What practical steps can be taken to manage insider threats? In our first blog post, we provided a baseline for understanding insider threats, how they’ve evolved and why they persist. Next, let’s review strategies for risk reduction and successful technology implementation to help reduce the risk created by an insider.
Insider Threat Strategy
Combatting insider threats is not a trivial task. Organizations are taking longer than two months on average to contain threats, and are expending more resources then in previous years to address the challenge. A layered approach is needed, combining the right tools, processes and human expertise.
The foundation begins with broad visibility into data. This means:
- Collecting and parsing information from data sources into useful and descriptive human-readable text – this is metadata. Metadata also needs to be catalogued and indexed for detections, advanced analytics and fast, flexible searching.
- Enriching metadata with global threat intelligence and useful business context to effectively make sense of threats and contextualize them within the business environment.
Data then needs insight, especially within the context of insider threats. That is achieved with three major components:
- Signature-based detections identify known threats that have a particular data pattern.
- Example: Detecting known credential dumping malware on endpoints, command and control communication leaving the network, or a known exploit attempt on a production server.
- Behavior-based detections identify unknown or suspected attacks that do not have a particular data pattern but represent abnormal or suspicious behavior.
- Example: An excessive number of files being transferred or a user logging into an abnormal system.
- Threat hunting identifys sophisticated attacks based on targeted use cases which are not identified by signature or behavior-based detections.
- Example: A phishing email successfully delivered to a cloud-based email service which directs a user to a malicious website. The user unknowingly downloads and installs a small encrypted executable file. The executable runs in-memory and traverses file systems to find relevant financial data that is exfiltrated as encrypted PDF’s through SFTP, which is allowed under the organization’s policies.
The right human expertise is also critical to detect and respond to insider threats. This includes the right education for the SOC team, like threat hunting best practices and a sound strategy for incident response that includes automation. It also means the right technical implementations of products and security awareness training for the workforce.
Figure 1: Key insider threat risks and questions that are addressed by data visibility sources
Data visibility is a crucial foundation to insider threat strategy, but without the necessary context from the business and layered threat intelligence, there is little additional value. Business and threat context enables prioritization, asset and identity enrichment, and signal reduction from known-bad threats. This is the power that SOC analysts need to exercise to inform decisions when analyzing risks.
After establishing capacity to see the data you care about and enrich it with context, you need to unpack useful insights into data patterns, anomalies and trends to help drive decisions by an analyst.
Driving Insight with Advanced Analytics
Advanced analytics and machine learning (ML) are an evolution of traditional detection that layers deeper computer science and mathematical principles alongside traditional detection. In the context of insider threats, this drives critical insight into behavior-based detection. This is quickly becoming one of the best ways to predict insider threats. In fact, more than 50% of businesses address insider threats with some type of ML or User and Entity Behavior Analytics (UEBA) system.
A cybercriminal posing as an employee using compromised credentials
When attackers gain access to a new system, they must orient themselves to the system, surroundings and determine the goals of their intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase. By monitoring and modeling the use of these tools, we can detect the intrusion before it causes further damage to the business.
If an attacker continues their attack, they would likely attempt to connect to multiple systems with the same stolen credentials and attempt to dump additional credentials with tools on any system they were able to access. These attacks usually have an end goal of data theft, so the attackers would be searching for, and collecting, as many files and as much data as possible.
Figure 2: Example of a use case for advanced behavior analytics detecting an insider threat attempt
Response is the crucial component after detection. Aligning tools, processes and expertise provides the ability to stop insider threats before they impact the business. Security orchestration, automation, and response (SOAR) is a critical component to the security fabric. In our next and final blog, we’ll explore response and seamless orchestration within the SOC in the context of an insider threat. We can achieve maximum threat mitigation with the proper automation, tying each component together to reach optimal reduction in mean-time-to-detection and response.