Giacomo Lanzi
Insider threat: identifying and fighting them
Insider threats are difficult to spot because they come from within your organization. Employees, contractors and partners require different levels of login credentials in order to perform their work. Attackers can trick these insiders into accessing them or offering them money to knowingly steal valuable information from the company.
Traditional security solutions focus on protecting the organization from external attackers. This strategy overlooks the damage that an internal resource could do to the organization, whether aware or not. With a Nextgen SIEM solution you have the ability to detect and respond to both external and internal threats, with the help of the UEBA in identifying suspicious behavior.
Insider threat, the reasons
Employees or contractors identified as at risk are linked to 60% of cases of insider threats, increasing the likelihood that such incidents result in the theft of sensitive company data. Insider threats can be divided into two groups: the distracted and the hostile.
The mechanics of an attack change significantly based on the motivations behind it. It is therefore better to fully understand which characteristics are typical of the motivations behind attacks, in order to be able to stop potential threats before they become violations.
Economic gain
It is clear to each employee how much the data that the company holds can be worth. Here, in the event of a crisis, allowing data to be leaked in exchange for money may seem like a reduced risk. This type of motive must be considered above all when, in times like the present one, an external event (the COVID-19 pandemic) still puts the workplace at risk. With the risk of an imminent layoff, the sale of data that you have access to as an employee is a more than attractive escape route.
Carelessness
Non-compliance with security rules is a very real risk and the most common cause of internal threats. Indolence in compliance with the rules costs organizations an average of $ 4.58mln per year. Threats come, specifically, from some security practices that are not respected, such as failure to log out from the system, writing one’s passwords on paper or reusing them. In this category there are also violations in the use of unauthorized software or a failure to protect company data.
The reasons behind these harmful behaviors are often, unfortunately, particularly simple: security is bypassed by an allegedly greater speed, productivity or, worse, laziness.
Distraction
One type of negligent employee is the distracted one, which is worth treating in isolation because it is more complicated to identify. While the serial behavior of violating the rules is easily identifiable, the distracted, who normally diligently complies with the regulations, is not identified before the only, unfortunate, time when his carelessness does not cost the company an attack that went to successful.
Damage to the company
Among the most subtle insider threats are those of those who have the sole purpose of damaging the company. The motive, in these cases, is usually of a personal nature: an employee who is refused a raise, a disagreement with a superior, etc. The insider then moves to discredit his company, causing damage to its image that results in frightened investors who withdraw their capital or lose customers.
Sabotage and sale of information to third parties
For companies that handle sensitive data, this type of threat is a real risk. Whether the company deals with valuable intellectual property or sensitive data of its customers, there is a high probability that there are those who are interested in having access to that data to use it to their advantage. In this scenario, the actor who wants to get hold of the data recruits an insider to steal it.
Cases that fall under the definition of espionage or media sabotage have been on the rise in recent years. Attacks start from nations such as Russia or North Korea, often involved in this type of trafficking in order to gain political advantages against Western states and organizations.
Defense against insider threats
The defense against attacks that originate from the inside is based on the analysis of the suspicious behavior of those who have access to the systems. The difficulty is found in the non-violent nature of the attacks. It is easy for insiders to not need to breach any security checks, having access from the start.
So how can we immediately catch the threats?
Monitor user access
Insiders with legitimate access choose to abuse their access privileges. Excessive access rights are often granted to reduce the effort that privilege management requires. Avoiding this type of behavior is already a first step in a proactive direction of defense.
Furthermore, with a Nextgen SIEM system it is possible to monitor users with high privilege access to databases, servers and critical applications. At that point it is easier to identify those who abuse their access.
Detect suspicious user behavior
The most sophisticated attacks are based on stealth. To this end, attackers increasingly rely on the compromise of existing internal resources. Once inside the network, they perform lateral movement and steal data under the guise of an internal user.
A system such as that offered by SOD’s SOCaaS allows, among other things, to quickly identify suspicious accounts by detecting abnormal user behavior compared to normal base patterns and the activity of colleagues.
The advantages of a modern system
Shorter response time
Using behavioral analysis it is possible to identify abnormal actions so that we can investigate very quickly.
Advanced behavioral analysis: with the UEBA system (included in SOCaaS), security analysts are able to monitor access and activity of users to the most important resources of the company, allowing to find internal threats with the minimal noise for fast detection and response.
