For too long, data breaches and cybersecurity incidents caused by insiders have been overlooked, neglected and not taken seriously. Companies often find it difficult to recognize, report or act against employees who have become a threat to their organization. Insider attacks have frequently been treated as an embarrassment, or simply as a problem for the Human Resources department, as if the insider threat were a black mark on the organization's management processes and reputation.
Insiders have advantages over external actors who seek to evade security, since people within the organization enjoy significantly higher levels of trust and privilege, as well as knowledge of the organization's policies, processes and procedures. The insider threat can be difficult to catch because these are people who have legitimate access to the network and/or applications. These threats may come from careless workers, disgruntled personnel, and those who were recruited, solicited or bribed by external parties to exfiltrate data. In addition, business partners who compromise security through negligence, misuse, or malicious access to or use of an asset can also pose a security threat. Detecting and mitigating such a wide range of insider threats requires a different approach from hunting external threats.
20% of cybersecurity incidents and 15% of data breaches investigated in the Verizon 2018 Data Breach Investigations Report (DBIR) originated from people within the organization, with financial gain (47.8%) and pure fun (23.4%) as the main motivators. These attacks, which exploit inside knowledge and access privileges to the system, are often discovered only months or years after they take place, which makes their potential impact on a business significant.
The DBIR analysis also signals a change in the way social attacks, such as financial pretexting and phishing, are used. Attacks like these, which continue to infiltrate organizations through employees, are now increasingly a departmental problem. In addition, this year's DBIR warns that C-level executives, who have access to a company's most confidential information, are now the main focus of social engineering attacks. Senior executives are 12 times more likely to be the target of social incidents and 9 times more likely to be the target of social breaches than in previous years, and financial motivation remains the key factor.
These are some of the key countermeasures that can help reduce risks and improve incident response efforts:
1. Integrate security strategies and policies – Integrating the other 10 countermeasures (listed below), or better yet a comprehensive Insider Threat Program, with other existing strategies, such as a Cyber Security Policy, a Risk Management Framework, Human Resource Management and Intellectual Property Management, can help strengthen efficiency, cohesion and timeliness in addressing insider threats.
2. Perform threat hunting activities – Make effective investments in threat intelligence, dark web monitoring, behavioral analysis and threat hunting to search for, monitor, detect and investigate suspicious user activities and user accounts, both inside and outside the company.
3. Perform vulnerability scanning and penetration tests – Take advantage of vulnerability assessments and penetration tests to identify gaps within the infrastructure and application components, including the paths an insider could use to move within the business environment.
4. Implement personnel security measures – Human resources controls (such as background checks and employee life cycle management processes), least-privilege principles and security awareness training can reduce the number of cybersecurity incidents associated with unauthorized access to business systems.
5. Employ physical security measures – Use physical access controls, such as identity badges, security gates and guards, to limit physical access, as well as digital access controls, including cards, biometric access control mechanisms, motion detectors and cameras, to monitor, alert on and record access patterns and activities.
6. Implement network security solutions – Deploy network security solutions such as firewalls, intrusion detection/prevention systems, gateway devices and data loss prevention (DLP) solutions to detect, collect and analyze suspicious traffic potentially associated with insider threat activity. This will help to highlight activity outside normal hours, unusual volumes of outbound traffic, and the use of remote connections. Effective network segmentation controls are another very important measure to limit adverse lateral movement and unauthorized access to resources.
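As an added example (not part of the article), the following Python sketch applies the three network signals named in items 6 and 7 to a few constructed log lines: activity outside normal hours, large outbound volume, and use of a remote connection. The log format, business hours and byte threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data):
# timestamp  user  source(office|vpn)  destination  bytes_out
SAMPLE_LOGS = """\
2019-05-13T09:12:04 alice office 10.0.0.5 120000
2019-05-13T23:47:51 bob vpn 203.0.113.10 850000000
2019-05-13T14:05:10 carol office 198.51.100.7 5000000
2019-05-14T02:15:33 bob vpn 203.0.113.10 920000000
2019-05-14T10:30:00 alice office 10.0.0.5 300000
"""

BUSINESS_HOURS = range(8, 19)        # assumed: 08:00 to 18:59 local time
OUTBOUND_LIMIT_BYTES = 500_000_000   # assumed per-event threshold (500 MB)


def parse_logs(text):
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, source, dest, out = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "source": source,   # "vpn" marks a remote connection
            "dest": dest,
            "bytes_out": int(out),
        })
    return events


def flag_events(events):
    """Return {user: [(timestamp, [reasons]), ...]} for events that trip at
    least two of the three signals; any single signal alone is too common."""
    findings = defaultdict(list)
    for e in events:
        reasons = []
        if e["time"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if e["bytes_out"] > OUTBOUND_LIMIT_BYTES:
            reasons.append("large-outbound")
        if e["source"] == "vpn":
            reasons.append("remote-connection")
        if len(reasons) >= 2:
            findings[e["user"]].append((e["time"].isoformat(), reasons))
    return dict(findings)
```

Running `flag_events(parse_logs(SAMPLE_LOGS))` on the sample surfaces only bob's two night-time VPN sessions with large outbound volume; alice and carol generate no combined signal.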
7. Employ endpoint security solutions – Use robust endpoint security solutions and controls, such as anti-malware, critical asset inventories, removable media policies, full disk encryption, File Integrity Monitoring (FIM) tools, User and Entity Behavior Analytics (UEBA) and Endpoint Detection and Response (EDR) solutions, to deter, monitor, track, collect and analyze user-related activity.
8. Apply data security measures – Apply data ownership, classification and protection measures, as well as data deletion measures, to manage the data life cycle and maintain confidentiality, integrity and availability with insider threats in mind. Consider data encryption, truncation and tokenization approaches to apply data-centric security controls.
9. Employ identity and access management measures – Use identity, access and authentication management measures to manage, limit and protect access to the business environment by taking advantage of an Identity and Access Management (IAM) solution. This can be taken to the next level with a Privileged Access Management (PAM) solution for privileged-level access.
10. Establish incident management capabilities – Establishing an incident management process that includes an insider threat playbook, with trained and capable incident handlers, will make cybersecurity response activities more efficient and effective in addressing insider threat activity.
11. Retain digital forensic services – Have investigative response resources available that can carry out a full spectrum of deep-dive investigations, from log, file, memory and disk analysis to network forensics, in intricate incidents related to insider threats.
By Ashish Thapar, Managing Director and Chief – APJ Region, Verizon Business Group