Cybersecurity Alert

Insider threats are on the rise. According to a report from the Ponemon Institute, the number of insider-led cybersecurity events increased by 44% from 2020 to 2022. Meanwhile, the average cost per incident climbed to $648,000 for malicious incidents and $485,000 for non-malicious insider threats. Over the past year alone, insider-instigated threats have continued to rise and now cost organizations an average of $16.2M per year.

By definition, an insider threat is a person who has the potential to use their access to adversely affect the confidentiality, integrity or availability of their organization’s data or information technology (IT) systems. This includes both malicious threats, where an employee or contractor intentionally uses their access to support a goal that runs contrary to the organization’s best interest; and unwitting threats, where someone with legitimate access (for example, permission to handle exploits or offensive tools as part of their duties) fails to follow the standard operating procedures that would mitigate the risk.

Given the high costs and the increasing rate of insider threats of both types, it’s more important than ever for organizations to understand these risks and how to defend against them.

While insider activities can be hard to detect, not all is doom and gloom. Our analysis of known cases shows that many of the defensive actions used to detect and mitigate targeted intrusion and eCrime adversaries are also effective at stopping insider threats.

Problem #1: Privilege escalation

CrowdStrike Counter Adversary Operations and Falcon Complete teams have been observing insider threats across the networks we protect for years. To get a sense of how they work, we analyzed incidents from January 2021 to April 2023 and found several insiders achieving their goals by exploiting known vulnerabilities.

More than half (55%) of the incidents involved insiders escalating, or attempting to escalate, their privileges on their own computers or on the network. Insiders sought higher privileges to download unauthorized software, remove forensic evidence or troubleshoot IT systems. Whether the motive was malicious or not, these internal users wittingly or unwittingly introduced risk to the organization.

These incidents are not based on obscure knowledge known only to a few. In fact, they made use of six well-known vulnerabilities that have publicly available exploit code on GitHub and are included in a public catalog from the United States Cybersecurity and Infrastructure Security Agency (CISA).

Sometimes users exploit these vulnerabilities for purposes that are not malicious in intent. In one case, an internal user used WhatsApp to download an exploit so they could escalate their privileges and install the uTorrent file-sharing application as well as unauthorized games.

In other cases, the intent is clearly malicious. For example, in late July 2022, we observed a former employee of a U.S.-based media entity, who had been terminated, attempt to use an exploit for a Windows vulnerability (CVE-2017-0213) to conduct unauthorized activities. Some of the vulnerabilities we saw used were disclosed as early as 2015; a vulnerability remains useful to any attacker, internal or external, until it is patched or mitigated, which is why timely patching, identity threat protection and modern endpoint security tooling matter.

Problem #2: Downloading exploits and security tools

Among the insider threat incidents we found, 45% involved insiders who unwittingly introduced risk to their environment by downloading exploits without authorization, or by downloading other offensive security tools for testing or training purposes.

In these incidents, testing exploits and offensive tools might have been part of these insiders’ regular jobs, but they didn’t follow safe-handling procedures. For example, in February 2023, an internal user at a U.S.-based technology entity tried to download an exploit for a Windows kernel privilege escalation vulnerability, but they used their corporate computer instead of the approved testing system (a separate virtual machine).

Malicious or not, these activities put organizations at risk. Testing exploits on unauthorized systems could disrupt operations through system crashes or other unintended side effects. They also introduce weaknesses: an adversary that already has a foothold on the network might find these exploits or tools in place and use them to support their own activity. Finally, exploit code pulled from public repositories is untrusted code; downloading it and failing to manage its use properly can introduce backdoors that attackers can exploit.

For instance, in our analysis, we saw multiple incidents involving the unauthorized deployment of the Metasploit Framework by privileged users in the environment. This is a well-known penetration testing framework, which is often used by security teams. However, it can also provide attackers with a readily available mechanism for conducting pre- and post-exploitation activities.

Solutions for managing insider threats

The first activity every organization should consider is investing in awareness and compliance training for employees. Educating employees on how to recognize a potential insider acting in a way that puts the company at risk is an invaluable first step. Most security teams have protocols for the safe handling of tooling and samples; knowing and following those procedures, and alerting management when they are abused or misused, is equally important.

Companies need to understand and enforce the principle of least privilege (POLP). According to this principle, users and processes should only be given the minimum permissions needed to perform their jobs. POLP is one of the most effective practices for strengthening an organization’s cybersecurity posture, and it allows organizations to control and monitor network and data access. Enforcing POLP will help address issues of privilege escalation.

In addition, many of the vulnerabilities we saw insiders using have exploits that are publicly available on GitHub. Restricting or monitoring the download of exploits from GitHub and other online code repositories would help mitigate these threats, while still allowing approved, isolated testing systems to fetch what security staff legitimately need.
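To make that monitoring concrete, here is an added example (not code from this article or from CrowdStrike) that scans proxy log lines for successful downloads from public code repositories whose URL path names a CVE or a known offensive-tool keyword, and rates the finding higher when the downloading host is not on an allowlist of approved, isolated test systems, which is exactly the distinction the February 2023 incident above turned on. The log format, the sample log lines, the allowlist, the repository host list and the keyword list are all assumptions constructed for illustration; tune them to your environment.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample proxy log (not real data). Assumed layout:
#   "<ISO timestamp> <user> <host> <method> <url> <status>"
SAMPLE_LOG = """\
2023-02-14T09:12:01Z alice WS-ALICE-01 GET https://github.com/example/CVE-2017-0213/archive/main.zip 200
2023-02-14T09:15:44Z bob RESEARCH-VM-07 GET https://raw.githubusercontent.com/example/kernel-lpe/main/exploit.c 200
2023-02-14T10:02:10Z carol WS-CAROL-03 GET https://github.com/rapid7/metasploit-framework/archive/refs/heads/master.zip 200
2023-02-14T10:30:00Z dave WS-DAVE-02 GET https://github.com/example/dotfiles/archive/main.zip 200
2023-02-14T11:00:00Z erin WS-ERIN-05 GET https://example.com/news 200
"""

# Assumption: hosts approved for handling exploits and offensive tooling
# (isolated test VMs). Everything else is treated as a production endpoint.
APPROVED_TEST_HOSTS = {"RESEARCH-VM-07"}

# Public code repositories from which exploit PoCs are commonly fetched (assumed list).
CODE_REPO_HOSTS = {"github.com", "raw.githubusercontent.com", "codeload.github.com", "gitlab.com"}

# Indicators in the URL path: a CVE identifier (PoC repos are often named after the
# bug) or an offensive-tool keyword. The keyword list is deliberately small and
# illustrative; the lookarounds stop "poc" matching inside words like "epoch".
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
TOOL_RE = re.compile(r"(?<![a-z0-9])(exploit|privesc|lpe|poc|metasploit)(?![a-z0-9])", re.IGNORECASE)

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    host: str
    url: str
    reasons: tuple  # e.g. ("cve-id:CVE-2017-0213",) or ("keyword:lpe", "keyword:exploit")
    severity: str   # "high" on a production endpoint, "info" on an approved test VM


def indicators(url: str) -> tuple:
    """Return why a URL looks like an exploit/offensive-tool download, or () if it doesn't."""
    parsed = urlparse(url)
    if parsed.hostname not in CODE_REPO_HOSTS:
        return ()
    reasons = []
    cve = CVE_RE.search(parsed.path)
    if cve:
        reasons.append(f"cve-id:{cve.group(0).upper()}")
    # dict.fromkeys keeps first-seen order while de-duplicating repeated keywords
    for kw in dict.fromkeys(k.lower() for k in TOOL_RE.findall(parsed.path)):
        reasons.append(f"keyword:{kw}")
    return tuple(reasons)


def classify(line: str) -> Optional[Finding]:
    """Turn one log line into a Finding, or None if it is not a successful suspicious download."""
    m = LOG_RE.match(line.strip())
    if not m or m["status"] != "200":  # blocked or failed downloads are out of scope here
        return None
    reasons = indicators(m["url"])
    if not reasons:
        return None
    severity = "info" if m["host"] in APPROVED_TEST_HOSTS else "high"
    return Finding(m["ts"], m["user"], m["host"], m["url"], reasons, severity)


def scan(log_text: str) -> list:
    """Scan a whole log and return the findings in log order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.ts} {f.user}@{f.host} {f.url} ({', '.join(f.reasons)})")
```

Run as-is to print the findings, or point `scan` at a real proxy or EDR network-event export after adapting `LOG_RE`. A finding on an approved test VM is informational (expected behaviour for a security team); one on an ordinary workstation is precisely the Problem #2 pattern and warrants a conversation with the user. Keyword matching on URL paths is a cheap first filter, not a substitute for inspecting what was actually downloaded: a PoC repository with an innocuous name will slip past it, so pair this with endpoint telemetry on what runs afterwards.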

Many of the vulnerabilities described in this article have also been exploited by targeted intrusion and eCrime adversaries. As a result, many of the popular defense-in-depth measures that network defenders already use to detect and prevent attacks are also useful for neutralizing insider threats.

We saw insiders use many old vulnerabilities, some disclosed as early as 2015, underscoring the fact that vulnerabilities remain useful to all attackers (internal or external) until the company patches or mitigates them. It is critical to ensure timely vulnerability patching to protect the network and every device connected to it. It is a painful fact that the “technical debt” carried by many IT organizations comes up in many incident response engagements, for insider as well as externally motivated threats.


Thomas Etheridge, Chief Global Services Officer, CrowdStrike

Disclaimer: The views expressed in this article are those of the author and do not necessarily reflect the views of ET Edge Insights, its management, or its members