Rapid recognition of users at risk
To enable rapid detection of insider threats, security teams need the ability to link a user’s accounts together to create a universal user profile. This is possible with a Nextgen SIEM system. The analysis of user behavior is also compared to that of a group of peers, to identify anomalous behaviors with greater precision, understanding how a user’s activity is different from that of his colleagues.
The threats that start from within the company perimeter are perhaps the most risky due to their low noise nature. Fortunately, with systems increasingly capable of detecting suspicious behavior and aggregating large amounts of employee data, it is possible to take effective countermeasures to combat this type of attack.
Useful links:
Share
RSS
More Articles…
- From Secure Online Desktop to Cyberfero: rebranding of the leading cybersecurity company
- NIS: what it is and how it protects cybersecurity
- Advanced persistent threats (APTs): what they are and how to defend yourself
- Penetration Testing and MFA: A Dual Strategy to Maximize Security
- Penetration Testing: Where to Strike to Protect Your IT Network
- Ransomware: a plague that brings companies and institutions to their knees. Should you pay the ransom? Here is the answer.
- Why IT audit and log management are important for Cybersecurity
- Red Team, Blue Team and Purple Team: what are the differences?
Categories …
- Backup as a Service (18)
- Acronis Cloud Backup (11)
- Veeam Cloud Connect (4)
- Cloud Conference (3)
- Cloud CRM (1)
- Cloud Server/VPS (22)
- Conferenza Cloud (4)
- Cyberfero (15)
- ICT Monitoring (5)
- Log Management (2)
- News (25)
- ownCloud (4)
- Privacy (7)
- Security (203)
- Cyber Threat Intelligence (CTI) (8)
- Deception (4)
- Ethical Phishing (11)
- Netwrix Auditor (2)
- Penetration Test (11)
- Posture Guard (3)
- SOCaaS (65)
- Vulnerabilities (84)
- Web Hosting (15)
Tags
Unknown Feed
Full Disclosure
- User Enumeration in IServ Schoolserver Web Login September 11, 2025Posted by naphthalin via Fulldisclosure on Sep 10“I know where your children go to school.” The web front end of the IServ school server from IServ GmbH allows user enumeration. Responses during failed login attempts differ, depending on if the user account exists, does not exist and other conditions. While this does not pose a […]
- Re: Apple’s A17 Pro Chip: Critical Flaw Causes Dual Subsystem Failure & Forensic Log Loss September 11, 2025Posted by Matthew Fernandez on Sep 10Can you elaborate on why you consider this high severity? From the description, it sounds as if this behaviour is fail-closed. That is, the effects are limited to DoS, with security properties preserved.
- Defense in depth -- the Microsoft way (part 92): more stupid blunders of Windows' File Explorer September 8, 2025Posted by Stefan Kanthak via Fulldisclosure on Sep 08Hi @ll, this extends the two previous posts titled Defense in depth -- the Microsoft way (part 90): "Digital Signature" property sheet missing without "Read Extended Attributes" access permission and Defense in depth -- the Microsoft way (part 91): yet another 30 year old bug of the […]
- Critical Security Report – Remote Code Execution via Persistent Discord WebRTC Automation September 8, 2025Posted by Taylor Newsome on Sep 08Reporter: [Taylor Christian Newsome / SleepRaps () gmail com] Date: [8/21/2025] Target: Discord WebRTC / Voice Gateway API Severity: Critical 1. Executive Summary A proof-of-concept (PersistentRTC) demonstrates remote code execution (RCE) capability against Discord users. The PoC enables Arbitrary JavaScript execution in a victim’s browser context via WebRTC automation. […]
- Submission of Critical Firmware Parameters – PCIe HCA Cards September 8, 2025Posted by Taylor Newsome on Sep 08*To:* support () mellanox com, networking-support () nvidia com *From:* Taylor Christian Newsome *Date:* August 20, 2025 *Dear Mellanox/NVIDIA Networking Support Team,* I am writing to formally submit the critical firmware parameters for Mellanox PCI Express Host Channel Adapter (HCA) cards, as detailed in the official documentation available here: […]
- SEC Consult SA-20250908-0 :: NFC Card Vulnerability Exploitation Leading to Free Top-Up in KioSoft "Stored Value" Unattended Payment Solution (Mifare) September 8, 2025Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Sep 08SEC Consult Vulnerability Lab Security Advisory < 20250908-0 > ======================================================================= title: NFC Card Vulnerability Exploitation Leading to Free Top-Up product: KioSoft "Stored Value" Unattended Payment Solution (Mifare) vulnerable version: Current firmware/hardware as of Q2/2025 fixed version: No version numbers available CVE number:...
