How to protect the network from insider threats

Traditional cybersecurity strategies tend to prioritize defending the network from external forces. However, focusing on the perimeter can lead to internal blind spots, which may leave organizations vulnerable to insider threats. 

In this blog post, we’ll show you how insider threats work and what you can do to protect your organization. 

What is an insider threat?  

An insider is any person who has knowledge of, or authorized access to, an organization’s resources. An insider threat is the potential harm an insider can cause with that knowledge or access. 

Insiders generally fall into one of three categories: 

• Negligent: A negligent insider puts an organization at risk inadvertently. They are not actively trying to cause damage, but their actions can unintentionally leave the organization vulnerable to compromise. Negligence accounts for more than half of all insider threats.  
• Malicious: A malicious insider intentionally seeks to damage an organization, often by stealing data or providing system access to an external party. Malicious insiders are often motivated by financial gain, lack of recognition in the workplace or job loss. Others may steal intellectual property in an attempt to advance their careers. 
• Third-party: A third-party insider is someone who has been granted some level of access to an organization’s assets, but is not a full-time member of that organization. An insider threat may damage an organization’s assets directly or expose those assets to malicious external parties.  

Ransomware gangs actively recruiting insiders 

For ransomware gangs, gaining initial access to the target is often the trickiest part of an operation. To address this bottleneck in the attack chain, many groups operate under the ransomware-as-a-service model, whereby ransomware developers recruit affiliates to infiltrate vulnerable networks in exchange for a cut of the ransom payment. 

Some ransomware groups have tried to remove the middle step entirely by leveraging insiders to gain unauthorized access to corporate networks – in other words, paying employees of large organizations to help them get their foot in the door.  

In March 2022, the Lapsus$ ransomware gang – responsible for high-profile attacks on Samsung, Nvidia and Ubisoft, among others – announced that it was recruiting insiders at major tech companies such as Microsoft, Apple, EA, AT&T who could provide access to a corporate VPN, Citrix or AnyDesk. These types of remote access tools are often used by threat actors to gain an initial foothold in the target network, after which it’s relatively easy to carry out the subsequent steps of an attack. 

Lapsus$ isn’t the first ransomware group to attempt to work with insiders. In 2021, LockBit offered “millions of dollars” to corporate insiders who could provide the gang with access to corporate RDP, VPN and email accounts.  

How to secure the network from insider threats  

Given that tech companies often have hundreds or thousands of employees – each with their own privileges, access rights and company devices – policing every single asset is a daunting proposition. 

Instead, organizations should focus on limiting access to these assets. Below are some effective strategies to help manage the risk of insider threats. 

1. Carry out a risk assessment
   Before security measures can be implemented, an organization must clearly understand what it is it’s trying to protect. As such, organizations must carry out a comprehensive risk assessment to identify and document the critical organizational assets, their vulnerabilities and the threats that could affect them. 
   Key resources that are often vulnerable to insider threats include hardware, software and communications systems, as well as data such as intellectual property, customer information, proprietary software, and internal processes. 
   This asset management guide, courtesy of The Department of Homeland Security, may be a useful resource for organizations that wish to learn more about defining and documenting important assets.  
2. Limit access
   Organizations should restrict employees’ access strictly to the systems, applications, processes and data repositories that they need to perform their core job function. This is known as the principle of least privilege. Restricting access limits the extent and impact of an attack, and minimizes the risk of sensitive data falling into the wrong hands. In 2021, About 34 percent of organizations were the target of property theft or supply chain damage due to insiders abusing their privileges, according to the European Union Agency for Cybersecurity. 
   Access should be reviewed regularly to ensure that access privileges accurately reflect people’s requirements as they move in and out of different roles within the business. Access should be removed to any resource that an employee no longer needs.
   Similarly, accounts belonging to employees who no longer work for the company should be deactivated or secured with a new password as quickly as possible. Ideally, account deactivation should be formally integrated into the company’s offboarding processes to ensure company data is secure when an employee leaves the organization.
3. Monitor user behavior
   Monitoring the behavior of users on the network can help organizations identify suspicious network activity and allow them to intervene early to minimize the impact of an insider attack. 
   User and entity behavior analytics tools, which model baseline behaviors for people and hardware within a network, can be used to identify abnormal patterns and automatically alert IT security personnel. Similarly, an intrusion detection system can be an effective way to monitor strategic points within the network and alert administrators of malicious activity or policy violations.
   According to an IBM Security X-Force Threat Intelligence report, 40 percent of suspected insider threats are detected through alerts generated via an internal monitoring tool. 
4. Secure your cybersecurity systems
   Even the most advanced cybersecurity solutions will be rendered useless if an insider has sufficient privileges to simply disable the security system. To mitigate this risk, organizations must ensure that all security controls are properly secured with an administrator password and/or multifactor authentication. This is particularly important for organizations that are responsible for managing the cybersecurity of other businesses, such as MSPs.
   Emsisoft Managment Console is secured with multifactor authentication (MFA). Emsisoft protection software can be further secured by setting an Administrator password. This ensures that even if an insider were able to gain access to Emsisoft Management Console and get the MFA code, they would still not be able to disable or delete or disable the protection software.
   
