Zach Lahey

Establishing an Insider Threat Program for Your Organization

Blog Post created by Zach Lahey Employee on Oct 10, 2016

Whether employees realize it or not, they can wreak havoc on internal and external security controls. Employees' daily activities (both work and personal) on their work devices (computers, smartphones, and tablets) or on their company’s network can inflict damage. Often called “insider threats,” employees’ actions, whether unintentional or intentional, are worth paying heed to. Gartner’s Avivah Litan covered this thoroughly in her “Best Practices for Managing Insider Security Threats, 2016 Update,” which makes clear that businesses aren’t on their own in responding to this growing, often unpredictable and unmitigated challenge.


Avivah recommends four strong approaches you should consider when developing an insider threat program, which she reinforces with analysis, data, and additional content. In the hopes of expanding this list and providing even more thoughts, Rapid7’s security experts, inspired by the four outlined approaches in the report, got together to provide some additional approaches. Where applicable we have also provided links to resources, both product and research, that can help your team combat insider threats. After all, we’re in this together!


Recommendation #1: “Start insider threat programs with a risk assessment, in order to prioritize efforts. Deploy business processes and technologies that prevent many insider threats in the first place.”


Yes, but be wary of risk assessments not tied to your business objectives and limitations. A risk assessment is a solid starting point, but a poorly executed one can do more harm than good: unless it is relevant, actionable, and sustainable, it will overload the security team and create paralysis. Some risk assessment services use both people and technology to examine your technologies, people, and processes, but they are not all created equal, so review how they will measure risk and what tools they will use.


It’s important to consider two types of risk assessment: a one-off audit by a third party (such as a penetration test or a cybersecurity maturity assessment), and continuous assessment combined with good security hygiene. One thing we often see is risk assessments built on tools from the CVSS-only scoring world of legacy vulnerability management players. In that world you are ultimately left with a list of hundreds of ‘critical’ vulns, a list you’ll never get through before you can even start thinking about insider threats. Many penetration tests and external risk assessments fall into the same trap of providing a list of problems without context or focus on what attackers really care about. Teams should do this risk assessment, but in a way that prioritizes beyond CVSS and takes into account the age of the vulns, their exploitability, and more.
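To make the "beyond CVSS" point concrete, here is an added example (not Nexpose's or any vendor's scoring model) that re-ranks a set of findings by CVSS amplified with public-exploit availability, default credentials, exposure, and age. The findings, field names, and weights are constructed for illustration; the point is how much the ordering changes once those factors are considered.

```python
"""
Added example: rank findings by more than the raw CVSS score.
The weights, field names and sample findings are constructed
for illustration and are not any product's real scoring model.
"""
from datetime import date

TODAY = date(2016, 10, 10)  # assumed "now" for age calculations

# Constructed sample findings; real data would come from a scanner export.
FINDINGS = [
    {"id": "vuln-A", "host": "hr-fileserver", "cvss": 9.8, "published": date(2016, 9, 30),
     "public_exploit": False, "internet_facing": False, "default_creds": False},
    {"id": "vuln-B", "host": "vpn-gw", "cvss": 7.5, "published": date(2014, 4, 7),
     "public_exploit": True, "internet_facing": True, "default_creds": False},
    {"id": "vuln-C", "host": "jumpbox", "cvss": 5.0, "published": date(2012, 1, 1),
     "public_exploit": False, "internet_facing": False, "default_creds": True},
    {"id": "vuln-D", "host": "dev-box", "cvss": 9.1, "published": date(2016, 10, 1),
     "public_exploit": False, "internet_facing": False, "default_creds": False},
]


def risk_score(finding, today=TODAY):
    """Assumed weighting: CVSS is the base; exploitability, default credentials,
    exposure and age amplify it. A vuln with a public exploit or a default
    password is what a low-skill insider can actually use."""
    score = finding["cvss"]
    if finding["public_exploit"]:
        score *= 1.5
    if finding["default_creds"]:
        score *= 1.5
    if finding["internet_facing"]:
        score *= 1.25
    # Unpatched age: +10% per year, capped at five years.
    age_years = (today - finding["published"]).days / 365.0
    score *= 1 + min(age_years, 5) * 0.1
    return round(score, 2)


def by_cvss(findings):
    """The legacy ordering: raw CVSS only."""
    return [f["id"] for f in sorted(findings, key=lambda f: f["cvss"], reverse=True)]


def prioritize(findings, today=TODAY):
    """The risk-based ordering the text argues for."""
    return [f["id"] for f in sorted(findings, key=lambda f: risk_score(f, today), reverse=True)]


if __name__ == "__main__":
    print("by CVSS: ", by_cvss(FINDINGS))
    print("by risk: ", prioritize(FINDINGS))
    for f in FINDINGS:
        print(f["id"], f["cvss"], "->", risk_score(f))
```

With these constructed inputs the two "critical" findings at the top of the CVSS list drop below an old, exploited VPN bug and a jump box with default credentials, which is the order an insider (or an attacker holding an insider's credentials) would actually work through.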


Our solutions can help:

In case you didn’t know, our solutions, Nexpose and Metasploit, let you go beyond “vulnerability assessment” to exactly what Gartner is suggesting: a RISK assessment. Because Nexpose prioritizes vulnerabilities by the ease with which they’d be used in an attack, its risk scores give a truer picture of how susceptible a system is to a breach, whether insider or external. Nexpose vulnerability checks include checks for default passwords, and eliminating these makes it more difficult for insider threats to access systems they shouldn’t. Metasploit lets you conduct simulated phishing attacks on your employees and test their ability to spot not just suspicious links but suspicious requests for information.


Recommendation #2: “Combine technical methods with nontechnical controls, such as security awareness training linked to employee monitoring, for the most successful results in your insider threat program.”


Don’t dehumanize the employee experience. People are the key here, and security awareness training should run the gamut from general education to phishing exercises. It’s critical for businesses to make clear to employees that although there will be monitoring for security purposes, their privacy will continue to be respected.


For a more successful deployment, executive staff and the security team must give employees transparency into, and trust in, the process. One of the best alerting mechanisms in any organization isn't technology, it's the employees. If users worry about being put under the user behavior magnifying glass after they report something, they're likely to stop speaking up when weird stuff happens. A best practice is to have an authority outside of security, such as a risk or privacy officer, explicitly define who has access to the monitoring technology and to what information, and ensure that the policy is regularly reviewed and enforced. During security awareness and compliance training, the security team has an opportunity to explain why identifying anomalous behavior matters, since compromised credentials have been a top attack vector behind breaches (Verizon Data Breach Investigations Report) for five years running.


Our solutions can help:

New technology, such as User Behavior Analytics, can correlate the millions of actions taken on the network to the users and assets behind them. This can expose risky user behavior, whether it is unintentional negligence or a malicious insider. When InsightIDR is first deployed in a customer environment, it starts by creating a baseline of typical user behavior. Many organizations immediately improve their security posture and validate existing controls by identifying non-expiring passwords, shared accounts, and administrators they otherwise did not know about. From there, InsightIDR highlights notable and anomalous behavior that may indicate a compromised or rogue employee account.



Recommendation #3: “(For technical insider threat programs) Start with readily available data, such as directory data and access logs, to achieve quicker results. Increase the types of information ingested over time, recognizing analytics can only be as good as the data they consume.”


Yes and YES. This is something we truly believe in: you can not only get a lot out of the data you already have, you can do it more easily than ever before. To identify insider threats, you first need to understand what normal behavior looks like for your users, and the first step is to tie the majority of events back to those users. This requires Active Directory, to provide details on who is logged into each device at any given time, and DHCP, to know which IP address is assigned to each device at that moment. The next big step is to obtain endpoint data, such as local event logs and process details, to increase the types of behavior you can see.
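The attribution step described above, as an added example that is not InsightIDR's implementation or any Rapid7 code: DHCP lease records give IP-to-host over time, Windows logon events (Event ID 4624) give host-to-user over time, and a raw network event is attributed by walking both. The log formats are simplified and all records are constructed; lease expiry is ignored (a lease is assumed valid until the next lease for the same IP), which is labelled as a simplification.

```python
"""
Added example: build the user-IP-asset link from DHCP leases and
AD logon events, then attribute a proxy log line to a user.
All records below are constructed; formats are simplified.
"""
from datetime import datetime

# Constructed DHCP lease records: (time, ip, hostname). A lease is assumed
# valid until the next lease for the same IP (simplification: no expiry).
DHCP_LEASES = [
    ("2016-10-10T08:00:00", "10.0.5.23", "LT-ALICE"),
    ("2016-10-10T08:05:00", "10.0.5.24", "LT-BOB"),
    ("2016-10-10T12:30:00", "10.0.5.23", "LT-CAROL"),  # same IP handed to a new host
]

# Constructed logon events (Windows Event ID 4624): (time, hostname, user).
LOGONS = [
    ("2016-10-10T08:01:00", "LT-ALICE", "CORP\\alice"),
    ("2016-10-10T08:06:00", "LT-BOB", "CORP\\bob"),
    ("2016-10-10T11:00:00", "LT-BOB", "CORP\\svc-backup"),  # later logon, same host
    ("2016-10-10T12:31:00", "LT-CAROL", "CORP\\carol"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def ip_to_host(ip, at, leases=DHCP_LEASES):
    """Host holding this IP at time `at`: the latest lease at or before it.
    Returns None if no lease for the IP existed yet (do not guess)."""
    host = None
    for ts, lease_ip, hostname in sorted(leases):  # ISO timestamps sort as strings
        if lease_ip == ip and _parse(ts) <= at:
            host = hostname
    return host


def host_to_user(host, at, logons=LOGONS):
    """User on this host at time `at`: the most recent logon at or before it."""
    user = None
    for ts, h, u in sorted(logons):
        if h == host and _parse(ts) <= at:
            user = u
    return user


def attribute(ip, when):
    """Resolve an (ip, time) pair to host and user; None where unknown."""
    at = _parse(when)
    host = ip_to_host(ip, at)
    user = host_to_user(host, at) if host else None
    return {"ip": ip, "host": host, "user": user}


def attribute_proxy_line(line):
    """Constructed proxy format: '<iso-time> <src-ip> <method> <url>'."""
    when, ip, method, url = line.split(maxsplit=3)
    record = attribute(ip, when)
    record.update({"method": method, "url": url})
    return record


if __name__ == "__main__":
    print(attribute_proxy_line("2016-10-10T09:00:00 10.0.5.23 GET http://intranet.example/"))
    print(attribute_proxy_line("2016-10-10T13:05:00 10.0.5.23 POST https://pastebin.example/upload"))
```

The second line in the usage shows why a static IP-to-user map is wrong: the same address belonged to LT-ALICE in the morning and LT-CAROL after 12:30, so the afternoon upload is Carol's, not Alice's. Time ordering is everything here, which is why the text stresses collecting DHCP alongside Active Directory rather than one or the other.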


Ultimately, start with basic data analytics to look for known patterns of malicious behavior, and look for solutions that have automated the collection, unification, and correlation of your data. It is also smart to add people who have done this before on top of that, to get immediate benefit from any security analytics program.


Our solutions can help:

In general, insider threats are a risk to an organization whether they’re intentional or unintentional. Rapid7 combines technology, our InsightIDR solution, with a team of incident responders who continually work to understand which users and assets in the organization carry the highest risk. This evaluation is not just a look at the technological systems; it also builds a deep understanding of the business. That allows the team to be more targeted when hunting for threats later and to put policies in place to minimize insider threat risk. The time spent up front makes it easier to mitigate risk by prioritizing what’s most important to the organization, and the team’s deep knowledge of attacker and user behavior helps them better identify insider threats.



Recommendation #4: “Start with basic data analytics to look for known patterns of malicious behavior. Graduate to more advanced analytics like anomaly detection once your organization is able to manage the results.”


Analytics reign supreme, and this is where the analytics need to be more automated. Assume you’ve done all of the above and done it right; the last thing you now want to do is learn how to write, or even manage, analytics. Focus on automating the analysis as much as possible. This isn’t just about having a library of analytics created with an attacker’s mindset; it also has to be reflected in how log search is performed and visualized. It’s no longer acceptable to spend time spelunking through data when your goal is to find that insider threat before it hurts you.
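The two-stage progression in Recommendation #4 (and the "known patterns first" advice under Recommendation #3), as an added example that is not InsightIDR's analytics or any Rapid7 code. Stage 1 is a rule that fires on the event alone; stage 2 compares each event with a per-user baseline built from earlier, already user-attributed events, so it only makes sense once attribution is reliable. The events, the service-account naming convention, and the one-hour slack are constructed or assumed; the logon type values follow Windows Event ID 4624 (2 = interactive, 10 = RemoteInteractive).

```python
"""
Added example: basic pattern rules first, then baseline anomalies.
Events, naming convention and thresholds are constructed/assumed.
"""
from collections import defaultdict

# Constructed, already user-attributed logon events. logon_type follows
# Windows Event ID 4624: 2 = interactive console, 10 = RemoteInteractive (RDP).
BASELINE = [  # a prior period of known-normal activity
    {"user": "alice", "host": "LT-ALICE", "hour": 8, "logon_type": 2},
    {"user": "alice", "host": "LT-ALICE", "hour": 9, "logon_type": 2},
    {"user": "alice", "host": "LT-ALICE", "hour": 12, "logon_type": 2},
    {"user": "alice", "host": "LT-ALICE", "hour": 17, "logon_type": 2},
    {"user": "bob", "host": "LT-BOB", "hour": 9, "logon_type": 2},
    {"user": "bob", "host": "BUILD-01", "hour": 10, "logon_type": 10},
    {"user": "bob", "host": "LT-BOB", "hour": 13, "logon_type": 2},
]
NEW_EVENTS = [  # the batch under analysis
    {"user": "alice", "host": "LT-ALICE", "hour": 9, "logon_type": 2},
    {"user": "alice", "host": "HR-FILESERVER", "hour": 2, "logon_type": 10},
    {"user": "svc-backup", "host": "LT-BOB", "hour": 11, "logon_type": 2},
    {"user": "bob", "host": "BUILD-01", "hour": 10, "logon_type": 10},
]

SERVICE_PREFIX = "svc-"   # assumed naming convention for service accounts
OFF_HOURS_SLACK = 1       # assumed: within +/- 1 hour of a baseline hour is normal


def build_profile(events):
    """Per-user baseline: the assets and hours of day seen for each user."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for e in events:
        profile[e["user"]]["hosts"].add(e["host"])
        profile[e["user"]]["hours"].add(e["hour"])
    return profile


def stage1_rules(e):
    """Known bad patterns: decided from the event alone, no baseline needed."""
    reasons = []
    # A service account should never log on interactively or over RDP.
    if e["user"].startswith(SERVICE_PREFIX) and e["logon_type"] in (2, 10):
        reasons.append("interactive logon with service account")
    return reasons


def stage2_anomalies(e, profile):
    """Deviation from the user's own baseline; skipped for users with none."""
    p = profile.get(e["user"])  # .get does not create a default entry
    if p is None:
        return []
    reasons = []
    if e["host"] not in p["hosts"]:
        reasons.append("new asset for user")
    if all(abs(e["hour"] - h) > OFF_HOURS_SLACK for h in p["hours"]):
        reasons.append("logon outside baseline hours")
    return reasons


def analyze(events, profile, with_anomalies=True):
    """Run stage 1 always; add stage 2 once the team can handle its results."""
    alerts = []
    for e in events:
        reasons = stage1_rules(e)
        if with_anomalies:
            reasons += stage2_anomalies(e, profile)
        if reasons:
            alerts.append({"user": e["user"], "host": e["host"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    prof = build_profile(BASELINE)
    print("basic rules only:", analyze(NEW_EVENTS, prof, with_anomalies=False))
    print("with anomalies:  ", analyze(NEW_EVENTS, prof))
```

Run with rules only, the batch yields one alert (the service account used interactively). Switching on the baseline comparison adds Alice's 2 a.m. RDP session to a file server she has never touched, which is exactly the kind of event that is invisible to a fixed rule set and noisy to a team that has not yet tuned its baseline.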


Our solutions can help:

If you don't have log aggregation in place, that is a great start: it will save you lots of time and headaches during incident investigations, and it is an integral part of meeting today's compliance standards. Most log aggregation tools can create custom alerts, which can cover basic use cases and provide visibility into the environment. InsightIDR works by creating a User-IP-Asset link from its integrations with Active Directory, DHCP, and endpoint data, as well as your existing network and security stack. What takes InsightIDR beyond just analyzing logs are Intruder Traps, such as honeypots and honey credentials, which reliably detect intruders earlier in the attack chain.


Ultimately, there are many methods to consider when developing an insider threat program, but as can be seen above, not all approaches are created equal. It’s imperative to be thoughtful and conscientious about how insider threats are approached and handled.