Insider Threats: The Danger Within

Cyberattacks by hacking groups using ransomware and other tactics dominate the headlines, but the risks posed by individuals within an organization can be just as, if not more, damaging. CISA defines an insider threat as the possibility that authorized personnel will use their access, either intentionally or unintentionally, to harm an organization’s mission, resources, information, systems, or other assets. 

The impact of insider threats can be devastating, including data breaches, sabotage, espionage, and reputational damage. Some notable insider threat incidents include leaks at Tesla in 2023 and Microsoft in 2022. 

Not All Insiders are Created Equally: Malicious and Accidental Threats

Insider threats are categorized into two main types: 

• Malicious Insiders: These individuals intentionally harm the organization, driven by personal gain, revenge, or ideological motives. 
• Negligent or Accidental Insiders: These individuals unintentionally cause harm due to carelessness, lack of awareness, lack of training, or unclear policies. 

A typical malicious insider threat attack usually follows a process that involves: 

• Access: The insider gains access to sensitive information or systems through their legitimate role within the organization. 
• Motivation: The insider develops a motivation to act, which could stem from financial gain, revenge, ideological beliefs, or simple negligence. 
• Action: The insider takes action, such as stealing data, sabotaging systems, or sharing information with unauthorized parties.
• Concealment: The insider tries to conceal their actions to avoid threat detection. 

Negligent and accidental insider threat attacks lack the motivation step in the process, given that their incidents occur unintentionally. In these cases, the action step is categorized by the mistake or oversight that results in leaked data or damage to a system. Negligent and accidental insiders will sometimes conceal their mistakes to avoid potential consequences. 

Insiders Exposed: Insider Threats in the Spotlight

In August of 2023, electric automaker Tesla disclosed that two former employees leaked personal data from 75,735 other employees to a German news outlet. The leaked information included names, addresses, Social Security numbers, and salary information. Tesla notified regulators of the breach and filed lawsuits against the former employees. Though the news outlet did not publish any leaked information, the incident highlighted the risk employees can pose as insider threats, even after they depart an organization. 

In 2022, Microsoft employees exposed login credentials to the company’s infrastructure on the software developer platform GitHub. The leak appeared to be accidental but included sensitive data like usernames, passwords, and API keys for Microsoft services and GitHub itself. Three of the exposed credentials were still active when a third party discovered the leak. Microsoft confirmed that the leaked credentials were not accessed or misused, but the incident highlighted the risk of accidental exposure from insiders. 

Prevention Tips

While insider threats can be challenging to detect and prevent, organizations can take several proactive steps to mitigate the risks: 

• Access Controls: Adhere to the principle of least privilege to ensure individuals can only access the information and systems they need to perform their jobs. 
• Monitor for Signs of Threats: Tools like Devo SOAR and UEBA  can help monitor signs of insider threats by using machine learning to understand baseline user, host, and network behavior, as well as creating playbooks to hunt for abnormal activities that indicate potential insider threats automatically. 
• Security Awareness Training: Regularly train and educate employees about the risks and the importance of data security, including best practices for protecting sensitive information. 

It’s just as important to be on the lookout for internal threats as external threats, so organizations must prioritize putting in security measures to mitigate the risk of these kinds of attacks, too. The impact of insider threats can be just as severe, but they can fly under the radar more easily. Contact our experts to learn how Devo can help you monitor for suspicious activity.