Insider threats can be classified as non-malicious (the result of an oblivious or negligent insider) or malicious (the result of an insider looking to gain financially or make a statement). Within the malicious category, professional insiders are a unique type of insider threat within organizations. Think of this insider as one who is making a first – or second – career of launching cyber attacks for monetary gain.
Types of Professional Insiders
There are several different types of professional insiders:
- Criminal agents pose as a legitimate candidate and secure work in an organization with the sole intent of causing harm and/or stealing information.
- Moonlighters are disloyal employees who have essentially contracted with a buyer of specific information. The buyer could be a competitor, the media, criminal organizations, or the government. Moonlighters can also initially be recruited by a cyber criminal to collect sensitive data. A recent McAfee report specifically cites the healthcare industry as one that is plagued by this kind of insider threat.
- Planted insiders – or moles – are insiders who are planted within an organization, often for purposes of government and industrial espionage. Intellectual property is often of keen interest to the mole.
Identifying a Professional Insider
Possible indicators that a professional insider may be at work within your organization include:
- A large volume of data being downloaded, or an employee amassing a large collection of sensitive data for no legitimate business reason.
- Data being emailed out of the network, especially to a personal account.
- Several broad descriptors of insiders at risk of becoming a threat are greed/ financial need, unexplained financial gain, compulsive and destructive behavior, ethical “flexibility”, and reduced loyalty.
Job role and timing also play a factor when identifying possible insider threats. Researchers from the CERT program at CMU’s Software Engineer Institute found that theft of intellectual property, or industrial espionage involving theft of trade secrets like scientific information, engineering information, source code is typically committed by scientists, engineers, or programmers. Most of the theft of intellectual property occurs within thirty days of the insider’s resignation.
Protecting Against Professional Insiders
Here are several tactics to help protect against the professional insider:
- Establish a baseline of expected behavior. Determine what proper behavior is across your organization in order to promptly detect anomalies and block high-risk actions.
- Monitor employees’ online activity. As mentioned earlier, attacks typically occur within 30 days of an insider submitting their resignation. Security teams should ensure thorough online monitoring during this period. As an example of what to monitor during this 30-day window, the researchers from CERT note that when somebody emails data off a network or is burning disks to remove information, this activity is usually preceded by a data download to the user’s computer. Listening for this download and alerting on the download allows the security team to catch the insider before data leaves the organization.
- Monitor and respond to suspicious or disruptive behavior. The IT security team and human resources should work together to monitor such behavior. The indicators mentioned previously, such as greed/financial need and unexplained financial gain, could signal a need for enhanced vigilance and online monitoring.
- Use a policy of least privilege. Ensure that the right people have access to data. Consider the difference between protecting the data and seeing the data, as well. For example, your IT team may be charged with protecting intellectual property, but it’s unlikely they need to see the actual content.
- Deprovision users when they move from one role to another or when they leave the organization. Most disgruntled employees end up leaving, whether voluntarily or not, and a failure to deprovision gives them the means and the motive to steal data.