Insiders are undoubtedly one of the most concerning threat actors when it comes to establishing a solid cybersecurity posture as they are not easily identifiable by patterns, baselines or known behavior. This makes them the most difficult threat actors to catch. By definition, they have inside knowledge of network architecture, legitimate credentials to make their way to their objectives, and plenty of time to ponder over what next action is to be taken.

According to the Verizon 2019 Data Breach Investigations Report, 34% of all breaches in 2018 were caused by insiders in the USA, but less than 20% had defined incident response scenarios for insider threats.

An insider with trusted access can have high impact with a relatively low execution cost, meaning they can affect organizations of all sizes and industries. This is inevitable— organizations need to trust their employees, to a certain extent. This trust spreads over a number of roles from temporary workers and contract staff to IT administrators, individual contributors, lawyers, auditors, third party contractors, and employees both current and past…all of them can turn into a malicious insider.

What is an Example of Insider Threat?

Insider threats take many guises:

  • Extortion where the insiders claim they will disclose sensitive stolen data if a monetary demand is not met.
  • Nation-state sponsored economic espionage for profit and strategic reasons related to intellectual property theft.
  • Sabotage in combination with extortion where the attacker claims to have the capacity to cause damage to internal systems, data or critical services.
  • Stalkers at the workplace using their account access to find personal employee information such as salaries, emails, credentials, sensitive customer files, contracts, blueprints. While the stakes may seem lower, this can represent a substantial loss of sensitive data.

The impact of an insider can be devastating for organizations of all sizes.

What are Common Indicators of Insider Threat?

There are a number of leading indicators of this risk:

  • an employee knowing that is going to be fired for having a poor performance assessment
  • disagreement with company policy causing activist behavior
  • anger at managers
  • financial distress that pushes the attacker to sell sensitive or valuable information
  • an employee simply leaving the company

Some signs that insiders may be actively attacking the network or performing illicit actions could be (but are not limited to) employees:

  • working at odd hours
  • accessing the premises outside of normal hours with or without justified authorization
  • experiencing unexplained financial gain
  • traveling to foreign to countries which are not typically a tourist destination

What is the Solution to Insider Threat?

Now taking all above into consideration, how can deception serve as an advantage in defining an early detection strategy for insider threats? Deception is especially apt at detecting threatening behavior without relying on known malicious patterns, signatures, baselines or other big data. Deception relies on insiders identifying themselves by interacting with decoy servers and files deployed specifically for this purpose. These decoys have no business needing to be accessed. Therefore anyone interacting with the decoys is by definition, snooping somewhere they shouldn’t be. In fact, deception is virtually the only way to detect insider threat behavior when the attack comes from within a network via someone with access credentials. This is done by creating decoys (breadcrumbs that range from files to programs) that have no real reason to be accessed. Therefore anyone that trips them up is, by definition, snooping somewhere they shouldn’t be.

Here at CounterCraft, we wanted to automate the ability to create these realistic decoys. Our system leverages ActiveLures™, a Proprietary Breadcrumb Technology that can be deployed across multiple endpoints, servers or even on internet based platforms such as PasteBin, GitHub and Shodan to detect activities outside the bounds of normal duties, such as reconnaissance scans or unapproved access.

Fake credentials, active documents, active file systems and ActiveSense Environments acting as high interaction decoys where all activity is collected and analyzed for real time alerts and forensic purposes. This is the only way to detect insider activity that goes undetected by traditional security solutions. The deception campaign should ideally be adapted to each organization to obtain the best results and make a proactive defense against insider threats.

Conrado Crespo is the Senior Sales Engineer for Countercraft, with expertise in IAM, EDR, and cyber security integration and is on LinkedIn.