Data Exfiltration – Insider Threat Indicators and Prevention

June 23, 2022 | By IANS Faculty

Security teams have traditionally focused on external threats, which can make it easier for insider threats to go unnoticed. This is particularly true for over-extended security teams or those working with fewer resources. The concern for both CISOs and business leadership is that data exfiltration and insider theft incidents have risen rapidly, and that insiders are committing more sophisticated and blatant data theft.

Threats coming from within the organization add layers of complexity, because they originate from individuals and parties who have been vetted and trusted. Although non-malicious insider data exfiltration may occur unintentionally with few or no indicators, malicious data theft often leaves indications that something is going on.

This piece details new driving factors behind serious insider data theft and provides best practices to help recognize behaviors and detect patterns in an effort to mitigate risk from insider threats. 

What is an Insider in your Organization? 

An insider is an individual who belongs to your organization with legitimate access to confidential and secured data, including parties with high-level credentials to data and technology. Insider theft can originate from individuals within sales, finance, customer service, IT, R&D, third parties or leadership—anyone who holds knowledge or can influence company decisions. 

While many insider threat actors have nefarious intentions and agendas, that’s not always the case. Individuals can fall victim to phishing and other threats that put the organization at risk. Either way, a data exfiltration breach can result in serious damage, theft, fraud, financial harm or even risks to the physical safety of the organization’s members.

Trends Driving the Increase in Insider Data Theft   

The events of the past three years have significantly changed the landscape of how organizations operate. For instance, 1 in 4 employees are working remotely or in a hybrid model. Additionally, many more are resigning to take jobs with higher pay or more flexible benefits. Both of these developments in the labor market have made insider data theft easier to commit. 

These factors, coupled with incentives like advanced information access methods and high-stakes data, make insider data theft more lucrative. It often takes the form of direct monetary gain or the securing of a competitive advantage over a particular firm (or putting another firm at a disadvantage), either by a current employee or a disgruntled ex-employee.

Remote Work Security Risks 

At the outset of the pandemic, many IT teams pivoted rapidly to work-from-home structures to maintain productivity. As a result, employee/insider security protocols seriously lapsed. Statistics suggest roughly 60% of employees don’t follow protocols when working at home, versus working in the office. Compounding this issue, remote employees can become lax, making BYOD devices a higher risk and a direct target for threat actors.

High Labor Turnover Increases Data Vulnerability 

A tumultuous job market where firms continue to see an unusual level of turnover also contributes to the prevailing insider threat problem. 

With employees leaving in higher numbers, statistics suggest there is a 1 in 3 chance departing employees will take intellectual property with them. These somewhat removed or short-term employment stints can leave employees feeling disconnected, with blurred lines of data or intellectual property ownership. With no investment in their jobs, many resigning insiders feel they have nothing to lose by exploiting their former employer’s data. Plus, insiders are increasingly taking these valuable assets with them to competitors, or worse, selling them to threat actors for profit. 

Insider Threat Profiles - Malicious and Non-Malicious   

Insider data theft and exfiltration incidents fall into two categories: non-malicious and malicious. However, each type poses significant risks to the organization. 

Non-Malicious Data Exfiltration 

Although most employees are not malicious, unintentional employee actions can have a huge impact on an organization’s security. Errors like mishandling data or opening a phishing email can lead to many types of cyberattacks, including ransomware, business email compromise and other data breaches, and fall into these categories:

  • Employee error - Individuals expose, delete or corrupt data by mistake. 
  • Lack of training - Employees may be unaware of or not fully understand cybersecurity protocols. 
  • Scams - Individuals who fall for social engineering or are otherwise tricked into exposing data, allowing entry to systems or granting of unauthorized access. 

Malicious Data Exfiltration 

Malicious data exfiltration has become more common in recent years. Malicious insiders are not always easy to spot within an organization, and they can do far more damage, which is difficult to mitigate quickly. Insiders can sell sensitive data, assist hackers with ransomware attacks or perform industrial espionage—all for profit. Malicious insider data theft falls into the following groups:

  1. Disgruntled employees - Unhappy current or former staff members who look for revenge or “justice.” 
  2. Inside agents - Individuals are placed inside an organization with the intent of stealing data or committing industrial espionage for competitors. 
  3. Spiteful insiders - Employees who misuse permissions to steal or damage data, either to harm the company or to sell data for profit. 
  4. Recruited insiders - Hackers are increasingly recruiting insiders for ransomware attacks for profit. 

Indicators of Malicious Insider Data Exfiltration 

With the focus on detecting external threats, organizations may not have adequate safeguards or detection mechanisms in place, allowing insiders to circumvent controls designed for outsiders and slip in and out without notice. Common malicious insider data theft techniques include:

  • Creating backdoor accounts 
  • Establishing hidden servers 
  • Installing malware or unauthorized software 
  • Changing all passwords 
  • Installing a modem or remote network admin tool to gain external access 
  • Deleting history files 
  • Disabling system logs 
  • Accessing unauthorized areas of systems 
  • Disabling security software or changing security settings

Common Malicious Insider Data Exfiltration Behavior   

To mitigate threats and take immediate action, look for the following behaviors and patterns to determine if you’re facing a serious insider threat. 

  1. Unusual logins - When employees log in each day, a generalized pattern emerges. Strange logins from unrecognizable remote locations, during odd hours or outside the norm, can indicate something nefarious is occurring. Look for repeated “test” or “admin” user attempts that fail. 
  2. Use or repeated attempted use of unauthorized applications – In most organizations, access to critical areas of the system is assigned to designated personnel who have a “need to know.” If it appears unauthorized users are suddenly in areas they aren’t assigned, this signals a problem, and it’s time to re-check permissions. 
  3. An increase in escalated privileges - Insider threat activity can originate from individuals with trusted permissions. A pattern of permission requests for new access privileges is problematic, since non-authorized people in your organization could be accessing confidential data. 
  4. Excessive downloading of data - Your organization should routinely use a steady rate of bandwidth. If a sudden uptick in downloading patterns occurs, especially during odd hours with no logical explanation, check for sensitive data downloads/access. 
  5. Unusual employee behavior – Employees who suddenly display a decrease in performance, have disagreements, act fidgety, show signs of financial distress or other unusual behaviors might be involved in suspicious activities. This is worth exploring, especially if a staff member quits unexpectedly. 
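
To make the first four patterns concrete, here is an added example (not code from the original post or from IANS) that runs simple indicator checks over a constructed log: off-hours logins, repeated failed attempts against generic “admin”/“test” accounts, and a per-user download volume far above the median. The log line format, the business-hours window and the thresholds are assumptions chosen for illustration; a real deployment would tune them to the organization’s own baseline.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not real data). Format assumed for this example:
# "<ISO timestamp> <user> <event> <detail>", where detail is a source tag for
# login events and a size in MB for download events.
SAMPLE_LOG = """\
2022-06-20T09:02:11 alice login_ok src=office
2022-06-20T09:05:40 bob login_ok src=office
2022-06-20T02:14:03 carol login_ok src=unknown-vpn
2022-06-20T02:20:55 carol download_mb 4200
2022-06-20T10:00:00 alice download_mb 35
2022-06-20T10:30:00 bob download_mb 50
2022-06-20T23:41:10 admin login_fail src=unknown-vpn
2022-06-20T23:41:20 admin login_fail src=unknown-vpn
2022-06-20T23:41:30 test login_fail src=unknown-vpn
2022-06-20T23:41:40 admin login_fail src=unknown-vpn
"""

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 treated as normal (assumed window)
PROBE_ACCOUNTS = ("admin", "test")
FAIL_THRESHOLD = 3              # failed probe attempts before alerting (assumed)
SPIKE_FACTOR = 10.0             # multiple of the median per-user download (assumed)

def parse(log):
    """Yield (timestamp, user, event, detail) tuples from the log text."""
    for line in log.splitlines():
        ts, user, event, detail = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts), user, event, detail

def find_indicators(log):
    """Return alert strings: off-hours logins, repeated probes, download spikes."""
    alerts, fails, downloads = [], Counter(), defaultdict(float)
    for ts, user, event, detail in parse(log):
        if event == "login_ok" and ts.hour not in BUSINESS_HOURS:
            alerts.append(f"off-hours login: {user} at {ts.isoformat()} ({detail})")
        elif event == "login_fail" and user in PROBE_ACCOUNTS:
            fails[user] += 1            # count failed attempts on generic accounts
        elif event == "download_mb":
            downloads[user] += float(detail)
    for user, n in fails.items():
        if n >= FAIL_THRESHOLD:
            alerts.append(f"repeated failed probes: {user} x{n}")
    totals = sorted(downloads.values())
    median = totals[len(totals) // 2] if totals else 0.0   # simple median baseline
    for user, mb in downloads.items():
        if median and mb > SPIKE_FACTOR * median:
            alerts.append(f"download spike: {user} {mb:.0f} MB vs median {median:.0f} MB")
    return alerts
```

Running `find_indicators(SAMPLE_LOG)` on the constructed log flags carol’s 02:14 login, the three failed “admin” attempts and carol’s 4200 MB download against a 50 MB median.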

Intentional or Unintentional Data Exfiltration Prevention   

Depending on their motive, level of technical skills, knowledge of the company’s cybersecurity system and privilege levels, insiders can use their abilities to cause substantial harm. Use these best practices to help prevent data exfiltration.

Prevent Data Theft from Remote Workers   

  1. Use a reliable cloud service. 
  2. Prohibit employees from working using public or unsecured Wi-Fi. 
  3. Invest in VPNs for employees to use. 
  4. Keep hardware and software consistently updated. 
  5. Assign devices to employees you can monitor and control. 
  6. Require complex passwords. 
  7. Install a good firewall. 
  8. Educate yourself and your team members about cybersecurity. 

Prevent Data Theft from Departing Employees 

  1. Implement a zero-trust methodology. 
  2. Revoke system access immediately when employees are terminated or resign. 
  3. Audit departing employees’ recent system access activity. 
  4. Accelerate activity monitoring for departing employees. 
  5. Implement USB device management. 
  6. Block data egress points. 
  7. Ensure IDs, key cards, laptops, portable storage devices and other materials are turned in before departure. 

Building an Insider Threat Mitigation Program 

To prevent insider attacks, it’s important to look at methods to mitigate the risks associated with insider threats. 

  1. Classify and restrict information on a “need to know” basis. 
  2. Carefully issue privileges and, especially, limit high-risk admin account access. 
  3. Keep sensitive information (e.g., addresses, credit cards, etc.) segregated and with limited access. 
  4. Encrypt sensitive data across your systems. 
  5. Immediately revoke access for former employees (and those departing). 
  6. Set restrictions on BYOD policies and install a mobile device manager. 
  7. Monitor data-related actions conducted by employees. 
  8. Track any unusual network traffic. 
  9. Monitor for malicious activity so it can be stopped sooner rather than later.

Insider threats are an unfortunate reality all organizations face. Understanding the behavior, motivations and indicators of insider threats will help your teams come up with protocols and preventative tools to eliminate insider threats. 

Knowing your people, identifying your organization’s assets, prioritizing risks and using proven methods to detect threats can significantly reduce data exfiltration events.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.