We’ve seen close to a 50% rise in insider threats in the last two years. Small and big companies alike need to set up better defenses, not to fend off outside threats – but to stop those who want to compromise them from within. For that reason, employing insider threat detection is a must.
Doing audits, employing behavior analytics, and monitoring user activity are the best ways to detect insider threats. At the same time, screening candidates is a must to prevent issues from happening down the line. Training is also key to preventing negligent or accidental threats.
The first step to stopping insider threats is understanding them: there’s more than one way to compromise a company – and not all of them are intentional. At the same time, putting insider threat detection best practices in place is key to making any detection method work.
Types of Insider Threats
- Intentional. Most people think about the intentional kind when they talk about insider threats. You’ll find threat actors motivated by greed or malice in this scenario: they’ll infiltrate an organization either to steal something valuable or to do harm, for any of several reasons. Sometimes, insider threats don’t come from an infiltrator but from a disgruntled employee or contractor.
- Unintentional. Insider threats often take the form of unintentional incidents. This type of issue can happen due to negligence or accidents: negligent employees are careless or lax about cybersecurity, leaving an opening for threat actors; in contrast, accidents happen when nobody’s at fault, such as an employee making a typo when they send vital data over email, so the information falls into the wrong hands.
- Complex. Certain insider threats are not as clear-cut as intentional or unintentional ones. For example, a threat actor could coerce or compromise an employee, or look for negligent users to take advantage of. Other complex insider threats involve contractors abusing the authorization levels they were granted to harm a company from the inside.
Threat Detection Best Practices
- Scanning. The first step to preventing an insider threat is screening future employees. Recruiting should involve a thorough screening process in which would-be employees are checked for behavioral, personal, or technical indicators. However, certain people will pass a screening process with flying colors, only to cause a problem later on.
- Monitoring. Whether an employee joined the workforce before screening was adopted or not, monitoring is key to preventing insider threats (or mitigating existing ones). Since threat actors also compromise existing employees, looking for unusual activity (such as unnecessary access requests or messages to third parties) is a must.
- Education. Two out of three insider threats are unintentional (i.e., negligent or accidental). Education and training are a must to prevent anyone in the workforce from compromising your data without malicious intentions. Training is not a one-and-done activity: it should be part of the yearly schedule.
- Documentation. Your insider threat prevention policy should be documented, so employees know where to look when they don’t know how to act – and so management can point out where someone went wrong. A clear-cut policy is the best way to leave no gray areas (the places where threat actors thrive).
- Evaluation. Updating your insider threat prevention policy is necessary to keep pace with hackers who continuously find new ways to infiltrate your company. Routine evaluations are necessary to keep it current. At the same time, evaluating employees is also necessary, so you can figure out what they need to work on.
Two Types of Tools for Insider Threat Detection
Before we look at threat detection methods, it’s important to know who or what will be in charge of employing them. A mixture of human and automated efforts is the best way to detect, mitigate, and remove insider threats.
- Human. Insider threat is a human issue nine times out of ten. Sure, you’ll have to deal with malware and similar tooling, though the root cause of these threats is usually a negligent or disgruntled employee. A big percentage comes from compromised employees too (threat actors often look for tech-illiterate workers to bait). Dealing with the human element is a big part of insider threat prevention.
- Technological. Most insider threats need an employee to get started, but not to continue. Once a threat actor has login credentials or has infected a part of your network, the human element ceases to be the only thing to worry about. Software and hardware audits and monitoring are a must to avoid data breaches.
10 Insider Threat Detection Methods That Work
1. Activity Comparison
It’s difficult to identify insider threats on a case-by-case basis since malicious or negligent actors tend to fly under the radar. However, it’s easy to figure out who stands out if you have a broader data sample to compare different users.
For that reason, comparing users within a department is the best way to see if there’s unusual activity. In contrast, comparing someone in the IT department and someone in sales will provide no reliable data (since their behavior is different).
Activity comparison is the first step in insider threat detection: unusual behavior isn’t an admission of guilt, though it provides a list of employees you should monitor.
2. Anomaly Detection
Although activity comparison helps you find the odd one out in a group, certain scenarios will have clear-cut signs of an insider threat taking place.
Someone making unnecessary access requests or downloading files they shouldn’t be accessing are signs of intentional threats.
For example, someone in the HR department trying to access something related to your cybersecurity infrastructure is an anomaly. Someone in sales trying to look at your employees’ information from an HR database is an anomaly too.
These anomalies could happen due to negligence or accidents. It could also mean there’s a compromised employee within the company or a threat actor accessing your database with someone else’s credentials.
3. Automated Audits
Automated and manual audits will shed light on any issues before it’s too late. In this scenario, an automated audit will look for any unusual activity spikes that would otherwise go unnoticed by people or by other tools.
For example, most employees use a certain amount of bandwidth every day. If there’s a spike in bandwidth use, it means someone is downloading more files than they usually do. That should trigger an alarm.
Automated audits of several parameters should happen 24/7. Since most insider threats don’t share the same behavior, it’s a good idea to have software auditing certain actions all the time.
This tool goes hand in hand with behavior analytics.
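The two statistical checks described in sections 1 and 3 (comparing a user against peers in the same department, and comparing a user against their own recent baseline) can be shown on a handful of records. The block below is an added example, not code from the original article; the users, departments, daily download volumes, the 5x peer-median ratio and the 3x self-baseline factor are all constructed assumptions. It also runs the peer comparison company-wide to show why comparing IT against sales, as the article warns, gives unreliable results.

```python
"""Peer-group activity comparison and per-user spike detection (added example)."""
from collections import defaultdict
from statistics import mean, median

# Constructed sample data: (user, department, day, megabytes downloaded that day).
# IT staff routinely move far more data than sales staff; carol's day 3 is the outlier.
DAILY_DOWNLOADS = [
    ("alice", "sales", 1, 120), ("alice", "sales", 2, 130), ("alice", "sales", 3, 110),
    ("bob",   "sales", 1, 100), ("bob",   "sales", 2, 140), ("bob",   "sales", 3, 125),
    ("carol", "sales", 1, 115), ("carol", "sales", 2, 105), ("carol", "sales", 3, 4200),
    ("dave",  "it",    1, 900), ("dave",  "it",    2, 1100), ("dave",  "it",    3, 950),
    ("erin",  "it",    1, 1000), ("erin", "it",    2, 880), ("erin",  "it",    3, 1050),
]


def peer_outliers(records, group_by="department", ratio=5.0):
    """Section 1: flag a record whose volume exceeds `ratio` times the median
    volume of its peer group on the same day.

    group_by="department" compares like with like. group_by="all" compares
    against the whole company and is included to show the failure mode the
    article describes: normal IT volume looks anomalous next to sales volume.
    The median (rather than the mean) keeps a single huge value from dragging
    the baseline up and hiding itself.
    """
    by_group_day = defaultdict(list)
    for _user, dept, day, mb in records:
        key = (dept if group_by == "department" else "all", day)
        by_group_day[key].append(mb)

    flagged = []
    for user, dept, day, mb in records:
        key = (dept if group_by == "department" else "all", day)
        peer_median = median(by_group_day[key])
        if mb > ratio * peer_median:
            flagged.append((user, day, mb, peer_median))
    return flagged


def self_baseline_spikes(records, factor=3.0):
    """Section 3: flag a day whose volume exceeds `factor` times the mean of
    that user's earlier days. The first observed day has no baseline and is
    never flagged; a flagged day still enters the history, so a second spike
    the next day would be judged against an inflated baseline (a known
    limitation of simple running means)."""
    history = defaultdict(list)
    flagged = []
    for user, _dept, day, mb in sorted(records, key=lambda r: (r[0], r[2])):
        if history[user]:
            baseline = mean(history[user])
            if mb > factor * baseline:
                flagged.append((user, day, mb, baseline))
        history[user].append(mb)
    return flagged


if __name__ == "__main__":
    print("peer (department):", peer_outliers(DAILY_DOWNLOADS))
    print("peer (company-wide):", peer_outliers(DAILY_DOWNLOADS, group_by="all"))
    print("self baseline:", self_baseline_spikes(DAILY_DOWNLOADS))
```

With the department grouping only carol's 4,200 MB day is flagged; the company-wide grouping flags dave and erin on ordinary days and misses carol entirely, which is exactly why the article insists on comparing within a department. Either finding is a reason to monitor, not a verdict.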
4. Behavior Analytics Employment
Employing behavior analytics will help you with anomaly detection and activity comparison. However, it won’t work by itself: you have to take the time to go through the data to see if there are any issues.
Fortunately, you don’t have to comb through an endless database – because AI can do it for you! Similarly to an automated audit, you can use software to go through behavior analytics to highlight if one of your employees exhibits attention-worthy behavior.
Behavior analytics is also useful for other areas of business. In fact, you can check user behavior to do performance evaluations – and look for anything unusual at the same time.
5. Employee Monitoring
Monitoring employees is a must to detect insider threats. However, you can’t accuse someone of stealing data from you just because they logged in during odd hours.
Nevertheless, any abnormal behavior is reason enough to monitor an employee. That way, you’ll take a closer look at any users who could potentially be or become a threat.
Monitoring shouldn’t focus on future activity alone: those in charge of looking at suspicious employees should also take the time to research past actions to see if the company has been breached already.
6. Malicious Activity Mitigation
You can detect and shut down malicious activity to prevent insider threats from succeeding – all at once. Mitigation is all about putting measures in place to lock down data and lock out users who are showing abnormal behavior.
You could set up your IT infrastructure to lock out anyone who logs in during odd hours. If someone logs in using privileged credentials in the middle of the night, you may have reason enough to consider it malicious activity, so shutting it down using automated tools would be logical.
However, a failsafe should be set up if you go down this route. Otherwise, your entire infrastructure would shut down during an emergency in the middle of the night.
7. Manual Audits
You can’t rely on software to do everything. Insider threats work the same way as software or website vulnerabilities: you have to manually look for issues if you don’t want to overlook anything.
Sure, you can use software to detect anomalies or abnormal behavior. However, you have to spend time monitoring the human element since most insider threats have to do with people rather than malware.
In fact, a manual audit could shed light on something software won’t detect: a threat actor could compromise an employee without them knowing, meaning a case-by-case investigation is always a must.
8. Shared Account Monitoring
Certain employees share their work accounts. Similar to reusing passwords, sharing accounts is a terrible idea if you want to prevent data breaches. However, that doesn’t mean users will stop doing it.
For that reason, monitoring the activity of shared accounts is a must. Looking at who logs in, from where, and when tells you whether the people who should be using these accounts are the ones who are, in fact, using them.
Threat actors often look for shared accounts to log in to – because erratic behavior on a shared account raises fewer suspicions.
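Sections 6 and 8 both come down to rules evaluated over login events: an automatic lockout for off-hours privileged logins with a fail-safe so an emergency responder is never locked out, and alerts when a shared account is used from an unexpected place or from two places at once. The block below is an added example, not code from the original article; the log line format, the business-hours range, the break-glass identity list, the per-account expected-source list and the 10-minute window are all constructed assumptions, and the sample lines use documentation-only IP addresses.

```python
"""Login-event rules for off-hours privileged access and shared accounts (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (assumed key=value format, not a real product's output).
LOG_LINES = """\
2024-03-11T02:14:09Z user=admin-ops src=198.51.100.9 account=personal priv=1
2024-03-11T02:40:00Z user=oncall-breakglass src=198.51.100.9 account=personal priv=1
2024-03-11T09:02:11Z user=jdoe src=198.51.100.20 account=personal priv=0
2024-03-11T09:05:40Z user=shared-helpdesk src=198.51.100.31 account=shared priv=0
2024-03-11T09:07:02Z user=shared-helpdesk src=203.0.113.77 account=shared priv=0
2024-03-11T14:30:00Z user=admin-ops src=198.51.100.9 account=personal priv=1
""".splitlines()

BUSINESS_HOURS = range(7, 20)                      # assumed: 07:00-19:59 UTC
BREAK_GLASS = {"oncall-breakglass"}                 # the fail-safe: never auto-locked, always reviewed
EXPECTED_SOURCES = {"shared-helpdesk": {"198.51.100.31"}}  # assumed per-account source allowlist
MULTI_SOURCE_WINDOW = timedelta(minutes=10)


def parse_login(line):
    """Turn one constructed log line into a dict with typed fields."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": fields["user"],
        "src": fields["src"],
        "shared": fields["account"] == "shared",
        "privileged": fields["priv"] == "1",
    }


def evaluate_logins(lines):
    """Return (user, action, reason) findings in chronological order.

    action is one of: "lockout" (automated response), "review" (break-glass
    use that must be checked by a person) or "alert" (shared-account signal).
    """
    events = sorted((parse_login(line) for line in lines), key=lambda e: e["time"])
    findings = []
    recent = defaultdict(list)  # shared account -> [(time, src)] inside the window

    for e in events:
        # Section 6: privileged login outside business hours is locked out
        # automatically, unless the identity is on the break-glass list.
        if e["privileged"] and e["time"].hour not in BUSINESS_HOURS:
            if e["user"] in BREAK_GLASS:
                findings.append((e["user"], "review", "off-hours privileged login by break-glass identity"))
            else:
                findings.append((e["user"], "lockout", "off-hours privileged login"))

        if e["shared"]:
            # Section 8: who uses the shared account, and from where.
            if e["src"] not in EXPECTED_SOURCES.get(e["user"], set()):
                findings.append((e["user"], "alert", f"shared account login from unexpected source {e['src']}"))
            window = [(t, s) for t, s in recent[e["user"]] if e["time"] - t <= MULTI_SOURCE_WINDOW]
            sources = {s for _, s in window} | {e["src"]}
            if len(sources) > 1:
                findings.append((e["user"], "alert",
                                 "shared account used from multiple sources within window: "
                                 + ", ".join(sorted(sources))))
            recent[e["user"]] = window + [(e["time"], e["src"])]
    return findings


if __name__ == "__main__":
    for finding in evaluate_logins(LOG_LINES):
        print(finding)
```

On the sample, the 02:14 privileged login is locked out, the 02:40 break-glass login is allowed but queued for review (that is the fail-safe the article asks for), and the helpdesk account triggers two alerts because its second login comes from an address outside the allowlist two minutes after the first one. The 14:30 privileged login during business hours produces nothing.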
9. Threat Hunting
Big companies have active threat hunting teams to take care of most of their insider threat management. These hunters are IT veterans who know what to look for to identify any threats before a breach takes place.
However, this approach is not feasible for small companies. In fact, it would be too costly for them since a threat hunter department is separate from every other area (to avoid compromising it).
Nevertheless, big companies (or those too susceptible to data breaches) should dedicate a big part of their budget to threat hunting.
10. User Access Management
A data breach happens when an employee or user discloses data that shouldn’t be public. Therefore, limiting the amount of information most employees can access wouldn’t be a bad idea.
How does that help with insider threat detection? Simple! When a negligent or compromised employee wants to access sensitive data (to leak it), they won’t be able to – since employing user access management prevents regular users from accessing privileged data.
At the same time, their attempt to access privileged data should raise an alarm. That way, those in charge can investigate further – and, eventually, figure out why an employee became an insider threat.
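Sections 2 and 10 describe the same mechanism from two sides: a request outside a user's role (HR reaching for security configuration, sales reading HR records) is both refused and turned into an alert, so the control stops the leak and starts the investigation. The block below is an added example, not code from the original article; the departments, data classes, the policy map, the sample requests and the three-denial escalation threshold are all constructed assumptions.

```python
"""Role-based access check that denies and alerts (added example)."""
from collections import Counter
from dataclasses import dataclass, field

# Assumed policy: which data classes each department may touch. Anything not
# listed is denied, which is the least-privilege default section 10 argues for.
ACCESS_POLICY = {
    "hr": {"employee_records", "payroll"},
    "sales": {"crm", "price_lists"},
    "it": {"security_config", "server_logs"},
    "security": {"security_config", "server_logs", "employee_records"},
}

# Constructed sample requests: (user, department, data class requested).
SAMPLE_REQUESTS = [
    ("hana", "hr", "employee_records"),     # normal
    ("hana", "hr", "security_config"),      # section 2: HR probing security infrastructure
    ("sam", "sales", "crm"),                # normal
    ("sam", "sales", "employee_records"),   # sales reading HR data
    ("sam", "sales", "payroll"),
    ("sam", "sales", "employee_records"),   # third denial for sam: escalated
    ("ivy", "it", "server_logs"),           # normal
]


@dataclass
class Alert:
    user: str
    department: str
    data_class: str
    severity: str


@dataclass
class AccessMonitor:
    """Enforces the policy and records every denial as an alert.

    A single denial can be an honest mistake (section 2 notes negligence and
    accidents), so it is rated "medium"; repeated denials by the same user
    are a stronger signal and are escalated to "high".
    """
    policy: dict
    escalate_after: int = 3
    alerts: list = field(default_factory=list)
    denials: Counter = field(default_factory=Counter)

    def check(self, user, department, data_class):
        """Return True if access is allowed; otherwise deny and alert."""
        if data_class in self.policy.get(department, set()):
            return True
        self.denials[user] += 1
        severity = "high" if self.denials[user] >= self.escalate_after else "medium"
        self.alerts.append(Alert(user, department, data_class, severity))
        return False


def replay(requests, policy=ACCESS_POLICY, escalate_after=3):
    """Run the requests through a fresh monitor; return (decisions, alerts)."""
    monitor = AccessMonitor(policy, escalate_after)
    decisions = [(u, d, dc, monitor.check(u, d, dc)) for u, d, dc in requests]
    return decisions, monitor.alerts


if __name__ == "__main__":
    decisions, alerts = replay(SAMPLE_REQUESTS)
    for decision in decisions:
        print("ALLOW" if decision[3] else "DENY ", decision[:3])
    for alert in alerts:
        print("ALERT", alert)
```

Hana's single out-of-role request produces a medium alert that a reviewer can close quickly if it was a mistake; Sam's third denial is escalated, because three attempts at HR data from a sales account is the pattern the article describes as worth a closer look, whether the cause is a disgruntled user or a stolen credential.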
How Do Employees Turn Into Insider Threats?
Employees can fall prey to credential theft, malware, and phishing. Some of these incidents could be due to negligence or accident, so prevention and education are necessary to avoid issues.
Real-life cases show how much damage one employee can do: a Canadian firm lost almost 10 million records due to one employee leaking them.
However, most employees don’t know they’re doing damage. Threat actors could infect their computers using malware, steal their credentials via social engineering (mining their social media to guess their login credentials), or obtain those credentials via phishing (setting up fake websites where employees enter vital information that a hacker will see).
Remembering that threat actors will look for employees to gain insider access one way or another is key to keeping a tight lock on your data and preventing a breach.
Conclusion
Insider threats are a huge risk for companies that store information. To prevent them from happening, companies need to perform regular audits, monitor suspicious employees, and mitigate malicious activity. At the same time, regular training is a must to prevent negligent or accidental threats.