
Understanding hackers: The insider threat

January 19, 2022, by Ted Harrington

“Oh, we’re good, we do external penetration testing.”

Have you heard people say this (or perhaps even said it yourself)?

Companies often think of attackers as something that comes from the outside, yet overlook the far more dangerous threat: attackers from within. Have you adequately considered how the people you already know and trust might actually be a threat vector?


Furthermore, even companies that are considering the insider threat often mistake it for a single attacker type, when it’s actually a collection of attacker types. Some act opportunistically, while others simply make a mistake. Some were once trustworthy but then become disgruntled, while others act maliciously from the outset.

These insiders pose a real risk, and if your security approach doesn’t consider attacks coming from both external and internal attackers, it’s time to look inside. 

Who is an insider threat?

As we talk about attackers, let’s make sure we understand that despite what the media might suggest, “hackers” aren’t inherently bad: that term simply refers to someone who makes things behave differently than intended. Good guys do that too. In this article, we’ll explore the bad kind of hackers, the ones who do harm to your company, especially from the inside.

So, the first question we need to answer is this: who is a potential insider threat?

Many people think that an insider is an employee. That is often true. However, being an insider is not about employment status; it’s about having elevated trust and elevated access. 

Elevated trust means this person is trusted more than other people. There is confidence that this person will not harm the company. Elevated access means this person can access more systems and more assets than other people. This person was hired to perform a job and provided the means to do it. 

Insiders have these conditions; an adversary attacking from outside the company does not. All employees have these conditions, of course. However, other trusted parties do, too. Your vendors, third-party integration partners, consultants, advisors, board members, janitors, shareholders and maybe even your family members can all become the insider threat, too.

Understanding motivations

To combat an internal attacker, it’s important to understand their motivations. Why are they attacking your company? Generally, the insider threat falls into four categories: accidental insider, opportunistic insider, disgruntled insider or malicious insider. 

The first is when someone acts accidentally. They are otherwise trustworthy and don’t mean to harm your company — they just do something dumb. Even the smartest people click malicious links, download malicious attachments, give up passwords and plug in malicious USB devices. It’s up to you to protect your systems against employees making a mistake that could result in a breach. 

The second, an opportunistic insider, is motivated by personal gain if — and only if — they think they can get away with it. They don’t set out to harm your company, but if a good opportunity arises to obtain some personal benefit, they’ll try. This attacker matters to every company because you must provide access to insiders, and some may attack if they think they can get away with it.

The third type is the disgruntled insider. These individuals are motivated primarily by revenge. They start as loyal people, but then something changes. Maybe they are denied a promotion or a contract, or disagree with a stance taken by the CEO. As a result, they become angry and set out to hurt your company.

Finally, the most dangerous attacker is the malicious insider. This is someone working with an outside group (such as a nation-state or organized crime) to actively harm your company. In some cases, the malicious insider is already an agent when seeking a job or contract with you; in other cases, they’re recruited later. Your enemies know that getting an insider is the most effective way to achieve their malicious goals, which is why it’s so important to protect against exploitation from the inside.

Identify and secure your attack surfaces

Now that you understand where insider attacks might come from, you’ll want to protect against them as best as you can. To do that, you need to identify and secure your attack surfaces. 

Attack surfaces include any points where data is transferred or accessed. These are the areas where your system is most vulnerable. This might include your web app’s front end, interfaces such as your API or your system’s backend. 

Ask yourself, “Where can users interact with the system? Where can other systems interact with this system? What third-party integrations does the system rely on?” 

Examine each of the attack surfaces with a malicious mindset, considering how an attacker might exploit the system from an insider’s vantage point. 

Don’t assume you know who will attack

As humans, we often want to trust those we work closely with. After all, your coworkers, contractors and vendors have all passed some sort of trustworthiness sniff test in the first place. It can feel unnatural to be suspicious of those people. However, to successfully defend — especially against attacks originating from the insider threat — it’s imperative that we understand this collection of attackers.

Some insiders might harm your company by accident, others are simply waiting for the right opportunity to present itself, and some are actively motivated to cause damage. Don’t consider attacks only from the outside; instead, consider the insider threat. And don’t think of insiders as a single group either; understand the differences between the different types of insiders.

When you do these things, you set yourself up for security success.

Ted Harrington

Ted Harrington is the #1 bestselling author of "Hackable", which led to his TED talk “Why You Need To Think Like a Hacker.” He’s the Executive Partner at ISE, the company of ethical hackers famous for hacking cars, medical devices, and web apps; he also co-founded START, software which simplifies vendor risk management. His clients include Google, Amazon, and Netflix, and he has been featured in more than 100 media outlets, including The Wall Street Journal, Financial Times, and Forbes. His team founded IoT Village, an event series whose hacking contest is a four-time DEF CON Black Badge winner, and he hosts the Tech Done Different podcast.