Lessons in Threat Detection for Insider Threats
The Risk of Insider Threats Is Growing, But So Are Methods to Detect Them
An employee who used an app to escalate privileges in a bid to download a torrent client onto a work computer. A programmer who ran code from GitHub and ransomed his own machine. An internal user who tried to troubleshoot a Linux host machine rather than going to IT - and used a local privilege escalation vulnerability to do so.
Those are just some of the insider threats CrowdStrike said it detected from January 2021 through April, according to a Thursday blog post characterizing what the company called the growing threat of cyber incidents caused by insiders.
Whether because they're malicious, oblivious to company rules or outsmarted by hackers, insiders pose a mounting degree of risk to companies. A recent survey found that the average cost of an insider threat incident ranges between about $500,000 and $700,000, depending on whether it was instigated by negligence or a criminal insider. Earlier this year, a federal judge ordered one insider hacker to pay $1.6 million in restitution to his former company (see: Ubiquiti Insider Hacker Sentenced to 6 Years in Prison).
It turns out that hunting for outside hackers offers lessons for companies that want to avoid the embarrassment and monetary loss that comes from an insider, said Thomas Etheridge, CrowdStrike chief global professional services officer, in an interview with Information Security Media Group.
"A lot of the same principles for threat hunting and looking for specific tactics and techniques that we would see from an adversary" apply to insiders, he said. Improved managed detection and response, he said, is able to detect insider activity - revealing the risk more clearly than before. "We're seeing a lot more of that activity be uncovered."
Like outside threat actors, insiders take advantage of known vulnerabilities to escalate privileges. Some of the vulnerabilities detected by the cybersecurity company date from as long ago as 2014 and 2015.
"I'm not kidding you when I say to you that I talk to organizations almost weekly about tech debt and unpatched vulnerabilities," Etheridge said.
Eight in 10 adversary and insider incidents have an identity management component, Etheridge said. An individual credential may have access to more than it should have, or an attacker may be able to elevate its permissions. "Threat actors really don't care what access was intended for, they just want to know what it can do. And the same risk applies to insiders."
Companies should be able to detect when a credential normally used to access human resources systems suddenly pops up in a financial system, he said. The model can no longer be "trust but verify"; it needs to be "verify, then trust." A credential logging on from an unusual IP address might be another trigger for a secondary challenge, such as multifactor authentication.
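The baseline-and-deviation check described above, written out as an added example (this is illustrative code, not CrowdStrike's tooling or anything from the blog post). It learns from a set of constructed logon records which systems each credential normally reaches and which networks it normally comes from, then classifies new events: a familiar credential on an unfamiliar system (the HR credential appearing in finance) raises an alert, while a familiar system reached from an unfamiliar network is routed to a step-up MFA challenge. The log line format, the system names, the IP ranges and the choice of /24 as the network granularity are all assumptions made for the example.

```python
"""Credential-use baseline: flag a credential that appears on a system or
from a network it has never used before.  Constructed example; log format,
hostnames and addresses are invented for illustration."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import re

# Constructed log format: "<timestamp> user=<name> system=<host> src=<ip>"
LOG_RE = re.compile(r"user=(\S+) system=(\S+) src=(\S+)")


@dataclass(frozen=True)
class LogonEvent:
    user: str
    system: str
    src_ip: str


def parse_event(line: str) -> LogonEvent:
    """Pull user, system and source IP out of one constructed log line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return LogonEvent(*m.groups())


def source_net(ip: str) -> str:
    """Collapse a source address to its /24.

    Assumption: a /24 is coarse enough to absorb ordinary DHCP churn on the
    office LAN while still separating it from a VPN pool or the internet."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(lines):
    """Per credential: the set of systems it reaches and the /24s it comes from."""
    baseline = defaultdict(lambda: {"systems": set(), "nets": set()})
    for line in lines:
        ev = parse_event(line)
        baseline[ev.user]["systems"].add(ev.system)
        baseline[ev.user]["nets"].add(source_net(ev.src_ip))
    return dict(baseline)


def evaluate(line: str, baseline):
    """Classify one new logon against the baseline.

    Returns (decision, reasons) where decision is one of
    "allow", "step_up_mfa" (familiar system, unfamiliar network) or
    "alert" (unfamiliar system, or a credential with no history at all)."""
    ev = parse_event(line)
    profile = baseline.get(ev.user)
    if profile is None:
        return "alert", ["no_baseline_for_credential"]
    reasons = []
    if ev.system not in profile["systems"]:
        reasons.append(f"new_system:{ev.system}")
    net = source_net(ev.src_ip)
    if net not in profile["nets"]:
        reasons.append(f"new_network:{net}")
    if any(r.startswith("new_system") for r in reasons):
        return "alert", reasons        # e.g. an HR credential inside finance
    if reasons:
        return "step_up_mfa", reasons  # known system, unknown network: challenge
    return "allow", reasons


# Constructed learning-period records: what each credential normally does.
BASELINE_LOGS = [
    "2021-02-01T08:02:11Z user=alice system=hr-portal src=10.1.20.15",
    "2021-02-01T09:14:03Z user=alice system=hr-payroll src=10.1.20.15",
    "2021-02-02T08:05:40Z user=alice system=hr-portal src=10.1.20.31",
    "2021-02-01T08:30:22Z user=bob system=finance-erp src=10.1.30.8",
    "2021-02-03T17:45:09Z user=bob system=finance-erp src=10.1.30.12",
]

# Constructed new events to classify.
NEW_LOGS = [
    "2021-03-10T08:01:55Z user=alice system=hr-portal src=10.1.20.77",    # allow
    "2021-03-10T08:07:12Z user=alice system=finance-erp src=10.1.20.15",  # alert
    "2021-03-10T22:13:48Z user=bob system=finance-erp src=203.0.113.9",   # step-up
    "2021-03-10T23:02:30Z user=carol system=hr-portal src=10.1.20.40",    # alert
]


def classify_all(baseline_lines=BASELINE_LOGS, new_lines=NEW_LOGS):
    """Run every new event against the baseline; returns [(user, decision, reasons)]."""
    baseline = build_baseline(baseline_lines)
    out = []
    for line in new_lines:
        decision, reasons = evaluate(line, baseline)
        out.append((parse_event(line).user, decision, reasons))
    return out


if __name__ == "__main__":
    for user, decision, reasons in classify_all():
        print(f"{user:<6} {decision:<12} {', '.join(reasons) or '-'}")
```

In production the baseline would come from weeks of identity-provider or endpoint telemetry rather than a handful of lines, and the "alert" path would feed a case queue while "step_up_mfa" would call the identity provider's policy engine; the point of the example is the shape of the decision, not the plumbing.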
Not every insider hacker is malicious. "In some cases, individuals are looking for easier ways to do things, or they're looking for ways to become more efficient."
"What we've historically seen is: There's always a gap between the security organization, the IT organization and the business units," Etheridge said. Into those gaps, insider threats may flow.