September is National Insider Threat Awareness Month (NITAM), an initiative of the US government whose goal is to promote awareness of the issues organizations face as a result of insider threat. Cybersecurity is a higher priority for organizations than ever, yet insider threat incidents have risen 44% over the past two years [1].
What makes insider threats so difficult to detect is that the threat actor is already inside the network, using legitimate credentials. Perimeter controls such as firewalls and MFA are built to keep outsiders out; they do nothing against someone who already holds valid access. There are, however, ways to protect against insider threats, as we discuss below.
What is National Insider Threat Awareness Month?
NITAM is held annually in September as a national platform for increasing insider threat awareness, in order to promote safety, economic stability, and national security within public and private sector organizations. The month is an initiative of the National Counterintelligence and Security Center (NCSC), the National Insider Threat Task Force (NITTF), the Office of the Under Secretary of Defense for Intelligence and Security, the Defense Counterintelligence and Security Agency, and the Department of Homeland Security.
These bodies establish an annual theme for NITAM. The DOD theme for NITAM 2022 is “Critical Thinking in Digital Spaces”. The theme reflects society’s growing reliance on technology and the threats that this reliance poses to the security of personnel, information, resources, and mission capabilities.
How to Prevent, Detect and Defend Against Insider Threat
Insider threat is an incredibly difficult cybersecurity problem, but there are defenses against it. They range from a robust security architecture to out-of-the-box solutions like CounterCraft’s cyber deception campaigns. Below you’ll see 4 ways to prevent insider threat. With the average annual cost of insider threats to an organization now exceeding $15 million [1], is your organization doing everything it can to protect itself?
1) Train the workforce.
Having a workforce that is aware of the risk of insider threat is essential to detecting suspicious activity. When insider threat is perpetrated by a rogue employee, that employee often exhibits warning signs that colleagues who work closely with them are best placed to recognize. Train your organization’s employees to recognize these signs. Training also reduces ‘accidental’ insider threat incidents, such as clicking on phishing emails.
It is also important to give them the means to respond should they recognize the signs of insider threat. Ensure personnel can act on a concern by having a reporting procedure in place and making company policy known to all.
2) Employ a robust zero trust policy.
The Zero Trust approach is a sound way to limit insider threat activity. It assumes that a breach is inevitable and aims to keep the damage limited when one occurs, with a system that is resilient and can recover quickly. Under the Zero Trust model an organization compartmentalizes its resources and grants each member only the minimum access needed, verified on every request rather than once at the perimeter. Because access is never implied by being inside the network, a zero trust strategy limits the damage a compromise can do no matter where it originates, which makes it a strong defense against insider threat. Find out how deception technology supports zero trust strategy.
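To make the compartmentalization concrete, here is a deny-by-default access check of the kind a zero trust policy point enforces. This is an added example written for this page, not CounterCraft’s or any product’s code; the users, roles, resource names, compartments, policy lines and the 8-hour MFA limit are all constructed assumptions.

```python
"""Added example (not CounterCraft's code): a deny-by-default, per-resource
access decision. Every resource sits in exactly one compartment, a role is
granted specific actions in specific compartments only, and device posture
and MFA freshness are re-checked on every request. All names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device_compliant: bool
    mfa_age_s: int       # seconds since the user last completed MFA
    resource: str
    action: str


# Which compartment each resource belongs to (constructed names).
COMPARTMENTS = {
    "hr/payroll.xlsx": "hr",
    "eng/repo": "engineering",
    "finance/ledger.db": "finance",
}

# (role, compartment) -> actions granted. Anything not listed here is denied.
POLICY = {
    ("hr-analyst", "hr"): {"read"},
    ("engineer", "engineering"): {"read", "write"},
    ("finance-admin", "finance"): {"read", "write"},
}

MAX_MFA_AGE_S = 8 * 3600   # assumed policy: re-authenticate at least every 8 hours


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every path that is not an explicit grant denies."""
    compartment = COMPARTMENTS.get(req.resource)
    if compartment is None:
        return False, f"{req.resource}: not a registered resource"
    if not req.device_compliant:
        return False, f"{req.user}: device out of compliance"
    if req.mfa_age_s > MAX_MFA_AGE_S:
        return False, f"{req.user}: MFA older than {MAX_MFA_AGE_S}s"
    granted = POLICY.get((req.role, compartment), set())
    if req.action not in granted:
        return False, f"{req.role} has no '{req.action}' in compartment '{compartment}'"
    return True, "explicit grant"


if __name__ == "__main__":
    # A legitimate engineer can write to the engineering repo ...
    print(decide(Request("jdoe", "engineer", True, 600, "eng/repo", "write")))
    # ... but the same valid credentials do not reach the finance ledger,
    # which is the property that contains an insider (or a stolen account).
    print(decide(Request("jdoe", "engineer", True, 600, "finance/ledger.db", "read")))
```

The point to notice is that nothing in `decide` asks where the request came from: a request from the office LAN with a valid session is evaluated exactly like one from outside, so an insider’s location on the network buys them nothing.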
3) Put a Confidential Information Access deception campaign into place.
Cyber deception is one of the best security tools for detecting insider threat. Why? Deception detects threatening behavior without relying on known malicious patterns, signatures, baselines or large volumes of historical data. That matters because an insider uses valid credentials and legitimate access paths, so their activity rarely stands out in conventional telemetry; deception is one of the few controls that does not need it to. It works by creating decoys (breadcrumbs that range from files to programs) that no one has a legitimate reason to access. Contact us to learn about the different campaigns and techniques for defending against insider threat.
CounterCraft’s internal lateral-movement campaign
A Confidential Information Access campaign helps detect insider threat by raising an alarm whenever anyone touches decoy confidential information placed in a production environment. Because no legitimate workflow uses this information, every access is by definition worth investigating; triage still has to separate idle curiosity from malicious intent, but the alert itself is not a false positive. Step one is to seed the corporate environment with breadcrumbs connected to a deception campaign, such as Microsoft Office documents, distributed at different points across the network.
We instrument these breadcrumbs so that, when opened, they send a call-home signal to our deception hosts, which record that the document has been opened and report the event to the deception director. You then receive a notification that someone is accessing these documents without authorization.
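The mechanics of the call-home signal, as an added example that is not CounterCraft’s product code: a registry that ties each placed decoy to an unguessable token, and the logic that turns a hit on the deception host into an alert. It assumes each decoy embeds a remote reference (for example a linked image or template) whose URL carries the token, so rendering the document makes a request the deception host logs. The listener URL, the log line format, host names, file paths and the log lines themselves are constructed for illustration.

```python
"""Added example (not CounterCraft's code): registry of instrumented decoy
documents plus handling of their call-home beacons. Listener URL, log
format, hosts, paths and sample log lines are constructed assumptions."""
import re
import secrets
from dataclasses import dataclass
from typing import Optional

BEACON_BASE = "https://decoy-host.example.internal/b/"   # assumed listener URL


@dataclass(frozen=True)
class Breadcrumb:
    token: str
    host: str       # machine or share where the decoy was dropped
    path: str       # decoy file name as the insider would see it
    campaign: str


class BreadcrumbRegistry:
    """Maps beacon tokens back to the decoy that carries them."""

    def __init__(self) -> None:
        self._by_token: dict[str, Breadcrumb] = {}

    def place(self, host: str, path: str,
              campaign: str = "confidential-information-access") -> Breadcrumb:
        # 192 random bits: the token cannot be guessed or enumerated, so a hit
        # means the document itself was opened (or its URL was extracted from it).
        bc = Breadcrumb(secrets.token_urlsafe(24), host, path, campaign)
        self._by_token[bc.token] = bc
        return bc

    def beacon_url(self, bc: Breadcrumb) -> str:
        """The URL to embed in the decoy as its remote reference."""
        return BEACON_BASE + bc.token

    def lookup(self, token: str) -> Optional[Breadcrumb]:
        return self._by_token.get(token)


# Constructed access-log format of the decoy host:
#   <ISO timestamp> <source IP> GET /b/<token> "<User-Agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) GET /b/(?P<token>[A-Za-z0-9_-]+) "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Alert:
    severity: str
    summary: str
    ts: str
    src: str
    user_agent: str
    breadcrumb: Optional[Breadcrumb]


def handle_log_line(reg: BreadcrumbRegistry, line: str) -> Optional[Alert]:
    """Turn one decoy-host log line into an alert, or None if it is not a beacon."""
    m = LOG_RE.match(line)
    if not m:
        return None
    bc = reg.lookup(m["token"])
    if bc is None:
        # The listener was reached with a token we never issued: not a decoy
        # being opened, but still worth a look (scanning, replay, a typo).
        return Alert("medium", "beacon listener hit with unknown token",
                     m["ts"], m["src"], m["ua"], None)
    return Alert("high", f"decoy '{bc.path}' placed on {bc.host} was opened",
                 m["ts"], m["src"], m["ua"], bc)


if __name__ == "__main__":
    reg = BreadcrumbRegistry()
    bc = reg.place("FS01", "Finance/Board/2022-bonus-pool.xlsx")
    # Constructed log lines: one genuine beacon, one unknown token, one unrelated request.
    for line in [
        f'2022-09-14T10:02:31Z 10.20.4.17 GET /b/{bc.token} "Mozilla/4.0 (compatible; ms-office)"',
        '2022-09-14T10:03:05Z 10.20.9.8 GET /b/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "curl/7.85.0"',
        '2022-09-14T10:03:06Z 10.20.9.8 GET /favicon.ico "curl/7.85.0"',
    ]:
        print(handle_log_line(reg, line))
```

Two design points carry over to any real deployment: the token, not the file name, identifies the decoy, so the same bait document can be placed in several locations and each copy is distinguishable; and a hit with an unknown token is surfaced rather than dropped, because an attacker probing the listener is itself a signal.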
4) Beware of open source package use and supply chains.
Incorporating a third party into your organization’s activities always increases risk. An attack vector that is becoming more common is external threat actors inserting malicious code into open source packages, hoping to compromise data or systems downstream. Developers risk unknowingly incorporating a compromised package into software they are building for their organization. Be deliberate about open source usage: pin the versions you build with, verify that what you install is the artifact you reviewed, and know who maintains the packages you depend on, which may mean investigating the online presence and reputation of their contributors. Keeping an accurate inventory of the components and packages used in your organization’s software and supply chain is a must.
As you can see, there are many ways to defend against the insidious insider.
[1] https://www.proofpoint.com/us/resources/threat-reports/cost-of-insider-threats