Taking Action Against the Insider Threat

A SANS Whitepaper
Written by Eric Cole, PhD
October 2016
Sponsored by Dtex Systems

Most organizations tend to focus on external threats, but insider threats are increasingly taking center stage. Insider threats come not only from the malicious insider, but also from infiltrators and unintentional insiders. Why are insider threats so common, and why do they have such a significant impact? What distinguishes the different types of insider threats, and how much risk does each constitute?

Introduction

When most organizations perform risk analysis and enumerate threats, they immediately focus on external threats. The media and cyber professionals often overhype foreign adversaries, competitors and organized crime as the main sources of concern; however, it is important to understand which threat causes the most damage to an organization: the insider threat.

Sidebar: The Insider Email Becomes the Insider Threat

Imagine a user at his desk working before he leaves for the weekend. An email arrives from a potential customer asking for additional information about the company's products, with details provided in an attachment. The user opens the attachment and sees that this individual is looking for information about the company's gateway solution product. Since this is a common request, the company has a pre-written response. After pasting the information into the reply, attaching the documents and hitting "send," the employee resumes his previous activity.
Instead of an email from a customer with an attachment, the message could just as well have come from a supervisor or co-worker with an embedded link or embedded script. Regardless of the specific details, this scenario plays out often in most organizations. The problem arises when the email is not from a customer but from an adversary posing as one. When the attachment is opened, the system is compromised and the adversary can use it as a pivot point for causing further damage.

The 2016 Cost of Data Breach Study noted that 48% of breaches were caused by outside attackers and malicious insiders; 25% of the incidents reported by survey respondents were caused by negligent employees or contractors.[1] The cost of these breaches averaged $4 million per incident, with an 18% higher per-capita (per-record) cost than in 2013.[2] The 2015 Cost of Cybercrime Study found that malicious insiders were the source of the most costly attacks, at approximately $144,000 per incident.

The insider threat is the silent killer for most organizations. Most people associate insider threats with malicious, deliberate insiders; however, the larger problem is the accidental or unintentional insider, and cases in which an external entity manipulates a trusted insider. As a result, many organizations spend a lot of money fighting perceived threats while not fixing the problems that damage the organization in a very real way.

Ultimately, security is about controlling and protecting the data critical to an organization. Employees and contractors have access to that data, so adversaries have learned that targeting insiders is the easiest means of compromising an organization. While network security devices are important and play a key role in defense in depth, effective security also includes studying and acting on user behavior. There are distinct differences between legitimate, authorized behavior and unauthorized activity.
By closely understanding and tracking user behavior, anomalies can be detected and the damage caused by an insider threat can be contained. The challenge with an insider email attack is that it is very easy to perform and very hard to detect (see sidebar). The user has no idea that he has been compromised, because this type of attack bypasses most traditional endpoint and network security devices. This is why organizations are often compromised for more than a year without realizing it.

SANS ANALYST PROGRAM
[1] 2016 Ponemon Cost of Data Breach Study: Global Analysis, June 2016
[2] 2015 Ponemon Institute Cost of Cybercrime Study: The Threats vs. Defenses Gap, October 2015

External vs Internal Threats

When most organizations think of security and of the threats that could cause them the most damage, they immediately picture external threats, because of the attention commonly paid to external entities such as foreign governments, outside adversaries, competitors or organized crime that target and attack organizations. But insider threats are often just as problematic in terms of lost data and other repercussions. Unfortunately, many organizations cannot detect the insider threat, and it is difficult to fix a problem you cannot see. By gaining better visibility into traffic flow, properly controlling access to critical information and monitoring user activity, proper protection against the insider threat can be implemented.

To understand the scope of the problem, it is important to differentiate between the source of a threat and the cause of damage. Traditionally, attackers would scan an organization's public IP address range to find visible systems. From there, they would identify listening services, exploit a vulnerability and break into a system that was believed to be protected.
They could then gain access to additional areas of the organization, causing more damage. This approach worked well many years ago, but it is far less effective today because organizations have invested significant resources in locking down Internet-facing systems. In addition, more segmentation has been put in place, which makes this a very difficult proposition for an adversary. Today it is much easier for an adversary to target an individual within the network, compromise that person's system and thereby gain access to the organization. Why should an adversary try to break into secured, hardened systems when he can easily target the unsecured insider? The variations of this, malicious and unintentional insiders, are addressed later in this paper.

Types of Insider Threats

Insider threats fall into one of two general categories:

• Deliberate/malicious insider. When most people think of an insider threat, they immediately think of the malicious insider: someone who deliberately causes harm to an organization. Examples include Edward Snowden and Aldrich Ames, who were deliberate, malicious insiders working as a contractor and an employee, respectively, for the United States government.

• Accidental insider. An accidental insider is someone who is tricked or manipulated into doing something that ultimately harms the organization. Some people further divide accidental insider threats into "the infiltrator" and "the ignorant insider." The infiltrator case occurs when an adversary accesses a user's system or steals credentials to gain access to a system. The ignorant insider case occurs when an adversary convinces the user to click a link or open an attachment, which ultimately compromises the user's system.
Since both cases stem from a user action that ultimately results in a system or account being compromised, we group these threats together. Whether we are discussing the malicious insider or the accidental insider, in both cases the adversary will often install various tools on the system and try to bypass security controls. The adversary will also access and compromise critical information. The good news is that these types of insider threats follow distinct patterns. The bad news is that most organizations have not focused on finding and preventing such attacks.

A More Deliberate Insider Attack

An employee can become a malicious insider threat because of job frustration, persuasion by a competitor trying to hire him or a financial motive. Given the lack of security and control around critical information, the malicious insider will often copy large amounts of proprietary data to the cloud, a USB device or a personal device. While this seems very simple and basic, it is extremely effective and happens on a regular basis. When concerned about the insider threat, ask yourself these questions:

• Do you know all the locations where your critical data resides?
• Do you know who has access to your critical data?
• What is the probability that critical data resides on personal devices?
• What is the probability that critical data resides on employees' home devices?

A second type of insider attack occurs when an adversary selects a target within the organization. The adversary performs extensive research to discover specific details about the insider's job and personal life that can be used in a well-crafted, legitimate-looking email containing an embedded link or an attachment. When the user clicks the link or opens the attachment, the user's system becomes infected or the credentials are stolen. Once again, the attack vectors are simple but very effective.
Insider Threat Kill Chain

To build effective defenses against the insider threat, it is critical to understand how the adversary works and operates. The insider threat kill chain shows how the insider threat operates. See Figure 1.

Figure 1. The Insider Threat Kill Chain: Step 1 Reconnaissance or information gathering; Step 2 Develop attack model; Step 3 Determination of attack method; Step 4 Attack/exploitation; Step 5 Longevity/maintaining access; Step 6 Pivoting and internal reconnaissance; Step 7 Hiding/covering their tracks.

The following steps detail the insider threat kill chain:

STEP 1 Reconnaissance or information gathering. Especially with the accidental insider threat, reconnaissance is critical for an attack to succeed. This step involves finding a target within the organization and gathering as much information about him as possible, including using social media to identify supervisors and co-workers as well as the key projects on which the target is working. Details about the target's personal life are also important to the adversary.

STEP 2 Develop attack model. Once detailed information has been gathered about the target, the adversary analyzes it and determines how he will attack. A key component of building the model is understanding how people respond and react in a given situation, known as predictable response. Knowing how someone will respond to a specific stimulus allows the adversary to construct an attack model in which compromise is all but assured, because the target's response to a given stimulus can be predicted. Most employees, for example, will always open email from the boss.
STEP 3 Determination of attack method. After the model is built, the specific delivery method is chosen. This is typically an email with an embedded link or an attachment. Delivery can be as simple as a single email message, or it can be a hybrid attack: a complex combination of physical targeting, phone exploitation and additional social engineering.

STEP 4 Attack/exploitation. The success of an attack is predicated on proper reconnaissance and planning. If the prior steps were executed correctly, the adversary now has access to an account or system at the target organization. The ultimate goal of an attack is to gain access to critical data and compromise it through aggregation and exploitation. During the attack, the adversary targets key data and exploits it in some manner, which could include modifying, deleting or copying it.

STEP 5 Longevity/maintaining access. A typical adversary does not want to exploit a system for only a short period. The attacker wants to stay in the network as long as possible, constantly monitoring and exploiting information. Therefore, after the initial compromise, the adversary creates backdoors or additional means of regaining access, providing multiple points of entry and alternatives in case the target organization fixes or closes the initial vulnerability.

STEP 6 Pivoting and internal reconnaissance. In many attacks, the initial point of compromise is not the ultimate target. A backend database might not be directly reachable by the adversary, for example, so the adversary must break into a client system and, once inside the network, pivot deeper and deeper until he finds the target system.

STEP 7 Hiding/covering their tracks. An adversary does not want to get caught.
Therefore, once he has broken in and caused harm, he will want to hide any traces of his activity to make detection harder for the target organization. This includes deleting logs and modifying files so that no evidence of the attack is left on any system in the network.

This knowledge of how the adversary works and operates can be used to build effective defenses for combating the insider threat.

Dealing with the Insider Threat

To combat the insider threat, organizations need to implement a different type of solution. Firewalls, IDS, IPS and security information and event management (SIEM) are good for detecting certain types of attacks, but these controls have several limitations, including the following:

• They look for signatures or set patterns of attack. If the adversary keeps changing how he attacks, including launching unique attacks, one of which is the insider threat, many of these technologies fall short.

• They look for attacks occurring on the network. The challenge with an insider threat is that the person committing the act is a trusted insider using his privileges in an authorized manner. Accessing data is not deemed an attack, because the actions that make up the attack are the same ones normal users perform, yet that is exactly how the adversary works.

• Firewalls, IDS, IPS and SIEM look for external attacks and may not see activity on the endpoint. Copying data to an unsecured USB device is an example of an insider threat that cannot be detected with those controls.

Dealing with the insider threat, then, requires a combination of context, user behavior, anomaly tracking and detection, as shown in Figure 2.

• CONTEXT: Understand the surrounding activity and the reason why certain actions are being performed.
• DETECTION: Preventing an insider threat is very difficult; the goal is early detection to control damage.
• USER BEHAVIOR: A baseline of user behavior is critical in order to understand "normal" behavior.
• ANOMALIES: Anything that differs from "normal" behavior or is unusual needs to be tracked.

Figure 2. The Keys to Addressing Insider Threats

Detect, Control and Minimize the Insider Threat

The following are effective measures for detecting, controlling and minimizing the damage caused by an insider threat:

Data visibility. The difference between a minor attack and a major attack is the amount and sensitivity of the data that was exploited. Ultimately, any insider threat will look for critical data and exploit it. Therefore, knowing where all the data is located, and what the normal access patterns are, provides key indicators that can be used to find an insider threat.

Understanding vulnerabilities. Many insiders already have access to and understand the environment in which they operate, including detailed knowledge of vulnerabilities or weaknesses that can be exploited. Most security teams run regular vulnerability scans, and the results are often accessible internally. For deliberate/malicious insiders, this provides valuable information not only for exploiting systems, but also for bypassing monitoring and launching an attack undetected. Treat scan output as sensitive data in its own right and restrict who can read it.

Baseline behavior(s). An insider threat is a person, or an account acting on behalf of a person, performing actions on a computer or across a network. Most employees' behavior is similar day to day and week to week. When an insider either goes rogue (malicious insider) or has his credentials compromised (accidental insider), his behavior patterns change, because the mission has changed from performing his job routinely to causing harm.
Only with a baseline of "normal" activity can potential deviations be detected. Anomaly detection is such a powerful technique for detecting an insider threat that it is covered in detail in the next section.

Develop clear metrics. A key component of baselining user behavior is determining the metrics used to track and monitor that behavior. Login time, logout time, number of files accessed and type of information accessed can all be used to detect unusual behavior.

Understand the context. With external attacks, the line between good and bad activity is very clear. An external entity should be accessing your web page, for example, but should never be running software that tries to log in with 500 different passwords in a short time. Typical preventive measures are therefore very effective. With an insider threat, the user performs a normal set of actions, but the context in which he executes them is quite different. For example, one user accesses files for project A because she is actively working with the client. This is quite different from a user who accesses files for project B, a project he has not worked on for several months, and then immediately copies the information to a USB drive. In both cases the access is similar, but the context makes these very different situations.

Determine the risks. The driving factor for any threat is the overall risk to the organization. If there is suspicious activity but no critical information is accessed, no further action may be required. But if a user is accessing very critical information worth a significant amount of money, immediate action is required. In reality, it is impossible to prevent all attacks, especially when the individual who presents the threat already has access and the means and methods to carry it out. Therefore, timely detection is the key to controlling damage from an insider threat.
Effective incident response will play a key role in determining what happened, helping practitioners learn what went wrong and minimizing the chances of it happening again. Your incident response plan should explicitly address the attack vectors used by the insider threat.

Behavioral Analytics and Context

When an endpoint or user credentials become compromised, there are distinct differences between the sequence of activities a normal user performs and those an adversary performs. By carefully monitoring and tracking changes in behavior, including data access, applications, services and network activity, those differences can be detected and used to indicate that a compromise has occurred.

When using behavior analytics tools, it is important to track both host- and network-based anomalies, because both provide value. In addition to anomalies, analytics can provide correlations between, or insights into, the sequence of events performed by a user. Looking at single data points has some initial value, but the real benefit of increased accuracy and fewer false positives comes when anomalies and event sequences are used together. Accessing a file, for example, is a normal user activity. Just because a user accesses a file does not mean the user is an insider threat; however, by looking at all of the other actions performed by this user, these varied actions can be put in proper context to determine whether there is indeed a threat and whether action is required.

From a host-based perspective, it is important to carefully monitor what is happening on the system and detect subtle differences in activity or behavior. Files and applications that open at system boot are critical to track. One of the goals of an adversary is to maintain persistence, which is achieved by running malicious code when the system starts.
Because there are only a finite number of ways that programs can run at boot, this is an easy area to monitor and track. From a network perspective, a compromised system will often establish a command and control (C2) channel so the adversary can continue to monitor the system and cause additional harm. These connections are often fully encrypted, go to IP addresses that are not associated with legitimate or normal sites, and often are not tied to any domain name. Therefore, by carefully monitoring network connections, including DNS lookups (and their absence before a connection), suspicious activity can be detected.

This general activity of looking for compromised systems is referred to as hunting. Threat hunting is the act of aggressively tracking and eliminating cyber adversaries as early as possible, and it is a key component of mitigating damage. There is no such thing as an invisible adversary. By carefully monitoring and tracking the system, the dwell time (the amount of time an adversary is on a system) can be reduced, helping to limit any damage.

While host- and network-based analytics provide value, the real value comes when this information is combined with analytics on data access. Because the ultimate goal of an adversary is exploitation of data, building analytics and looking for anomalies around data access is a key way to stay one step ahead of the adversary.

Catching the Insider with Behavioral Analytics

With both a deliberate insider and an accidental insider, there are clear differences in behavioral patterns. By monitoring the analytics behind the behavior, organizations can do a more effective job of detecting and minimizing the damage caused by the adversary. The most damaging part of an attack is the compromise of critical or sensitive information. Therefore, the best analytics focus on metrics around successful and failed access attempts to critical information.
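The host- and network-side hunting checks described above, as an added example that is not code from the paper, from SANS or from Dtex Systems: it diffs a baseline snapshot of autostart entries against a current one (the finite set of boot locations is what makes that cheap), flags outbound connections that no DNS answer preceded, and picks out destinations contacted at clockwork intervals. Every snapshot, hash, IP address and timestamp is constructed inline; the internal-network list, the one-hour DNS window and the 10% jitter tolerance are assumptions.

```python
"""Added example (not part of the SANS paper or any Dtex product): host- and
network-side hunting checks over constructed inline data.  All names, paths,
hashes, IPs and timestamps below are made up."""
import hashlib
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def digest(content: bytes) -> str:
    """Stand-in for hashing the file an autostart entry actually launches."""
    return hashlib.sha256(content).hexdigest()


# Constructed autostart snapshots: location -> {entry name: hash of launched file}.
# Real collection reads Run keys, services, scheduled tasks, cron, systemd units
# and the like; the finite set of locations is what makes the diff cheap.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
BASELINE_AUTOSTART = {
    RUN_KEY: {"OneDrive": digest(b"onedrive-setup v1")},
    "/etc/cron.d": {"backup": digest(b"0 2 * * * root /usr/local/bin/backup")},
}
CURRENT_AUTOSTART = {
    RUN_KEY: {
        "OneDrive": digest(b"onedrive-setup v1"),
        "WindowsUpdateHelper": digest(b"rundll32 C:\\Users\\Public\\wuh.dll,Run"),  # new
    },
    "/etc/cron.d": {"backup": digest(b"0 2 * * * root /tmp/.x/backup")},  # retargeted
}


def autostart_changes(baseline, current):
    """Diff two snapshots; returns sorted (kind, location, entry) findings."""
    findings = []
    for loc, entries in current.items():
        base = baseline.get(loc, {})
        for name, h in entries.items():
            if name not in base:
                findings.append(("new", loc, name))
            elif base[name] != h:
                findings.append(("modified", loc, name))
    for loc, entries in baseline.items():
        for name in entries:
            if name not in current.get(loc, {}):
                findings.append(("removed", loc, name))
    return sorted(findings)


def t(s):
    return datetime.fromisoformat(s)


# Constructed logs.  DNS_LOG: answers observed on the host (time, qname, ip).
# CONN_LOG: outbound connections (time, dst_ip, dst_port, bytes_out).
DNS_LOG = [(t("2016-10-03T09:00:12"), "mail.example.net", "203.0.113.7")]
CONN_LOG = [
    (t("2016-10-03T09:00:13"), "203.0.113.7", 443, 8200),  # resolved just before
    (t("2016-10-03T09:01:00"), "10.0.0.5", 445, 120000),   # internal file share
    (t("2016-10-03T09:05:00"), "198.51.100.9", 443, 512),  # never resolved ...
    (t("2016-10-03T09:10:00"), "198.51.100.9", 443, 512),  # ... and every 5 min
    (t("2016-10-03T09:15:00"), "198.51.100.9", 443, 512),
    (t("2016-10-03T09:20:00"), "198.51.100.9", 443, 512),
]
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def connections_without_dns(dns_log, conn_log, window=timedelta(hours=1)):
    """External destinations that no DNS answer produced within `window` before
    the connection: the hard-coded-IP C2 pattern.  `window` must exceed the
    longest DNS TTL clients may cache, or cached answers become false positives."""
    answers = defaultdict(list)
    for ts, _qname, ip in dns_log:
        answers[ip].append(ts)
    flagged = []
    for ts, ip, port, _nbytes in conn_log:
        if any(ipaddress.ip_address(ip) in net for net in INTERNAL):
            continue
        if not any(ts - window <= seen <= ts for seen in answers[ip]):
            flagged.append((ts, ip, port))
    return flagged


def beacon_candidates(conn_log, min_hits=4, max_jitter=0.1):
    """Destinations contacted at near-constant intervals (C2 check-ins):
    [(ip, mean_gap_seconds)] where gaps vary by at most max_jitter of the mean."""
    times = defaultdict(list)
    for ts, ip, _port, _nbytes in conn_log:
        times[ip].append(ts)
    out = []
    for ip, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) <= max_jitter * mean:
            out.append((ip, round(mean)))
    return out
```

On the constructed data, `autostart_changes` reports the retargeted cron job and the new Run-key entry, `connections_without_dns` returns the four connections to 198.51.100.9 (the resolved mail server and the internal share are skipped), and `beacon_candidates` reports that same address with a 300-second period. In production the unresolved-IP check needs the resolver cache and any hard-coded legitimate destinations (update servers, some CDNs) allow-listed, or it will page you for them.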
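The successful/failed access metrics just mentioned, together with the baseline and context measures from the previous section, as an added example in Python that is not code from the paper, from SANS or from Dtex Systems: it builds per-user weekly baselines from a constructed, seeded access log, scores the current week on objects accessed, failed attempts and bytes read, and applies the project-B-then-USB context rule. The synthetic generator, the 3-sigma and 5x ratio thresholds and the six-week history window are assumptions.

```python
"""Added example (not from the SANS paper or Dtex): baseline-and-deviation
analytics on data access over a constructed, seeded event log.  The three
metrics are the paper's; thresholds and synthetic volumes are assumptions."""
import random
import statistics
from collections import defaultdict


def synth_events(seed=7, weeks=8, users=("alice", "bob")):
    """Constructed log of (week, user, object, result, bytes); result is 'ok',
    'denied' or 'usb_copy'.  Every week is routine (50-60 files, 2-3 denials
    per user) except that in the final week bob enumerates every share he can
    reach and copies a project he has never worked on to USB."""
    rng = random.Random(seed)
    ev = []
    for w in range(weeks):
        for u in users:
            for _ in range(rng.randint(50, 60)):
                ev.append((w, u, f"/proj/{u}-team/f{rng.randint(1, 400)}.docx", "ok", rng.randint(20_000, 400_000)))
            for _ in range(rng.randint(2, 3)):
                ev.append((w, u, f"/proj/restricted/f{rng.randint(1, 50)}.xlsx", "denied", 0))
    last = weeks - 1
    ev.append((last, "alice", "/proj/alice-team/f12.docx", "usb_copy", 90_000))  # her own project
    for i in range(5000):
        ev.append((last, "bob", f"/proj/share{i % 40}/f{i}.pdf", "ok", rng.randint(20_000, 400_000)))
    for i in range(500):
        ev.append((last, "bob", f"/proj/restricted/f{i}.xlsx", "denied", 0))
    ev.append((last, "bob", "/proj/legacy-projB/design.vsdx", "usb_copy", 3_000_000))  # stale project
    return ev


def weekly_metrics(events):
    """(user, week) -> {'objects': distinct objects read, 'failed': denials, 'nbytes': bytes read}."""
    objects, failed, nbytes = defaultdict(set), defaultdict(int), defaultdict(int)
    for w, u, obj, result, nb in events:
        key = (u, w)
        if result in ("ok", "usb_copy"):
            objects[key].add(obj)
            nbytes[key] += nb
        elif result == "denied":
            failed[key] += 1
    return {k: {"objects": len(objects[k]), "failed": failed[k], "nbytes": nbytes[k]}
            for k in set(objects) | set(failed)}


def score_user_week(metrics, user, week, history=6, z_threshold=3.0, min_ratio=5.0):
    """Compare one user-week against that user's preceding `history` weeks.
    A metric is flagged only if it is both z_threshold std devs above the
    baseline mean and min_ratio times the mean; the ratio guard stops a
    near-constant baseline (std dev ~0) from flagging trivial increases."""
    cur = metrics.get((user, week))
    past = [metrics[(user, w)] for w in range(week - history, week) if (user, w) in metrics]
    if cur is None or len(past) < 3:
        return {}
    flags = {}
    for m in ("objects", "failed", "nbytes"):
        vals = [p[m] for p in past]
        mean, sd = statistics.mean(vals), statistics.pstdev(vals)
        excess = cur[m] - mean
        if excess <= 0:
            continue
        z = excess / sd if sd else float("inf")
        if z > z_threshold and cur[m] > min_ratio * mean:
            flags[m] = {"value": cur[m], "baseline_mean": round(mean, 1), "z": round(z, 1) if sd else None}
    return flags


def stale_project_copies(events, week, history=6):
    """The paper's context rule: a USB copy in `week` from a project the user
    had no routine access to during the preceding `history` weeks."""
    routine, copies = defaultdict(set), defaultdict(set)
    for w, u, obj, result, _ in events:
        proj = obj.split("/")[2]
        if week - history <= w < week and result == "ok":
            routine[u].add(proj)
        elif w == week and result == "usb_copy":
            copies[u].add(proj)
    hits = {u: sorted(p for p in projs if p not in routine[u]) for u, projs in copies.items()}
    return {u: projs for u, projs in hits.items() if projs}


if __name__ == "__main__":
    events = synth_events()
    metrics = weekly_metrics(events)
    for user in ("alice", "bob"):
        print(user, metrics[(user, 7)], "->", score_user_week(metrics, user, 7) or "normal")
    print("stale-project USB copies:", stale_project_copies(events, 7))
```

Alice's final week scores as normal on all three metrics and her USB copy is ignored because she works on that project every week; Bob's final week is flagged on objects, failed attempts and bytes, and his copy from legacy-projB is reported separately. The two signals are deliberately kept apart: the metric deviation says "this account is harvesting," the context rule says "this copy makes no sense for this person," and either alone is worth a look while both together warrant immediate action.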
In performing this type of analysis, there are three behavioral metrics that change drastically when an insider becomes an insider threat:

• Number of objects accessed
• Number of failed access attempts
• Amount of data accessed

A typical user might access 50 to 60 files a week, for example, with two or three failed attempts. This varies with the specifics of the job, but these numbers are fairly typical and serve as an example. When the user becomes an insider threat, one of the first things that happens is internal reconnaissance and data harvesting to discover which information the compromised account can reach. In such cases the number of access attempts jumps to the order of 50,000 and the number of failed access attempts to the order of 5,000, and the amount of data accessed also increases dramatically, because every reachable data store is being accessed or probed. Clearly, the metrics differ greatly when a normal insider becomes an insider threat. By monitoring and tracking behavioral analytics of data access, organizations can detect an insider threat early.

Conclusion

Security is all about understanding, managing and mitigating risks to your critical assets and how those risks could impact your organization. An effective insider threat mitigation strategy will reduce risk, as well as financial, legal and other potential damage to the organization. In assessing the impact the insider threat has on an organization, the following questions must be asked:

• What information would an adversary target?
• What systems contain the information that attackers would target?
• Who has access to critical information?
• What would be the easiest way to compromise an insider?
• What measures or solutions can IT use to prevent/detect these attacks?
• Does our current budget appropriately address insider threats?
• What would a security roadmap that includes insider threats look like for our organization?

The insider threat is a problem that is not going away, and all indications are that it will only get worse. Visibility is key. By carefully monitoring user behavior and network activity, you can quickly detect the malicious insider. It is also important to note that many organizations' networks were designed primarily to detect external threats, with minimal or no protection against insider threats. The bottom line is that insider threats will continue to cause damage as long as an organization ignores them. Organizations that focus on insider threats and build out an appropriate program will be able to defend themselves against this threat.

About the Author

Eric Cole, PhD, is a SANS faculty fellow, course author and instructor who has served as CTO of McAfee and chief scientist at Lockheed Martin. He is credited on more than 20 patents, sits on several executive advisory boards and is a member of the Center for Strategic and International Studies' Commission on Cybersecurity for the 44th Presidency. Eric's books include Advanced Persistent Threat, Hackers Beware, Hiding in Plain Sight, Network Security Bible and Insider Threat. As founder of Secure Anchor Consulting, Eric puts his 20-plus years of hands-on security experience to work helping customers build dynamic defenses against advanced threats.
Sponsor

SANS would like to thank this paper's sponsor, Dtex Systems.

Last Updated: July 12th, 2017