An insider spy is perhaps the most significant threat to enterprise security. Monitoring their behavior is a critical component in detecting and deterring their activities.

“It’s not about the 98% you catch, it’s about the 2% you miss.” – NSS Labs

Insider Threats – Some Statistics

PwC 2015

  • Roughly 70% of incidents at financial institutions involved current and former employees.
  • 60% of incidents at industrial manufacturing organizations did likewise.

Verizon DBIR  2015: 20.6% of breaches are characterized as “insider misuse”

Insider Threat: A malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization’s security practices, data and computer systems.

Watering Hole: A computer attack strategy in which the victim is a particular group (organization, industry, or region). The attacker guesses or observes which websites the group often uses and infects one or more of them with malware. Eventually, some member of the targeted group gets infected.

Muleware: Muleware solicits the participation of the user and offers incentives to play a small role in the attack campaign. “Up until this point, cybercriminals have attained their resources by exploiting and compromising devices, but wouldn’t it be more efficient and much more profitable to pay for these resources and turn thousands of would-be victims into part of the attacker’s supply chain?” – Lancope CTO, TK Keanini

So who is attacking the network?

Negligent Insiders – Insiders who accidentally expose data – such as an employee who forgets their laptop on an airplane.

Malicious Insiders – Insiders who intentionally steal data or destroy systems.

Compromised Insiders – Insiders whose access credentials and/or computer have been compromised by an outside attacker.

How do we protect ourselves from an insider spy? The intelligence community says that monitoring the behavior of employees and other insiders is critical in detecting a spy. Here’s a summary of the user behaviors they say enterprises should be looking for:

  1. Individuals who, without need or authorization, access proprietary material not related to their work duties.
  2. Individuals who show an unusual interest in matters outside the scope of their duties, particularly those of interest to foreign entities or business competitors.
  3. Individuals who unnecessarily copy, store, or transmit material, especially if it’s sensitive, proprietary, or classified.
  4. Individuals who remotely access the computer network while on vacation, sick leave, or at other odd times.
  5. Anyone who disregards company computer policies regarding installing personal software or hardware, accessing restricted websites, conducting unauthorized searches, or downloading confidential information.
  6. Anyone who works odd hours without authorization or exhibits notable enthusiasm for overtime work, weekend work, or unusual schedules when clandestine activities could be more easily conducted.
  7. Individuals who engage in suspicious personal contacts, such as with competitors, business partners or other unauthorized individuals.
  8. Individuals who show particular concern that they are being investigated, such as installing software to monitor searches of their data files, emails, and other communications.

On the surface it may seem extreme to think we need to monitor for spies. But virtually everyone agrees that we need to be on guard for anyone who is stealing our data, regardless of what is motivating them.

An insider spy may or may not be physically inside our facilities, but today’s spies and cyber-criminals are certainly capable of remotely penetrating our networks while impersonating our own employees.

Five signs of an insider threat, in short:

  1. Stolen Credentials
  2. Suspicious Behavior
  3. Unauthorized Access
  4. Unusual Movement
  5. Policy Violation


Insider Threat Defenses – Detection

Examples:

  • Log file accesses, software installation, and USB device usage
  • Generate alerts on access to file storage services (e.g., Dropbox)

Advantages:

  • If implemented correctly, finds activity before it causes harm
  • Less inhibiting than full prevention

Drawbacks:

  • If implemented incorrectly, finds activity after irreparable harm
  • Requires active effort by the security team

Insider Threat Defenses – Prevention

Examples:

  • Prevent all removable media from being used
  • Block access to personal email and file storage services
  • Block end-users from installing software

Advantages:

  • Stops a technique before it can be used
  • Cheapest once implemented

Drawbacks:

  • Often clashes with a company’s office culture
  • Can inhibit department-specific productivity


The Bank Heist – Forensic Analysis

  • File servers and internal web apps were scraped for sensitive information
  • Data was moved out of the organization’s control via USB, personal email, and printing
  • Files were locally deleted after being exfiltrated
  • The forensic timeline showed over 100 files taken and the precise times at which the actions occurred

See also: Data Security Tips: Quotes from Experts on Breaches, Policy, News & More

Some resources that might be helpful:

  1. C3 Cyber: CyberCrime, CyberWar, CyberTerrorism
  2. International Cyber-Security
  3. Ransomware Tips
  4. NSA Looking to Exploit Internet of Things, Including Biomedical Devices, Official Says

In the next article:

Proactive measures, file exfiltration, forensic analysis, anti-forensics, and insider threat policy.


The opinions expressed in this contributor article are solely those of the author, and do not necessarily reflect those of individuals

Sources: Trend Micro, Wiki, RSA

