How to Detect an Insider Threat
Most threat intelligence tools focus on the analysis of network, computer and application data while giving scant attention to the actions of authorized persons who could misuse their privileged access.
- Compromised account
- Infected host
- Account misuse
- Data staging
- Low and slow attack
- Unauthorized print job
- Fileless malware
- Zero-day attack
Defending against an insider threat therefore means watching for anomalous behavioral and digital activity, not just network and host telemetry.
Behavioral Indicators
Several behavioral indicators of an insider threat are worth watching for, including:
- A dissatisfied or disgruntled employee, contractor, vendor or partner.
- Attempts to circumvent security.
- Regularly working off-hours.
- Resentment toward co-workers.
- Routine violation of organizational policies.
- Contemplating resignation or discussing new opportunities.
Digital Indicators
- Signing into enterprise applications and networks at unusual times. For instance, an employee who, without any operational reason, signs into the network at 3 a.m. may be cause for concern.
- A surge in network traffic volume. If someone is copying large quantities of data across the network, you will see unusual spikes in traffic, especially when measured against that user's normal baseline.
- Accessing resources they usually do not use or are not permitted to access.
- Accessing data that is not relevant for their job function.
- Repeated requests for access to system resources not relevant for their job function.
- Using unauthorized devices such as USB drives.
- Network crawling and deliberate searching for sensitive information.
- Emailing sensitive information outside the organization.
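To show how two of the digital indicators above (unusual sign-in times and a surge in data volume) translate into detection logic, here is an added example that is not part of the original page: it runs over constructed sign-in and download events and flags off-hours logins and per-user daily volume spikes. The event format, the 07:00-19:59 business-hours window and the 10x baseline threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the page): "<ISO timestamp> <user> <action> <bytes>"
SAMPLE_EVENTS = [
    "2024-03-04T09:12:00 alice login 0",
    "2024-03-04T09:30:00 alice download 120000",
    "2024-03-04T10:05:00 bob login 0",
    "2024-03-04T10:20:00 bob download 80000",
    "2024-03-05T03:02:00 bob login 0",          # 3 a.m. sign-in
    "2024-03-05T03:10:00 bob download 5000000",
    "2024-03-05T03:15:00 bob download 7000000",
    "2024-03-05T11:00:00 alice download 90000",
]

BUSINESS_HOURS = range(7, 20)  # assumed working hours, 07:00-19:59
VOLUME_FACTOR = 10             # assumed: flag a day exceeding 10x the user's baseline


def parse_event(line):
    ts, user, action, nbytes = line.split()
    return datetime.fromisoformat(ts), user, action, int(nbytes)


def off_hours_logins(lines):
    """Indicator: sign-ins at unusual times. Returns (user, timestamp) pairs."""
    hits = []
    for line in lines:
        ts, user, action, _ = parse_event(line)
        if action == "login" and ts.hour not in BUSINESS_HOURS:
            hits.append((user, ts.isoformat()))
    return hits


def volume_spikes(lines, factor=VOLUME_FACTOR):
    """Indicator: surge in data volume relative to the same user's other days.
    Baseline is the mean daily download total over the user's remaining days."""
    daily = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, user, action, nbytes = parse_event(line)
        if action == "download":
            daily[user][ts.date()] += nbytes
    alerts = []
    for user, days in daily.items():
        for day, total in days.items():
            others = [v for d, v in days.items() if d != day]
            if not others:
                continue  # no baseline for a user seen on a single day
            if total > factor * (sum(others) / len(others)):
                alerts.append((user, day.isoformat(), total))
    return alerts
```

Real deployments would compute the baseline over weeks rather than a single other day, but the structure is the same: compare each user against their own history rather than a global threshold.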