Decoding the Enigma of Insider Threats

Andrew Rose, Resident CISO at Proofpoint highlights the growing concern about insider threats in businesses, emphasizing the rise of human error as a significant cybersecurity vulnerability. The article also delves into the changing attacker tactics, the diminishing intimacy between staff due to remote work, and the weaknesses in existing security controls.  

In today’s digital era, the concern of insider threats is on the rise, creating a significant challenge for businesses. While malicious insiders are rare, legal options through employment contracts offer some protection. Nonetheless, there’s an ongoing issue with staff who, despite training, tend to take shortcuts and make mistakes. Proofpoint’s 2023 Voice of the CISO report discloses that there has been an increase in the number of CISOs in the UAE (59% this year vs. 50% in 2022), who view human error as their organization’s biggest cyber vulnerability.

The reason insider threats have gained prominence in boardroom discussions boils down to three key factors that are interlinked: Attackers have changed tactics; employers are less intimate with their staff; and the existing controls that kept a lid on insider threats are becoming increasingly ineffective.

Developing Attacker Techniques
The key driver behind the escalation of insider threats is attackers' focus on credential theft as their main attack path. The 2023 Verizon DBIR showed that 53% of all successful breaches in the EMEA region now use stolen credentials.

By using a real identity for the attack, criminals can extend their attack chain by weaponizing the trust that the hacked identity maintains. When colleagues, suppliers, and family receive emails from the compromised account, they take them seriously, and the likelihood of a misplaced click, an unwise engagement or a mistaken payment is greater. This weaponization of trust is why we now see most malware lurking in places that users commonly rely on—such as OneDrive, SharePoint, and Dropbox.

Lack of Staff Intimacy
Ever since COVID, everything about work/life has changed. Fewer people are going into the office, and mandatory in-person attendance discourages job applicants. Many staff are now recruited entirely over video, and work remotely, so the opportunity to establish a real ‘connection’ is dwindling.

This leads to a ‘stretching’ of the organisational perimeter. We permit staff to use their own hardware in their work, thereby risking vulnerabilities at home that allow localised malware to capture keyboard inputs or screenshots. We also permit data access from anywhere, increasing the challenge to ensure that it only flows to the right places and compounding the likelihood of insider threats such as data leaks and spills. Findings of a recent Proofpoint study revealed that 72% of organizations in the UAE reported that they have experienced data loss due to an insider’s action.

During the ‘great resignation’, firms discovered that departing employees can develop an affinity for certain corporate data and take it with them when they leave, potentially causing serious damage to intellectual property. In the UAE, 75% of CISOs who experienced a data loss event cited employees leaving the organisation as a contributing factor. The inability to trace and control data as it flows to increasingly remote locations remains a major cause of data loss.

Existing Controls Are Failing
Many of these issues should be fixable, but our technology decisions and research & development by cyber criminals have weakened our existing control capability.

A common insider threat control is a whistle-blower hotline, where staff can report suspicious behaviour, concerns, or outlying conduct. The remote working model has massively devalued this control as staff rarely get to spend time together today, interacting just across video calls and email, thus obscuring their behaviours and opinions.

The shift to cloud-based data and various real-time communication channels stretches many data leak prevention (DLP) tools, allowing sensitive data to be easily duplicated and moved without detection.

Finally, for many years, multi-factor authentication (MFA) was perceived as a powerful control to prevent identity and access compromise. Unfortunately, attackers have now developed tools such as EvilProxy to commoditise the theft and bypass of MFA, so even this trusted protection is no longer as effective as it once was.

Where Now for Insider Threat Management?
MFA remains crucial but needs to be applied dynamically for a stronger defence, supported by increased levels of behavioural monitoring. While it may be challenging to define every suspicious activity, the 80/20 rule can be effective in this area: a small set of high-signal behaviours, such as changing a file extension or creating a password-protected, concatenated ZIP file, catches much of what matters. Additionally, automating the collection of behavioural evidence and threat intelligence before opening a ticket would reduce unnecessary searches by SOC staff.
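As an added illustration (not code from the article or from Proofpoint), the following Python triage routine encodes the two 80/20 signals named above, a rename that changes the file extension and the creation of a password-protected or concatenated ZIP, and runs them over constructed file-activity events so the evidence is gathered before a ticket is raised. The event tuple layout and the minimal ZIP builder are assumptions made for this demo.

```python
import struct
from pathlib import PurePath

LOCAL_HEADER_SIG = b"PK\x03\x04"   # ZIP local file header signature
EOCD_SIG = b"PK\x05\x06"           # end-of-central-directory record, one per well-formed archive
FLAG_ENCRYPTED = 0x0001            # general-purpose bit 0: entry is password-protected

def extension_changed(old: str, new: str) -> bool:
    """A rename that swaps the extension (e.g. .xlsx -> .jpg) is a classic disguise attempt."""
    return PurePath(old).suffix.lower() != PurePath(new).suffix.lower()

def zip_is_password_protected(data: bytes) -> bool:
    """True if any local file header in the stream has the encryption flag set."""
    pos = data.find(LOCAL_HEADER_SIG)
    while pos != -1 and pos + 8 <= len(data):
        if struct.unpack_from("<H", data, pos + 6)[0] & FLAG_ENCRYPTED:
            return True
        pos = data.find(LOCAL_HEADER_SIG, pos + 4)
    return False

def zip_is_concatenated(data: bytes) -> bool:
    """A well-formed archive has exactly one EOCD record; more means archives were appended."""
    return data.count(EOCD_SIG) > 1

def minimal_zip(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Constructed test stream (assumption for the demo): one stored entry plus an EOCD, no central directory."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    header = struct.pack("<4sHHHHHIIIHH", LOCAL_HEADER_SIG, 20, flags, 0, 0, 0, 0,
                         len(payload), len(payload), len(name), 0)
    eocd = struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, 1, 1, 0, 30 + len(name) + len(payload), 0)
    return header + name + payload + eocd

def triage(events):
    """events: (user, action, path, detail), detail = new path for a rename or bytes for a create; returns (user, path, reason)."""
    alerts = []
    for user, action, path, detail in events:
        if action == "rename" and extension_changed(path, detail):
            alerts.append((user, detail, "extension changed"))
        elif action == "create" and path.lower().endswith(".zip"):
            if zip_is_password_protected(detail):
                alerts.append((user, path, "password-protected zip"))
            if zip_is_concatenated(detail):
                alerts.append((user, path, "concatenated zip"))
    return alerts

SAMPLE_EVENTS = [  # constructed sample file-activity events, not real telemetry
    ("alice", "rename", "/finance/q3_forecast.xlsx", "/finance/q3_forecast.jpg"),
    ("bob", "create", "/home/bob/notes.zip", minimal_zip(b"notes.txt", b"hello", False)),
    ("carol", "create", "/home/carol/out.zip", minimal_zip(b"a.txt", b"x", True) + minimal_zip(b"b.txt", b"y", False)),
]
```

Running `triage(SAMPLE_EVENTS)` flags alice's rename and both ZIP signals on carol's archive while bob's plain archive passes, which is the kind of pre-ticket evidence the paragraph describes.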

Finally, implementing a DLP solution tailored for the multi-cloud reality is essential. Antiquated DLP gateways will not track the unauthorised duplication and dissemination of data; however, each instance of untracked, unauthorised data duplication serves as a red flag for potential insider threats!

The Verizon DBIR 2023 states that in the EMEA region 98% of cyber-attacks started externally, and only 2% were initiated internally and most of these attacks had a financial motive.

While the number of malicious and negligent insider threats hasn’t changed much, the scale of the damage they can do to a digital enterprise has grown. However, the compromise of legitimate credentials by external threat actors on an industrial scale has changed the game entirely and pushed insider threats to the top of the boardroom agenda.