External attackers and hacker groups are, understandably, the threat sources organizations fear most.
Internal threats, however, should not be overlooked: what an insider can do depends on their objective and capabilities, and above all on their function and the access rights that come with it.
An insider's capacity for harm is significant, given the broad view they may have of the organization's entire information system. And unlike external threat sources, insiders already have access to the internal network and, knowing the technological environment, can largely skip the reconnaissance phase.
Insiders therefore do not need to run noisy reconnaissance, do not need malware, and have learned to disguise their activities just as outside attackers do. These advanced, persistent insiders can take their time to locate valuable corporate IP or monetizable data, then use their legitimate access to exfiltrate it without being noticed.
How to protect your organization?
Build Your Strategy and Your Governance Model
Before looking at technical measures, the establishment of an information security governance framework is an essential foundation that will allow the organization to have a strategy and a basis on which to implement adequate security controls.
This governance framework rests in particular on information security rules that apply at every level of the organization and that are formalized in specific policies.
To go further, the development of a security strategy requires the implementation of a cybersecurity program that establishes a roadmap and a projection of the level of maturity to be reached. This vision is essential to know where we are, where we need to go and how we get there.
Furthermore, defining and implementing a risk-based approach makes it possible to address the organization's critical weaknesses and to prioritize where it makes sense. This risk management must be part of a global approach in which information security risks (including, but not limited to, ICT risks) are tied directly to the business consequences they would cause.
In more advanced approaches, the cyber risk assessment can also be quantified in terms of potential financial loss (quantification of cyber risk) in order to be able to express the direct and indirect financial consequences of a cyber security incident.
Know where your data is and how critical it is
Knowing where the organization's data is seems like a simple principle, but building a data map and determining where that data actually resides within the information system is often complex.
This visibility is essential to determine which types of data are essential and critical to business continuity, and what level of confidentiality each requires.
Once the mapping is established, it becomes possible to identify sensitive data stored in areas of the information system that do not have an adequate level of security. The same mapping often reveals that this data is accessible to a wider internal population than intended.
The criticality of information also implies knowing the classification level that has been assigned to it and deriving the security measures that level requires.
From a malicious insider's point of view, weak control over data management directly increases the capacity to do harm: the insider gains access to a larger volume of data, and therefore to confidential information they were never authorized to see.
Access Control and Management of Privileged Access Rights
The principle of least privilege remains essential and must be built into the access allocation model. Such models are the cornerstone of access rights management: they assign a user the rights appropriate to their roles within the organization and to the context in which they access the data.
In many organizations, however, the "same access as" practice (cloning an existing colleague's rights for a newcomer) is still far too common, with the excessive access rights and accompanying risks that result.
Along the same lines, segregation of duties at the level of privileged access (networks, databases, systems) prevents a single insider from carrying out a number of sensitive tasks end to end.
For IT administrative work, Microsoft recommends a least-privilege administrative model. This may involve granting administrative access only on selected machines, rather than for the entire domain, and then limiting the ability of these "local admin" accounts to be taken over by attackers or insiders.
Analyzing toxic combinations of access rights also makes it possible to identify whether someone has the capacity, for example, to carry out malicious activity and then erase the traces or remove the monitoring rules that would reveal it. It is therefore essential, as far as possible, to define rules on which combinations of access rights may never be cumulated by one person.
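As an added example (not code from the original article), the following Python script encodes a set of forbidden permission pairs and checks both a role-to-permission model and the actual user assignments against them. The role names, permission names, rule set and user assignments are constructed for illustration and are not taken from any product or standard.

```python
"""
Added example (not code from the original article): segregation-of-duties check for
"toxic combinations" of access rights. Roles, permissions, rules and user assignments
below are constructed for illustration and do not come from any product or standard.
"""
from itertools import combinations

# Role -> permissions granted by that role (constructed sample model).
ROLE_PERMISSIONS = {
    "db_admin":        {"db.read", "db.write", "db.schema"},
    "backup_operator": {"db.read", "backup.create", "backup.restore"},
    "siem_admin":      {"siem.rules.edit", "siem.logs.delete"},
    "iam_admin":       {"iam.user.create", "iam.group.modify"},
    "analyst":         {"db.read", "siem.alerts.view"},
}

# Permission pairs that one person must never hold together, with the rationale.
TOXIC_PAIRS = [
    ("db.write", "siem.logs.delete",
     "can alter data and then erase the audit trail"),
    ("iam.user.create", "siem.rules.edit",
     "can create a shadow account and blind the detection rules"),
    ("backup.restore", "iam.group.modify",
     "can roll back to a stale state and grant themselves new rights"),
]

# User -> assigned roles (constructed sample assignments).
SAMPLE_ASSIGNMENTS = {
    "alice": ["db_admin", "siem_admin"],
    "bob":   ["analyst"],
    "carol": ["backup_operator", "iam_admin"],
}


def effective_permissions(roles):
    """Union of the permissions granted by all the given roles; unknown roles raise."""
    perms = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        perms |= ROLE_PERMISSIONS[role]
    return perms


def toxic_combinations(assignments):
    """Check actual assignments: return (user, perm_a, perm_b, rationale) per violation."""
    findings = []
    for user, roles in assignments.items():
        perms = effective_permissions(roles)
        for a, b, why in TOXIC_PAIRS:
            if a in perms and b in perms:
                findings.append((user, a, b, why))
    return findings


def conflicting_role_pairs():
    """Check the model itself: derive which roles (alone or in pairs) can never be
    assigned together, so the rule can be enforced at provisioning time rather than
    discovered afterwards in an access review."""
    roles = sorted(ROLE_PERMISSIONS)
    conflicts = set()
    for combo in list(combinations(roles, 1)) + list(combinations(roles, 2)):
        perms = effective_permissions(combo)
        if any(a in perms and b in perms for a, b, _ in TOXIC_PAIRS):
            conflicts.add(combo)
    return conflicts


if __name__ == "__main__":
    print("Role combinations forbidden by the model:")
    for combo in sorted(conflicting_role_pairs()):
        print("  " + " + ".join(combo))
    print("Violations in current assignments:")
    for user, a, b, why in toxic_combinations(SAMPLE_ASSIGNMENTS):
        print(f"  {user}: {a} + {b} ({why})")
```

The rules are expressed in terms of permissions rather than roles so that they survive a redesign of the role model; conflicting_role_pairs derives the role-level rule from them. In practice the model and the assignments would be exported from the directory or IAM system and the check run as part of every access review and every provisioning request.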
Ability to Detect and React to Limit the Consequences
Recording the various activities within systems is crucial to be able to detect abnormal activity and react quickly. Correlating these events in a SIEM goes a step further and determines whether predefined use cases are matched (a change to a domain admin group, creation of an account with a certain type of rights, etc.). A SOC then becomes your best friend for monitoring and reacting before it is too late.
Sneaky insiders access internal certificates, use encryption software and create shadow accounts as part of their tactics, yet their behavior profiles still differ from those of normal users. Software built on behavioral "threat models" is tuned to find the patterns insiders typically fall into, patterns that standard intrusion or malware detection software does not necessarily alert on.
As an example of an extreme behavior change, ransomware copies and encrypts a massive number of files in a short time using a user's credentials. A threat model that targets this particularly noisy behavior can alert IT staff to take immediate action and disable the account running the ransomware. For a more subtle example, an employee with access to an executive's mailbox could read sensitive emails and mark them as unread again to hide the activity. The executive would never know unless someone proactively watches for these actions.
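The following Python script is an added example, not code from the original article or from any product, that runs the two kinds of logic described above over a constructed event log: fixed SIEM use cases (a privileged group change, an account created with admin rights) and behavioral rules (a burst of file modifications under one user's credentials, and a read of another person's mailbox followed by marking the message unread again). The field names, group names, thresholds and sample events are all assumptions.

```python
"""
Added example (not code from the original article or any product): a minimal detection
pass over a constructed event log, combining fixed SIEM use cases with behavioral rules.
Field names, group names, thresholds and the sample events are assumptions.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}  # assumed group names
MASS_CHANGE_THRESHOLD = 50                   # more than this many file modifications ...
MASS_CHANGE_WINDOW = timedelta(seconds=60)   # ... by one user inside this window
UNREAD_COVER_WINDOW = timedelta(minutes=5)   # read of someone else's mail, then mark-unread


def parse_events(lines):
    """Parse JSON-lines events (assumed fields: ts in ISO 8601, user, action, ...), sorted by time."""
    events = [json.loads(line) for line in lines if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (rule, user, detail) alerts in event order."""
    alerts = []
    recent_mods = defaultdict(deque)   # user -> timestamps of file modifications in the window
    mass_alerted = set()               # alert once per user for the mass-change rule
    last_read = {}                     # (actor, mailbox, message) -> time of the read
    for e in events:
        user, action, ts = e["user"], e["action"], e["ts"]
        # Fixed use cases: privileged group change, privileged account creation.
        if action == "group_member_added" and e.get("group") in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_change", user,
                           f"{e['member']} added to {e['group']}"))
        if action == "account_created" and PRIVILEGED_GROUPS & set(e.get("groups", [])):
            alerts.append(("privileged_account_created", user, e["account"]))
        # Behavioral: too many file modifications by one user in a sliding window.
        if action == "file_modified":
            window = recent_mods[user]
            window.append(ts)
            while ts - window[0] > MASS_CHANGE_WINDOW:
                window.popleft()
            if len(window) > MASS_CHANGE_THRESHOLD and user not in mass_alerted:
                mass_alerted.add(user)
                alerts.append(("mass_file_modification", user,
                               f"{len(window)} files in {MASS_CHANGE_WINDOW.seconds}s"))
        # Behavioral: read another person's mailbox, then mark the message unread again.
        if action == "mail_read" and e["mailbox"] != user:
            last_read[(user, e["mailbox"], e["message_id"])] = ts
        if action == "mail_mark_unread" and e["mailbox"] != user:
            read_ts = last_read.pop((user, e["mailbox"], e["message_id"]), None)
            if read_ts is not None and ts - read_ts <= UNREAD_COVER_WINDOW:
                alerts.append(("covert_mailbox_read", user,
                               f"{e['mailbox']} message {e['message_id']}"))
    return alerts


def build_sample_log():
    """Constructed sample events (not real logs): benign edits, a ransomware-like burst,
    a domain admin group change, and a read-then-unread on an executive's mailbox."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)

    def ev(offset_s, **fields):
        return json.dumps({"ts": (t0 + timedelta(seconds=offset_s)).isoformat(), **fields})

    lines = [ev(i * 75, user="dave", action="file_modified", path=f"/share/report{i}.docx")
             for i in range(8)]                           # 8 edits over 10 minutes: normal
    lines += [ev(300 + i * 0.25, user="mallory", action="file_modified", path=f"/share/doc{i}.xlsx")
              for i in range(120)]                        # 120 files in 30 seconds: ransomware-like
    lines.append(ev(400, user="helpdesk1", action="group_member_added",
                    group="Domain Admins", member="svc-backup"))
    lines.append(ev(410, user="helpdesk1", action="account_created",
                    account="tmpadmin", groups=["Domain Admins"]))
    lines.append(ev(500, user="assistant", action="mail_read", mailbox="ceo", message_id="m42"))
    lines.append(ev(620, user="assistant", action="mail_mark_unread", mailbox="ceo", message_id="m42"))
    lines.append(ev(630, user="ceo", action="mail_read", mailbox="ceo", message_id="m43"))   # own mailbox: no alert
    lines.append(ev(640, user="ceo", action="mail_mark_unread", mailbox="ceo", message_id="m43"))
    return lines


if __name__ == "__main__":
    for rule, user, detail in detect(parse_events(build_sample_log())):
        print(f"ALERT {rule:<28} user={user:<10} {detail}")
```

The fixed use cases fire on a single event and need no baseline, which is why they belong in the SIEM. The two behavioral rules need state across events (a sliding window per user, and the pairing of a read with a later mark-unread by someone other than the mailbox owner); the threshold and windows here are deliberately simple stand-ins for the per-user baselines a behavioral product would learn.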
As with external attackers, the key is to make the insider's task as difficult as possible. Once isolation and separation measures are in place, it is harder for a malicious insider to act. Monitoring and detection of abnormal activity, based on well-identified tasks or on behavioral analysis, then makes it possible to react as quickly as possible and limit the impact of the incident.