
The Rise of Insider Threats

An insider threat is a cybersecurity threat that originates with users who are inside or connected to an organization.

Imagine a scenario where an employee receives an email from a colleague, asking for login credentials to a valuable application within their organization. The recipient, perhaps busy with other tasks or not fully paying attention, quickly replies with the needed credentials. However, the sender was not actually a colleague, but a threat actor posing as a colleague. As a result, the now-compromised credentials enable the threat actor to launch a subsequent attack on the organization.

This kind of scenario is becoming all too common, especially as the use of web-based applications and reliance on many different sets of credentials grows within modern-day organizations. Threat actors know one of the simpler paths into an environment doesn’t involve complicated sequences of code but instead relies on stealing credentials from users.

This increasingly common scenario has given rise to a dangerous risk point in cybersecurity: insider threats.

What are Insider Threats?

An insider threat is a cybersecurity threat that originates with users who are inside or connected to an organization, and who have privileged access to or information about that organization. These insiders can include employees, contractors, business associates, and even customers who have access to privileged data, applications, or regularly correspond with users that do.

While insider threats make up a minority of all cyber threats that lead to incidents, they continue to be a pain point for organizations and shouldn’t be downplayed. Arctic Wolf’s annual survey of organizations around the globe found that 61% of organizations had identified an insider threat, and in 29% of those cases, the threat resulted in a security incident. Verizon also identified a similar pattern, noting in its 2024 Data Breach Investigations Report that 34% of reported breaches involved internal actors.

Insider threats fall into two main categories: malicious insider threats and negligent insider threats.

Malicious Insider Threats

A malicious insider threat occurs when a current or former user intentionally misuses access to vital applications, systems, or data for disruption, financial gain, or both.

While some malicious insiders work independently, they can also work with or be recruited by an external threat actor, often with the promise of financial gain. While malicious insider threats are rare compared to other threats like vulnerability exploits, they can be just as damaging. According to IBM’s 2024 Cost of a Data Breach report, malicious insider attacks are the most expensive, costing organizations an average of $4.99M (USD).

Negligent Insider Threats

A negligent insider threat occurs when a user creates a security threat through ignorance, carelessness, or even inaction. The phishing scenario from above is an example of a negligent insider threat, where the user did not fully investigate the email for signs of fraud, and instead willingly gave away vital credentials. Phishing is one of the more common ways threat actors take advantage of negligent insiders, often with great success. In 2024, nearly 73% of business email compromise (BEC) incidents investigated by Arctic Wolf® Incident Response began with a phishing attack.

Other examples of negligent insider threats include bypassing security controls, losing a physical device such as a laptop, sending sensitive information to the wrong individual, falling victim to a form of social engineering, or even failing to apply stringent access protections, such as complex passwords or multi-factor authentication (MFA) to devices.

Whether an insider threat is intentional or not, there are a few ways security teams can recognize and neutralize it before it results in a security incident.

Indicators of Insider Threats

If an insider threat is occurring in your organization’s environment, whether it’s malicious or negligent is secondary. What matters most is to recognize that it’s happening and to mitigate it swiftly. Indicators of insider threats fall into four main categories: unusual behavior, access abuse, data downloads, and unauthorized access attempts.

Specific indicators of an insider threat include:

  • Unusual data movement, including spikes in data downloads, file movement between applications or folders, or unusual outbound data flows
  • Use of unsanctioned software or hardware, including new application downloads, the use of insecure software, or an organization-wide growth in shadow IT
  • Access of files or applications at unusual times or from new or unusual geographic locations
  • Requests for escalated privileges, permissions, or file and application access that is unusual or unnecessary for that user’s job role
  • Users accessing data that falls outside their core job functions
  • Users accessing or attempting to access data or applications post-termination or departure from the organization

While these indicators are helpful for security teams looking to detect insider threats, any one of them on its own is not a strong indicator of a serious security threat. These behavior-based indicators should be combined with other telemetry and thoroughly investigated to understand what is occurring before acting on the threat.
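The indicators above are most useful when correlated rather than alerted on individually. The following is an added example, not Arctic Wolf’s code, that checks a small set of constructed authentication and download events for off-hours access, access from an unusual location, a daily download spike, and access after a termination date, then raises an alert only when a user’s combined indicator weight crosses a threshold. The event schema, the HR context, the thresholds, and the indicator weights are all assumptions made for illustration.

```python
"""Correlate insider-threat indicators over constructed identity and data-transfer events.

Added example; not Arctic Wolf's code. The event schema, the HR context,
the thresholds and the sample records are all assumptions for illustration.
"""
from collections import defaultdict
from datetime import date, datetime, timezone

# Constructed sample events: authentication and download records for three users.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2024-05-06T09:12:00Z", "geo": "US", "action": "login"},
    {"user": "alice", "ts": "2024-05-06T09:40:00Z", "geo": "US", "action": "download", "bytes": 2_000_000},
    {"user": "bob",   "ts": "2024-05-06T02:15:00Z", "geo": "US", "action": "login"},
    {"user": "bob",   "ts": "2024-05-06T02:20:00Z", "geo": "RO", "action": "download", "bytes": 900_000_000},
    {"user": "bob",   "ts": "2024-05-06T02:25:00Z", "geo": "RO", "action": "download", "bytes": 850_000_000},
    {"user": "carol", "ts": "2024-05-07T10:00:00Z", "geo": "US", "action": "login"},
]

# Constructed context that would normally come from HR and the identity provider.
TERMINATED = {"carol": date(2024, 5, 1)}          # user -> last day of employment
USUAL_GEO = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}
BUSINESS_HOURS = range(7, 20)                     # 07:00-19:59 UTC counts as normal (assumed)
DOWNLOAD_SPIKE_BYTES = 1_000_000_000              # per-user daily volume treated as a spike (assumed)

# Weight per indicator; post-termination access is weighted higher because an
# account that should no longer be active has no legitimate reason to sign in (assumed).
WEIGHTS = {"off_hours_access": 1, "unusual_geo": 1, "download_spike": 1, "post_termination_access": 2}
ALERT_THRESHOLD = 2                               # combined weight required before alerting


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-06T09:12:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def indicators_for(events):
    """Return {user: set of indicator names} derived from the event stream."""
    found = defaultdict(set)
    daily_bytes = defaultdict(int)   # (user, day) -> bytes downloaded that day
    for ev in events:
        user, ts = ev["user"], parse_ts(ev["ts"])
        inds = found[user]           # touching the key registers users with no findings too
        if ts.hour not in BUSINESS_HOURS:
            inds.add("off_hours_access")
        if ev["geo"] not in USUAL_GEO.get(user, set()):
            inds.add("unusual_geo")
        if user in TERMINATED and ts.date() > TERMINATED[user]:
            inds.add("post_termination_access")
        if ev["action"] == "download":
            daily_bytes[(user, ts.date())] += ev.get("bytes", 0)
            if daily_bytes[(user, ts.date())] > DOWNLOAD_SPIKE_BYTES:
                inds.add("download_spike")
    return dict(found)


def score(indicators):
    """Sum the weights of a user's indicators."""
    return sum(WEIGHTS[name] for name in indicators)


def alerts(events, threshold=ALERT_THRESHOLD):
    """Users whose combined indicator weight meets the threshold, sorted by name."""
    return sorted(u for u, inds in indicators_for(events).items() if score(inds) >= threshold)


if __name__ == "__main__":
    for user, inds in sorted(indicators_for(SAMPLE_EVENTS).items()):
        print(f"{user}: score={score(inds)} indicators={sorted(inds)}")
    print("alert on:", alerts(SAMPLE_EVENTS))
```

In the sample data, `alice` produces no indicators, `bob` accumulates off-hours access, an unusual location, and a download spike across several events, and `carol` is a departed user whose account still signs in. Adjusting `WEIGHTS` and `ALERT_THRESHOLD` is how a team would tune how much corroboration it wants before an analyst is paged.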

How To Mitigate Insider Threats

As users come and go, applications are deployed and deactivated, and security and business goals evolve, preventing insider threats is an ongoing process for any organization.

There are steps organizations can take, from the behavioral to the technical, that actively reduce the risk of insider threats.

Organizations can mitigate insider threats by:

1. Employing a security awareness training program. Conducted frequently if not on an ongoing basis, such a program should educate and test users on best practices that reduce insider risks, including how to spot phishing emails, password hygiene best practices, the risk of using unauthorized applications, and more. Negligent insider threats often occur because users simply aren’t aware of the risk they are creating, so fostering awareness and providing consistent education can help.

2. Implementing identity and access management (IAM) best practices. If your organization follows IAM best practices, such as MFA, the principle of least privilege (PoLP), strong password policy enforcement, and continuous monitoring of identity sources, your assets and applications will not only be more secure, but security teams will also be alerted if unusual user behavior occurs.

3. Deploying 24×7 monitoring across the environment, including identity sources of telemetry. Arctic Wolf found in its 2024 Security Operations Report that 45% of alerts are generated on weekends or after hours, and identity systems were the most common source of early detection. That means not only is monitoring those sources critical for preventing threats from turning into incidents, but also that monitoring needs to occur at all hours.

4. Continually improving identity security within your organization. Whether that comes from evaluating current access controls, adding MFA to all endpoints, fine-tuning identity-based alerts on your security monitoring software, or improving Active Directory security, security teams should continually work to harden the identity attack surface, which in turn reduces the risk of insider threats.
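Steps 2 and 4 both come down to regularly checking the identity inventory against a baseline. The following is an added example, not Arctic Wolf’s code, that audits a constructed identity export for three of the gaps named above: departed users whose accounts are still enabled, enabled accounts without MFA, and entitlements beyond what the user’s role needs under least privilege. The inventory layout, the role baseline, and the sample accounts are assumptions made for illustration.

```python
"""Audit a constructed identity inventory for the hygiene gaps the mitigation steps call out.

Added example; not Arctic Wolf's code. The inventory layout, the role
baseline and the sample accounts are assumptions for illustration.
"""
from datetime import date

# Constructed least-privilege baseline: the entitlements each role legitimately needs.
ROLE_BASELINE = {
    "analyst":    {"read_reports"},
    "contractor": {"read_reports"},
    "admin":      {"read_reports", "domain_admin"},
}

# Constructed inventory as it might be exported from an identity provider joined to an HR feed.
SAMPLE_INVENTORY = [
    {"user": "alice", "role": "analyst", "enabled": True, "mfa": True,
     "privileges": {"read_reports"}, "terminated": None},
    {"user": "bob", "role": "analyst", "enabled": True, "mfa": False,
     "privileges": {"read_reports", "domain_admin"}, "terminated": None},
    {"user": "carol", "role": "contractor", "enabled": True, "mfa": True,
     "privileges": {"read_reports"}, "terminated": "2024-05-01"},
]


def audit_identities(inventory, baseline, today):
    """Return sorted (user, finding) pairs for accounts that fail the hygiene checks.

    today is an ISO date string (e.g. "2024-05-07") so the audit is reproducible.
    """
    today = date.fromisoformat(today)
    findings = []
    for acct in inventory:
        user = acct["user"]
        # Departed users must be disabled: an enabled account past its end date is
        # exactly the post-departure access the indicators section warns about.
        if acct["terminated"] and acct["enabled"] and date.fromisoformat(acct["terminated"]) < today:
            findings.append((user, "terminated_but_enabled"))
        # MFA on every enabled account.
        if acct["enabled"] and not acct["mfa"]:
            findings.append((user, "mfa_disabled"))
        # Least privilege: anything beyond the role's baseline is excess.
        for priv in sorted(acct["privileges"] - baseline.get(acct["role"], set())):
            findings.append((user, f"excess_privilege:{priv}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_identities(SAMPLE_INVENTORY, ROLE_BASELINE, "2024-05-07"):
        print(f"{user}: {finding}")
```

Run on a schedule, the output of a check like this becomes the work queue for the access reviews step 4 describes; each finding maps directly to an action (disable the account, enforce MFA, strip the entitlement) rather than to an alert that needs investigation.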

Preventing Insider Threats with Arctic Wolf

Arctic Wolf understands how users and identities are both integral to IT environments and also a rising risk. Through our security operations approach, powered by the Arctic Wolf Aurora™ Platform, Arctic Wolf ensures that identity is not only a key source of telemetry in threat detections, but also that your security team is continually taking proactive steps to reduce insider threats.

From having our Concierge Security® Team work with your security and IT team to identify and close security gaps that may lead to insider threats, to offering Arctic Wolf Managed Security Awareness®, which educates users on current threats and reduces your organization’s human risk, Arctic Wolf ensures that insiders are a key consideration in your organization’s security strategy.

See how insider threats may be manifesting themselves in your environment with our 2024 Human Risk Behavior Snapshot.
Explore how a curated, micro-learning focused security awareness training program can reduce your human risk and stop negligent insider threats.
