Insider threat

Perceived risk originating from within an organization

Summary

An insider threat is a perceived threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems.

Overview

Insiders may hold accounts that give them legitimate access to computer systems, access that was originally granted so that they could perform their duties; those same permissions can be abused to harm the organization. Insiders are often familiar with the organization's data and intellectual property as well as the methods in place to protect them, which makes it easier for them to circumvent any security control they know about. Physical proximity to data means that an insider does not need to break into the organizational network through the outer perimeter by traversing firewalls; they are already in the building, often with direct access to the internal network. Insider threats are harder to defend against than attacks from outsiders because the activity is carried out with legitimate access to the organization's information and assets, so perimeter and authentication controls do not distinguish it from normal work.
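The defensive consequence of the paragraph above is that detection has to look at how valid access is used rather than whether it is valid. The following Python script is an added example, not part of the Wikipedia article: it runs over a constructed audit log and flags accounts whose authorised activity looks wrong in combination. The log line format (`<ISO timestamp> user=… role=… action=… object=…`), the `ROLE_SCOPE` entitlement table and the sample events are all hypothetical. Three signals are combined: access to data outside the account's role scope, exports outside business hours, and a burst of exports within a short window.

```python
"""Added example, not from the Wikipedia article: spotting abuse of
legitimate access in an audit log.  The log format, the ROLE_SCOPE table
and the sample data below are hypothetical/constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log.  acct-3 is an engineer doing routine work;
# acct-7 is a finance analyst who exports engineering source files at night.
SAMPLE_LOG = """\
2024-03-04T09:12:01 user=acct-3 role=engineer action=read object=/eng/src/payments/router.go
2024-03-04T09:13:44 user=acct-7 role=finance action=read object=/finance/q1/ledger.xlsx
2024-03-04T09:20:10 user=acct-7 role=finance action=export object=/finance/q1/forecast.xlsx
2024-03-04T10:02:55 user=acct-3 role=engineer action=export object=/eng/src/payments/ledger.go
2024-03-04T11:31:08 user=acct-7 role=finance action=read object=/finance/q1/ar.xlsx
2024-03-04T23:41:02 user=acct-7 role=finance action=export object=/eng/src/payments/router.go
2024-03-04T23:41:05 user=acct-7 role=finance action=export object=/eng/src/payments/ledger.go
2024-03-04T23:41:09 user=acct-7 role=finance action=export object=/eng/src/auth/session.go
2024-03-04T23:41:12 user=acct-7 role=finance action=export object=/eng/src/auth/token.go
2024-03-04T23:41:15 user=acct-7 role=finance action=export object=/eng/src/auth/mfa.go
2024-03-04T23:41:18 user=acct-7 role=finance action=export object=/eng/src/auth/login.go
2024-03-04T23:41:21 user=acct-7 role=finance action=export object=/eng/src/auth/reset.go
"""

# Hypothetical entitlement table: which top-level data areas each role may touch.
ROLE_SCOPE = {"finance": ("/finance",), "engineer": ("/eng",), "hr": ("/hr",)}
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 is treated as normal working time


def parse_line(line):
    """'<ISO ts> k=v k=v ...' -> dict of the k=v pairs plus a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def in_scope(role, obj):
    """True if the object lies inside one of the role's entitled data areas."""
    return any(obj.startswith(prefix) for prefix in ROLE_SCOPE.get(role, ()))


def peak_burst(times, window_s):
    """Largest number of events (times must be sorted) inside any window_s-second span."""
    peak = 0
    for i, t0 in enumerate(times):
        j = i
        while j < len(times) and (times[j] - t0).total_seconds() <= window_s:
            j += 1
        peak = max(peak, j - i)
    return peak


def analyse(log_text, burst_threshold=5, burst_window_s=60):
    """Return {user: [reasons]} for accounts whose legitimate access looks abused.

    Every event here is technically authorised; the combination of scope,
    timing and volume is what makes it worth a look."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    out_of_scope = defaultdict(set)   # user -> objects outside the role's scope
    after_hours = defaultdict(int)    # user -> exports outside business hours
    export_times = defaultdict(list)  # user -> timestamps of exports (sorted)

    for e in events:
        if not in_scope(e["role"], e["object"]):
            out_of_scope[e["user"]].add(e["object"])
        if e["action"] == "export":
            export_times[e["user"]].append(e["ts"])
            if e["ts"].hour not in BUSINESS_HOURS:
                after_hours[e["user"]] += 1

    findings = defaultdict(list)
    for user, objs in out_of_scope.items():
        findings[user].append(f"{len(objs)} objects outside role scope")
    for user, n in after_hours.items():
        findings[user].append(f"{n} exports outside business hours")
    for user, times in export_times.items():
        peak = peak_burst(times, burst_window_s)
        if peak >= burst_threshold:
            findings[user].append(f"burst of {peak} exports within {burst_window_s}s")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in analyse(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```

On the sample data acct-3 produces no findings and acct-7 is flagged on all three signals. In a real deployment the entitlement table would come from the identity system and the thresholds from each account's own history rather than fixed numbers, and the output is a triage queue for an analyst, not an automatic sanction: a finance analyst pulling engineering data can also be a legitimately assigned audit, which is the false-positive problem the Criticisms section below is concerned with.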

An insider may attempt to steal property or information for personal gain or to benefit another organization or country. The threat to the organization could also come from malicious software left on its computer systems by a former employee, a so-called logic bomb: code that lies dormant until a trigger condition, such as a date or the disabling of the author's account, is met.

Research

Insider threat is an active area of research in academia and government.

The CERT Coordination Center at Carnegie Mellon University maintains the CERT Insider Threat Center, which includes a database of more than 850 cases of insider threats, including instances of fraud, theft and sabotage; the database is used for research and analysis. CERT's Insider Threat Team also maintains an informational blog to help organizations and businesses defend themselves against insider crime.

The Threat Lab of the Defense Personnel and Security Research Center (DoD PERSEREC) has also recently emerged as a national resource within the United States. The Threat Lab hosts an annual conference, the SBS Summit, and maintains a website with resources from it. Complementing these efforts, a companion podcast, Voices from the SBS Summit, was created. In 2022 the Threat Lab launched an interdisciplinary journal, Counter Insider Threat Research and Practice (CITRAP), which publishes research on insider threat detection.

Findings

In the 2022 Data Breach Investigations Report (DBIR), Verizon found that 82% of breaches involved the human element, noting that employees continue to play a leading role in cybersecurity incidents and breaches.

According to the UK Information Commissioner's Office (ICO), 90% of all breaches reported to it in 2019 were the result of mistakes by end users, up from 61% and 87% in the previous two years.

A 2018 whitepaper reported that 53% of companies surveyed had confirmed insider attacks against their organization in the previous 12 months, with 27% saying insider attacks have become more frequent.

A report published in July 2012 examined the insider threat in the U.S. financial sector.

The US Department of Defense Personnel Security Research Center (PERSEREC) has published a report describing approaches for detecting insider threats. Earlier it published ten case studies of insider attacks carried out by information technology professionals.

Cybersecurity experts estimate that 38% of negligent insiders are victims of a phishing attack, in which they receive an email that appears to come from a legitimate source such as their own company. Such emails normally carry hyperlinks that lead to malware rather than attaching it directly.

Typologies and ontologies

Multiple classification systems and ontologies have been proposed to classify insider threats.

Traditional models of insider threat identify three broad categories:

  • Malicious insiders: people who take advantage of their access to inflict harm on an organization;
  • Negligent insiders: people who make errors or disregard policies and thereby place their organization at risk; and
  • Infiltrators: external actors who obtain legitimate access credentials without authorization.

Criticisms

Insider threat research has been criticized.

  • Critics have argued that insider threat is a poorly defined concept.
  • Forensically investigating insider data theft is notoriously difficult, and requires novel techniques such as stochastic forensics.
  • Data supporting insider threat research is generally proprietary (i.e., held by the affected organizations and not released for independent study).
  • Theoretical/conceptual models of insider threat are often based on loose interpretations of research in the behavioral and social sciences, using "deductive principles and intuitions of subject matter expert."

Adopting sociotechnical approaches, researchers have also argued for the need to consider insider threat from the perspective of social systems. Jordan Schoenherr said that "surveillance requires an understanding of how sanctioning systems are framed, how employees will respond to surveillance, what workplace norms are deemed relevant, and what ‘deviance’ means, e.g., deviation for a justified organization norm or failure to conform to an organizational norm that conflicts with general social values." By treating all employees as potential insider threats, organizations might create conditions that lead to insider threats.

References

  1. "FBI Counterintelligence: The Insider Threat. An introduction to detecting and deterring an insider spy". fbi.gov.
  2. "The CERT Insider Threat Center". cert.org.
  3. "Insider Threat Blog". CERT.
  4. "Insider Threat Blog". Threat Lab.
  5. "Voices from the SBS Summit". Threat Lab.
  6. "Verizon 2022 Data Breach Investigations Report (DBIR)". Verizon, 2022.
  7. "The fight for your data: mitigating ransomware and insider threats". 2021-05-10.
  8. "Insider Threat 2018 Report". Cybersecurity Insiders.
  9. "2018 Insider Threat Report". 2017-09-04.
  10. "Insider Risk Evaluation and Audit". Department of Defense Personnel Security Research Center, 2009.
  11. "Ten Tales of Betrayal: The Threat to Corporate Infrastructures by Information Technology Insiders. Analysis and Observations". 2005.
  12. "Insider Threat Report". fortinet.com, https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/insider-threat-report.pdf
  13. "Counter Insider Threat Research and Practice". 2022.
  14. 2020 International Conference on Cyber Security and Protection of Digital Services (Cyber Security). 2020.
  15. "Insider threat and information security management". In Insider Threats in Cyber Security (pp. 45-71). Springer, Boston, 2010.
  16. "Understanding Surveillance Societies: Social Cognition and the Adoption of Surveillance Technologies". IEEE ISTAS 2020.
Wikipedia Source

This article was imported from Wikipedia and is available under the Creative Commons Attribution-ShareAlike 4.0 License. Content has been adapted to SurfDoc format. Original contributors can be found on the article history page.
