Six archetypes of insider exfiltration
Published 07/02/2015
By Susan Richardson, Manager/Content Strategy, Code42
With all the talk about insider threats and the potentially dangerous brew of nomadic employees and data-to-go, there’s no time like the present to identify behaviors that come before a data leak.
Here are the top six:
- The Ship Jumper: Frequent absences, unexplained disappearances or unexpected medical appointments point to an employee who’s unhappy, distracted or looking to jump ship. Workers who have accepted a new job are the most likely to give data to a competitor. In what must be the most common insider threat scenario, a sales representative leaves the company for a competitor, taking sales opportunities with him. Concern over defectors leaving with data is prevalent in organizations of all industries and sizes, especially in competitive markets. Stealing customer data and leads is not only difficult to detect because it occurs on unsanctioned corporate applications, but it is also incredibly detrimental to the business.
- The Unhappy Camper: An employee who has been reviewed poorly or put on a performance improvement plan may seek revenge. When a bad performance review has been delivered, HR and IT should communicate so both can heighten monitoring. In a case where an IT employee was disgruntled, the hosting service Code Spaces was forced to go out of business when an attacker gained access to their Amazon Web Services (AWS) control panel and deleted customer data and backups.
- The Spendthrift: When an employee talks excessively about money, gets calls from collection agencies or takes a second job it may be a clue that he or she is experiencing financial problems. Be wary: these folks may steal data or sabotage company systems for personal gain.
- The Angler: When employees engage in “atypical” computer behaviors like taking their computer home for the first time, trying to exfiltrate CRM data, changing their computer configurations, repeated attempts to access privileged folders on the Intranet or shared drive, or the sudden appearance of external drives to back up data, it may be a tell that company data is being exfiltrated.
- The Uploader: If employees are using personal clouds, it’s highly likely they’re uploading files to take home (or elsewhere). Also, if the free space on an employee’s computer increases he may be deleting files to cover his tracks.
- The Ex: When office romance goes bad, some scorned lovers may seek to access personnel files or other personal information to “stalk” ex-lovers. Watch for increased failed password attempts. Other acts of revenge may be far more serious, like this one reported in the Harvard Business Review:
A manager complained to his superior about the person in question—a systems administrator who had been sending him flowers at work and inappropriate text messages and had continually driven past his home. Once clearly rejected, the attacker corrupted the company’s database of training videos and rendered the backups inaccessible. The company fired him. But knowing that it lacked proof of his culpability, he blackmailed it for several thousand euros by threatening to publicize its lack of security, which might have damaged an upcoming IPO. This costly incident—like most other insider crimes—went unreported.
It’s common sense to remove terminated employees from systems, yet a 2014 infosec survey showed that 13 percent of respondents still had access to previous employers’ systems using their own credentials. It is critical to void passwords, privileges and user accounts immediately—and to document and adhere to “stand down” procedures to protect the enterprise.