What is an example of an insider threat in cybersecurity?

An insider threat is someone within an organization who intentionally misuses their access to compromise data or systems. Insider threats can come from employees, contractors, or business associates who have authorized access to an organization’s network, systems, or data but use that access inappropriately. They are a significant concern for cybersecurity because insiders can often bypass security measures, and their access to and knowledge of internal systems enable more extensive damage.

What makes insider threats dangerous?

There are several factors that make insider threats a major security risk for organizations:

  • Insiders have authorized access – Unlike external attackers, insiders already have legitimate credentials and access to gain entry into systems and databases. This makes it much easier for them to improperly access and exfiltrate sensitive data undetected.
  • Insiders know where the “crown jewels” are – Long-term employees especially have intricate knowledge of an organization’s most valuable systems and databases that contain critical IP, customer data, financial info etc. This makes it easy for malicious insiders to target the most sensitive assets.
  • Insiders can bypass many security defenses – Firewalls, IDS and other perimeter defenses are intended to stop external attacks but are less effective against internal actors. Insiders can bypass many of these security layers.
  • Detection is difficult – Strange activity that could signal an external attacker often stands out. But insider misuse often appears like normal activity, making it much harder to detect.
  • Damage can be extensive – The combination of access, knowledge and ability to evade defenses means insiders can often cause significantly more damage than external attackers before being detected.

For these reasons, the threat of insiders abusing their access is a leading concern for security professionals.

Common examples of insider threats

Some of the most common examples of insider threats include:

  • Data theft – Insiders stealing proprietary information and giving it to competitors. This could involve stealing source code, product designs/plans, customer lists or financial information.
  • IP theft – Employees, contractors or business partners stealing intellectual property like patents, copyrights, source code or trade secrets to benefit another company or themselves.
  • Credentials abuse – Using administrator or other elevated credentials to improperly access confidential systems and data for unauthorized purposes, such as snooping on employee or customer records.
  • Data destruction – Maliciously deleting or manipulating business-critical data and systems, such as wiping databases, destroying backups or interfering with systems.
  • Fraud – Exploiting internal systems and access to embezzle money or commit financial fraud.
  • Sabotage – Deliberately disrupting IT systems and business operations, such as taking down corporate networks or production systems.

While insider threats can stem from a variety of motives – greed, vengeance, ego or ideology – the unifying theme is leveraging authorized access to negatively impact the confidentiality, integrity or availability of the organization’s assets and operations.

Real-world examples of damaging insider threats

Some notable real-world instances of insider threats include:

Edward Snowden (NSA)

In 2013, NSA contractor Edward Snowden used his access to copy and leak highly classified information about NSA surveillance programs. The breach was one of the most damaging in NSA history. Snowden was able to exfiltrate thousands of classified documents, exposing sensitive NSA methods.

Chelsea Manning (U.S. Army)

U.S. Army intelligence analyst Chelsea Manning leaked nearly 750,000 classified and sensitive military and diplomatic documents to WikiLeaks in 2010. The breach included battlefield reports as well as diplomatic cables. It represents one of the largest breaches of classified data in history.

Aaron Swartz (JSTOR)

As a guest user at MIT, technologist and internet activist Aaron Swartz improperly downloaded 4.8 million articles and documents from JSTOR in 2011, accounting for a major portion of the JSTOR library. The breach brought down JSTOR servers and led to federal hacking charges against Swartz.

Zhou Yongkang (Chinese Government)

Zhou Yongkang, a former top official in the Chinese Communist Party, secretly leaked classified information and Party secrets to other organizations according to the Chinese government. Zhou was accused of forming an insider threat group within the government to undermine rivals.

Morgan Stanley Data Theft

In 2008, a Morgan Stanley financial advisor allegedly stole account data for 350,000 clients and tried to sell it to a securities firm competitor for $5 million. He used his insider access to download massive amounts of sensitive client data onto his own servers.

Insider threats in action: Case study at MobiliPay

A realistic example of a damaging insider threat occurred at the fictional company MobiliPay, a mobile payments processor that handled billions in transactions:

The threat

Harold Jenson had worked at MobiliPay for 5 years as a server administrator. But when he was passed over for promotion, Harold decided to steal corporate secrets to benefit a competitor. Since Harold had intimate knowledge of MobiliPay’s systems, he knew where sensitive data lived on the servers.

One evening Harold used his admin access to log into a database server that held customer transaction records, account info, and payment logs. He copied transaction logs for the past 12 months onto a USB drive. Harold then deleted the activity logs to cover his tracks before logging out.

The next day, Harold resigned from MobiliPay stating he was leaving for personal reasons. The following week, he contacted OceanPay, one of MobiliPay’s biggest rivals, and offered to sell them MobiliPay’s transaction data for $100,000.

The detection

MobiliPay noticed a spike in database read I/O the evening Harold stole the data, but nothing appeared unusual in the activity logs since Harold had deleted them. Upon investigating the server further, however, the MobiliPay security team discovered the deleted yet still recoverable log entries showing Harold’s unauthorized database access and file copies.

Checking access records, MobiliPay also found Harold had accessed employee records he had no legitimate business need for. When Harold resigned unexpectedly, MobiliPay put two and two together and realized they likely had suffered a data theft.
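As an added illustration of the detection step described above (example code written for this article, not MobiliPay’s or any vendor’s tooling): if the database audit records had been forwarded to a separate log collector that numbers each record and chains its hash to the previous one, deleting the entries on the server would have shown up as a sequence gap and a broken hash chain, without relying on forensic recovery of deleted entries. The same records can be checked against a role scope to surface the out-of-role access to employee records. Usernames, table names, sizes and the role scope are all constructed for the example.

```python
import hashlib
import json
from typing import Dict, List

# Constructed sample: database audit events as a remote log collector might
# receive them from the database server. Usernames, hosts and table names are
# hypothetical; byte and row counts are made up.
RAW_EVENTS: List[Dict] = [
    {"ts": "2023-03-06T18:02:11", "user": "hjenson", "action": "login", "object": "db-tx-01"},
    {"ts": "2023-03-06T18:03:40", "user": "hjenson", "action": "select", "object": "transactions", "rows": 9400000},
    {"ts": "2023-03-06T18:21:05", "user": "hjenson", "action": "export", "object": "transactions", "bytes": 3100000000},
    {"ts": "2023-03-06T18:22:30", "user": "hjenson", "action": "select", "object": "employees", "rows": 1200},
    {"ts": "2023-03-06T18:25:00", "user": "hjenson", "action": "logout", "object": "db-tx-01"},
]

GENESIS = "0" * 64  # hash-chain anchor for the first record


def chain_hash(prev_hash: str, record: Dict) -> str:
    """SHA-256 over the previous record's hash plus this record's canonical JSON."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def build_log(events: List[Dict]) -> List[Dict]:
    """Collector side: assign sequence numbers and chain each record to its predecessor."""
    log, prev = [], GENESIS
    for seq, event in enumerate(events, start=1):
        record = dict(event, seq=seq)  # the hash covers the sequence number too
        record["hash"] = chain_hash(prev, record)
        prev = record["hash"]
        log.append(record)
    return log


def verify_log(log: List[Dict]) -> List[str]:
    """Return findings: sequence gaps (deleted records) and hash mismatches (edited records)."""
    findings, prev, expected_seq = [], GENESIS, 1
    for record in log:
        if record["seq"] != expected_seq:
            findings.append(f"gap: expected seq {expected_seq}, found {record['seq']}")
            expected_seq = record["seq"]
        body = {k: v for k, v in record.items() if k != "hash"}
        if chain_hash(prev, body) != record["hash"]:
            findings.append(f"seq {record['seq']}: hash mismatch (edited or out of chain)")
        prev = record["hash"]
        expected_seq += 1
    return findings


# Hypothetical role scope: the objects a server administrator has a business need to touch.
ROLE_SCOPE = {"server_admin": {"db-tx-01", "transactions", "payment_logs"}}
USER_ROLE = {"hjenson": "server_admin"}


def out_of_role_access(log: List[Dict]) -> List[tuple]:
    """Flag records where a user touched an object outside their role's scope."""
    hits = []
    for record in log:
        scope = ROLE_SCOPE.get(USER_ROLE.get(record["user"], ""), set())
        if record["object"] not in scope:
            hits.append((record["seq"], record["user"], record["object"]))
    return hits


if __name__ == "__main__":
    log = build_log(RAW_EVENTS)
    print("intact log:", verify_log(log) or "no findings")
    # Simulate the records of the copy itself being deleted on the server.
    tampered = [r for r in log if r["seq"] not in (2, 3, 4)]
    print("after deletion:", verify_log(tampered))
    print("out-of-role access:", out_of_role_access(log))
```

The chain only helps if the collector is outside the administrator’s control: an admin who can edit the server’s local log can also rebuild a local chain, which is why the records are hashed as they arrive at the collector rather than on the database host.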

The response

MobiliPay immediately notified authorities and activated its incident response plan. They were able to implement data access controls to block any further unauthorized access by Harold. They also reached out to OceanPay and were able to negotiate an agreement not to purchase MobiliPay’s data.

In the aftermath, MobiliPay implemented more stringent data access controls and logging. They also added additional monitoring and alerts to better detect insider threats in the future. Though the damage was minimized, the incident underscored the importance of safeguards tailored to insider risks.

Best practices for mitigating insider threats

Organizations can apply various best practices to help minimize the risks and potential impacts of insider threats:

Limit and monitor access

  • Employ the principles of least privilege and data minimization when granting access and permissions.
  • Implement separation of duties to divide privileged roles.
  • Use data loss prevention (DLP) monitoring to detect potential unauthorized data exfiltration.
  • Log and monitor user activity on critical systems to catch abnormal behavior.
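The first two bullets (least privilege and separation of duties) are easier to enforce when they are expressed as rules that can be checked automatically. The following is an added example for this article, not code from any product it mentions: a small access review that finds users holding a conflicting pair of permissions, and permissions that have not been exercised recently and are candidates for removal. All role, permission, user and last-use values are constructed.

```python
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

# Constructed role model: roles grant permissions, users hold roles.
ROLE_PERMS: Dict[str, Set[str]] = {
    "payments_clerk": {"create_vendor", "view_invoices"},
    "payments_approver": {"approve_payment", "view_invoices"},
    "dba": {"db_read", "db_export", "db_admin"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"payments_clerk", "payments_approver"},  # holds a toxic combination
    "bob": {"payments_clerk"},
    "hjenson": {"dba"},
}

# Separation-of-duties rules: no single user may hold both permissions in a pair.
SOD_RULES: List[Tuple[str, str]] = [("create_vendor", "approve_payment")]

# Last time each (user, permission) was actually exercised, e.g. taken from
# the authorization log. Constructed values; a missing entry means never used.
LAST_USED: Dict[Tuple[str, str], date] = {
    ("hjenson", "db_read"): date(2023, 3, 6),
    ("hjenson", "db_export"): date(2022, 9, 1),
    ("bob", "create_vendor"): date(2023, 3, 1),
    ("bob", "view_invoices"): date(2023, 3, 6),
}


def effective_perms(user: str) -> Set[str]:
    """Union of the permissions granted by every role the user holds."""
    return set().union(*(ROLE_PERMS[r] for r in USER_ROLES.get(user, set())))


def sod_violations() -> List[Tuple[str, str, str]]:
    """Users whose effective permissions include both halves of a SoD rule."""
    out = []
    for user in sorted(USER_ROLES):
        perms = effective_perms(user)
        for a, b in SOD_RULES:
            if a in perms and b in perms:
                out.append((user, a, b))
    return out


def unused_perms(today: date, max_idle_days: int = 90) -> List[Tuple[str, str]]:
    """Least-privilege review: permissions never used, or idle longer than max_idle_days."""
    cutoff = today - timedelta(days=max_idle_days)
    stale = []
    for user in sorted(USER_ROLES):
        for perm in sorted(effective_perms(user)):
            last = LAST_USED.get((user, perm))
            if last is None or last < cutoff:
                stale.append((user, perm))
    return stale


if __name__ == "__main__":
    print("SoD violations:", sod_violations())
    print("stale permissions:", unused_perms(date(2023, 3, 7)))
```

Run periodically, the stale-permission list feeds the access recertification that least privilege requires; the SoD check is best run at grant time so a conflicting role assignment is refused rather than discovered later.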

Watch for warning signs

  • Profile normal user behavior patterns through analytics to more easily detect anomalies.
  • Watch for signs of disgruntlement, such as complaints about pay or lack of promotion.
  • Be alert to changes in user behavior, such as arriving early/leaving late or downloading large amounts of data.

Implement deterrent controls

  • Use tool sets that monitor, detect and respond to insider threats.
  • Regularly communicate policies and controls to employees.
  • Require robust multifactor authentication for data access.
  • Encrypt data at rest and in transit to minimize impact if stolen.

Conduct training

  • Train employees on security policies, proper data handling and employee monitoring.
  • Conduct insider threat awareness programs to deter malicious activity.
  • Offer ethics training regarding proper data use and handling.

Implement workplace policies

  • Enforce separation procedures for employee termination.
  • Develop incident response plans specifically tailored to insider threats.
  • Incorporate insider risk considerations into hiring screening practices.

Using technology to combat insider threats

In addition to policies and processes, organizations can leverage technology solutions to help combat insider threats through detection, monitoring and response capabilities:

  • User behavior analytics (UBA) – Analyzes normal user patterns to detect abnormal activity that could signal insider misuse.
  • Deception technology – Sets up decoys and traps to detect unauthorized access attempts to sensitive resources.
  • Privileged access management (PAM) – Provides controls and monitoring around administrative access to critical infrastructure.
  • Data loss prevention (DLP) – Scans and monitors data flows to detect potential unauthorized exfiltration.
  • Endpoint detection and response (EDR) – Monitors and records activity on end-user devices to identify suspicious use.

These technologies provide added visibility and controls tailored specifically to combating insider threats. When paired with strong policies and processes, organizations can develop robust defenses against malicious insiders.

Insider threat case study: Rui Pang at DuPont

A notable and damaging insider threat case occurred when scientist Rui Pang stole trade secrets from the DuPont corporation to benefit a competing Chinese company:

Background

Rui Pang worked for U.S.-based DuPont as a research scientist specializing in titanium dioxide technology. DuPont had invested decades of research and hundreds of millions of dollars developing proprietary methods for manufacturing titanium dioxide – a highly profitable pigment with over $14 billion in annual sales.

The insider threat

Shortly after being terminated by DuPont in 2011, Pang began communicating with Pangang Group, a state-owned Chinese chemical company seeking to enter the lucrative titanium dioxide market. Pang offered to provide Pangang with DuPont’s proprietary methods.

Leveraging his insider knowledge, Pang stole DuPont’s titanium dioxide production methods and engineering designs. He then sold this trade secret information to the Pangang Group for $29 million, providing Pangang with the technology to build their own titanium dioxide production line.

The fallout

The theft of trade secrets enabled Pangang Group to produce over 30,000 metric tons of titanium dioxide annually without having to invest the substantial R&D resources DuPont had. DuPont estimated the loss of their intellectual property cost the company over $400 million.

Pang was convicted in U.S. court of stealing trade secrets and served over 5 years in prison. DuPont also filed civil litigation against Pangang Group, ultimately winning a $935 million judgment, though collecting from the Chinese company has proven difficult.

Lessons learned

The case highlights the immense damage insiders can cause when stealing proprietary information. Companies like DuPont must balance open access needed for R&D with controls to protect critical IP. This case underscores the importance of comprehensive insider threat programs to protect valuable intellectual property from theft.

Insider threat indicators and user behaviors to monitor

Organizations can detect potential insider threats by watching for indicators and changes in user behavior:

Technical indicators

  • Attempts to gain higher data access permissions
  • Unapproved changes to access controls or permissions
  • New administrator accounts created
  • Elevated activity outside normal hours
  • Large bulk data transfers
  • Data exfiltration or encryption
  • Disabling of security tools
  • Access or activity from abnormal devices or locations
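The technical indicators above are what a user behavior analytics (UBA) tool, as described in the technology section earlier, turns into scored alerts: each event is compared against the user’s own history and a few fixed rules, and the weights are summed per user so an analyst sees the accounts worth looking at first. The following is an added example written for this article, not any vendor’s product; the baselines, events, device inventory, service names and weights are all constructed, and the after-hours window and z-score threshold are assumptions a real deployment would tune.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed baselines: daily bytes transferred per user over ten ordinary days.
BASELINE_DAILY_BYTES: Dict[str, List[float]] = {
    "hjenson": [40e6, 35e6, 52e6, 41e6, 38e6, 47e6, 44e6, 39e6, 50e6, 42e6],
    "mlee": [12e6, 15e6, 11e6, 14e6, 13e6, 16e6, 12e6, 15e6, 14e6, 13e6],
}
# Devices each user normally works from (hypothetical inventory).
KNOWN_DEVICES: Dict[str, set] = {"hjenson": {"wks-0412"}, "mlee": {"wks-0301"}}
# Services whose stopping counts as "disabling of security tools" (hypothetical names).
SECURITY_SERVICES = {"edr-agent", "dlp-agent", "av-service"}
# Indicator weights, an assumption to be tuned against real alert volume.
WEIGHTS = {
    "off_hours": 1,
    "bulk_transfer": 3,
    "new_admin_account": 3,
    "security_tool_disabled": 4,
    "new_device": 2,
}

# Constructed sample events for one evening.
EVENTS: List[Dict] = [
    {"ts": "2023-03-06T10:15:00", "user": "mlee", "type": "transfer", "bytes": 14e6, "device": "wks-0301"},
    {"ts": "2023-03-06T21:40:00", "user": "hjenson", "type": "transfer", "bytes": 3.1e9, "device": "wks-0412"},
    {"ts": "2023-03-06T21:45:00", "user": "hjenson", "type": "account_create", "account": "svc-backup2",
     "admin": True, "device": "wks-0412"},
    {"ts": "2023-03-06T22:05:00", "user": "hjenson", "type": "service_stop", "service": "edr-agent",
     "device": "laptop-unknown"},
]


def is_off_hours(ts: str, start_hour: int = 8, end_hour: int = 19) -> bool:
    """True when the event falls outside the assumed 08:00-19:00 working window."""
    hour = datetime.fromisoformat(ts).hour
    return hour < start_hour or hour >= end_hour


def bulk_transfer(user: str, nbytes: float, z: float = 3.0) -> bool:
    """True when a transfer exceeds the user's mean daily volume by more than z standard deviations."""
    history = BASELINE_DAILY_BYTES.get(user)
    if not history or len(history) < 2:
        return True  # no baseline yet: treat as notable rather than silently ignore
    mean, sd = statistics.mean(history), statistics.pstdev(history)
    return nbytes > mean + z * sd if sd else nbytes > mean


def indicators(event: Dict) -> List[str]:
    """Names of the technical indicators a single event triggers."""
    fired = []
    if is_off_hours(event["ts"]):
        fired.append("off_hours")
    if event["type"] == "transfer" and bulk_transfer(event["user"], event["bytes"]):
        fired.append("bulk_transfer")
    if event["type"] == "account_create" and event.get("admin"):
        fired.append("new_admin_account")
    if event["type"] == "service_stop" and event.get("service") in SECURITY_SERVICES:
        fired.append("security_tool_disabled")
    if event.get("device") not in KNOWN_DEVICES.get(event["user"], set()):
        fired.append("new_device")
    return fired


def score_users(events: List[Dict]) -> Dict[str, int]:
    """Sum indicator weights per user so the noisiest accounts surface first."""
    totals: Dict[str, int] = defaultdict(int)
    for event in events:
        totals[event["user"]] += sum(WEIGHTS[name] for name in indicators(event))
    return dict(totals)


if __name__ == "__main__":
    for event in EVENTS:
        print(event["user"], event["ts"], indicators(event))
    print("scores:", score_users(EVENTS))
```

The point of the per-user baseline is the one made under “Watch for warning signs”: a 3 GB export is unremarkable for a backup job and very remarkable for an account that normally moves 40 MB a day, so the same event is judged against the history of the account that produced it rather than a global threshold.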

User behavioral indicators

  • Employee disgruntlement or complaints about pay or lack of promotion
  • Threats or signs of anger regarding termination
  • Statements indicating loyalty to outsiders
  • Job dissatisfaction or laziness
  • Disregard for security policies
  • Drug or alcohol abuse
  • Signs of increased stress or changes in personality

Using tools like analytics, monitoring and forensic audits, organizations can detect these potential insider threat indicators and behaviors to respond before damage occurs.

Conclusion

Insider threats represent one of the most significant cybersecurity risks for organizations today. Trusted insiders often have easy access to an organization’s most valuable systems and data, bypassing many of the technical defenses aimed at external threats. Insiders’ intimate knowledge of internal operations and processes allows them to cause extensive damage through theft or destruction from the inside.

By implementing layered security controls tailored to insider risks, organizations can deter, detect and respond to malicious insiders before they impact operations or profitability. Technical controls should be augmented with strong policies around access, monitoring, training and incident response. With robust defenses guarding the inside of an organization, companies can develop effective protections against the serious cybersecurity threats posed by trusted insiders.