Luke Walker, Senior Threat Intelligence Analyst at Searchlight Security

September is National Insider Threat Awareness Month - an annual campaign to educate organizations about the risks posed by insider threats. This blog gives a quick overview of what insider threat is, why raising awareness of it right now is especially important, and how dark web intelligence can help organizations to spot malicious insiders.

What is an Insider Threat?

An insider threat is an employee or contractor who exploits their access within an organization to undermine its security. This might be stealing or sharing company data, giving outsiders access to company systems, or undertaking destructive actions on the organization’s network.

For security teams, someone within the organization acting maliciously creates a unique challenge because they can’t take the same approach for external threats and rely on defenses at the “perimeter”. Staff have to have access to the corporate network to do their job, so the question then becomes about how anomalous employee activity can be spotted and malicious intentions identified.

Why Are Insider Threats So Concerning?

According to Verizon’s 2022 Data Breach Investigation Report (DBIR) malicious insiders were involved in a fifth (20 percent of incidents) in the last year. While this is less than cases just involving external actors (80 percent) it is worth considering that this may be an underestimate, as many organizations would be reluctant to admit that they were attacked by an insider. Furthermore, even Verizon admits that this figure might be skewed by the fact that insiders are better at going undetected in their involvement. 

Whether that is the true figure or not, what should make organizations pay attention is the data we do have on the amount of damage an insider can do before being detected in the incidents they are involved in. Verizon found that data breaches involving insiders were on average 10 times larger than those executed by external threat actors, based on the number of compromised records.

Why Are Insider Threats Becoming More Common?

According to data from Proofpoint and the Ponemon Institute, there was a 44 percent increase in insider threat incidents between 2020 and 2022, which coincides with the COVID pandemic and the increase in remote work.

The reasons behind this are relatively common sense. Firstly, working from home makes people feel as if they are not being watched as closely, therefore employees are more likely to take risks. 

Secondly, remote work has eroded some of the implicit security protection that was in place when employees had to be on-premise to access the corporate network. For most employees, logging onto their company’s infrastructure from home is easy; they just enter their credentials into the virtual platform. Unfortunately, it is just as easy for them to hand over their credentials to a threat actor to do exactly the same thing. 

Finally, remote work has also increased the chance of an employee becoming an insider threat completely unwittingly. Many people don’t know their colleagues as well as they would in the office, and those in large companies in particular are at risk of being compromised by a cybercriminal masquerading as another member of staff. For example, Twitter’s incident in 2020 - where notable accounts were hijacked by a cryptocurrency scam - was executed by tricking an employee into handing over credentials using a voice phishing (vishing) attack.

How Do Cyber Criminals Recruit Malicious Insiders?

Some cybercriminals approach employees directly and privately but often groups openly advertise that they are looking for employees in particular organizations. The ransomware group LAPSUS$, for example, infamously posted a recruitment call on its Telegram channel for help from employees in telecoms companies, software and gaming corporations, call centers, and server hosts (see below).

Often cybercriminals offer hefty sums for information or access. For example, in this post below a threat actor offers $5 million for an insider who can ‘fetch them’ some ‘info’: 

It is important that organizations are aware that this type of offer could be being made to their employees because the number one motivation for malicious insiders (in 78 percent of analyzed attacks) was financial gain, according to the Verizon DBIR. The subsequent motivations were fostering a grudge (nine percent), espionage (eight percent), and simple convenience (six percent).

How Can Organizations Spot and Stop Insider Threat?

Somewhat counterintuitively, one of the key ways organizations should be protecting against insider threat is to look outside of their organization for signs that cybercriminals are looking for insiders within their business. 

All organizations should be monitoring marketplaces, forums, and social media channels for chatter about their company, which will help them spot warning signs of an imminent attack such as cybercriminals looking for insider knowledge, or disgruntled employees making unsavory comments. 

This monitoring has to extend to the dark web, as this is where cybercriminals typically conduct their reconnaissance on organizations, believing they are out of the reach of law enforcement and cybersecurity teams.

How Can Dark Web Traffic Monitoring Help?

In particular, dark web traffic going to or from an organization’s network can provide an invaluable early warning sign of many types of attack, not least insider threat.

Connections between a company device and the Tor network is a very reliable data point for discovering insider threat because there is virtually no good reason why an employee would be connecting to the dark web in most organizations. Traffic going from the an organization’s network to the dark web usually indicates one of only a few possibilities (spoiler alert, none of them are good):

1. An employee is engaging in illegal activity on a dark web marketplace and forum, which is potentially putting the company at risk.

2. An employee is deliberately engaging with cybercriminals through the dark web, which could include sharing data or providing access to the network.

3. The network has already been compromised and the traffic leaving the corporate network is a beacon calling back to a command and control server.

By monitoring dark web traffic, security teams can identify potentially malicious activity quickly, isolate the device and account that the traffic is coming from, and stop insider threats before the company is compromised. Most cybercriminals rely on dark web infrastructure to conduct their operations, which means that cutting off this channel can vastly reduce the chance of insider threat taking hold.

Book a demo to find out more about how Searchlight Security can help you monitor dark web traffic, marketplaces and forums, to protect your organization from insider threats.