Very much like privacy concerns, insider threats may not be the first issue to come to mind when building an enterprise cyber resilience plan. However, they should be. Here is why: because as we noted in the first piece of this series, you want to be able to bend while others break. An insider threat is uniquely positioned to make you break in ways no other threat can.

The Insider Is the Most Feared

In Taylor Caldwell’s 1965 “A Pillar of Iron,” a novel about Cicero and Rome, there is a passage stating how a nation cannot survive treason from within. Below is a play on that passage, showing how the insider can be the most feared threat to resilience.

An organization can survive its fools, and even the ambitious. But it cannot survive deceit from within.  A malicious actor outside the network is less formidable, for that threat is known and the tactics, techniques and procedures can, at times, be identified. But the insider moves amongst those within the network and the organization freely, the insider’s sly actions crawling through the network, and even gaining trust of colleagues from within the organization itself. For the insider appears not as a malicious actor; the insider speaks in accents familiar to his victims, wears their face and their arguments, understands the intricacies of the organization’s operations, and appeals to the baseness that lies deep in the hearts of all within the organization … 

The insider so dangerous because they know organization’s ways. They know exactly how to hurt you if they are determined enough, regardless of motivation, often driven by one or more of money, ideology, compromise or ego. Few threats have the ability to gnaw away slowly and methodically to the point where your organization comes crashing down all at once.

The Many Ways Insider Threats Can Cause Harm

Think of all the ways a malicious insider can hurt you:

  • Infect the system with malware? Check.
  • Steal valuable intellectual property? Check.
  • Misconfigure a system or leave it vulnerable to compromise on purpose? Check.
  • Social engineer colleagues? Check.
  • Change results, findings and protections to give you a false sense of security? Check.
  • Spread rumors, with a baked-in ‘kernel of truth’ to give off a sense of credibility, but with intent to damage the reputation of the organization? Check.

It is hard to find another single threat that can cause so much damage at one time. The insider needs time, determination, patience, reconnaissance, knowledge of inner workings and knowing when to strike. These qualities differ little from nation-state actors and their advanced persistent threats (APTs).

In essence, the successful insider is the black swan event: the low probability, high impact event. If you think it cannot happen, there are a few government agencies and large enterprises that may think otherwise.

So, how do we minimize risk from insiders? Well, it is a matter of both carrot and stick. Going too far one way can have the exact opposite intent and create an entirely new breed of insider threats you never planned for in the first place. Therefore, balance your reaction based on awareness, culture, operational needs and, of course, risk tolerance.

Turning the Insider Into a Partner

The insider threat that is lazy, clumsy and stupid is not your worry. Yes, they could cause damage along the way, but won’t do a lot of harm. For insiders like this, you will likely turn to technology and automation to detect odd behavior. And the tech will likely do a good job. All of these protective actions fall within your identity and access management, data loss prevention and your user behavior analytic strategies.

When it comes to insider threats, these solutions are actually the ‘easy’ ones. They require:

  • Leadership support
  • Financial support
  • People support, to both deploy and maintain
  • Patience, for training and configuration
  • Staying up to date with current trends.

Of course, you understand why the word easy is in quotes. But with real support and some good frameworks and guidance, you can make some major progress protecting against insider threats.

The ‘hard’ solutions are much less focused on tech. Instead, they focus on culture, emotions, awareness, incentives and even discipline. Therefore, improving your cybersecurity and organizational resilience posture requires turning prospective and even active insider threats into partners. Put another way: give them a reason not to become a threat.

Empathy May Be the Key

Some employees love their job so much they’ll go through a wall to protect the company, no matter what the sacrifice. They are true believers. Others may just be there for the paycheck, know what the gig is all about, will go through the motions and, if it does not work out, they’ll move on to some other place. Perhaps not the best employee, but not exactly a threat.

Then there is everyone in between. This is the group to be concerned with, as instances and emotions can affect them in unknown ways. Someone you had for 20 years may suddenly feel slighted, and all that pent-up energy will be directed at their workplace.

The key: never make your staff feel cornered and alienated. Make them feel valued and part of something more. If you sense something is off, have the people skills to be able to reach out to them. Empathize. Remember, cybersecurity is not, and can not, be just about tech skills. Respect their privacy also. Keep in mind, an employee will not take any harmful action unless there is a reason. Try to make sure to limit or entirely get rid of those reasons.

Approaching the End of the Line

We present this series as a journey because security and resilience decisions and actions cannot be made in isolation. Our speed of light business efficiency has created a whole bunch of dependencies that we did not calculate well for. Remove those dependencies and suddenly everything comes to a screeching halt.

One last stop on our journey – a total polar opposite from insider threats – focuses on geopolitical pressures.

More from Incident Response

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Breaking Down a Cyberattack, One Kill Chain Step at a Time

In today’s wildly unpredictable threat landscape, the modern enterprise should be familiar with the cyber kill chain concept. A cyber kill chain describes the various stages of a cyberattack pertaining to network security. Lockheed Martin developed the cyber kill chain framework to help organizations identify and prevent cyber intrusions. The steps in a kill chain trace the typical stages of an attack from early reconnaissance to completion. Analysts use the framework to detect and prevent advanced persistent threats (APT). Organizations…

Defining the Cobalt Strike Reflective Loader

The Challenge with Using Cobalt Strike for Advanced Red Team Exercises While next-generation AI and machine-learning components of security solutions continue to enhance behavioral-based detection capabilities, at their core many still rely on signature-based detections. Cobalt Strike being a popular red team Command and Control (C2) framework used by both threat actors and red teams since its debut, continues to be heavily signatured by security solutions. To continue Cobalt Strikes operational usage in the past, we on the IBM X-Force…

What is a Red Teamer? All You Need to Know

A red teamer is a cybersecurity professional that works to help companies improve IT security frameworks by attacking and undermining those same frameworks, often without notice. The term “red teaming” is often used interchangeably with penetration testing. While the terms are similar, however, there are key distinctions. First and foremost is the lack of notice from red teams. Pen testing may be scheduled in advance to assess the ability of specific security measures to handle a simulated attack; red team…