Insider Threat Methods to Look Out For


No matter how strong your organization’s security posture is, your most valuable assets are still vulnerable for one key reason: they are guarded by humans. While you can hope that your employees and affiliates have your company’s best interests at heart, there is always a risk that they will leave critical information unprotected, either on purpose or by accident. While the phrase “insider threats” typically refers to internal workers who steal, damage or expose data or systems from inside an organization, most often, insider threats are not caused by malicious actions, but rather negligent ones. For example, an employee could mistakenly open an email infected with malware, leading to a major data breach. In this scenario, the employee did not act maliciously but still made a costly mistake. 

A less likely scenario, but a possible one nonetheless, is that an employee or someone affiliated with an organization intentionally inflicts harm on their workplace for their own personal gain, or to help someone else. No matter the situation, insider threats can put companies at enormous financial and personal risk. To fight insider threats, it’s important to first know what they look like. Here are two insider threat methods to watch out for.

Exfiltration of sensitive data

When data is moved, stolen or shared without authorization, it is called data exfiltration. All types of sensitive data are at risk of being exfiltrated, including intellectual property, PII, financial records and customer data. Unfortunately, this type of threat can be extremely hard to recognize, especially if the threat actor is a company employee who is authorized to manage the data in question. For instance, a manager who oversees sensitive customer information may be able to copy that data to a flash drive and pass it off to an external accomplice without raising any alarms.

There are several methods that insider threats use to exfiltrate data:

  • Using a company-provided email account to gain access to email, databases, calendars, planning documents, images and other documents sent via email.
  • Using cloud storage applications like Google Drive, Dropbox or OneDrive to access files, data and information.
  • Downloading sensitive data to unauthorized external devices such as a cell phone, personal computer or flash drive. In this scenario, data that was once safeguarded on an authorized device becomes vulnerable to exfiltration once it is downloaded to the insecure device.

Unusual access activity

Another insider threat to look out for is unusual access activity, as this can sometimes be a red flag that something sinister is underway. Monitoring when sensitive data is accessed in your organization, and which data is accessed, is extremely important in mitigating cybersecurity risks.

Here are a few activities that your organization should take a closer look at:

  • Users accessing internal resources outside of normal/scheduled business hours: Depending on your workplace, it might be unusual for employees to log in before or after a certain time of day. If you notice user activity at odd hours, it might be worth checking out.
  • Misuse of trusted access: Internally granted access is another way for insider threats to use permissions they already hold to access or modify data for their malicious intentions. Role-Based Access Control (RBAC) and constant monitoring of permissions can counter this by ensuring the principle of least privilege applies to all staff across the board.
  • Unauthorized privilege escalation: If the insider threat’s existing permissions do not provide the means to accomplish their goal(s), they will attempt to escalate their privileges, either by gaining control of a more highly privileged account or by modifying their existing account’s access level, until they are able to reach their intended target. Vertical privilege escalation, also known as privilege elevation, is where a lower-privilege user elevates their permissions so they can access functions or content reserved for higher-privilege users or applications (e.g. an Internet banking user gaining access to site administrative functions, or the password on a smartphone being bypassed). A 24×7 SOC/MDR team can counter this by detecting and alerting on any unauthorized privilege escalations.
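As an added illustration of the two access patterns above (off-hours logins and unauthorized privilege escalation), the following detection sketch runs over a handful of constructed audit-log lines. It is example code written for this article, not deepwatch's tooling; the log format, the 08:00-18:00 weekday business window and the privileged-group watch list are all assumptions chosen for the demonstration.

```python
from datetime import datetime, time

# Constructed sample events in an assumed "timestamp user action detail" format.
SAMPLE_LOGS = [
    "2024-03-04T09:12:00 alice login vpn",
    "2024-03-04T23:47:00 bob login fileshare",          # outside business hours
    "2024-03-05T02:15:00 bob group_add Domain Admins",  # privilege change at night
    "2024-03-05T10:03:00 carol group_add Helpdesk",     # routine, non-privileged group
    "2024-03-06T14:30:00 alice download customer_db.csv",
]

BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed 08:00-18:00, Monday to Friday
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}  # assumed watch list


def parse(line):
    """Split one log line into (timestamp, user, action, detail)."""
    ts, user, action, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, detail


def is_off_hours(ts):
    """True when the event falls on a weekend or outside the business window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def detect(lines):
    """Return (user, reason) alerts for off-hours logins and privileged-group changes."""
    alerts = []
    for line in lines:
        ts, user, action, detail = parse(line)
        if action == "login" and is_off_hours(ts):
            alerts.append((user, f"off-hours login to {detail} at {ts.isoformat()}"))
        if action == "group_add" and detail in PRIVILEGED_GROUPS:
            reason = f"added to privileged group {detail}"
            if is_off_hours(ts):
                reason += " outside business hours"  # both signals at once: escalate
            alerts.append((user, reason))
    return alerts


if __name__ == "__main__":
    for user, reason in detect(SAMPLE_LOGS):
        print(f"ALERT {user}: {reason}")
```

In practice the business window would come from each user's schedule or a baseline of their past activity, and the group watch list from your identity provider's list of administrative roles.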

Safeguard Your Company Against Internal Threats

Without effective monitoring, alerting, and reacting to the security events in your environment, you risk leaving your organization vulnerable to insider threats.

deepwatch was built to provide valuable managed security operations services to help clients safeguard their critical assets from all types of insider threats, so that both you and your employees can have peace of mind. Learn more about who we are and how we’re changing the service of managed cybersecurity or get in touch with us today.
