Addressing insider threats with logon management

(Image credit: Image Credit: Andrea Danti / Shutterstock)

With so much news focusing on external attacks, one of the greatest threats to your organization’s data security, revenue, and reputation is insider threats. Insiders – employees with access to data that is externally valuable - are responsible for 28% of all data breaches. While 28% may not seem as large as the implied 72% of attacks by external attackers, 28% is actually a massive number.

External attacks leverage automation, pre-programmed code, and the opportunistic nature of targeting millions of email addresses to seek out and find their next victim.  Insiders, on the other hand, are individuals who personally perform the threat action.  External attacks need to find the data they believe to be valuable, while insiders already know about every bit of your valuable data they have access to. So, while the 28% number may seem immaterial, it’s quite the opposite. 

In fact, insiders can pose a greater threat to the organization than external attackers. 

Every organization has confidential business data, customer data, employee PII, and intellectual property that should only be used for the benefit of the organization. And, because a malicious insider is using permissions to applications, resources, and data they have been granted as part of their job, it is extremely difficult to determine if activity should be considered a threat or not. That means they can steal information and you may never know it even happened! 

The insider can be anyone within the organization. In a recent survey, the concern around both privileged IT users and regular employees as potential insider threat actors by IT organizations was nearly identical. And they should be; anyone with access to data that’s considered valuable externally is potentially a threat.

Also keep in mind, almost every external attacker eventually looks like an insider. The use of compromised internal credentials by an external attacker is the most common threat action in data breaches. This underpins the value of identifying insider threats as early as possible. 

So, how can organizations spot the insider – preferably before a threat action takes place?

Spotting insider threats

The goal is to look for leading indicators of improper or malicious employee behavior. This is found in watching for abnormal user activity – but it needs to be activity that suggests a potential threat, and no necessarily activity that suggests threat activity is in progress. For example, you can watch for excessive copying of files, or surges in upload web traffic to spot potential data theft, but the reality is once these activities occur, it’s too late – the threat action has taken place. 

What needs to happen is to watch for activity that occurs well before threat actions are taken. The simplest and most common to every insider threat action is the logon. Nearly all threat actions require the logging on using internal credentials. Endpoint access, lateral movement between endpoints, external access via VPN, remote desktop access, and more all share the common requirement of a logon.

Let’s cover three potential insider threat scenarios and discuss how logon management helps identify and address insider threats.

Scenario 1: the malicious insider

In this scenario, the employee is using their own credentials, leveraging any granted privileges for their own purpose. This can be anything from stealing data valuable to them personally, to data valuable to a competitor or startup, to data sellable on the black market.

The malicious insider knows they can be caught, so their primary objective is to hide their activity. Some common ways they attempt to do this (which also serve as threat indicators) include:

  • Coming in to work early – Nothing says “no one will know” than no one being around. Insiders take advantage of early morning hours to perform threat actions.
  • Leaving work late – In similar fashion, staying after hours has the same effect.
  • Multiple logons – Insiders often become nervous, stopping themselves from continuing. This results in multiple successive logons and logoffs within a short period of time. 
  • After hours logon – An employee who never comes in on a Saturday who suddenly does is suspect. 
  • Remote logon – Malicious actions are easier from the comfort of your own home. Remote access to the corporate network by someone that normally doesn’t should raise some eyebrows.

Using logon management to identify and stop an insider

  • Logon Auditing – Logon anomalies around time, frequency, type, and source machine can all easily be identified, allowing IT teams to respond appropriately.
  • Logon Policies – Restrictions can limit when used can logon, from where, how often, and using which session type (interactive, RDP, over Wi-Fi, etc.). This limits employees logon options, which can deter them from performing threat actions.
  • Time Restrictions – Should an employee want to “hang out” after hours, users can be forcibly logged off at end of an approved work schedule.
  • Responsive Actions – Upon being notified, IT can mirror sessions to monitor actions, can lock the workstation, and forcibly lock out a user from the session – all before anything malicious occurs.

Scenario 2: malicious insider with stolen or shared credentials

Sometimes the insider doesn’t use their own credentials at all. Instead they leverage another user’s credentials. How did they get the credentials? They were shared. In a recent study, we found that 49% of employees (from key departments like legal, HR, IT, Finance, and more) share their credentials with fellow employees.

Insider using another’s privileges is a great way to instantly increase the breadth and depth of their access to valuable data. Common indicators of credential misuse include:

  • Logon from a Different Workstation – It’s far more likely that the “borrowed” credentials will be used from the insider’s own workstation than the one normally used by the user owning the credentials.
  • Logon at Abnormal Times – Employees are, generally, creatures of habit.  They come and go along the same schedule.  So, it’s likely that the insider’s logon will look unusual.
  • Simultaneous Logons – The insider isn’t going to wait until the credential’s owner is logged out; they’ll log in while the credential owner is still logged on. Or, at least, attempt to do so (depending on whether or not you have restrictions around concurrent logons in place).

Spotting and stopping the insider with logon management

  • Logon Policies – Policies can be setup to limit simultaneous logons, restrict logon to the credential owner’s workstation, and deny simultaneous logons from different systems.
  • Auditing and Notifications – IT can be notified of both attempted and successful anomalous logons.
  • Responsive Actions – Should a logon appear suspect, not only can the user be logged off, but the account can be blocked from any further logons (until lifted by IT).

Scenario 3: malicious attacker with compromised credentials

The most common external attack model involves the attacker first establishing a foothold using their initially compromised endpoint.  From there, they need to move laterally across the organization, jumping from one machine to the next in an attempt to search for, identify, and access valuable data.  For every jump, there must be a logon. Common indicators include:

  • Logon from Workstation to Workstation – Connections from one endpoint to the next, to the next will occur to facilitate lateral movement. 
  • Abnormal Logon Times – External attackers take advantage of the access they’ve attained and won’t wait for the next business day.  They will begin lateral movement the moment they can.
  • Multiple Simultaneous Logons – If a compromised account provides them access to a wide range of endpoints, they will use that account over and over again, resulting in numerous logons from the same account.

Spotting and stopping the insider with logon management

  • Logon Policy – Policies can be established to limit from which machines or IP address ranges an account can logon, severely limiting the use of a compromised account and stopping lateral movement. 
  • Auditing and Notification – Monitoring of attempted use can alert IT and move them into action to respond to the threat.
  • Block the Attack – Before malicious activity occurs, the logged-on session can be terminated and, most importantly, the account can be blocked from logging onto any system on the network. 

Stopping insider threats at the logon

The insider threat is real and it’s here. Today. On your network already.  They are the employee’s you work with every day, where the shift to them becoming an insider may take little more than a broken-up relationship, passed up promotion, or personal hardship. So, having a proactive and cost-effective solution to address insider threats is as important as your endpoint protection, firewalls, and email gateway.

The common factor to every insider scenario is the logon. By leveraging Logon Management, you put the focus of your insider threat detection and response well ahead of any malicious actions that could take place, stopping the insider dead in their tracks, with IT in complete control. 

François Amigorena, CEO of IS Decisions 

François Amigorena

François Amigorena is CEO of IS Decisions who develop the logon security solution UserLock. He is an expert in solutions for user access control, file auditing, server and desktop reporting, and remote installations, IS Decisions combines the powerful security today’s business world mandates with the innovative simplicity the modern user expects.