We mark National Insider Threat Awareness Month by describing five ways organizations can spot malicious employees operating outside their network.
Insider Threat Awareness Month
We have published a new report, Combating Insider Threat with Dark Web Intelligence, to coincide with Insider Threat Awareness Month, a national campaign which aims to “help prevent the exploitation of authorized access from causing harm to your organization”.
Malicious insiders remain a persistent challenge for security professionals. They sit inside the perimeter, they need to have access to sensitive documents and data to perform their roles, and they have unique power to undermine the security of the organization from within.
Indeed, we regularly observe evidence of insider threats on the dark web. Employees post on forums to attract buyers in the cybercriminal community, cybercriminals try to recruit insiders, and those that have already done so advertise their “innys” for other cybercriminals to use for a fee. However, this activity on the dark web – where cybercriminals believe they can act with impunity – provides security teams with an opportunity to identify and stop insider threats.
For a full brief on how to combat insider threat with dark web intelligence, click here to download the full report, or read on for a quick overview of five ways you can spot insider threats outside of your network:
1. Monitor Dark Web Forums For Malicious Insiders
Security teams should be monitoring for employees using dark web networks such as The Onion Router (Tor) to communicate with the wider cybercriminal underworld or to leak data.
Typically, we observe malicious insiders using dark web hacking forums to:
- Advertise their employment at a company to attract cybercriminals interested in insider threat services.
- Offer initial access into a corporate environment for cybercriminals to bid on.
- Sell data or intellectual property that the malicious insider has already stolen from the company.
- Ask for guidance from cybercriminals on how they can exploit the company.
- Buy malware or other tools to execute an attack on the organization.
By monitoring dark web forums, organizations can identify indicators that their organization is being targeted, such as their brand name being used, leaked company data, or corporate email addresses. They can also gather intelligence that could help them in their investigation of a malicious insider, such as employee contact details or an indicator of which department the employee is in.
2. Monitor for Recruitment Posts Targeting Your Employees
Organizations should also be monitoring the dark web for cybercriminals who are trawling the underworld of the internet to recruit insiders for their operations. Cybercriminals routinely post adverts on dark web forums offering handsome payouts to employees who can provide them with privileged access. This is a major source of insider threat as, according to the Verizon 2023 Data Breach Investigations Report, 89 percent of malicious employees are motivated by financial gain.
3. Monitor for Tor Traffic to and from the Company Network
Connections from the company network to the Tor network are a very reliable data point for discovering insider threat because – in most organizations – there is virtually no good reason why an employee would be connecting to the dark web. Traffic going from an organization’s network to the dark web usually indicates one of only a few possibilities:
- An employee is engaging in illegal activity on the dark web, which is potentially putting the company at risk.
- An employee is deliberately engaging with cybercriminals through the dark web, which could include sharing data or providing access to the network.
- The network has already been compromised and the traffic leaving the corporate network is a beacon calling back to a command and control server.
Each of these justifies immediate investigation by the security team and should be seen as one of the clearest signals of potentially malicious activity.
Click here to find out more about monitoring dark web traffic.
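To illustrate the network-side signal described in this section, here is an added Python example (not from the report or the original post) that scans constructed firewall and DNS log lines for three Tor indicators: destinations in a known-relay list, the default Tor relay ports, and .onion names leaking to the corporate resolver. The relay addresses, log format and sample lines are assumptions constructed for the example; a real deployment would load the Tor Project's published relay list and refresh it regularly.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for a known Tor relay list (documentation-range IPs).
TOR_RELAYS = {"203.0.113.45", "198.51.100.7"}

# Default Tor relay ports: 9001 (ORPort) and 9030 (DirPort). Relays may run
# on other ports, so a port match is a weaker, secondary signal.
TOR_DEFAULT_PORTS = {9001, 9030}

# Assumed key=value log formats for firewall flow records and DNS queries.
FLOW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")
DNS_RE = re.compile(r"src=(?P<src>\S+)\s+query=(?P<name>\S+)")


@dataclass(frozen=True)
class Finding:
    src: str        # internal host that produced the traffic
    indicator: str  # what matched (destination, dst:port or DNS name)
    reason: str     # why it was flagged


def detect_tor_indicators(lines, tor_relays=TOR_RELAYS):
    """Return a Finding for every log line suggesting Tor use from the network."""
    findings = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            dst, dport = m["dst"], int(m["dport"])
            if dst in tor_relays:
                findings.append(Finding(m["src"], dst, "known Tor relay"))
            elif dport in TOR_DEFAULT_PORTS:
                findings.append(Finding(m["src"], f"{dst}:{dport}", "Tor default port"))
            continue
        d = DNS_RE.search(line)
        # .onion is a special-use TLD (RFC 7686); a query for it should never
        # reach the corporate resolver unless a host runs Tor-aware software.
        if d and d["name"].lower().rstrip(".").endswith(".onion"):
            findings.append(Finding(d["src"], d["name"], "onion DNS leak"))
    return findings


# Constructed sample log lines: one relay hit, one benign HTTPS flow,
# one default-port hit, one leaked .onion lookup.
SAMPLE_LOGS = [
    "2024-09-12T10:14:02Z fw src=10.0.4.21 dst=203.0.113.45 dport=9001 proto=tcp",
    "2024-09-12T10:14:05Z fw src=10.0.4.22 dst=203.0.113.1 dport=443 proto=tcp",
    "2024-09-12T10:15:10Z fw src=10.0.4.23 dst=192.0.2.88 dport=9030 proto=tcp",
    "2024-09-12T10:16:00Z dns src=10.0.4.21 query=abcdefghijklmnop.onion",
]

if __name__ == "__main__":
    for f in detect_tor_indicators(SAMPLE_LOGS):
        print(f"{f.src} -> {f.indicator}: {f.reason}")
```

Each finding names the internal source host, which is the starting point for the investigation the section calls for; the source IP is what ties the signal back to a user or device.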
4. Monitor Clear and Deep Web Hacking Sites
Organizations should also be monitoring for signals of insider threat on clear and deep web hacking websites (such as BreachForums or Cracked), as well as messaging services such as Telegram. These sites are more accessible to users with less technical capability, and so are popular with malicious insiders conducting “lower level” cybercrime such as fraud. However, more serious cybercriminal operations also use these sites to find malicious insiders who might not frequent the usual dark web forums where those operations are run.
Click here to read our recent blog on Telegram, which covered how cybercriminals use the messaging app to advertise their insiders at banks, insurers, and telecoms companies.
5. Build Threat Models, Run Table Top Exercises, and Threat Hunt
Beyond identifying incidents that specifically relate to them, monitoring externally for insider threats can help security teams to build out their threat intelligence and improve their readiness for attacks.
Threat hunting teams concerned about insider threat can proactively use the intelligence gathered by monitoring the dark web to investigate on the assumption that the insider is within their business. For example, they could pivot on the profile of an insider advertising their access within an organization to identify whether this is one of their employees. Alternatively, threat hunters could pivot on the profiles of the cybercriminals that interact with the post to identify their capabilities based on their wider dark web activity.
Even if companies aren’t resourced to conduct threat hunts, the dark web posts could be leveraged as inspiration for tabletop exercises. For example, take the scenario: “What if the employee in this post was within our business? How would we respond to this incident?” Having a predefined game plan in place can have a major impact once a real-life threat is identified.
Finally, many security teams have to consider malicious insiders with privileged access as part of their threat model and collect intelligence on the hypothesis that they have an insider threat. Standing intelligence requirements for this threat model could include:
- Identifying the assets that malicious insiders are likely to target.
- Identifying areas of weakness – such as uncontrolled access – and possible countermeasures.
- Identifying the adversaries that are likely to target their sector and how they might communicate and use insiders.
- Identifying potential trigger events for an attack – such as employee layoffs.
- Learning from previous incidents and public reporting of insider threats and leveraging that understanding to inform defense and detection capabilities.
Click here to read our blog on how to build a threat model.
Combating Insider Threat With Dark Web Intelligence
The dark web is used by employees and cybercriminals to try to communicate with each other and undermine the security of an organization from within. However, with this knowledge, security teams can take a proactive approach to monitoring for and identifying signs of insider threats before they have an opportunity to take hold.