As governments and organizations ramp up their protections of data and infrastructure in response to federal whistleblower cases, what danger do malicious and negligent insiders constitute and what kind of insider threats exist? How do you tell the difference?
Defining malicious vs. negligence
According to the computer emergency response team (CERT) at Carnegie Mellon University, a malicious insider is a current or former employee or contractor who deliberately exploited or exceeded the authorized level of network, system or data access in a way that affected the security of the organization’s data, systems or daily business operations.
Only a fraction of insider incidents are intentionally planned and executed. Many incidents are caused by negligence. This might be an employee who unintentionally exceeds authorized access levels, possibly enabling others to act on their behalf, and thus harming the organization. An outside or malicious inside party can then be the culprit behind the final incident. In a 2019 survey by Forrester Research, 57% of respondents attributed their internal attacks to malicious intent, 35% to inadvertent misuse, and 7% to a combination of these.
Recently we have seen cases where outsiders try [and fail] to exploit insiders through bribery and other means. In mid-2020, a Russian national offered a Tesla employee $1 million to plant malware into the IT network of the company’s electric vehicle subassembly factory near Reno, Nevada.
According to the FBI, once the malware was planted, the Russian national and his associates planned to access Tesla’s internal files, exfiltrate data and blackmail the company into paying a ransom. The perpetrators reportedly even gave the employee a burner phone, instructing him to leave it in airplane mode until after the money was transferred. But the employee, who had direct access to the company’s network, instead contacted the FBI to help nab the alleged culprits.
In the case of malicious insiders, the goal is very often destruction, corruption or theft. While theft often has monetary benefit, destruction and corruption can originate from disgruntled employees and can be directed against the organization as a whole or against specific coworkers. In short, it’s all about intent.
For example, a disgruntled insider decides to steal the credentials of a coworker and log on with these credentials to view questionable websites. The ultimate goal is to discredit the coworker by having IT notice the violations and report them to human resources or the coworker’s manager. As simple as this example seems, it contains a number of common patterns of preparation and execution that can be found in many insider threat cases. They are often revealed and observed by employing technology.
The first stage is exploration and experimentation during which the disgruntled insider figures out how to steal the credentials, such as through Google web searches. Next, the insider tries several extraction methods to make sure they work in the local environment.
After a workable method is chosen, the insider goes into execution mode by stealing and using the coworker’s credentials. The final step is escape or evasion by deleting and erasing evidence that could lead back to the disgruntled insider. The whole process looks shockingly similar to the approach an external threat actor would use.
This next example shows that a disgruntled insider can act on behalf of an outside party to inflict significant damage to a company.
An outside party solicits the system administrator of a small technology company to install monitoring software inside the organization’s network in exchange for money. The recently demoted system administrator decides to install the software before leaving the company for another job.
Again, the insider first explores and experiments by installing the software on a test machine to gauge its network footprint and detectability in the network. Convinced that the software cannot be easily discovered or traced, the insider installs it using a coworker’s account and erases the evidence.
The negligent insider isn’t actively stealing information, and will not directly benefit from their actions, whereas the malicious insider will.
How serious is the threat coming from inside organizations?
Interestingly, the most frequent categories of insider incidents involved unintentional exposure of sensitive data by a negligent insider and the theft of intellectual property by a malicious insider.
In the light of these numbers, if you still think your organization is safe, keep in mind that 87% of all office workers will take data with them when they switch jobs, and organizations typically have a yearly turnover rate of about 3%.