April 14, 2023
Malicious insider attacks are a complex challenge for cybersecurity professionals. Because these attacks rarely involve malware, security teams need technology that can detect malicious behavior, not just malicious content, in order to identify insiders who may be a threat.
Insider threats are usually associated with employees or contractors within an organization who have malicious intent or are simply careless in their online behaviors. Likewise, bad actors that enter the network through a compromised credential attack might also be considered a malicious insider after the fact.
Objectives of an Insider Attack
- Monetary Gain
- Business Disruption
- Stealing Confidential Information
Bad actors intentionally abuse their privileged access to steal information or degrade systems for financial, personal, and/or malicious reasons. These malicious users are often assumed to be valued employees performing daily tasks based on their roles and access levels.
Why Insider Threats Are Successful
[Figure omitted. Source: 2022 Cost of Insider Threats Global Report (Ponemon Institute)]
Collectively, these three attack types cost financial services organizations $21.25 million annually, according to the same report.
Apathy and Poor Cyber Security and Data Protection Practices Cause Weak Links
The impact of negligent employees is significant, and usually the result of their apathy and poor security practices that either cause immediate harm or create opportunities to be exploited by an outside source.
More than half of the attacks studied were caused by employee or contractor negligence, at an average cost of $484,931 per incident. Many of these incidents stemmed from inadequate employee training and awareness: the employee likely failed to secure their devices, did not follow company security policy, or neglected to patch and upgrade.
Who are Insiders with Malicious Intent?
Bad actors and vengeful employees are intentional in their actions and try to stay “under the radar” to execute a specific plan of attack without generating any suspicion. In both cases, these malicious users are assumed to be valued employees performing daily tasks based on their roles and access levels. And since there is usually no malicious content that can be detected, security teams must focus on detecting behavioral anomalies.
A former JP Morgan Chase Bank employee was sentenced to four years in prison for selling customer account information. He would also use that information himself to make unauthorized withdrawals from customer accounts. The employee’s scheme was uncovered when he sold this information to a confidential informant and to an undercover law enforcement officer. The United States Attorney said the employee abused his position by victimizing unsuspecting customers.
A Canadian financial services firm, Desjardins, suffered a massive data breach in 2019, caused by an employee who stole the personal information of more than 4 million users. Desjardins said the employee leaked that information, which included social insurance numbers, addresses, and banking habit details. Desjardins reached a $157 million settlement with plaintiffs.
A trader at a major financial services organization and a retired financial professional were charged in December 2022 with running an extensive insider trading scheme based on stolen confidential trade information from that organization. The government said they made tens of millions of dollars in profits. The U.S. attorney said the trader betrayed the trust and confidence of his employer.
In a SOC where security teams rely on a legacy SIEM, this kind of attack can be virtually undetectable. These systems don’t easily analyze user behaviors, so compromised accounts and malicious insiders trigger very few alerts. Cybercriminal groups know this. That’s why some have begun actively recruiting corporate insiders and sharing illicit profits with them. Financial institutions are a compelling target because they typically have robust perimeter defenses that take time and effort to overcome. The financial services industry is also attractive to bad actors because it’s worth $20.49 trillion worldwide and makes up approximately 20-25% of the global economy.
Top 5 Activities of Malicious Insiders
When the Ponemon Institute studied insider threats, 74% of respondents said malicious insiders relied primarily on corporate email to steal sensitive data. These are the top five tactics they used.
- Emailing sensitive data to outside parties
- Scanning for open ports and vulnerabilities
- Accessing sensitive data not associated with the role or function
- Downloading or accessing large amounts of data not relevant to the role or function
- Using unauthorized external storage devices like USBs
Insider threats are one of the most challenging security threats in the financial sector. Once attackers compromise a privileged account, they can move laterally through the organization, escalate their privileges, and exfiltrate data.
Cost of a Malicious Insider Attack
In an analysis of more than 6,800 insider incidents, malicious insiders caused 26% of incidents at an average cost of $648,062 each. The largest costs are the impact of business disruption (23% of total cost) and technology (21% of total cost).
The annual cost of overall insider-related incidents varies based on the size of the organization. Financial services have the highest average annual cost at $21.25 million, followed by services (such as law, consulting, and accounting firms) at $18.65 million.
Insider attacks are not just costly, they are time-consuming for an organization’s security team. One insider security incident can take about 85 days to contain. Companies spend the most money on containment, followed by investigative costs.
Signs Your Organization Is At Risk
The Ponemon Institute released the 2022 Cost of Insider Threats Global Report, outlining five signs an organization is at risk for a malicious insider attack:
- Employees are not trained to fully understand and apply the laws or regulatory requirements that relate to their work and affect the organization’s security.
- Employees are unaware of the steps they should take to ensure the devices they use are secured at all times.
- Employees are sending highly confidential data to an unsecured location in the cloud, exposing the organization to risk.
- Employees break your organization’s security policies to simplify tasks.
- Employees expose your organization to risk if they do not keep devices and services patched and upgraded to the latest versions.
How to Reduce Risk and Impact with Insider Threat Detection and Mitigation
User and entity behavior analytics (UEBA) has become an essential technology to help reduce the risk and impact of insider threats. Next-generation SIEMs, such as those from Exabeam, integrate this essential UEBA intelligence within their platforms. Whenever a user, device, or database starts to behave in a way that breaks its established norm, it is assigned a risk score. When that score accumulates beyond a certain threshold, an alarm is triggered and an investigation begins. With a properly tuned SIEM, security teams can often gain insights into suspicious user behaviors before the bad actor or vengeful employee can achieve their objectives.
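The scoring pattern described above, and the five insider tactics listed earlier, can be illustrated with a small worked example. The following is an added example written for this page; it is not Castra’s, Exabeam’s or any vendor’s code. The audit events, the per-user baselines, the point values per anomaly type and the alert threshold are all constructed assumptions chosen to show how individually modest deviations from a user’s norm accumulate into an alert.

```python
"""Toy UEBA-style risk scoring over constructed audit events (added example).

Every field name, point value and threshold here is an assumption for
illustration; a real platform learns baselines and tunes weights itself.
"""
from collections import defaultdict

# Assumed points per anomaly type, mirroring the tactics listed in the text.
POINTS = {
    "resource_outside_role": 20,   # accessing data not tied to the user's role
    "bulk_download": 25,           # volume far above the user's own daily norm
    "external_email": 30,          # mail sent to a domain the user never uses
    "usb_storage": 15,             # removable storage mounted
    "port_scan": 40,               # many distinct ports probed on one host
}
ALERT_THRESHOLD = 60               # assumed: cumulative points per user per day

# Constructed baselines, as if learned from a quiet period.
BASELINE = {
    "alice": {"resources": {"loans-db", "crm"}, "avg_download_mb": 40, "domains": {"bank.example"}},
    "bob":   {"resources": {"hr-share"},        "avg_download_mb": 10, "domains": {"bank.example"}},
}

# Constructed audit events for one day (not real logs).
EVENTS = [
    {"user": "alice", "type": "access",   "resource": "loans-db"},       # normal for alice
    {"user": "alice", "type": "download", "mb": 45},                     # within her norm
    {"user": "bob",   "type": "access",   "resource": "loans-db"},       # outside bob's role
    {"user": "bob",   "type": "download", "mb": 600},                    # 60x his norm
    {"user": "bob",   "type": "email",    "to_domain": "mail.example"},  # external domain
    {"user": "bob",   "type": "usb_mount"},
] + [  # alice touches ten distinct ports on one host: suspicious, but alone not enough to alert
    {"user": "alice", "type": "connect", "host": "10.0.0.5", "port": p} for p in range(20, 30)
]


def score_event(event, baseline, port_state):
    """Return (reason, points) if the event breaks the user's norm, else None.

    port_state tracks distinct ports per user and host so a scan can be
    recognised across many small events rather than from any single one."""
    user = event["user"]
    norm = baseline.get(user)
    if norm is None:  # no baseline at all: treat like out-of-role access
        return ("resource_outside_role", POINTS["resource_outside_role"])
    kind = event["type"]
    if kind == "access" and event["resource"] not in norm["resources"]:
        return ("resource_outside_role", POINTS["resource_outside_role"])
    if kind == "download" and event["mb"] > 3 * norm["avg_download_mb"]:
        return ("bulk_download", POINTS["bulk_download"])
    if kind == "email" and event["to_domain"] not in norm["domains"]:
        return ("external_email", POINTS["external_email"])
    if kind == "usb_mount":
        return ("usb_storage", POINTS["usb_storage"])
    if kind == "connect":
        ports = port_state[user][event["host"]]
        ports.add(event["port"])
        if len(ports) == 10:  # fire once, when the tenth distinct port is seen
            return ("port_scan", POINTS["port_scan"])
    return None


def score_users(events, baseline=BASELINE, threshold=ALERT_THRESHOLD):
    """Accumulate points per user and flag those crossing the threshold.

    Returns {user: {"score": int, "reasons": [str], "alert": bool}}."""
    totals = defaultdict(lambda: {"score": 0, "reasons": [], "alert": False})
    port_state = defaultdict(lambda: defaultdict(set))
    for ev in events:
        rec = totals[ev["user"]]          # every seen user gets a record
        hit = score_event(ev, baseline, port_state)
        if hit:
            reason, pts = hit
            rec["score"] += pts
            rec["reasons"].append(reason)
            rec["alert"] = rec["score"] >= threshold
    return dict(totals)


if __name__ == "__main__":
    for user, rec in score_users(EVENTS).items():
        print(f"{user}: {rec['score']} pts, alert={rec['alert']}, {rec['reasons']}")
```

Run as a script, it reports that bob accumulates 90 points across four separate anomalies and crosses the assumed threshold, while alice’s single port-scan signal scores 40 and does not. That is the point of the accumulating score: no one of bob’s actions is conclusive on its own, but together they stand out from his established norm.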
Traditional cybersecurity approaches are not effective against malicious insiders for two main reasons:
- Technologies that focus on prevention are not feasible. Security teams cannot lock people out of systems they need access to for their job.
- Malware detection technologies can’t detect unauthorized activity. SIEM 1.0 technology has no way of analyzing the intent of a privileged user based purely on their actions. From this perspective, business activity and malicious activity look practically the same.
Customers place a great degree of trust in financial institutions. Protecting customer accounts from malicious insiders is an implicit condition of that trust. Advanced SIEM capabilities and XDR-powered threat mitigation can help finance organizations earn that trust.
Third-Party MDR Services Can Help Detect Insider Threats
Castra can help you deploy UEBA technology and protect your financial institution from malicious insiders. As an expert managed detection and response (MDR) partner, we specialize in using best-in-class SIEM technologies like Exabeam and USM Anywhere to catch and prevent malicious insiders in complex enterprise environments.
Schedule a demo to find out how Castra can enhance your security posture and detect an insider attack before it happens.