In 2021, the work-from-anywhere (WFA) movement took up permanent residence in enterprises across business and industry, spurred by pandemic precautions and an accelerated digital transition to cloud-based systems. The year also gave life to a new breed of cyber threat actor: the Super Malicious Insider.
The hasty shift to remote work created an array of new challenges for security and risk professionals who suddenly had to protect hundreds of thousands of “remote offices” outside of traditional, perimeter-based corporate controls. Combined with a measurable increase in employee attrition toward the end of 2021 (“The Great Resignation”), the transition created a perfect storm for insider threats.
With this in mind, we set out to examine the effect of remote work on employee human behavior that is driving a dramatic increase in damaging insider attacks. In addition to noticing a significant increase in anomalous behavior driven by WFA practices, such as odd working hours and the use of new applications, our research revealed sharp increases in industrial espionage, the theft of intellectual property (IP) and data, and other criminal acts. And it classifies, for the first time, the Super Malicious Insider, someone with the knowledge and skills (often provided by their employer) to avoid detection by accepted defensive practices. The following trends should serve as a wake-up call to security teams that traditional tools such as Data Loss Prevention (DLP), User Behavior Analytics (UBA) and User Activity Monitoring (UAM) are being avoided or circumvented by insiders.
Industrial espionage on the rise
Our 2022 Insider Risk Intelligence and Research Report is based on thousands of investigations conducted for hundreds of customers, rather than on the results of a blind survey. Among its key findings:
- 2021 saw a 72% increase in actionable insider threat incidents from 2020
- Super Malicious Insiders accounted for 32% of malicious insider incidents
- 75% of insider threat criminal prosecutions were the result of remote workers
- 56% of organizations had an insider data theft incident resulting from employees either leaving or joining the companies
It’s clear that industrial espionage has hit an all-time high. Forty-two percent of actionable incidents were related to IP and data theft, including the theft of trade secrets, source code and active collusion with a foreign nexus. While some of these resulted from accidental disclosures, a significant portion was attributed to sabotage.
The increase in insider threats growing out of WFA also showed in other, somewhat less impactful ways. For example, we uncovered a more than 200% increase over 2020 in data loss associated with users taking screenshots during confidential Zoom and Microsoft Team meetings, some of which were leaked to the media or unauthorized users. On top of that, there was a 300%+ increase in the number of employees using corporate assets for non-work activities, including social media, shopping and stocks.
Profiling the super malicious
The risks from insiders can be classified in three ways. Basic insider risk, of course, covers 100% of users, any of whom could fall for a phishing attack, accidentally expose data or otherwise be compromised. Insider threats are the 1% of users with bad intent, who would actively steal data or cause harm. The Super Malicious threat comprises a subset of malicious insiders with superior technical skills and in-depth knowledge of common insider threat detection techniques.
Although they make up a very small portion of users, Super Malicious Insiders accounted for about a third of these incidents and showed skill at covering their tracks. The survey found that 96% of malicious insiders avoided using attack techniques listed in the MITRE ATT&CK framework, which tracks common adversary tactics and techniques. Some of the most common techniques used by Super Malicious Insiders, who are better able than typical malicious actors to hide their activities, include data obfuscation and exfiltration of sensitive information without detection. They made every attempt to appear to be benign, normal users, staying within their day-to-day routines. The training many of them received in cybersecurity, data loss prevention and insider threats, along with their knowledge of the organization’s cybersecurity landscape and technology stack, helped them stay within the lines.
The Super Malicious also showed the ability to use subtle social engineering techniques to manipulate others to perform actions on their behalf. With a relationship already established with the other employees, this insider could use more nuanced—and harder to detect—techniques than those used by external actors through spear phishing, baiting or pretexting.
Steps to securing your organization
Organizations should make insider risk a priority this year. It increasingly affects every sector, and recent guidance from government regulators indicates that mandates for insider threat and non-regulated data protection are likely on the way. In building a framework for an insider risk program, you can draw on resources from CISA, the National Insider Threat Task Force and other bodies, such as Carnegie Mellon University, Gartner and Forrester.
An effective step would be to keep the insider risk program outside of the security operations center (SOC), which is built to detect and investigate external threats. Insider risk is different, requiring an understanding of human behavior, psycho-social factors and trends, and a feel for the abnormal. It will require inter-organizational collaboration with HR, legal, finance, technology and, of course, cybersecurity teams, so it would be best operated separately.
Remember that exfiltration of data is the last step in an attack, so an insider threat program should be looking for early indicators of malicious intent. The Insider Threat Framework describes the indicators of behaviors such as reconnaissance, circumvention, aggregation and obfuscation.
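To make the "early indicators" idea concrete, here is an added example (not code from the article, DTEX, or the Insider Threat Framework) that scores a user's activity log against the four indicator classes named above plus off-hours activity. The event records, the per-user baseline directories, the business-hours window and the aggregation threshold are all constructed, hypothetical values; a real program would learn the baseline from historical activity rather than hard-code it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity events (not taken from the article).
# Each record is (timestamp, user, action, detail).
SAMPLE_EVENTS = [
    ("2022-03-01T09:12:00", "alice", "file_read", "/finance/q1-budget.xlsx"),
    ("2022-03-01T10:05:00", "alice", "file_read", "/finance/q1-forecast.xlsx"),
    ("2022-03-01T14:20:00", "alice", "file_read", "/finance/vendors.csv"),
    ("2022-03-01T22:40:00", "bob", "file_read", "/engineering/src/auth.py"),
    ("2022-03-01T22:41:00", "bob", "file_read", "/engineering/src/session.py"),
    ("2022-03-01T22:42:00", "bob", "file_read", "/engineering/src/crypto.py"),
    ("2022-03-01T22:43:00", "bob", "file_read", "/legal/contracts/acme-msa.pdf"),
    ("2022-03-01T22:44:00", "bob", "file_read", "/legal/contracts/globex-nda.pdf"),
    ("2022-03-01T22:45:00", "bob", "file_read", "/hr/salaries-2022.xlsx"),
    ("2022-03-01T22:50:00", "bob", "agent_disabled", "dlp-agent"),
    ("2022-03-01T22:55:00", "bob", "file_renamed", "/tmp/source.zip->/tmp/holiday.jpg"),
]

# Hypothetical baseline: the top-level directories each user normally works in.
# In practice this is learned from historical activity, not hard-coded.
BASELINE_DIRS = {
    "alice": {"/finance"},
    "bob": {"/engineering"},
}

BUSINESS_HOURS = range(7, 20)         # 07:00-19:59 is treated as a normal working window
AGGREGATION_THRESHOLD = 5             # distinct files read inside AGGREGATION_WINDOW
AGGREGATION_WINDOW = timedelta(minutes=10)


def _top_dir(path):
    """Return the first path component, e.g. '/legal' for '/legal/contracts/x.pdf'."""
    return "/" + path.strip("/").split("/")[0]


def score_events(events=SAMPLE_EVENTS):
    """Return {user: sorted indicator names} for every user showing at least one indicator."""
    by_user = defaultdict(list)
    for ts, user, action, detail in events:
        by_user[user].append((datetime.fromisoformat(ts), action, detail))

    findings = {}
    for user, evs in by_user.items():
        evs.sort()  # chronological order; the aggregation window relies on it
        indicators = set()
        reads = [(t, d) for t, a, d in evs if a == "file_read"]

        # Off-hours activity: any event outside the business-hours window.
        if any(t.hour not in BUSINESS_HOURS for t, _, _ in evs):
            indicators.add("off_hours")

        # Reconnaissance: reading from top-level directories outside the user's baseline.
        baseline = BASELINE_DIRS.get(user, set())
        if any(_top_dir(d) not in baseline for _, d in reads):
            indicators.add("reconnaissance")

        # Aggregation: many distinct files read inside a short sliding window.
        for i, (t0, _) in enumerate(reads):
            window = {d for t, d in reads[i:] if t - t0 <= AGGREGATION_WINDOW}
            if len(window) >= AGGREGATION_THRESHOLD:
                indicators.add("aggregation")
                break

        # Circumvention: a security control (here a DLP agent) was disabled by the user.
        if any(a == "agent_disabled" for _, a, _ in evs):
            indicators.add("circumvention")

        # Obfuscation: a rename that changes the file extension.
        for _, a, d in evs:
            if a == "file_renamed" and "->" in d:
                src, dst = d.split("->", 1)
                if src.rsplit(".", 1)[-1] != dst.rsplit(".", 1)[-1]:
                    indicators.add("obfuscation")

        if indicators:
            findings[user] = sorted(indicators)
    return findings


if __name__ == "__main__":
    for user, hits in score_events().items():
        print(f"{user}: {', '.join(hits)}")
```

Run stand-alone, the script reports only `bob`, who trips all five indicators, while `alice` stays silent because her reads are inside her baseline directory, during business hours and below the aggregation threshold. The point of the design is that none of these signals is exfiltration itself: each one fires earlier in the sequence the article describes, which is where a program that keeps its analysts informed by HR and line managers has time to act.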
Organizations also would do well to rely not just on technology, but on people. CISA, in fact, recommends using “people as sensors” against insider threats. An organization should be familiar with employee behaviors, decide which are acceptable and which are not, and positively reinforce policies that are tailored to the needs of each department. It’s also advisable for an organization to get an insider risk assessment; these are offered by a number of system integrators, consultants and vendors (some free, some for a fee).
Whether accidental, malicious or super malicious, the threat is only growing. Organizations need to act now to protect their enterprises from the inside out.
Rajan Koo is CCO and DTEX i3Lead with DTEX Systems.