7 insider attacks behavior analytics detects

Frequent types of commonly executed insider attacks UEBA detects.


Call me Captain Obvious. Insider threats are not going away any time soon. According to analyst firm Forrester, insiders are responsible for more than half of organizations’ data breaches. The three main types of insider threats are malicious insiders (those intentionally trying to cause harm), non-malicious insiders (those who innocently click on the link they are not supposed to click on), and repeat offenders (those who continue to click on links even after being warned many times).

A fourth type of insider threat that falls a bit outside the scope, and we expect to see more of considering big breaches like Equifax and Yahoo!, is compromised credentials. The threat begins with outsiders trying to break in, but once they use employees’ login credentials to get inside, they stick around for a while, masquerading as legitimate employees while stealing sensitive data.

To detect and stop these threats before it’s too late, companies must monitor users’ behaviors and understand what’s normal, what’s abnormal but okay, and what’s abnormal and dangerous. User and Entity Behavior Analytics (UEBA) enables companies to do just that. Here are seven types of commonly executed insider attacks UEBA detects:

1. Slow and low

Many enterprises already have traditional cyber security tools in place to detect, for example, whether an employee emails a batch of customer credit card numbers to their private email account a certain number of times. Traditional tools work on basic thresholds, meaning that if an insider does the same thing more than “X” times, it raises a red flag.

Malicious insiders know this and act in a way that flies under the radar. Using the credit card example, they send small batches of credit card numbers once a day to their private email account over an extended period, each batch staying below the threshold. UEBA can detect that recurring behavioral pattern.

2. Collusion

Let’s say a group of employees is planning to leave a company to start their own competing one. To hit the ground running, they plan to steal their current employer’s customer list. To stay under the radar, each employee sends a small batch of customer names and contact information to their personal email account. UEBA can flag each employee’s abnormal behavior and point out that several are doing the same thing, which may indicate collusion.
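As an added illustration of items 1 and 2 (example code, not from the original article or any UEBA product): a per-message threshold rule beside a recurrence rule that looks at the same outbound events per user and destination, followed by a grouping step that surfaces several people in one department showing the same abnormal pattern. The event tuples, department mapping and domain names are constructed sample data.

```python
from collections import defaultdict
from datetime import date, timedelta

CORP_DOMAIN = "corp.example"
DEPARTMENT = {"alice": "sales", "dave": "sales", "bob": "finance", "carol": "sales"}

# Constructed sample DLP events (not real data):
# (user, day, recipient_domain, sensitive_records_in_message)
EVENTS = [("bob", date(2018, 1, 5), "partner.example", 12),     # one large send
          ("carol", date(2018, 1, 9), "webmail.example", 1),    # one-off, benign
          ("alice", date(2018, 1, 3), CORP_DOMAIN, 3)]          # internal mail, ignored
for i in range(20):  # alice and dave each send 2 records a day for 20 days
    for u in ("alice", "dave"):
        EVENTS.append((u, date(2018, 1, 1) + timedelta(days=i), "webmail.example", 2))

def threshold_alerts(events, per_message_max=10):
    """Classic rule: alert only when one message carries >= per_message_max records."""
    return {u for u, _, dom, n in events if dom != CORP_DOMAIN and n >= per_message_max}

def recurring_pattern_alerts(events, min_days=7, window_days=30):
    """Behavioral rule: per user and external destination, count the distinct days on
    which records left in a rolling window. Many small sends over many days is the
    'slow and low' signature that a per-message threshold never sees."""
    per_dest = defaultdict(list)
    for u, day, dom, n in events:
        if dom != CORP_DOMAIN and n > 0:
            per_dest[(u, dom)].append((day, n))
    alerts = {}
    for (u, dom), sends in per_dest.items():
        sends.sort()
        for i, (start, _) in enumerate(sends):
            window = [(d, n) for d, n in sends[i:] if (d - start).days < window_days]
            days = {d for d, _ in window}
            if len(days) >= min_days:
                alerts[u] = {"destination": dom, "days": len(days),
                             "total": sum(n for _, n in window)}
                break
    return alerts

def collusion_groups(alerts, departments, min_users=2):
    """Collusion hint: several people in one department show the same abnormal
    pattern toward the same kind of external destination."""
    groups = defaultdict(set)
    for u, a in alerts.items():
        groups[(departments.get(u, "?"), a["destination"])].add(u)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_users}
```

The threshold rule catches only bob's single large send; the recurrence rule flags alice and dave, and the grouping step ties the two together as the same department sending to the same destination.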

3. Hiding in the noise

In mortgage banking, for example, a group of employees is assigned to print mortgages, which contain sensitive customer information such as social security numbers. Big banks in particular employ thousands of people who handle mortgage documents carrying personally identifiable information.

A malicious insider may use those thousands of employees as cover. Aiming to steal troves of social security numbers, they print mortgages alongside the mortgage banking unit, hoping their actions are buried in business-as-usual activity. UEBA can catch the one person who normally does not print mortgages and alert investigators.

4. “Door jigglers”

The typical workplace consists of cubicles in the middle and office doors along the perimeter. If you are sitting in your cubicle and see someone walking along the perimeter jiggling doorknobs, you most likely would confront the person or call human resources. After all, jiggling doorknobs is not a normal behavior for most employees.

In the digital world, no one sees door jigglers, who are often non-malicious insiders. They are the employees who try visiting a website, only to get blocked because it’s against policy, but then try visiting another website that’s also against policy. These are the insiders who repeatedly click on suspicious links that launch ransomware attacks. UEBA combined with targeted security awareness training detects and mitigates these behaviors.

5. Persistent exfiltration attempts

These kinds of insider attacks resemble door jiggling; however, they are typically executed by malicious insiders. For example, an outside criminal steals an employee’s login credentials and breaks into a company, pretending to be the employee. The criminal is looking for intellectual property, such as the company’s plans for a new product. They obtain the design plans and now try to send them to a partner on the outside.

First, they try emailing the data, but they’re blocked. They then try uploading the data to cloud storage on their personal site but again are blocked. They try to save the data on a USB stick, but again are blocked. UEBA can piece these abnormal behaviors together, verify the employee is actually a bad actor, and stop them at the door.
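An added example of the chained-attempt logic described in item 5 (not code from the original article or any vendor): block events from email, cloud upload and USB controls are parsed from a constructed log, and a user is flagged only when their blocked attempts span several distinct channels inside a short window. A user hitting the same block twice (a door jiggler) does not trip it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log line format is an assumption for this example; real DLP/proxy/endpoint formats differ.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) channel=(?P<channel>\S+) action=(?P<action>\S+)$")

# Constructed sample block events (not real logs)
SAMPLE_LOG = """\
2018-01-09T10:02:11 user=jdoe channel=email action=block
2018-01-09T10:05:40 user=jdoe channel=cloud_upload action=block
2018-01-09T10:11:02 user=jdoe channel=usb action=block
2018-01-09T11:00:00 user=msmith channel=email action=block
2018-01-09T11:30:00 user=msmith channel=email action=block
2018-01-09T09:00:00 user=asmith channel=usb action=block
2018-01-09T15:30:00 user=asmith channel=email action=block
2018-01-09T15:45:00 user=asmith channel=cloud_upload action=allow
"""

def parse(log_text):
    """Turn log lines into (timestamp, user, channel, action); lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["channel"], m["action"]))
    return events

def chained_block_alerts(events, min_channels=3, window=timedelta(minutes=60)):
    """Flag a user whose blocked attempts cover >= min_channels distinct channels within window.
    Retrying through alternative channels after each block is the exfiltration signature."""
    by_user = defaultdict(list)
    for ts, user, channel, action in events:
        if action == "block":
            by_user[user].append((ts, channel))
    alerts = {}
    for user, blocks in by_user.items():
        blocks.sort()
        for i, (start, _) in enumerate(blocks):
            chans = {c for t, c in blocks[i:] if t - start <= window}
            if len(chans) >= min_channels:
                alerts[user] = sorted(chans)
                break
    return alerts
```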

6. Checking out

Glassdoor recently published a report showing that 35 percent of hiring decision makers expect more employees to quit over the next 12 months. When employees quit, it elevates the risk of insider threats – malicious and non-malicious. In some cases, an employee may try to take private corporate data to start their own competing business. In other cases, employees may mentally check out before physically leaving, no longer thinking or caring about security best practices. UEBA identifies behavior changes consistent with others who are, or were, preparing to leave the company, before sensitive corporate data slips out the door.

7. Gold prospectors

Employees who are burned out or disgruntled may start sniffing around for whatever “gold” they can find. They try logging into various applications and databases to see which data they can get their hands on. UEBA can detect these insiders by identifying that their behavior is abnormal compared to themselves, their peers and their overall business unit.
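An added example for items 3 and 7 (not code from the original article or any product) of the self-versus-peer comparison both rely on: a daily per-user count (here mortgage documents printed; the same function works for distinct applications accessed per day) is scored against the user's own history and against their department on the same day. The names, departments and 30-day series are constructed data, and the flat-history edge case (a user who never printed before) is handled with a floor on the standard deviation.

```python
import statistics
from collections import defaultdict

DEPARTMENT = {"ops1": "mortgage_ops", "ops2": "mortgage_ops", "ops3": "mortgage_ops",
              "evan": "it", "fay": "it"}

# Constructed daily 'mortgage documents printed' counts, 30 days per user (not real data)
HISTORY = {u: [40 + (i % 5) for i in range(30)] for u in ("ops1", "ops2", "ops3")}
HISTORY["evan"] = [0] * 29 + [45]   # never printed before, then one big day inside the noise
HISTORY["fay"] = [0] * 30

def global_threshold_alerts(history, max_per_user=50):
    """Flat rule applied to everyone: misses evan, whose 45 looks like any ops user's day."""
    return {u for u, s in history.items() if s[-1] >= max_per_user}

def zscore(value, baseline, min_std=1.0):
    """Standard score of value against a baseline sample; the floor keeps a flat
    history (all zeros) from dividing by zero and still yields a large score."""
    mean = statistics.fmean(baseline)
    std = max(statistics.pstdev(baseline), min_std)
    return (value - mean) / std

def score_users(history, departments, k=3.0):
    """Flag users whose latest day deviates from BOTH their own past and their peers' same day."""
    by_dept = defaultdict(list)
    for u, d in departments.items():
        by_dept[d].append(u)
    flagged = {}
    for u, series in history.items():
        self_z = zscore(series[-1], series[:-1])
        peers = [history[p][-1] for p in by_dept[departments[u]] if p != u]
        peer_z = zscore(series[-1], peers) if peers else 0.0
        if self_z > k and peer_z > k:
            flagged[u] = {"self_z": round(self_z, 1), "peer_z": round(peer_z, 1)}
    return flagged
```

The mortgage-ops users stay within their own and their peers' band and are not flagged; evan is flagged on both axes even though a global threshold sees nothing.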

This article is published as part of the IDG Contributor Network.
