The 7 Indicators of Insider Threats

Cybersecurity experts warn businesses that, detected or not, someone is very likely already inside their networks doing things they are not supposed to do. Seven distinct insider-threat behaviors must be detected to prevent data breaches like those at Equifax, Uber and the SEC.

What Types of Insider Threats does Interset Security Analytics Detect?

User and entity behavior analytics (UEBA), built on mathematical models and unsupervised machine learning, reveals the following types of insider threats: Account Misuse, Compromised Account, Infected Host, Internal Recon, Lateral Movement, Insider Fraud and Data Exfiltration.

Insider Threats Often Precede Data Breaches

Data breaches typically unfold as multi-stage advanced persistent threats (APTs), which are difficult to detect with existing rule- and threshold-based systems. Interset security analytics uncovers these hidden threats at the different phases of the attack cycle.

For example, security analytics detects abnormal behavior indicative of account misuse or account compromise. Typically this is followed by internal reconnaissance and lateral movement through the environment, ultimately resulting in data exfiltration and a breach.

Infected hosts can also be a factor in data breaches if the system has been compromised to automatically send data externally, another case that security analytics can detect.

How Does AI Help Prevent Insider Threats?

Finding signs of these insider threats and connecting the dots between them is critical to protecting enterprises and consumers from attackers.

An analytics-based approach checks log files for unusual access patterns, network traffic for signs of suspicious connections, data protection logs for transfers of large volumes of data, and additional factors when available. It then runs an integrated mathematical analysis of these factors together to produce indicators of account takeover or compromise.

The contextual correlation and analysis of data give security analytics the ability to detect threats operating inside the business.


Insider Threat or Inside Threat?

There is a distinction between an ‘insider threat’ and an ‘inside threat.’ An insider is an entity within an organization, such as an employee. A disgruntled employee with the ability to do damage to the business from within would be considered an ‘insider’ threat. An external attacker, however, can also do damage from within a business (e.g., when malware delivered by a phishing attack is used to gain access to an enterprise). In such a case, the attacker can gain control over a legitimate user’s credentials and move laterally within the targeted organization. The attacker is not an insider, but once the perimeter has been penetrated, and with that level of access, the threat has moved ‘inside.’ Such an attacker often goes to some lengths to avoid raising alarms by performing only activity already permitted by IT policy, and thus often ‘flies under the radar.’ The ability of an intruder to disguise himself or herself as a legitimate user necessitates a security analytics approach.

Impact of Insider Threats

When surveyed, enterprises shared their concerns:

  • Riskiest insiders: regular employees (56%), privileged IT users/admins (55%), contractors, service providers and other temporary workers (42%), privileged business users/executives (29%), and customers/clients (22%)
  • Data most vulnerable to insider attacks: confidential business information (57%), privileged account information (52%), sensitive personal information (49%), intellectual property (32%), employee data (31%), operational infrastructure data (27%)
  • Biggest enablers of accidental insider threats: phishing (67%), weak/reused passwords (56%), unlocked devices (44%), bad password-sharing practices (44%), unsecured WiFi networks (32%)
  • Biggest barriers to insider threat management: lack of training and expertise (52%), lack of suitable technology (43%), lack of collaboration among separate departments (34%), lack of budget (34%), lack of staff (25%)
Full report available here.

Financial Fraud

Financial fraud can be detected in multiple ways. Some examples of expense-related insider threat anomaly detection models include:

  • Identification of duplicate reports or abnormal claim amounts within a time period, peer group or category (e.g. “Entertainment expenses too high”)
  • Anomalous expense entries for a venue compared to others
  • Abnormal entertainment expense claims per week compared to peer group
  • Anomalous expenses for a date compared to others.
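Two of the checks listed above, duplicate reports and claim amounts that are abnormal for the claimant's peer group and category, can be expressed in a few dozen lines. The following is an added example, not Interset's code: the record layout, the sample claims, the 3.5 threshold and the minimum peer count are assumptions made for the illustration. The peer-group comparison uses a median/MAD (robust) z-score rather than mean/standard deviation, so that the single inflated claim does not widen the very baseline it is being judged against.

```python
"""Expense-claim anomaly checks on constructed sample data.

Added example (not Interset's code). Implements two of the detection
ideas listed above: duplicate expense reports, and claim amounts that are
abnormal for the claimant's peer group and expense category. The field
layout, the sample claims and the thresholds are assumptions for this
illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed sample claims:
# (report_id, employee, peer_group, category, venue, date, amount)
CLAIMS = [
    ("R1", "alice", "sales", "entertainment", "Bistro 9",    "2019-03-04", 85.00),
    ("R2", "alice", "sales", "entertainment", "Bistro 9",    "2019-03-04", 85.00),    # resubmission of R1
    ("R3", "bob",   "sales", "entertainment", "Grill House", "2019-03-05", 92.50),
    ("R4", "carol", "sales", "entertainment", "Bistro 9",    "2019-03-06", 78.00),
    ("R5", "dave",  "sales", "entertainment", "Grill House", "2019-03-06", 101.00),
    ("R6", "erin",  "sales", "entertainment", "Club Prime",  "2019-03-07", 1450.00),  # far above peers
    ("R7", "frank", "sales", "travel",        "Airline",     "2019-03-07", 640.00),
]


def find_duplicates(claims):
    """Return (report_id, earlier_report_id) pairs where the same employee
    claims the same venue, category, date and amount more than once."""
    seen = {}
    dups = []
    for rid, emp, _grp, cat, venue, date, amt in claims:
        key = (emp, cat, venue, date, round(amt, 2))
        if key in seen:
            dups.append((rid, seen[key]))
        else:
            seen[key] = rid
    return dups


def robust_z(value, sample):
    """Modified z-score based on median and median absolute deviation (MAD),
    so a single huge claim cannot inflate the baseline it is judged against."""
    med = median(sample)
    mad = median(abs(x - med) for x in sample)
    if mad == 0:  # all peers identical: any deviation at all is unusual
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def peer_group_outliers(claims, threshold=3.5, min_peers=4):
    """Flag claims whose amount is abnormal relative to other claims in the
    same (peer_group, category) bucket. Each claim is scored against the
    bucket with itself removed (leave-one-out) so it cannot vouch for itself."""
    buckets = defaultdict(list)
    for _rid, _emp, grp, cat, _venue, _date, amt in claims:
        buckets[(grp, cat)].append(amt)

    flagged = []
    for rid, emp, grp, cat, _venue, _date, amt in claims:
        others = list(buckets[(grp, cat)])
        others.remove(amt)
        if len(others) < min_peers:  # too few peers to define "normal"
            continue
        z = robust_z(amt, others)
        if z > threshold:
            flagged.append((rid, emp, cat, amt, round(z, 1)))
    return flagged


if __name__ == "__main__":
    print("duplicates:", find_duplicates(CLAIMS))
    print("peer-group outliers:", peer_group_outliers(CLAIMS))
```

On the sample data R2 is reported as a duplicate of R1 and R6 is the only peer-group outlier; the travel claim is skipped because one claim is not a peer group. The per-week-versus-peer-group check from the list above is the same scoring applied to weekly per-employee sums instead of individual claims.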

Data Exfiltration

Interset’s unsupervised machine learning behavioral models detect unusual data exfiltration by learning each user’s normal behavior and highlighting users who send more data via email than they normally do, or than their peer group normally does.
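The two baselines named above, the user's own history and the user's peer group, and the multi-factor combination described in the AI section earlier on this page, look like the following when written out. This is an added example, not Interset's code: the mail-gateway summary format, the peer groups, the daily volumes, the weights and the review threshold are all constructed for the illustration. A user with no history is scored only against peers, and a sample with no spread is handled explicitly rather than dividing by zero.

```python
"""Outbound e-mail volume scored against self and peer-group baselines.

Added example (not Interset's code). Scores each user's daily bytes sent
against (1) that user's own past days and (2) the user's peer group, and
adds a second factor, a recipient domain never seen before for that user,
into a single score. Gateway summary format, peer groups, volumes,
weights and thresholds are constructed for this illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed daily mail-gateway summaries for a 14-day baseline window:
# (day, user, peer_group, bytes_sent, recipient_domains)
HISTORY = []
for day in range(1, 15):
    HISTORY.append((day, "alice", "finance", 2_000_000 + (day % 3) * 150_000, {"bank.example"}))
    HISTORY.append((day, "bob", "finance", 1_800_000 + (day % 4) * 100_000, {"bank.example"}))
    HISTORY.append((day, "carol", "finance", 2_300_000 + (day % 2) * 200_000, {"bank.example", "audit.example"}))
    HISTORY.append((day, "dave", "engineering", 600_000 + (day % 5) * 50_000, {"git.example"}))

# Constructed day under review: carol sends roughly 20x her norm, to a new domain.
TODAY = [
    (15, "alice", "finance", 2_150_000, {"bank.example"}),
    (15, "bob", "finance", 1_900_000, {"bank.example"}),
    (15, "carol", "finance", 48_000_000, {"bank.example", "freemail.example"}),
    (15, "dave", "engineering", 650_000, {"git.example"}),
]


def robust_z(value, sample):
    """Median/MAD z-score: a baseline that one noisy day cannot drag upward."""
    med = median(sample)
    mad = median(abs(x - med) for x in sample)
    if mad == 0:  # no spread in the sample: equal is normal, anything else is not
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def build_baselines(history):
    """Per-user and per-peer-group daily volumes, plus each user's known recipient domains."""
    by_user, by_group, known = defaultdict(list), defaultdict(list), defaultdict(set)
    for _day, user, group, nbytes, domains in history:
        by_user[user].append(nbytes)
        by_group[group].append(nbytes)
        known[user] |= domains
    return by_user, by_group, known


def score_day(records, history, new_domain_bonus=2.0):
    """Score each record: positive self-deviation + positive peer-deviation
    + a fixed bonus when mail went to a domain this user has never used."""
    by_user, by_group, known = build_baselines(history)
    results = {}
    for _day, user, group, nbytes, domains in records:
        # A user (or group) with no history contributes nothing to the score.
        z_self = robust_z(nbytes, by_user[user]) if by_user[user] else 0.0
        z_peer = robust_z(nbytes, by_group[group]) if by_group[group] else 0.0
        new_domains = domains - known[user]
        score = max(z_self, 0.0) + max(z_peer, 0.0) + (new_domain_bonus if new_domains else 0.0)
        results[user] = {
            "z_self": round(z_self, 1),
            "z_peer": round(z_peer, 1),
            "new_domains": sorted(new_domains),
            "score": round(score, 1),
        }
    return results


def flag(results, threshold=7.0):
    """Users whose combined score crosses the review threshold."""
    return sorted(user for user, r in results.items() if r["score"] >= threshold)


if __name__ == "__main__":
    scored = score_day(TODAY, HISTORY)
    for user in flag(scored):
        print(user, scored[user])
```

Only carol is flagged; alice, bob and dave all score zero because their volumes sit at or below their own and their group's medians. Two caveats matter in practice: a low-and-slow exfiltration that stays inside the user's normal daily volume is invisible to a volume baseline and needs other factors (destination, time of day, content labels), and if the baseline window already contains the attacker's activity the baseline is poisoned, which is why the robust median/MAD statistic is preferred over mean and standard deviation.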


What Types of Insider Threats does Interset Security Analytics Detect?

Interset reveals the insider threats obscured by rule- and threshold-based systems. For security teams building insider threat programs, or looking to extract more value from existing security tools, Interset UEBA puts the power back in the hands of the security team and helps them mitigate the impact of insider threats, data breaches, and loss of critical IP.