- FFmpeg 7.0+ Integer Overflow in FFmpeg cache: Protocol (CacheEntry::size) September 8, 2025Posted by Ron E on Sep 08An integer overflow vulnerability exists in the FFmpeg cache: URL protocol implementation. The CacheEntry structure uses a 32-bit signed integer to store cache entry sizes (int size), but the cache layer can accumulate cached data exceeding 2 GB. Once entry->size grows beyond INT_MAX and new data is appended, an […]
- FFmpeg 7.0+ Integer Overflow in DSCP Option Handling of FFmpeg UDP Protocol September 8, 2025Posted by Ron E on Sep 08A vulnerability exists in the FFmpeg UDP protocol implementation ( libavformat/udp.c) where the dscp parameter is parsed from a URI and left-shifted without bounds checking. Supplying a maximum 32-bit signed integer (2147483647) triggers undefined behavior due to a left shift that exceeds the representable range of int. This results […]
- FFmpeg 7.0+ Integer Overflow in UDP Protocol Handler (fifo_size option) September 8, 2025Posted by Ron E on Sep 08A signed integer overflow exists in FFmpeg’s udp.c implementation when parsing the fifo_size option from a user-supplied UDP URL. The overflow occurs during multiplication, which is used to compute the size of the circular receive buffer. This can result in undefined behavior, allocation failures, or potentially memory corruption depending […]
- FFmpeg 7.0+ LADSPA Filter Arbitrary Shared Object Loading via Unsanitized Environment Variables September 8, 2025Posted by Ron E on Sep 08The ladspa audio filter implementation (libavfilter/af_ladspa.c) in FFmpeg allows unsanitized environment variables to influence dynamic library loading. Specifically, the filter uses getenv("LADSPA_PATH") and getenv("HOME") when resolving the plugin shared object (.so) name provided through the file option. These values are concatenated into a filesystem path and passed directly into […]
Customers
Twitter FEED
Recent activity
-
SecureOnlineDesktop
Estimated reading time: 6 minutes L'impatto crescente delle minacce informatiche, su sistemi operativi privati op… https://t.co/FimxTS4o9G
-
SecureOnlineDesktop
Estimated reading time: 6 minutes The growing impact of cyber threats, on private or corporate operating systems… https://t.co/y6G6RYA9n1
-
SecureOnlineDesktop
Tempo di lettura stimato: 6 minuti Today we are talking about the CTI update of our services. Data security is… https://t.co/YAZkn7iFqa
-
SecureOnlineDesktop
Estimated reading time: 6 minutes Il tema della sicurezza delle informazioni è di grande attualità in questo peri… https://t.co/tfve5Kzr09
-
SecureOnlineDesktop
Estimated reading time: 6 minutes The issue of information security is very topical in this historical period ch… https://t.co/TP8gvdRcrF
Newsletter
{subscription_form_1}Products and Solutions
Partners
Cloud Models
News
- From Secure Online Desktop to Cyberfero: rebranding of the leading cybersecurity company May 6, 2024
- NIS: what it is and how it protects cybersecurity April 22, 2024
- Advanced persistent threats (APTs): what they are and how to defend yourself April 17, 2024
- Penetration Testing and MFA: A Dual Strategy to Maximize Security April 15, 2024
- Penetration Testing: Where to Strike to Protect Your IT Network March 25, 2024
Google Reviews
Ottima azienda, servizi molto utili, staff qualificato e competente. Raccomandata!read more
Ottimo supportoread more
E' un piacere poter collaborare con realtà di questo tiporead more
Un ottimo fornitore.
Io personalmente ho parlato con l' Ing. Venuti, valore aggiunto indubbiamente.read more
About
© 2024 Cyberfero s.r.l. All Rights Reserved. Sede Legale: via Statuto 3 - 42121 Reggio Emilia (RE) – PEC [email protected] Cod. fiscale e P.IVA 03058120357 – R.E.A. 356650 Informativa Privacy - Certificazioni ISO