Countermeasures to Reduce Risks and Enhance Incident Response Efforts

Data breaches and cybersecurity incidents caused by insiders have been overlooked; these countermeasures can help reduce risks and enhance incident response

CIOL Bureau

For far too long, data breaches and cybersecurity incidents caused by insiders have been overlooked, pushed aside and not taken seriously. Companies are often reluctant to recognize, report or act against employees who have become a threat to their organization. Often, insider threat attacks have been treated as an embarrassment or as just an issue for the Human Resources department. It’s as though the insider threat is a black mark on their management processes and their reputation.


Insiders have advantages over external actors seeking to circumvent security, because people within the organization enjoy significantly higher levels of trust and privilege as well as knowledge of organizational policies, processes and procedures. The insider threat can be difficult to catch because these are people who have legitimate access to the network and/or applications. These threats can arise from careless workers, from disgruntled staff, and from those who were recruited, solicited or bribed by external parties to exfiltrate data. Moreover, business partners who compromise security through negligence, misuse or malicious access to or use of an asset may also give rise to a security threat. Detecting and mitigating such a wide array of insider threats requires a different approach compared to hunting for external threats.

20% of the cybersecurity incidents and 15% of the data breaches investigated within the 2018 Verizon Data Breach Investigations Report (DBIR) originated from people within the organization, with financial gain (47.8%) and pure fun (23.4%) being the top motivators. These attacks, which exploit internal data and system access privileges, are often only found months or years after they take place, making their potential impact on a business significant.

DBIR analysis also flags a shift in how social attacks such as financial pretexting and phishing are used. Attacks such as these, which continue to infiltrate organizations via employees, are now increasingly a departmental issue. Furthermore, this year’s DBIR warns that C-level executives, who have access to a company’s most sensitive information, are now the major focus for social engineering attacks. Senior executives are 12x more likely to be the target of social incidents, and 9x more likely to be the target of social breaches, than in previous years – and financial motivation remains the key driver.


Here are some of the key countermeasures that can help reduce risks and enhance incident response efforts:

1. Integrate Security Strategies and Policies – Integrating the other 10 countermeasures (listed below), or better yet a comprehensive Insider Threat Program, with existing strategies such as a Cyber Security Policy, Risk Management Framework, Human Resources Management and Intellectual Property Management helps strengthen efficiency, cohesion and timeliness in addressing insider threats.

2. Conduct Threat Hunting Activities – Make effective investments in threat intelligence, dark web monitoring, behavioral analysis and threat hunting to search, monitor, detect and investigate suspicious user and user account activities, both inside and outside the enterprise.


3. Perform Vulnerability Scanning and Penetration Testing – Leverage vulnerability assessments and penetration tests to identify gaps within the infrastructure and application components, including potential ways for insider threats to maneuver within the enterprise environment.

4. Implement Personnel Security Measures – The implementation of Human Resource controls (such as background verification checks and employee identity lifecycle management processes), least-privilege principles and security awareness training can reduce the number of cybersecurity incidents associated with unauthorized access to enterprise systems.

5. Employ Physical Security Measures – Employ physical controls such as identity badges, security doors and guards to limit physical access, together with electronic access controls including card swipes, biometric access control mechanisms, motion detectors and cameras to monitor, alert on and record access patterns and activities.


6. Implement Network Security Solutions – Implement network security solutions, such as firewalls, intrusion detection/prevention systems, gateway devices and Data Loss Prevention (DLP) solutions, to detect, collect and analyse suspicious traffic potentially associated with insider threat activities. This will help highlight any unusual out-of-hours activity, unusually large volumes of outbound traffic, and the use of remote connections. Effective network segmentation controls are also very important in limiting adversarial lateral movement and unauthorized access to resources.

7. Employ Endpoint Security Solutions – Employ robust endpoint security controls/solutions, such as anti-malware solutions, critical asset inventories, removable media policies, whole-disk encryption, File Integrity Monitoring (FIM) tools, User and Entity Behaviour Analytics (UEBA) and Endpoint Detection and Response (EDR) solutions, to deter, monitor, track, collect and analyse user-related activity.

8. Apply Data Security Measures – Apply data ownership, classification and protection measures, as well as data disposal measures, to manage the data lifecycle and maintain confidentiality, integrity and availability with insider threats in mind. Consider data encryption, truncation and tokenisation approaches for applying data-centric security controls.


9. Employ Identity and Access Management Measures – Employ identity, access and authentication management measures to manage, limit and protect access to the enterprise environment by leveraging an Identity and Access Management (IAM) solution. This can be taken to the next level by employing a Privileged Access Management (PAM) solution for privileged-level access.

10. Establish Incident Management Capabilities – Establishing an incident management process that includes an Insider Threat Playbook, with trained and capable incident handlers, will make cybersecurity response activities more efficient and more effective in addressing insider threat activities.

11. Retain Digital Forensics Services – Have retained investigative response resources available that can conduct a full spectrum of deep-dive investigations, ranging from log and file analysis to memory, disk and network forensics, in the often intricate incidents that involve insiders.
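To make the indicators named under countermeasures 6 and 7 concrete (out-of-hours activity, large outbound volumes, remote connections, correlated per user), here is an added example that is not part of the original article or of any Verizon tooling. It scores constructed proxy/VPN log lines against thresholds that are assumptions, and flags a user only when several distinct indicator types coincide, which keeps a single late-night VPN login from becoming a false positive on its own.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <source> <bytes_out>".
# Not real data; the users, sources and volumes are made up for the example.
SAMPLE_LOG = """\
2018-05-14T09:12:03 alice office 120000
2018-05-14T22:47:10 bob vpn 850000000
2018-05-14T23:05:44 bob vpn 620000000
2018-05-15T10:30:00 carol office 40000
2018-05-15T03:15:21 dave vpn 9000
"""

BUSINESS_HOURS = range(8, 19)        # assumption: 08:00-18:59 local time
OUTBOUND_THRESHOLD = 500_000_000     # assumption: 500 MB per event is abnormal


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, user, source, bytes_out = line.split()
    return datetime.fromisoformat(ts), user, source, int(bytes_out)


def score_events(log_text):
    """Attach indicator tags to each user's events; returns {user: [(tag, detail), ...]}."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, source, bytes_out = parse_line(line)
        if ts.hour not in BUSINESS_HOURS:
            findings[user].append(("out_of_hours", ts.isoformat()))
        if bytes_out > OUTBOUND_THRESHOLD:
            findings[user].append(("large_outbound", bytes_out))
        if source == "vpn":
            findings[user].append(("remote_connection", ts.isoformat()))
    return dict(findings)


def prioritise(findings, min_distinct=2):
    """Users who triggered at least min_distinct different indicator types."""
    return sorted(u for u, f in findings.items()
                  if len({tag for tag, _ in f}) >= min_distinct)


if __name__ == "__main__":
    hits = score_events(SAMPLE_LOG)
    for user in prioritise(hits):
        print(user, sorted({tag for tag, _ in hits[user]}))
```

Raising min_distinct to 3 narrows the output to the user who is out of hours, remote and moving large volumes at once; the thresholds would be tuned from a baseline of normal activity before use.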

By Ashish Thapar, Managing Principal and Head - APJ Region, Verizon Business Group