call on you and your team to step out from behind the IT system and the computer monitor and look at the inner workings of your organization. While physical and administrative security are parts of most compliance frameworks, they cannot speak directly to the nuances of your team and any warning flags that may arise from them. 


Can I Prevent Insider Threats?

In short, not entirely. Like any security approach, insider threat prevention will always face challenges regarding how comprehensively you can protect information. This challenge is only compounded by the fact that you have to give some level of trust to employees and contractors above and beyond other stakeholders. 

That doesn’t leave you powerless, however. There are several steps you can take to help blunt these threats: 

  • Perform Wide-Ranging Risk Assessment: Risk assessment isn’t simply about understanding technical security gaps. Skilled risk assessors can determine risks in every part of your organization. And, just because you’ve identified someone (or a position, or a department) as a risk doesn’t mean that they are a problem–it simply means that you should pay special attention to their situation. 
  • Leverage Physical Security Measures: Keypads, locked data centers, monitored and secured workstations all go a long way towards protecting key assets. Although an insider most likely has some sort of access to anything they might steal, physical controls limit the pool of potential risks related to any resource while providing the system necessary to track who accesses what resources and when. 
  • Extensive Logging and Monitoring: Speaking of tracking, audit trails and monitoring are critical for preventing and remediating insider threats. Your organization should have immutable logging capabilities and extensive reporting to help you understand who uses resources, when and for what purpose. These logs are a great resource for tracking potentially risky or telling behaviors before a breach occurs, and they provide forensics for remediation after the fact. 
  • Use Advanced Identity Proofing: Modern IAM is evolving every day. While MFA and strong passwords can secure your system to some extent, they aren’t going to stand up to a long-planned insider attack. More advanced security like passwordless entry and compliant identity proofing can significantly limit overlaps in resource access. 
  • Enforce Strict Role- or Attribute-Based Access Control (RBAC or ABAC): Your organization should have clear, strict and regularly reviewed policies on permissions, access controls, and roles. No person in your organization should have any access to information that doesn’t serve their job. RBAC and ABAC can give you granular access controls without sacrificing usability. 


Prepare Your Security and Compliance Infrastructure with Lazarus Alliance

Insider threats are a real, ever-present challenge for government agencies, public organizations and private businesses. Because they are so unique, however, they can be hard to prevent. 

With Lazarus Alliance, you can work with a security firm with decades of experience hardening IT systems, auditing for complex compliance requirements and helping organizations like yours prepare for the most challenging security threats, even those that come from the inside. 


Ready to Look Inward and Prevent Insider Threats?

Call Lazarus Alliance at 1-888-896-7580 or fill our this form to learn more on our penetration testing and red team services. 

Lazarus Alliance