   To set an Administrator password, navgiate to:MyEmsisoft > Workspace > Protection Policies > Password toggle > Administrator password.The above step ensures that only those with Administrator privileges can change Emsisoft protection settings. After setting an Administrator password, limit the number of users with Administrator privileges by setting device-level access to ‘Basic access’:
   MyEmsisoft > Permission Policies > ‘Administrators’ group > Level > Basic access.See this blog post for more information on how to secure your antivirus software. 
5. Segment your network into subnet
   Network segmentation involves dividing a network into multiple segments or subnets, which each acts as its own small network. 
   The flow of traffic between segments can be tightly monitored and controlled, allowing organizations to limit unnecessary lateral movement. For example, a company’s development department may never need to access applications, files or network shares belonging to the marketing team, and vice versa. 
   Walling off parts of the wider network hinders insiders from pivoting to adjacent environments and can help reduce the impact of an attack.  
6. Physically limit access
   Access to important physical assets should also be limited. Access controls such as locks, security gates and turnstiles can be used in conjunction with key card entry systems, PIN codes, passwords and biometric readers to prevent insiders from accessing critical IT objects such as server rooms.
   Video surveillance systems with motion sensors should be used to monitor areas of interest, while geofencing can be useful for detecting when someone enters or leaves a predefined virtual boundary (e.g. the property, the building, or a zone within the building).
   Old hardware and documentation should be securely deleted or recycled in a way that renders their data irrecoverable. Old hard disks and other IT devices that used to contain particularly sensitive information should be physically destroyed to ensure the data they contained is gone for good. 
7. Include an insider threat awareness module in staff security training
   Organizations should provide regular training that focuses on educating personnel on the signs of potential malicious activity within the company. Common indicators of malicious insider activity may include:
   • Repeated attempts to access or download sensitive data.
   • Attempts to bypass established security procedures.
   • Remotely accessing the network at irregular hours.
   • Moving files to unusual locations.
   • Requesting access to resources unrelated to their primary job.
   • Transferring data outside of the company’s usual communications channels.
   • Working irregular hours without authorization.
   • Undue interest in matters unrelated to their main duties.
   • Closely watching another employee’s work screen over their shoulder.
   • Listening in on conversations or meetings.
   • Unusual requests. 
8. Work with HR to develop insider threat cybersecurity processes
   Organizations should aim to foster a positive culture for reporting and ensure every member of the team understands who to talk to in the event of a suspected incident.
   IT security personnel and HR should work together closely to develop strong termination and offboarding processes to ensure that all accounts are locked and company-owned devices are surrendered immediately when an employee leaves the organization.
   Depending on resources and company size, organizations should also consider establishing a threat management team to assess and, if necessary, intervene in potential insider threats. 

Further reading 

Please note that this article should be considered more of an overview of insider threats than an exhaustive guide. For more comprehensive resources, please see the Cybersecurity and Infrastructure Security Agency’s threat mitigation strategies.