Earlier today we published our 2022 Insider Risk Report, our fifth consecutive since 2017. The purpose of our reports is simple: help business leaders, cyber security executives and practitioners, advisory and research organizations, and MSSP providers understand the activities, behaviors, and communications among employees, consultants, and partners that create unnecessary risk and threaten the security of regulated data, workforce privacy, industrial intellectual property, and financial information. As with previous reports, this year’s report is driven by real data observed as part of thousands of investigations at hundreds of customers with whom the DTEX i3 Insider Risk Intelligence and Investigations Team worked closely in 2021 to detect and respond to potential insider risk incidents before a breach occurred, not data collected as part of a blind online survey.
What we learned in 2021 was fascinating. The effect that the shift to Work-from-Anywhere (WFA) had on insider psychosocial behaviors was dramatic and increased organizational risk across all sectors. This shift, coupled with a measurable increase in employee attrition toward the end of 2021, created the perfect storm for insider threats. Ultimately what we came to understand along with our customers is if your organization didn’t observe a proportional increase in attempted or actual data loss, then you were likely not looking.
This year’s report digs deep into the complex relationship between cyber security technologies and programs and human psychosocial behaviors in the new, permanent reality of WFA. What we found both proved and disproved long-standing technological approaches to data loss prevention and user behavior analysis, further defined the difference between insider ‘risks’ and ‘threats,’ and brought to the surface evidence of a new threat: the Super Malicious Insider. The Super Malicious Insider is a technically proficient user who is acutely aware of an organization’s cyber security architecture, solutions, and processes and who understands both the technical and human-analyst limitations in detecting insider threat indicators.
Related to this new persona, investigations performed by the DTEX i3 team found a dramatic increase (32%) in the use of sophisticated insider techniques across the insider incidents they studied including a 43% increase in the usage of burner email accounts, a noticeable increase in the use of OSINT practices to conceal identity, and the active avoidance (96%) of techniques known in the MITRE ATT&CK framework.
Along with details and indicators that suggest a Super Malicious Insider may be present, the 2022 report includes eight real-world incident spotlights collected through our work with hundreds of organizations over the last 12 months. These identify and highlight never-before-captured workforce activities that indicate emerging threats, and examine the effect of the shift to remote work on the employee psychosocial behaviors that create organizational risk. Here are some of our key findings:
- The ‘Super Malicious Insider’ accounted for 32% of malicious insider incidents investigated by DTEX i3 in 2021;
- 72% year-over-year increase in actionable insider threat incidents;
- 42% of which were related to IP and data theft, including industrial espionage incidents related to the theft of trade secrets, source code, and active collusion with a foreign nexus;
- 75% of insider threat criminal prosecutions were the result of remote workers;
- 56% of organizations had an insider data theft incident resulting from employees leaving or joining companies;
- +200% year-over-year increase in data loss associated with users taking screenshots during confidential Zoom and Microsoft Teams meetings; and
- +300% year-over-year increase in employees utilizing corporate assets for non-work activities.
How do we apply what we learned in 2021 to what we thought we knew and use it to our advantage as cyber security and risk professionals to build a better, more secure environment for our distributed workforces and our data? We have several ideas based on what we learned in 2021 and over the last 10 years. One of these is: Look for the Early Indicators of Malicious Intent, Not Only Exfiltration.
Exfiltration is the last step in an Insider Threat attack, and once data has been removed from your network, applications, and endpoints, it is nearly impossible to retrieve. Regardless of the methodology you use to build your program or the technology solution you choose, be sure to understand the Insider Risk Framework and the steps that precede exfiltration. These include Reconnaissance, Circumvention, Aggregation, and Obfuscation and are marked by a set of common indicators and behaviors. When sequenced, these behaviors illustrate a clear intent to exfiltrate data and will allow you to mitigate threats before data is exfiltrated.
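As an added illustration of sequencing the pre-exfiltration stages named above (this is example code, not DTEX's product logic), the script below scores each user by how far they have progressed through Reconnaissance, Circumvention, Aggregation, and Obfuscation in framework order within a time window. The telemetry rows, user names, the mapping of raw activity onto a stage, and the 30-day window are all constructed assumptions for the example.

```python
from datetime import datetime

# The four stages the post says precede exfiltration, in framework order.
STAGES = ["reconnaissance", "circumvention", "aggregation", "obfuscation"]

# Constructed sample telemetry for this example: (timestamp, user, stage).
# Mapping raw endpoint activity onto a stage is assumed to have happened
# upstream; these rows are not real data.
EVENTS = [
    ("2021-11-01T09:02:00", "alice", "reconnaissance"),
    ("2021-11-02T10:15:00", "alice", "circumvention"),
    ("2021-11-03T14:30:00", "alice", "aggregation"),
    ("2021-11-04T16:45:00", "alice", "obfuscation"),
    ("2021-11-01T11:00:00", "bob", "aggregation"),      # out of order
    ("2021-11-02T11:00:00", "bob", "reconnaissance"),
    ("2021-10-01T08:00:00", "carol", "reconnaissance"),
    ("2021-11-15T08:00:00", "carol", "circumvention"),  # outside the window
]


def stage_progression(events, user, window_days=30):
    """How many framework stages `user` has completed in order.

    Stage k counts only if it is observed after stage k-1, and every stage
    must fall within `window_days` of the first one; an isolated or
    out-of-order stage does not advance the chain.
    """
    timeline = sorted((datetime.fromisoformat(ts), stage)
                      for ts, who, stage in events if who == user)
    reached, first_seen = 0, None
    for ts, stage in timeline:
        if reached == len(STAGES) or stage != STAGES[reached]:
            continue
        if first_seen is None:
            first_seen = ts
        elif (ts - first_seen).days > window_days:
            break  # chain went stale; stop counting
        reached += 1
    return reached


def flag_users(events, min_stages=3, window_days=30):
    """Users whose ordered progression has reached `min_stages` or more,
    i.e. a sequence worth investigating before exfiltration occurs."""
    users = {who for _, who, _ in events}
    scores = {u: stage_progression(events, u, window_days) for u in users}
    return {u: s for u, s in scores.items() if s >= min_stages}


if __name__ == "__main__":
    print(flag_users(EVENTS))  # {'alice': 4}
```

Only alice is flagged: bob's stages are out of order and carol's second stage falls outside the window, so neither sequence shows the intent the framework describes.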