Insider threat detection

Insider threat detection is a hot topic for a very good reason: incidents are becoming both more common and more costly. In fact, the 2022 Ponemon Cost of Insider Threats Global Report reveals that 67 percent of companies experience more than 20 insider threat incidents each year, and the average annual cost to organizations for this type of incident is $15.4M!

So, it’s no wonder more and more organizations are recognizing that being able to promptly spot and mitigate threats inside their network is vital for security, compliance and business continuity. But what exactly is an insider threat, and how can you build an effective insider threat detection strategy? Moreover, how does insider threat detection fit into your organization’s larger cybersecurity and cyber resilience strategy? Let me walk you through this critical topic.

What are the types of insider threats?

To implement insider threat detection, you need to know what you’re looking for. An insider is simply anyone with valid credentials in your network, such as a business employee, an IT pro or a contractor. And the insider threat can be divided into three categories:

  • Malicious insiders
  • Negligent insiders
  • Adversaries with stolen credentials

Malicious insiders

When people think of insider threat detection, they typically picture malicious insiders — users who deliberately misuse their access rights. One common scenario is an employee stealing proprietary data on their way out the door. For example, you’ve probably read about engineers at both Apple and Google affiliate Waymo stealing IP about self-driving vehicles to take to competitors. There are plenty of similar incidents of malicious insider data theft, including at Yahoo, McAfee and Proofpoint.

But profit from data theft is not the only goal of malicious insiders. Disgruntled insiders — especially those with privileged access rights — can actively sabotage their employer. One famous example is an admin at UBS PaineWebber who was unhappy with his bonus: He tried to sabotage the company’s stock price by planting a logic bomb that unleashed malware, knocking out 2,000 servers at 400 office branches.

Moreover, cybercriminals today are actively enticing employees into becoming malicious insiders. Ransomware gangs in particular bribe employees into helping them unleash ransomware in their company’s network in exchange for a percentage of the ransom payment (or, in the case of one plot against Tesla, a flat fee of $1M!). An employee with bills to pay and no particular loyalty to their company can be quite susceptible to accepting an offer to sell their credentials and thereby become an internal access broker.

Negligent insiders

Any effective insider threat detection strategy also needs to consider negligent insiders — users who misuse their legitimate access due to carelessness. Examples include:

  • Failing to secure sensitive data — Storing critical data in unencrypted format on laptops is one cause of breaches, such as one at Lifespan Health System.
  • Phishing — 84% of organizations fell victim to at least one successful email-based phishing attack in 2022.
  • Email mistakes — Accidentally emailing sensitive information to the wrong recipients is the top cyber-related cause of data breaches according to UK’s Information Commissioner’s Office. Another common error is exposing the recipients of bulk email by putting their names in the “To” field instead of the “Bcc” field.
  • Failing to follow security policies — Users who are focused on getting their work done will often bypass security controls that they consider onerous or unnecessary. For example, they’ll share data with a colleague via an insecure method if a secure option isn’t readily available.

It’s bad enough when a regular business user acts negligently — and it can be much worse when an admin or other user with elevated access privileges does so. For example, Microsoft admins inadvertently exposed login credentials that could have given adversaries access to the company’s Azure servers and other internal systems. Interestingly, it was a cybersecurity research firm that found these exposed credentials, not insider threat detection on the part of Microsoft itself. Another common mistake admins make is using their privileged account when they should be using their regular user account, which can leave their powerful credentials in a workstation’s memory for an attacker to scoop up and abuse.

Adversaries with stolen credentials

The third type of user that your insider threat detection strategy needs to address might seem counter-intuitive: adversaries from outside your organization. But the fact is, credential theft instantly transforms a malicious outsider into a malicious insider — and if you don’t have other controls in place, an adversary with stolen credentials will be able to access all the critical data and information that the account’s legitimate owner can access.

Hackers exploit a variety of attack vectors to get inside your network. For example, they still use good old-fashioned password spraying, credential stuffing and other brute-force attacks to take over user accounts. But today we are seeing more and more social engineering attacks, such as phishing and its variants such as spear-phishing, vishing and smishing. Attacks can be multi-layered; for example, adversaries used one social engineering attack to compromise the credentials of Twitter employees with access to internal systems, and then launched another social engineering campaign by tweeting from high-profile accounts and promising that all Bitcoin sent to an address they controlled would be doubled and sent back.

Who is at risk?

While the headlines tend to focus on incidents at large companies, it’s important to understand that the insider threat is a serious risk for all organizations, regardless of size. Indeed, attacks on small and medium businesses (SMBs) are increasing, in part because adversaries expect them to have less robust insider threat detection and protection measures in place.

Incidents at SMBs can be devastating to the victim organization, which may lack the financial wherewithal to survive the attack. But because of today’s complex supply chains, attacks on SMBs can also have a very broad impact. For example, a former VP of a medical packaging company chose to delete vital shipping data — delaying the delivery of personal protective equipment (PPE) to healthcare facilities during the COVID-19 pandemic. In other incidents, adversaries slip into an SMB’s network in order to then breach its larger customers and partners.

Which type of insider threat is the most dangerous?

As you plan your insider threat detection strategy, you might want to consider the relative frequency and cost of the different types of insider threats. According to the Ponemon study, negligent insiders are the root cause of most incidents, but credential theft incidents are the costliest to remediate. The table below provides the relevant stats from the report. It’s interesting to note that malicious insiders — the group most commonly associated with the term “insider threat” — do not actually top the list in terms of either frequency or cost of incidents.


You might also want to think about trends. The number of credential theft incidents has almost doubled in the past two years, while the number of incidents due to other insider threats has held nearly steady, with only a slight increase (malicious insiders) or a slight decrease (negligent insiders).

But the good news is that when it comes to your insider threat detection strategy, you don’t really have to choose to prioritize one type of insider threat over the others; as we’ll see in a moment, many insider threat detection and prevention best practices apply to all three types.

What is insider threat detection and why is it important?

Insider threat detection is the practice of identifying insider threats, whether they are malicious insiders, negligent insiders or adversaries using stolen credentials.

Insider threat detection is critical because of the high cost of data breaches: Ponemon reports that the average cost of a data breach in 2022 was $4.35 million — a nearly 13 percent increase from 2020. The total cost includes factors across four categories: lost business, detection and escalation, notification, and post-breach response. Here are just a few of the expenses that can result from a breach:

  • Revenue losses from system downtime
  • Cost of lost customers and acquiring new customers
  • Reputation losses and diminished goodwill
  • Assessment of regulatory response requirements
  • Expenses for notifying data subjects, regulators and other third parties
  • Help desk and inbound communications
  • Services for impacted customers, such as identity protection services or product discounts
  • Legal expenditures
  • Regulatory fines

The indicators of an insider threat

Organizations do not need just any insider threat detection; they need prompt and reliable insider threat detection. Simply put, the longer it takes to detect and contain an incident, the more it is likely to cost. Here are some of the key indicators to look for.

Behavior that’s unusual for anyone

First and foremost, an effective insider threat detection strategy needs to monitor for any suspicious activity. What makes activity suspicious? Well, some activity is outright suspicious, such as:

  • Account lockouts
  • Multiple failed logon attempts, even if followed by a successful logon
  • Attempts to transfer large volumes of data outside the network
  • Connection of unknown USB devices
  • Attempts to access forbidden URLs
  • Logon events outside of normal business hours
  • Access from known suspicious regions or locations where the organization has no business presence

In particular, there are clear indicators that mark the use of common hacking tools to move laterally from one machine to another or to escalate an account’s permissions. For example, your insider threat detection strategy needs to watch for:

  • Attempts to obtain a copy of the NTDS.dit file, which stores password hashes
  • Excessive LDAP queries
  • Use of Kerberos tickets with long lifetimes, which can be a sign of a Golden Ticket attack
  • Attempts to modify sensitive IT resources like the registry, security groups, Group Policy or software configurations
  • Direct assignment of administrative rights to a user account
  • Creation of new accounts
  • Attempts to change the password of a powerful or sensitive account
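The two lists above are exactly the kind of rules an auditing tool evaluates against the event stream. The following is an added example (not code from the article or from Quest) that applies a handful of those rules to a constructed, simplified sample of Windows Security log events. The event IDs are the standard ones (4625 failed logon, 4624 successful logon, 4740 lockout, 4720 account created, 4728 member added to a global group, 4724 password reset attempt); the field layout, thresholds, business hours and the sample data itself are assumptions made for the example.

```python
"""Rule-based insider threat indicators over sample Windows Security events.
Example code, not the article's own. Event IDs are the standard Windows ones;
record layout, thresholds and sample data are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event_id, subject_account, target_account, extra)
SAMPLE_EVENTS = [
    ("2023-03-06T08:55:00", 4625, "jsmith", "", {"src": "WS-14"}),
    ("2023-03-06T08:55:10", 4625, "jsmith", "", {"src": "WS-14"}),
    ("2023-03-06T08:55:20", 4625, "jsmith", "", {"src": "WS-14"}),
    ("2023-03-06T08:55:30", 4625, "jsmith", "", {"src": "WS-14"}),
    ("2023-03-06T08:55:40", 4625, "jsmith", "", {"src": "WS-14"}),
    ("2023-03-06T08:56:00", 4624, "jsmith", "", {"src": "WS-14"}),   # success after failures
    ("2023-03-06T23:40:00", 4624, "mjones", "", {"src": "WS-07"}),   # off-hours logon
    ("2023-03-06T10:02:00", 4740, "", "rlee", {}),                   # lockout
    ("2023-03-06T10:15:00", 4720, "svc-ops", "tmp-backup", {}),      # new account
    ("2023-03-06T10:16:00", 4728, "svc-ops", "tmp-backup", {"group": "Domain Admins"}),
    ("2023-03-06T10:20:00", 4724, "svc-ops", "Administrator", {}),   # reset of sensitive account
    ("2023-03-06T14:00:00", 4624, "agarcia", "", {"src": "WS-22"}),  # ordinary logon
]

SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Account Operators"}
SENSITIVE_ACCOUNTS = {"Administrator", "krbtgt"}
BUSINESS_HOURS = (7, 19)            # assumed 07:00-19:00 local time
FAILED_LOGON_THRESHOLD = 5          # failures within FAILED_LOGON_WINDOW
FAILED_LOGON_WINDOW = timedelta(minutes=10)


def parse(events):
    """Convert the constructed tuples into time-ordered records."""
    parsed = [(datetime.fromisoformat(ts), eid, subj, tgt, extra)
              for ts, eid, subj, tgt, extra in events]
    return sorted(parsed, key=lambda r: r[0])


def detect(events):
    """Return (rule, account, timestamp) alerts for the indicators in the article."""
    alerts = []
    recent_failures = defaultdict(list)   # account -> timestamps of failures in window
    for ts, eid, subj, tgt, extra in parse(events):
        if eid == 4625:
            window = [t for t in recent_failures[subj] if ts - t <= FAILED_LOGON_WINDOW]
            window.append(ts)
            recent_failures[subj] = window
            # Fires once when the threshold is reached; a later 4624 does not cancel it.
            if len(window) == FAILED_LOGON_THRESHOLD:
                alerts.append(("repeated_failed_logons", subj, ts))
        elif eid == 4624:
            if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
                alerts.append(("off_hours_logon", subj, ts))
        elif eid == 4740:
            alerts.append(("account_lockout", tgt, ts))
        elif eid == 4720:
            alerts.append(("account_created", tgt, ts))
        elif eid == 4728 and extra.get("group") in SENSITIVE_GROUPS:
            alerts.append(("privileged_group_add", tgt, ts))
        elif eid == 4724 and tgt in SENSITIVE_ACCOUNTS:
            alerts.append(("sensitive_password_reset", tgt, ts))
    return alerts


if __name__ == "__main__":
    for rule, account, when in detect(SAMPLE_EVENTS):
        print(f"{when:%Y-%m-%d %H:%M}  {rule:<26} {account}")
```

Note that the failed-logon rule deliberately keeps its alert even when a successful logon follows, matching the first list above; in a real deployment the business-hours window and the sensitive group and account sets would come from your own environment rather than the constants used here.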

Behavior that’s unusual for a particular individual or group

To avoid alert fatigue, it’s important for your insider threat detection program to be able to further assess actions in the context of what’s normal for a given individual or their group. For example, if your sales teams are constantly traveling, seeing them log on from locations across their assigned region is expected, and only logins from outside that region should be deemed suspicious. But for individuals or teams who normally log on from only one particular site, any access attempt from another location could be a sign that their account has been compromised and is therefore worthy of an alert.

Similarly, individuals and teams tend to have a regular pattern in what data and applications they use. If a user suddenly downloads far more files than usual or accesses content their team rarely uses, you have good reason to suspect they might be exfiltrating data to take to a competitor or sell to the highest bidder. Requests for access to additional sensitive resources can be another indicator of an insider threat.
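To make the baselining idea in the last two paragraphs concrete, here is an added example (not code from the article or from Quest) that scores constructed activity records against two baselines: the regions a user's group normally logs on from, and the user's own daily download history. The group profiles, user-to-group mapping, history and "today" observations are all constructed, and the three-sigma threshold is an assumption, not a recommendation from the article.

```python
"""Baseline-relative checks for location and data-volume anomalies.
Example code, not the article's own; all profiles and observations are constructed."""
from statistics import mean, pstdev

# Constructed group profiles: regions a group is expected to log on from.
GROUP_PROFILES = {
    "sales-west": {"regions": {"US-CA", "US-OR", "US-WA", "US-NV"}},  # travelling team
    "finance":    {"regions": {"HQ"}},                                  # single site
}
USER_GROUP = {"agarcia": "sales-west", "rlee": "finance"}

# Constructed daily file-download counts for the trailing 10 working days.
DOWNLOAD_HISTORY = {
    "agarcia": [12, 15, 9, 14, 11, 13, 10, 12, 16, 11],
    "rlee":    [3, 4, 2, 5, 3, 4, 3, 2, 4, 3],
}

# Constructed observations for "today".
TODAY = [
    {"user": "agarcia", "region": "US-NV", "downloads": 14},    # normal for sales-west
    {"user": "rlee",    "region": "HQ",    "downloads": 3},     # normal for finance
    {"user": "rlee",    "region": "BR",    "downloads": 3},     # finance never logs on from BR
    {"user": "agarcia", "region": "US-CA", "downloads": 240},   # far above personal baseline
]


def location_anomaly(user, region):
    """True when the region is outside what the user's group normally uses."""
    expected = GROUP_PROFILES[USER_GROUP[user]]["regions"]
    return region not in expected


def download_anomaly(user, count, k=3.0):
    """True when today's count exceeds mean + k*sigma of the user's own history.
    A flat history (sigma 0) falls back to 'anything above the historical max'."""
    hist = DOWNLOAD_HISTORY[user]
    mu, sigma = mean(hist), pstdev(hist)
    threshold = mu + k * sigma if sigma > 0 else max(hist)
    return count > threshold


def score(observations):
    """Return (user, region, reasons) for every observation that breaks a baseline."""
    findings = []
    for o in observations:
        reasons = []
        if location_anomaly(o["user"], o["region"]):
            reasons.append("logon outside the group's usual regions")
        if download_anomaly(o["user"], o["downloads"]):
            reasons.append("download volume far above personal baseline")
        if reasons:
            findings.append((o["user"], o["region"], reasons))
    return findings


if __name__ == "__main__":
    for user, region, reasons in score(TODAY):
        print(user, region, "; ".join(reasons))
```

The point of the group profile is the one the article makes: the same logon region is expected for the travelling sales user and suspicious for the finance user, so a single global rule would either miss the latter or flood you with alerts on the former.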

The most common methods of insider threat detection

The core of insider threat detection is auditing activity in the IT ecosystem: collecting, consolidating, normalizing and analyzing huge volumes of event data. Many organizations invest in a security information and event management (SIEM) solution to help, but those tools can be expensive to deploy and maintain, and they often generate so many false positive alerts that security teams can be overwhelmed.

For more targeted insider threat detection, you need a software solution that employs user behavior analytics (UBA) to establish baselines of normal user behavior and flag true threats with far more accuracy. Moreover, you need an Active Directory auditing solution that covers your entire hybrid environment and automates many of the core tasks involved.

Of course, another key part of an insider threat detection program is being prepared to quickly investigate threats and respond appropriately. You need to be able to quickly determine where a breach originated, how it unfolded, and exactly what systems and data were involved. That way, you can quickly take steps to block further damage, remediate improper changes and other activity, and hold individuals accountable for their actions.

But not all insider threat detection involves technical controls. You should also be on the lookout for signs that employees are poorly trained, inattentive or disgruntled. For example, consider it a potential security threat if employees exhibit evidence of:

  • Overwork or burnout, which can lead to errors
  • Unhappiness with their salary or working conditions
  • Drug or alcohol abuse
  • Financial difficulties

Preventing and recovering from insider threats

It’s vital to be able to promptly detect threats inside your IT environment — but it’s even better to prevent them in the first place. And it’s also crucial to be able to quickly recover from insider threats, whether that’s quickly reverting a single change to a user’s permissions or restoring your entire Active Directory forest. Let’s look briefly at both of these key areas that complement insider threat detection.

Insider threat prevention

To mitigate your risk from insider threats, it’s important to follow best practices for securing your IT environment. In particular, be sure to:

  • Rigorously enforce the least-privilege principle — Least privilege is one of the most fundamental cybersecurity best practices. Simply put, insiders cannot steal data or damage systems, either negligently or maliciously, if they cannot access those IT assets. Provision each account with only the permissions required for the user’s role and review all rights assignments regularly. In addition, be vigilant about removing accounts that are no longer needed, since threat actors often try to take over such accounts to avoid detection.
  • Implement attack path management and mitigation — It’s vital to think about not only the access that each account currently has, but the access it could easily acquire. Unfortunately, in most IT environments, a malicious insider or an adversary with stolen credentials is quite likely to be able to elevate their rights from ordinary user to Domain Admin in just a handful of steps, by taking advantage of factors like nested group membership. Fortunately, you can map out attack paths and identify the choke points you need to mitigate in order to reduce your risk from insider threats.
  • Pay particular attention to privileged accounts — Groups like Domain Admins, Enterprise Admins and Account Operators provide their members with enormous amounts of privilege in your IT environment, so it is critical to minimize membership in these powerful groups. In addition, it’s important to implement both technical and procedural controls to limit where and how administrative credentials are used. Administrators should never use their privileged accounts to log into workstations, not even their personal machines, because doing so leaves their password hash in memory for attackers to steal; privileged accounts should only log into secure privileged account workstations (PAWs).
  • Don’t forget about service accounts — The accounts used to run IT services often have far more privileges than they actually need, so be sure to follow service account best practices. In particular, regularly assess their permissions and delete any service accounts that are no longer needed. Whenever possible, use managed service accounts (MSAs), either standalone MSAs (sMSAs) or group MSAs (gMSAs); MSAs provide automated password rotation and are restricted from being used interactively, limiting their value to an adversary who compromises them. And don’t allow admins to use their personal accounts as service accounts.
  • Protect Group Policy — Administrators use Group Policy to manage users and computers across the domain. By modifying a single GPO setting, a malicious or negligent admin could make it easy for adversaries to steal valuable data, deploy malware and even destroy the evidence of their activity afterwards. Effective Group Policy management includes cleaning up your GPOs so they are clear and well organized, understanding where they are linked, and carefully reviewing them both on regular schedule and any time there are significant changes to your IT ecosystem. In addition, it requires building approval-based Group Policy workflows to help ensure all changes are both authorized and accurate, as well as using a solution that can prevent anyone from changing your most critical GPOs.
  • Begin (or continue) your Zero Trust journey — A Zero Trust security strategy begins with acceptance of the fact that there are already insider threats in your network. After all, remember that even well-intentioned business users and admins can become insider threats through negligence! By implementing Zero Trust best practices like unified identity management, context-based multifactor authentication (MFA), Azure AD Conditional Access policies, segregation of duties (SoD) and network segmentation, you can dramatically reduce the risk from both negligent and malicious insider threats.
  • Protect your endpoints — Credential theft often begins on endpoints. Check out this blog to learn about mitigating insider threats impacting endpoint security.
  • Provide regular, relevant cybersecurity training — Ensure that everyone in the organization attends regular cybersecurity training. Ideally, the training should be relevant to an individual’s role; for instance, examples about leaking information to clients and partners will not resonate particularly well with employees whose roles don’t involve interacting with those people. Be sure to teach everyone how to spot and report suspicious activity, as well as to measure the success of your training through regular testing, such as simulated phishing email campaigns.

Backup and recovery

It’s also crucial to be prepared in case your insider threat detection and prevention measures do not block or contain all threats. Indeed, backup and recovery is a key pillar not just for defending against insider threats but for cyber resilience: keeping your IT environment up and running as much as possible — and getting it back up and running quickly when a disruption does occur. For a true enterprise backup and recovery strategy, you need both quick granular restoration of individual objects and attributes, as well as fast recovery of your entire forest in case of a disaster.

Insider threat detection is everybody’s job!

While you might have come to this article believing that insider threat detection and prevention is the exclusive responsibility of IT cybersecurity teams, I hope you now know otherwise. In particular, it’s clear that business users play a vital role in reducing incidents related to negligence. They need to pay close attention to cybersecurity training and not succumb to the temptation to bypass security controls. If a security control seems unnecessary or overly complicated, ask about it. Remember that cybersecurity pros are tasked with the tough job of balancing security and productivity, and they are usually open to feedback — if they can provide a secure approach to meeting the needs of users, they will be highly motivated to do so, since that will reduce the likelihood of breaches from user workarounds.

Leadership teams are also vital. Indeed, building a cybersecurity-centric culture requires the enthusiastic support of the C-suite, not just for funding, but for ensuring that everyone takes the problem seriously. They also can shift how IT success is measured. Too many organizations are laser-focused on the “five 9s,” or 99.999% uptime. Leaders have to build a culture that accepts some downtime in exchange for getting security done right. For example, prompt patching of zero-day threats is critical even though it can sometimes be an inconvenience, and automating response to threats carries some risk of disrupting business processes but is still worth doing. It’s up to IT teams to communicate the risks and benefits clearly, and to provide metrics that enable leaders to understand the success of the efforts they’ve funded and championed.

By working together, organizations can dramatically reduce the risk from all three kinds of insider threat.


About the Author

Bryan Patton

Bryan Patton is a Principal Strategic Systems Consultant at Quest Software. For nearly 20 years he has helped customers shape their Microsoft environments. With particular emphasis on Active Directory and Office 365 environments, Bryan specializes in Identity and Access Management, Data Governance, Migration, and Security, including Certified Information Systems Security Professional (CISSP) certification.
