How to identify and prevent insider cyberattacks


Insider cyberthreats are on the rise. According to a report from the Ponemon Institute, the number of cybersecurity incidents caused by insiders increased by 44% between 2020 and 2022, while the average cost per incident rose to USD 648,000 for malicious incidents and USD 485,000 for non-malicious ones. In the last year alone, insider-led intrusions have grown and are costing organizations dearly: an average of USD 16.2 million per year.

An insider threat is defined by the potential for an individual to use their access to negatively affect the confidentiality and integrity of an organization's data or information technology (IT) systems. This includes malicious threats, where an employee or contractor uses their access to act against the organization's interests, and unintentional threats, where someone who is authorized to use security tools as part of their job fails to follow the procedural standards that would reduce risk.

Given the cost and growth of these threats, organizations need to understand the risks and know how to defend themselves. Insider activity can be hard to detect, but all is not lost: CrowdStrike's case analysis shows that many of the defensive measures used to detect and contain adversary intrusions are also effective against insider threats.

Problem #1: Privilege escalation

CrowdStrike's Counter Adversary Operations and Falcon Complete teams have been observing insider threats on the networks we protect for years. To understand how these threats play out, we analyzed incidents from January 2021 to April 2023 and found that multiple insiders achieved their goals by exploiting known vulnerabilities.

More than half of the insiders (55%) introduced risk by escalating their privileges on their workstation or on the network. They sought privileged credentials to install unauthorized software, remove forensic evidence, or troubleshoot IT systems. Whether intentionally or not, by trying to expand their access these users put their organizations at risk.

These incidents did not depend on secret knowledge held by a few. In fact, the insiders used six well-known vulnerabilities that have publicly available exploit code on GitHub and are listed in the Known Exploited Vulnerabilities catalog maintained by the United States Cybersecurity and Infrastructure Security Agency (CISA).

Sometimes insiders exploit these vulnerabilities for reasons that are not malicious in themselves. In one case, an insider downloaded an exploit via WhatsApp, used it to escalate their privileges, and then installed the uTorrent file-sharing client and unauthorized games.

In other cases the use is plainly malicious. For example, in late July 2022 a former employee who had been fired from a US-based media company attempted to exploit a Windows vulnerability to carry out unauthorized activity.

Problem #2: Downloading exploits and security tools

Among the insider threat incidents we examined, 45% involved employees who downloaded unauthorized exploits or other offensive security tools for testing or training purposes and, without meaning to, exposed the organization to risk.

In these incidents, testing exploits and tools may well have been part of the insider's job, but they did not follow safe procedures. For example, in February 2023 a user at a US-based technology company attempted to download an exploit for a Windows kernel privilege escalation vulnerability in order to test it, but did so on their corporate workstation instead of on the approved test system (a separate virtual machine).

Malicious or not, these activities put organizations at risk. Running exploits on unapproved systems can disrupt operations through crashes or other side effects. They also create weak points: an adversary who already has a foothold on the network can find these flaws or tools and use them to further their own activity. Finally, downloading and mishandling such code can introduce backdoors, making it easier for adversaries to get in.

Our analysis also turned up several incidents in which privileged users installed the Metasploit framework on systems without authorization. Metasploit is a well-known penetration testing framework that security teams use routinely, but it also gives an attacker a ready-made toolkit for pre- and post-exploitation activity.

Solutions to manage insider threats

The first initiative every organization should consider is investing in awareness and compliance training for employees. Teaching employees to recognize a potential insider who is putting the company at risk is a critical first step. Most security teams already have protocols for the safe use of offensive tools; it is important that staff know and follow those procedures, and that they alert management to any abuse or misuse of such tools.

Companies need to understand and apply the principle of least privilege (POLP): users and processes are granted only the minimum permissions necessary to perform their tasks. POLP is one of the most effective practices for strengthening an organization's security posture, because it lets the organization control and monitor access to the network and to data, and it directly limits the privilege escalation problem described above. Note that least privilege constrains what an insider starts with; it does not by itself stop an unpatched local privilege escalation vulnerability from taking an ordinary user to SYSTEM or root, so it has to be paired with timely patching.
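What a least-privilege review looks like in practice, as an added example that is not part of the article and not CrowdStrike's tooling: a small Python audit of a sudoers fragment that flags the grants a reviewer would push back on (any command, any run-as user, a shell or wildcard, NOPASSWD on a broad grant). The sudoers content, account names and the list of shell-equivalent programs are constructed assumptions about a typical Linux host; the same questions apply to local Administrators membership on Windows.

```python
"""Least-privilege review of a sudoers fragment.

Added example, not from the article or from CrowdStrike. The sudoers content
below is constructed; the checks encode the usual review questions (can the
grant run anything? as anyone? without re-authenticating?), not a formal policy.
Only the common 'user host=(runas) TAG: cmds' form is parsed; Defaults and
alias lines are skipped.
"""
import re

# Constructed fragment: two over-broad grants, two scoped ones.
SAMPLE_SUDOERS = """\
# ops gets blanket root without a password; dev gets a root shell via a wildcard
ops    ALL=(ALL) NOPASSWD: ALL
dev    ALL=(root) /bin/bash *
# web may restart/inspect one service; audit may read one log as a dedicated account
web    ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
audit  ALL=(loguser) NOPASSWD: /usr/bin/cat /var/log/app/app.log
"""

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# Programs that hand the caller an arbitrary command prompt; granting one of
# these is equivalent to granting ALL. Illustrative list, not exhaustive.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/sh", "/usr/bin/bash",
          "/usr/bin/python3", "/usr/bin/perl", "/usr/bin/env", "/usr/bin/vim"}

SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Return one dict per user-specification line; comments, blanks and aliases are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "who": m["who"],
            "hosts": m["hosts"],
            # "(user:group)" form: keep the user part; sudo's default run-as is root
            "runas": (m["runas"] or "root").split(":")[0].strip(),
            "tags": {t.rstrip(":") for t in m["tags"].split()},
            "cmds": [c.strip() for c in m["cmds"].split(",") if c.strip()],
        })
    return rules


def _is_broad(cmd):
    """A command entry is broad if it is ALL, a shell, or carries a wildcard."""
    if cmd == "ALL":
        return True
    return cmd.split()[0] in SHELLS or "*" in cmd


def audit_rule(rule):
    """List the least-privilege problems with one parsed rule (empty list means acceptable)."""
    issues = []
    if "ALL" in rule["cmds"]:
        issues.append("command list is ALL: any command as the run-as user")
    if rule["runas"] == "ALL":
        issues.append("run-as is ALL: caller can become any account, including root")
    for cmd in rule["cmds"]:
        if cmd == "ALL":
            continue
        prog = cmd.split()[0]
        if prog in SHELLS:
            issues.append(f"{prog} gives an interactive shell, equivalent to ALL")
        elif "*" in cmd:
            issues.append(f"wildcard in '{cmd}' lets the caller choose the arguments")
    if "NOPASSWD" in rule["tags"] and any(_is_broad(c) for c in rule["cmds"]):
        issues.append("NOPASSWD on a broad grant removes the re-authentication step")
    return issues


def audit_sudoers(text):
    """Map each grantee to the issues found across all of its rules."""
    report = {}
    for rule in parse_sudoers(text):
        report.setdefault(rule["who"], []).extend(audit_rule(rule))
    return report


if __name__ == "__main__":
    for who, issues in audit_sudoers(SAMPLE_SUDOERS).items():
        print(f"{who}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

Running the block prints three findings for `ops`, one for `dev`, and nothing for `web` and `audit`. The point of the scoped rules is that they name a fixed program with fixed arguments: `web` cannot turn its `systemctl` grant into a shell, whereas `dev`'s `/bin/bash *` is root in everything but name. NOPASSWD on `audit` is acceptable because the command cannot be repurposed; the same tag on `ops` removes the last check standing between a stolen session and root.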

Additionally, many of the vulnerabilities we have seen insiders use have exploits that are publicly available on GitHub. Restricting or monitoring downloads of exploit code from GitHub and other online code repositories would therefore help mitigate these threats. Blocking code repositories outright is rarely workable where developers depend on them, so in practice this usually means logging downloads at the proxy and alerting on repositories whose names or paths reference exploits, proofs of concept or CVEs, especially when the destination is not an approved test system.

Many of the vulnerabilities described here have also been exploited by targeted-intrusion and eCrime adversaries. As a result, most of the protective measures against common threats that network defenders already use to detect and prevent attacks are also useful against insider threats.

Insiders used many old vulnerabilities, some disclosed as far back as 2015, which underlines that a vulnerability remains usable by any attacker, internal or external, until the company patches or mitigates it. Timely vulnerability remediation across the network and every device connected to it is therefore critical.

However, patching alone is not sufficient to deal with these threats, which is why organizations need multiple layers of defense. A Zero Trust architecture and identity protection services prevent unauthorized access to systems and networks. In addition, user behavior analysis is an important technique for detecting an adversary using stolen credentials or identifying suspicious activity by an insider.

Behavior analysis begins with building a baseline of normal behavior for each user from historical data, so that deviations can be identified and acted on before they cause damage to the organization.
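The baseline-and-deviation idea above, together with the earlier points about monitoring exploit downloads from code repositories, exploits run on a corporate workstation instead of the approved test VM, unauthorized Metasploit installs and unexpected privilege escalation, as one added example that is not part of the article and not CrowdStrike's detection logic. It is written in Python over constructed JSON-lines telemetry: the field names, users, hosts, URLs, the approved lab host list and the offensive-tool list are all assumptions made for illustration, and a real deployment would read EDR or proxy exports instead.

```python
"""Baseline-and-deviation scoring over constructed endpoint telemetry.

Added example, not CrowdStrike's tooling or the article's own code. The log
format, field names, user names, hosts and URLs are constructed for
illustration. Events before the cutoff build a per-user baseline; events after
it are scored against that baseline and against a few known-risky patterns.
"""
import json
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed telemetry, one JSON object per line. Lines before the marker
# comment form the historical baseline; lines after it are scored.
SAMPLE_LOG = """\
{"ts":"2023-03-01T09:02:11","user":"alice","host":"ws-alice","event":"process","name":"excel.exe","priv":"user"}
{"ts":"2023-03-01T09:10:43","user":"alice","host":"ws-alice","event":"download","url":"https://intranet.example/reports/q1.xlsx","priv":"user"}
{"ts":"2023-03-02T10:00:05","user":"bob","host":"lab-vm-01","event":"download","url":"https://github.com/someorg/kernel-privesc-poc/archive/main.zip","priv":"user"}
{"ts":"2023-03-02T10:03:19","user":"bob","host":"lab-vm-01","event":"process","name":"msfconsole","priv":"root"}
# --- scoring period ---
{"ts":"2023-04-10T14:22:01","user":"alice","host":"ws-alice","event":"download","url":"https://github.com/someuser/windows-lpe-exploit/releases/download/v1/lpe.exe","priv":"user"}
{"ts":"2023-04-10T14:25:40","user":"alice","host":"ws-alice","event":"process","name":"lpe.exe","priv":"user"}
{"ts":"2023-04-10T14:26:02","user":"alice","host":"ws-alice","event":"process","name":"cmd.exe","priv":"SYSTEM"}
{"ts":"2023-04-10T14:30:00","user":"alice","host":"ws-alice","event":"process","name":"utorrent.exe","priv":"SYSTEM"}
{"ts":"2023-04-11T11:00:00","user":"bob","host":"lab-vm-01","event":"download","url":"https://github.com/someorg/lab-privesc-poc/archive/main.zip","priv":"user"}
"""

BASELINE_CUTOFF = datetime(2023, 4, 1)   # events before this build the baseline (assumed)
LAB_HOSTS = {"lab-vm-01"}                 # assumed approved exploit-testing systems
CODE_HOSTS = {"github.com", "raw.githubusercontent.com",
              "objects.githubusercontent.com", "gitlab.com"}
# Path fragments that usually mean "this is exploit code", not a library.
EXPLOIT_PATH_RE = re.compile(r"cve-\d{4}-\d+|exploit|\bpoc\b|privesc|\blpe\b", re.I)
OFFENSIVE_TOOLS = {"msfconsole", "msfvenom", "mimikatz.exe", "psexec.exe"}  # illustrative


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blanks and '#' comments; oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def build_baseline(events, cutoff=BASELINE_CUTOFF):
    """Per-user sets of hosts, processes, privilege levels and download domains seen before the cutoff."""
    baseline = defaultdict(lambda: {"hosts": set(), "procs": set(), "privs": set(), "domains": set()})
    for ev in events:
        if ev["ts"] >= cutoff:
            continue
        b = baseline[ev["user"]]
        b["hosts"].add(ev["host"])
        b["privs"].add(ev["priv"])
        if ev["event"] == "process":
            b["procs"].add(ev["name"].lower())
        elif ev["event"] == "download":
            b["domains"].add(urlsplit(ev["url"]).netloc.lower())
    return baseline


def _finding(ev, kind, severity):
    return {"ts": ev["ts"].isoformat(), "user": ev["user"], "host": ev["host"],
            "kind": kind, "severity": severity, "detail": ev.get("url") or ev.get("name")}


def score_events(events, baseline, cutoff=BASELINE_CUTOFF):
    """Flag post-cutoff events that deviate from the user's baseline or match risky patterns.

    Severity is downgraded, not suppressed, on approved lab hosts: exploit testing
    belongs on the designated VM, and the same download on a workstation is high.
    """
    findings = []
    reported_privs = defaultdict(set)   # one alert per new privilege level, not per process
    for ev in events:
        if ev["ts"] < cutoff:
            continue
        b = baseline[ev["user"]]        # unknown users get an empty baseline: everything is new
        in_lab = ev["host"] in LAB_HOSTS
        if ev["event"] == "download":
            parts = urlsplit(ev["url"])
            domain = parts.netloc.lower()
            if domain in CODE_HOSTS and EXPLOIT_PATH_RE.search(parts.path):
                findings.append(_finding(ev, "exploit_download", "low" if in_lab else "high"))
            elif domain not in b["domains"]:
                findings.append(_finding(ev, "new_download_source", "low"))
        elif ev["event"] == "process":
            name = ev["name"].lower()
            if name in OFFENSIVE_TOOLS and name not in b["procs"]:
                findings.append(_finding(ev, "offensive_tool", "low" if in_lab else "high"))
            if ev["priv"] not in b["privs"] and ev["priv"] not in reported_privs[ev["user"]]:
                reported_privs[ev["user"]].add(ev["priv"])
                findings.append(_finding(ev, "new_privilege_level", "high"))
            elif name not in b["procs"]:
                findings.append(_finding(ev, "new_process", "low"))
    return findings


def run(log_text=SAMPLE_LOG, cutoff=BASELINE_CUTOFF):
    events = parse_events(log_text)
    return score_events(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for f in run():
        print(f"{f['ts']} {f['severity']:<4} {f['user']}@{f['host']} {f['kind']}: {f['detail']}")
```

On the constructed data the block produces two high-severity findings, both for `alice`: an exploit download from a code repository onto a workstation, followed a few minutes later by a process running at a privilege level never seen in her baseline. The same kind of download by `bob` on the lab VM is reported at low severity because that host is where exploit testing is supposed to happen. The baseline is what makes the second finding possible: nothing about `cmd.exe` is suspicious on its own, only the jump to SYSTEM for a user who has never held it.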

Finally, there are many benefits to building threat hunting into a cybersecurity program. Waiting for an alert is not enough: organizations need to proactively look for unusual behavior, using the tools and techniques described above to identify potential insider risks.
