The most common goal of malicious insiders is stealing (or data exfiltrating) sensitive data by copying, transferring, emailing, or printing it without authorization. Targeted data can include customer lists, source code, patent applications, trade secrets, and other IP. The motivation to steal data is often for personal gain such as bringing competitive information to a new employer. Our 2022 Insider Threat Report showed that 56% of organizations had sustained potential data exfiltration and theft because of employees leaving or joining the company. (That’s right. You may have legal liability when new employees bring sensitive information from their former employers to your company.)
Insider threats are also more damaging than external threats. The 2022 Verizon Data Breach Investigation Report found that while external actors were responsible for the majority of data breaches, “The median size (as measured in the number of compromised records) for an insider breach exceeded that of an outsider by more than 10 to one.” This makes sense. Insiders know where the sensitive information resides and often have legitimate access to the data as part of their daily tasks.
Stopping data theft by insiders is critical, but many organizations go about it in the wrong way. These organization focus a lot of energy trying to make sure they have smart data exfiltration prevention — the moment a user hits “transfer,” the green upload bar starts in Dropbox, or the minute a USB device is ejected. This approach requires a view that data exfiltration attempts happen quickly, in one fell swoop. The truth is that most insider attacks are not random or impulsive acts. Insider threats follow a process called a “kill chain” with four distinct steps before the final step of exfiltrating data from the organization:
- Reconnaissance: finding the target data
- Circumvention: bypassing security controls to avoid detection
- Aggregation: collecting the targeted data into a single location
- Obfuscation: disguising the data prior to exfiltration
- Exfiltration: removing the data from the organization via electronic or physical means.
Once a malicious user completes these steps, exfiltration occurs. Disrupting that process at any point of the kill chain prevents data exfiltration. How? By analyzing user behavior to discern user intent.
Identifying an attack at these earlier stages is where you separate the good from the bad in insider risk solutions. Traditional DLP approaches that look for specific actions by specific users on specific data can’t anticipate exfiltration (and require too much overhead for rules creation and curation). They are also ineffective. The volume of data passing through a SOC can be overwhelming. When each suspicious action requires triaging and investigation, the result is alert fatigue – too many alerts and difficulty separating real issues from the noise of inconsequential alerts and false positives.
A better approach is to focus on threat behavior: the actions insiders take, and the intent behind those actions, as part of the insider threat kill chain. By understanding activities in the context of data, machines, Applications, and people, DTEX can identify indicators of malicious intent – the activities that provide clues as to when malicious actors are performing reconnaissance, circumvention, aggregation, obfuscation – long before exfiltration.
DTEX enables organisations to proactively mitigate insider risk by providing visibility into context and user intent, all the while maintaining privacy and employee trust. Learn more about DTEX and how our InTERCEPT platform delivers risk-adaptive data protection.