Insider Threat or Intruder: Effective Detection Doesn't Care

Last updated at Tue, 25 Apr 2023 21:38:22 GMT

For various reasons, I have recently had a lot of conversations about insider threats. What is the best solution for them? How can they be detected? Does InsightIDR detect them?

Rather than answering these questions with more questions, here is what I say: when you are detecting the malicious activity properly, the precise actor is unimportant. It is extremely important for the follow-up investigation and response that you know whether the person with hostile intentions is a legitimate member of your organization or someone that manipulated his way through the perimeter via social engineering or other commonly-used tactics, but detecting the indicator of compromise should only focus on the actor when determining if more intelligent analysis is needed to cover them all.

Let me break down the similarities and differences of these two types of actors to explain my point a bit (with the help of a couple of my favorite 90s movies):

Intruders

Despite what we all learned from Trinity in "The Matrix", intruders are not going to ride a motorcycle into your organization's building and shoot everyone on a direct path to the central computer. I think that behavior might raise enough suspicion within your physical security team to send a brief note over to the incident response group. Typically, real world attackers will use stolen credentials as a way into an organization, either through a combination of LinkedIn research and spearphishing or buying compromised credentials from the type of black market website where such purchases are widely available. However, once Trinity was at the keyboard of the "master computer", she did use nmap to scan the network to determine her next move. This realistic reconnaissance of the network needs to be detected if you want to spot an attack in its infancy. An intruder's next move is to continue stealthily moving to different systems using whatever legitimate passwords (or hashes) she has obtained along the way. Eventually, some privileged stolen credentials will enable access to an important system where monetizable data resides.

Insider Threats

Now, "Office Space" has both the most depressing representation of the product manager role and the campiest example of malicious insiders of any movie in my mental catalog, but if Peter, Michael, and Samir were going to manipulate their organization's financial accounts today, they would not simply walk into the server room and run an executable from a 3.5" floppy disk. Even the newly-promoted Peter would not have the ability to run an application on that well-guarded system. They would instead need to gain access to the accounts with privileges to access these kinds of critical systems. To find these accounts, they would start accessing other endpoints and servers on the network where the privileged users may have authenticated, just as an intruder would. This also assumes that your insider threat has a preexisting knowledge of (a) the actual systems with valuable data, (b) the users that would have access to them, and (c) the standard evasion tactics and the kinds of tools necessary to obtain and reuse credentials. In reality, the vast majority of insiders disgruntled enough to seek retribution or accept a bribe are going to be poking around in the dark with much less sophistication than an experienced attacker, i.e. broadly scanning the network, crawling every page on a wiki site, or locking themselves out of systems by misusing credentials.

As you can see, once inside the organization, intruders behave very much like a malicious insider. Outsiders will generally explore the network more to learn where the valuable data is, but the vast majority of malicious insiders also do not know where the valuable data resides. In both cases, the malicious actor du jour needs to use someone else's credentials in a manner that differs from the norm. Despite being physically located in vastly different places, the intruder and the insider are both accessing privileged accounts or critical systems from internal assets and accounts. If you are focused on spotting the point when a legitimate user starts to do things that are out of character and concerning, you will detect both.

I highly suggest that you test the user behavior analytics in InsightIDR against both scenarios, as we have, and take a look for yourself. To get the process started, please visit our solution page. I'm confident that you will see how we will help you detect both types of malicious actors.

P.S. Please accept my apologies for failing to use any references to "Superman III" or "Real Genius".