Insider threats are among the hardest risks for an organization to address: they are difficult to spot, and the damage can be severe. While many of the motivations overlap, there are three distinct types of fraudulent insider. Read part one of our series to understand who commits fraud. Part two will focus on what to look for and how to spot trouble before it starts.
You’re probably familiar with this classic bad-guy image: a disgruntled employee slips into the building under cover of night and begins to steal confidential information from the business. This image may even have kept you awake at night. In this scenario, the individual in question has privileged access to proprietary data and enough knowledge and intent to defraud the organization.
As widespread as this image is, the true risks from insiders come from a few different areas and are often far less dramatic.
The policy violator
Despite the commonly accepted vision we all have of nefarious actors within our systems, individuals misusing company resources are, for the most part, not doing so with the intent to harm. Frequently, they are motivated to “just get the job done.” In this way, good employees may be breaking policies and creating risk without ever meaning to.
Consider, for example, the well-meaning employees who use an undocumented shortcut in a legacy system (a path that bypasses the application’s normal controls) to move through their workflow more efficiently. Surely they mean no harm, but without visibility into those actions, these employees may be introducing risk that not only threatens data integrity but also leaves no audit trail. That activity could go undiscovered until the day something goes dramatically wrong.
Making internal actors aware of these risks is an important part of mitigating insider misuse. Gaining visibility into such activity is essential, especially at the application layer, where these workarounds bypass the controls that network and endpoint tools can see. Taking steps to reduce misuse and error has the added benefit of protecting against more harmful insider threats as well.
The low and slow fraudster
The most common type of fraud today is not the headline-grabbing theft of millions of credit card records. It’s the small crimes of opportunity that occur quietly, steadily, and repeatedly at the hands of your most trusted insiders—your employees, vendors, consultants, and contractors. This type of fraud occurs daily, and often goes undetected for weeks or months at a time.
When it comes to actual fraud inside an organization, businesses might be surprised at the profile of the typical fraudster. According to research conducted by the CERT Insider Threat Center of Carnegie Mellon University’s Software Engineering Institute, insiders are on the job for more than five years, on average, before they start committing fraud, and their employers take nearly three years to detect the crimes. The fraudsters are often trusted employees or managers who have experienced a life-changing event.
This study, funded by the Department of Homeland Security Science and Technology Directorate, examined 80 fraud cases that occurred between 2005 and 2012 to identify technical and behavioral patterns. The result? Individuals who operated “under the radar” escaped detection for longer periods of time and cost the target organization an average of $382,000, or more, depending on how long they were able to operate without detection.
Commenting on the study, Randy Trzeciak, the technical lead of the Insider Threat Research Team, stated, “We also found that nearly 93% of fraud incidents were carried out by someone who did not hold a technical position within the organization or have privileged access to organizational systems.” In short, anyone in the organization has the potential to do harm.
So, how do you address the issue of good employees gone bad? Again, visibility is the key. By baselining an employee’s behavior over time and identifying changes or spikes in activity that depart from that baseline, you can spot this type of fraudster. Correlating this data over time and across multiple data channels is difficult for humans to do by hand. In these cases, where you need to work with “big data,” technology purpose-built for fraud and anomaly detection can give you an edge.
The imposter
Insider threat committed by imposters is a reality. Every organization has a mix of employees, consultants, management, partners, and complex infrastructure and that makes finding and handling insider threats a challenge. Motivated by money or revenge, these insiders do commit fraud and steal valuable information. To make matters worse, these individuals do not want to be found. In an effort to operate undetected, they will often steal credentials and operate as if they were someone else. In short, you’ve just met the imposter. The problem is, you might not recognize her.
An individual using someone else’s credentials can be very difficult to discover, track, and ultimately shut down. Their activity can remain hidden or even besmirch the reputation of a valued and honest employee. With all the machine data rattling around in the system, you may find the wolf. But could you tell if it was cloaked in sheep’s clothing?
What if you could correlate data from multiple sources and compare the results to create a more comprehensive user profile? In an instant you could correlate access data with badge, HR, and network records. Imagine using technology to surface questions like these: Why is Janie’s account active at work? She didn’t scan her badge, and her payroll record has her marked as taking a sick day. Or, why is Bob accessing unusual data after hours from a machine or IP address that isn’t one he normally uses? Doesn’t that strike you as odd? It might be explainable behavior, but it’s probably worth investigating.
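Here is what baselining a user’s activity (the approach described under “The low and slow fraudster”) and correlating access logs with badge and payroll records (the Janie and Bob questions above) look like in code. This is an added example, not code from the original article or from any product it describes. All log lines are constructed, and the business hours, internal address range, spike threshold, absence statuses, and user names are assumptions for the illustration.

```python
"""Baseline per-user activity and correlate it with badge and HR records.

Added example; the logs are constructed and the site parameters are assumed.
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import date, datetime, time
from statistics import mean, pstdev

# Assumed site parameters: tune these for a real environment.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
ABSENT_STATUSES = {"sick", "vacation", "leave"}
SPIKE_SIGMA = 3.0        # flag a day more than 3 sigma above the user's daily mean
MIN_SD = 1.0             # floor on sigma so a perfectly flat baseline does not alert on +1
BASELINE_UNTIL = date(2023, 3, 3)   # days up to here train the baseline; later days are scored

# Constructed application access log: "timestamp,user,src_ip,resource"
ACCESS_LOG = """\
2023-03-01T09:12:00,bob,10.1.4.22,finance_db
2023-03-01T10:40:00,bob,10.1.4.22,finance_db
2023-03-02T09:05:00,bob,10.1.4.22,finance_db
2023-03-02T11:15:00,bob,10.1.4.22,finance_db
2023-03-02T15:20:00,bob,10.1.4.22,finance_db
2023-03-03T09:30:00,bob,10.1.4.22,finance_db
2023-03-03T14:02:00,bob,10.1.4.22,finance_db
2023-03-06T09:10:00,bob,10.1.4.22,finance_db
2023-03-06T23:41:00,bob,203.0.113.77,payroll_export
2023-03-06T23:42:00,bob,203.0.113.77,payroll_export
2023-03-06T23:43:00,bob,203.0.113.77,payroll_export
2023-03-06T23:44:00,bob,203.0.113.77,payroll_export
2023-03-06T23:45:00,bob,203.0.113.77,payroll_export
2023-03-01T09:00:00,janie,10.1.5.31,crm
2023-03-02T09:02:00,janie,10.1.5.31,crm
2023-03-03T09:01:00,janie,10.1.5.31,crm
2023-03-06T09:20:00,janie,10.1.5.31,crm
"""
# Constructed badge log ("date,user", one line per badge-in) and HR log ("date,user,status").
BADGE_LOG = "2023-03-01,bob\n2023-03-02,bob\n2023-03-03,bob\n2023-03-06,bob\n" \
            "2023-03-01,janie\n2023-03-02,janie\n2023-03-03,janie\n"
HR_LOG = "2023-03-06,janie,sick\n"


def parse_access(text):
    """Parse access lines into dicts with a parsed datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, resource = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "resource": resource})
    return events


def parse_dated(text):
    """Parse 'date,user[,status]' lines into {(date, user): status_or_None}."""
    out = {}
    for line in text.strip().splitlines():
        parts = line.split(",")
        out[(date.fromisoformat(parts[0]), parts[1])] = parts[2] if len(parts) > 2 else None
    return out


def build_baseline(events):
    """Per user: the set of source IPs seen and a daily-count spike threshold."""
    ips, daily = defaultdict(set), defaultdict(Counter)
    for e in events:
        ips[e["user"]].add(e["ip"])
        daily[e["user"]][e["ts"].date()] += 1
    baseline = {}
    for user, counts in daily.items():
        vals = list(counts.values())
        threshold = mean(vals) + SPIKE_SIGMA * max(pstdev(vals), MIN_SD)
        baseline[user] = {"ips": ips[user], "threshold": threshold}
    return baseline


def detect(events, badges, hr, baseline_until=BASELINE_UNTIL):
    """Score events after the baseline window; return {(user, day): [reasons]}."""
    train = [e for e in events if e["ts"].date() <= baseline_until]
    score = [e for e in events if e["ts"].date() > baseline_until]
    baseline = build_baseline(train)
    daily = Counter((e["user"], e["ts"].date()) for e in score)
    findings = defaultdict(set)
    for e in score:
        user, day, ip, t = e["user"], e["ts"].date(), e["ip"], e["ts"].time()
        key = (user, day.isoformat())
        prof = baseline.get(user)
        if prof is None:                      # never seen before: new hire, or an imposter
            findings[key].add("no_baseline")
            continue
        if daily[(user, day)] > prof["threshold"]:
            findings[key].add("spike")        # unusual volume for this user
        if ip not in prof["ips"]:
            findings[key].add("new_source_ip")
        if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
            findings[key].add("after_hours")
        if hr.get((day, user)) in ABSENT_STATUSES:
            findings[key].add("hr_absent")    # account active while payroll says absent
        if ipaddress.ip_address(ip) in INTERNAL_NET and (day, user) not in badges:
            findings[key].add("no_badge")     # on-site address, but nobody badged in
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    result = detect(parse_access(ACCESS_LOG), parse_dated(BADGE_LOG), parse_dated(HR_LOG))
    for (user, day), reasons in sorted(result.items()):
        print(f"{day} {user}: {', '.join(reasons)}")
```

Each finding is a question for an analyst, not a verdict: Bob’s after-hours burst from an unfamiliar address and Janie’s on-site session on a day HR and the badge system say she is absent are both explainable, but neither is visible from any one of the three sources alone. Run on real data, the baseline should cover weeks rather than days, and the badge and HR feeds should be treated as untrusted inputs that an insider with the right access could also alter.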
Your reality
Insider threats are hard to detect. The traditional methods of identifying and alerting on outside attacks, such as network perimeter security, are of little use when you are dealing with a privileged user or with stolen credentials that let an attacker masquerade as someone they are not. Even a good layered defense can be vulnerable to insiders if you’re not taking the time to examine the risks of an inside attack.
Think about the levels of control you have in place today. You’ve probably done a good job hardening your defense from the outside in. You likely have policies, procedures, and technical controls to help keep your core assets safe. But without visibility, the ability to see beyond individual logs and really understand what your machines are telling you, can you tell the good guys from the bad guys? Can you tell an accidental policy violation from persistent fraud? Probably not.
Next time, we’ll show you how some of the world’s leading institutions do it.