Know Your Enemy: How to Prepare and Respond to Insider Threats

by @immuniweb

by Ekaterina Khrustaleva, COO, April 5th, 2022
Too Long; Didn't Read

Recent studies have shown that most incidents related to malware, phishing, or insecure browsing are caused by a small group of employees and, of those people, far too many are repeat offenders. Here's how to protect your business and data from insider threats.

When it comes to cyber protection, organizations should pay attention to many digital risks, not least of which is the insider threat. Recent studies have shown that most incidents related to malware, phishing, or insecure browsing are caused by a small group of employees, and those individuals tend to be repeat offenders.

The research found that 4% of employees clicked 80% of phishing links, and 3% were responsible for 92% of malware events, while 96% of staff never experienced a malware incident at all. Meanwhile, 12% of users made repeated attempts to visit websites that violate their organization’s browsing policy.

Interestingly, the offenders responsible for phishing incidents, malware events, and illicit browsing are not necessarily the same people. According to the report, 9% of users exhibited high risk in only one category, and as few as 0.052% of employees fell into the high-risk category for all three activities.

Even federal agencies like NASA that should be able to counter the most advanced cyber threats are not immune to insider risks. An audit by NASA’s Office of Inspector General (OIG) revealed that, while the agency has implemented an insider threat program that covers classified systems, the vast majority of the agency’s IT systems (including many containing high-value assets or critical infrastructure) are not covered by the program, which puts them at “a higher-than-necessary” risk.

What is an insider threat?

An insider threat is a security risk that originates from within an organization. This could be from employees, former employees, contractors, business partners, or vendors who have legitimate access to the organization’s systems, networks, and data.

Nobody is safe from the wide spectrum of malicious insider activities. Security measures such as the four-eyes principle, anomaly detection, role-based access to sensitive data, two-factor authentication, continuous monitoring, and employee vetting can reduce those risks, but not eliminate them. Many organizations trust their employees and tend to ignore internal automated security alerts. Often, employees are tricked by cybercriminals into helping them get inside corporate networks.

Two types of insider threats

1. Malicious insider

There are two main types of insider threats. A malicious insider is someone who misuses their access to the company’s systems to steal data for financial or personal motives. Malicious insiders may work alone or in cooperation with external parties, such as competitors or hacker groups. Insider threat statistics show that 29% of malicious insiders commit theft for financial gain, while 9% are driven by the desire to commit sabotage.

2. Negligent insider

The other type is a careless (negligent) insider or innocent user who unknowingly exposes the system to outside threats. Employee negligence is one of the most common types of insider threats. This includes users who usually exhibit secure and compliant behavior, but occasionally make mistakes and don’t realize that until it’s too late.

The term “careless insider” also refers to users unresponsive to cybersecurity awareness training who exhibit risky behaviors that pose a danger to their organization.

Recent research suggests that negligent users were the root cause of 56% of insider threat incidents, costing on average $484,931 per incident, while malicious insiders were behind 1 in 4 incidents (26%) at an average cost of $648,062 per incident.

Over the past two years, the number of insider threat incidents has seen a 44% increase, with costs per incident up more than a third to $15.38 million.

What motivates insider attacks?

Insider threats can lead to significant reputational damage and financial loss related to data breaches, intellectual property theft, or as mentioned above, sabotage.

Furthermore, employees’ desire to earn money can even threaten state security, as in the case of the Israeli technology firm NSO Group’s former employee who stole the company’s intellectual property, including source code for the Pegasus spyware, and tried to sell it for $50 million over the Darknet. This incident is a glaring reminder to businesses of why it’s imperative to deprovision employees facing dismissal and protect assets.

In another incident, a former Cisco employee received a two-year prison sentence in December 2020 after he accessed the Cisco Systems cloud infrastructure without authorization and deployed malware that deleted over 16,000 user accounts and caused $2.4 million in damage.

Hacker attacks pose the most risk to organizations. But sometimes they may be a smokescreen to conceal sophisticated insider threats. One such case involved a financial company that fell victim to a web security incident allegedly carried out by a well-known hacktivist group. That financial organization contacted our team at ImmuniWeb to investigate the incident. One of the company’s web portals had been defaced with insulting slogans criticizing the company for globalization, and all the website content the attackers had access to was wiped out.

The first internal notification about the incident came from a web administrator who had worked at the company for 15 years. It contained a link to a zone-h defacement mirror and stated that hacktivists had compromised and backdoored the server, urging a server re-installation from scratch. As the attackers were supposedly known, he recommended skipping the formal investigation process to reduce the server’s downtime. His management gave the green light to move forward without properly mirroring the system for a later forensic investigation.

Although the company’s IT team considered it obvious who the perpetrator behind the breach was, some inconsistencies discovered during our investigation suggested that the incident was not as simple as it seemed at first sight. Digging further, we found that the real culprit was the web administrator who had worked at the company for 15 years and was considered a loyal employee.

It was discovered that a few months before the incident the administrator had been approached and offered an attractive price to sell corporate data. Under the pretense of going to a security conference, he crossed the border to a neighboring country and selected a discreet place without video surveillance to connect to public Wi-Fi. He then ran a security scanner on the web application to simulate pre-attack probing.

The next day, when everybody else had left the office, he logged into the web application’s admin interface (without passing through the public WAF gateway) and carried out the “defacement”. He then created the defacement mirror and locally erased the entire content of the web root directory along with the web server logs. Because, as a trusted employee, he already had permission from his company to do so, he used those permissions to reinstall the virtual machine hosting the web server, making further forensics almost impossible.

The insider threat is a long-standing problem in all companies and organizations. It is exacerbated by the complexity and cost of security controls and remedies: protecting your internal systems from malicious authorized employees is very complicated compared to defense from external attacks. Many enterprise systems do not have security controls that can be integrated to prevent malicious insider activities or innocent human mistakes.

One of the available solutions is continuous monitoring of employees’ abnormal activities. Machine learning and AI technologies can simplify this task. For example, they can notice when someone is accessing too many CRM records at once or downloading a colleague’s datasheets. But it is unlikely that this will prevent a company’s employees from reading confidential customer data if they are authorized (but not required) to do so.


Only a few years ago, sophisticated cybercrime-related theft committed by insiders was a new and emerging trend that we rarely observed. But as the scope of digital attacks, their vectors, and their complexity grow, so too does the insider threat. With that in mind, it’s good to remember that corporate cybersecurity is not rocket science and can be managed quite well with a common-sense approach.