Almost all data breaches involve the use of legitimate login credentials. Guarding against these ‘insider threats’ requires the ability to detect when cybercriminals are using stolen credentials. Sadly, traditional network security tools are not effective in identifying or mitigating these threats. However, a new breed of user behaviour analytics solutions has been designed for this specific purpose and is proving effective.
It’s true that employees or other insiders can often be traced to a data breach. However, the largest and most damaging data breaches are generally at the hands of outside hackers, organised crime, opposing governments, competitors or hacktivists. While they are not insiders themselves, these criminals almost always depend on obtaining login credentials belonging to insiders, especially those that have administrative privileges. The number one objective of a cybercriminal is to obtain login credentials for individuals with access to sensitive data. Once that has been accomplished, the imposter poses as a privileged insider, penetrates the system and copies the information they’re after.
Whether by outsiders or from within, the unauthorised or negligent use of insider login credentials and privileges is the common denominator in nearly all cybercrimes. Given this broader definition of insider threats, there are numerous activities related to the use of login credentials and user activities that must be monitored to guard against cybercrime.
Compromised service account. Service accounts are used by operating systems and various applications to perform automated background tasks. These accounts, usually unmonitored, hold high access rights and are under constant risk of attack and compromise. Their activity should be monitored to ensure they are not accessing systems they shouldn’t be, transmitting data to unauthorised recipients and so on.
Exfiltration attempts. Data exfiltration is a big concern in many organisations. Detecting data leaks has become more difficult as additional technologies and methods to transfer data emerge. Monitoring abnormal user behaviour such as accessing data that’s not normally dealt with by the user, or transmitting data to unusual destinations can detect data exfiltration attempts.
Credential sharing. Studies show that more than 20 percent of employees share their passwords with someone else, even though it’s strictly against policy. Monitoring simultaneous, remote, or unusual usage of user accounts can help detect and mitigate credential sharing.
Snooping users. In search of sensitive or valuable data, rogue insiders and malicious outsiders scan corporate systems hoping to find and access information they can sell or use for their own gain. Detecting and investigating such unusual user behaviour can ward off impending cybercrimes.
Departing employee. Employees who are preparing to leave an organisation may pose a security threat. Even though departing employees may carry a high risk of data exfiltration and even sabotage, very few tools can effectively monitor their actions and detect suspicious behaviour. Security personnel need to implement solutions designed to specifically and automatically monitor the accounts of departing employees and raise alerts if their behaviour is suspicious.
Unauthorised third party access (business partners and other suppliers). Contractors, business partners, and other service providers often have access to sensitive corporate data. However, they are not usually subject to the same security practices and policies as the hosting enterprise. As a result, applications or devices may become infected with malware designed to steal login credentials. It’s especially incumbent on the hosting enterprise to monitor the behaviour of all third party users.
Network misconfiguration. By monitoring normal user behaviour, an anomalous act can often reveal an improperly configured security setting. For example, if an employee accesses a system that’s outside of their normal work pattern, it often indicates a hole in the security policies or settings. Correcting the misconfigurations in a timely manner can prevent imminent and future attacks.
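The monitoring categories above share one mechanism: learn what an account normally does, then alert on deviation. The following added example (not from the original article or any particular UBA product) builds a per-account baseline from constructed access records and flags two of the patterns described: an account, such as a service account, reaching a host outside its baseline, and the same credentials used from two source addresses within a short window, a simple credential-sharing signal. The record layout, account names and addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access records: (user, source_ip, host, timestamp).
# These are illustrative, not real logs; a UBA tool would ingest equivalent
# events from authentication and access logs.
BASELINE = [
    ("alice", "10.1.1.5", "fileshare", "2024-01-08T09:00:00"),
    ("alice", "10.1.1.5", "crm", "2024-01-09T10:15:00"),
    ("svc_backup", "10.1.2.9", "fileshare", "2024-01-08T02:00:00"),
    ("svc_backup", "10.1.2.9", "fileshare", "2024-01-09T02:00:00"),
]
NEW_EVENTS = [
    ("alice", "10.1.1.5", "crm", "2024-01-10T09:05:00"),         # normal
    ("alice", "203.0.113.7", "crm", "2024-01-10T09:12:00"),      # 2nd IP in 7 min
    ("svc_backup", "10.1.2.9", "hr-db", "2024-01-10T02:30:00"),  # host not in baseline
]


def build_profiles(events):
    """Per-user baseline from a learning period: hosts and source IPs seen."""
    profiles = defaultdict(lambda: {"hosts": set(), "ips": set()})
    for user, ip, host, _ in events:
        profiles[user]["hosts"].add(host)
        profiles[user]["ips"].add(ip)
    return profiles


def detect(events, profiles, window=timedelta(minutes=15)):
    """Return (user, rule, detail) alerts, processed in time order:
    - unusual_host: access to a host absent from the user's baseline
      (service-account misuse, snooping, or a policy misconfiguration);
    - concurrent_sources: same account active from two different source IPs
      within `window` (a credential-sharing or stolen-credential signal)."""
    alerts = []
    last_seen = {}  # user -> (source_ip, time) of the most recent event
    for user, ip, host, ts in sorted(events, key=lambda e: e[3]):
        t = datetime.fromisoformat(ts)
        profile = profiles.get(user)  # .get() avoids creating empty profiles
        if profile and host not in profile["hosts"]:
            alerts.append((user, "unusual_host", host))
        prev = last_seen.get(user)
        if prev and prev[0] != ip and t - prev[1] <= window:
            alerts.append((user, "concurrent_sources", f"{prev[0]},{ip}"))
        last_seen[user] = (ip, t)
    return alerts
```

Accounts with no learned profile produce no host alerts, so a real deployment would still need a baseline for every account it is expected to cover.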
Detecting insider threats is essential in today’s environment and doing so calls for the diligent use of a number of cybercrime prevention techniques. Whether it’s a malicious employee or an outsider using compromised credentials, businesses must be on alert and maintain vigilant monitoring, focusing their attention internally on user behaviour and suspicious activity to thwart potential insider attacks.