Defending against “Flight Risk” Employees

Security firms, media houses, and the InfoSec community at large dedicate a lot of time to the discovery, analysis, and reporting of the latest malware strains. Whether ransomware, creepware, MageCart attacks, or the host of other malware types, it is these threats that need to be defended against. But what of inside threats, such as the threat posed by a disgruntled employee who is about to resign and still has access to sensitive data? While most agree that such a threat needs to be defended against, how to do it efficiently remains a problem, leaving holes in even the most secure of organizations.

According to Securonix and their recently published 2020 Insider Threat Report, employees who are planning to leave their job are involved in 60% of insider cybersecurity incidents and data leaks. These employees are seen as “flight risks” and are defined by researchers as,

“An employee who is about to terminate their employment with a company for various reasons. These employees typically show flight risk behavior patterns when their browsing behavior and email behavior indicate they are leaving the company. This behavior is pertinent to insider threats because over 80% of flight risk employees tend to take data with them, anywhere from 2 weeks to 2 months prior to their termination date.”

Closely related to this definition is the researchers' definition of an insider threat which states,

“An insider threat is the risk posed by employees or contractors regarding the theft of sensitive data, misuse of their access privileges, or fraudulent activity that puts the organization’s reputation and brand at risk. The insider’s behavior can be malicious, complacent, or ignorant, which in turn can amplify the impact to the organization resulting in monetary and reputational loss.”

The threats posed by “flight risk” employees are certainly not imagined, as the data used in compiling the research paper involved 300 cases across eight industries. From the data set it was found that organizations within the pharmaceutical sector experienced the highest number of insider threat incidents. This is due, in part, to the high value assigned to intellectual property by nation-state actors as well as corporate espionage activities. Given the profits involved in bringing drugs to market, disgruntled employees may feel more motivated to commit a crime if deemed financially worth their while. This was followed closely by the financial sector, whose information is also prized for similar reasons.

For many organizations, even those with well-developed security strategies to combat insider threats, the increased adoption of cloud-based resources has left avenues open to exploit. Organizations will often turn to third-party cloud-based applications to reduce costs and remain competitive. However, this does open up a number of vulnerabilities that may be taken advantage of. As part of the research, insights were garnered into how data is exfiltrated by “flight risk” employees. Data exfiltrated via email is still the most popular method but cloud-based attempts saw a sharp rise with experts believing that such attempts will increase in the future as organizations come to rely on such technology to a greater extent. An area that has seen improvement in recent years is data exfiltration attempts using USB disks. This decrease is due to organizations either completely blocking USB usage or placing strict limits on their use.

Defending through Detection

The key to defending against insider threats is looking at how to predict and then detect behavior associated with insider threats. Of the 300 case studies used by the firm’s researchers, it was found that specifically looking for behavior anomalies proved to be one of the best methods for detecting potential insider threat activity. An anomaly can be seen as anything that deviates from what is deemed a baseline of normal behavior. For example, when analyzing an employee’s email behavior, data pertaining to the size of attachments can set a baseline, and any outlier from that baseline can then be seen as an anomaly. One such method to determine this is described as,

“…behavior anomaly algorithms using min/max clustering applies unsupervised machine learning techniques to baseline normal activity and then measures large deviations from that normal activity on a daily basis. This has proven to be successful in detecting nefarious insider threat behaviors.”

Other than email abuse, researchers determined a set of behaviors, along with privileged account abuse, that may be indicators of malicious or ignorant behavior that places the organization at risk. By far the most numerous behavior seen throughout the study was attempts to circumvent IT controls. This was seen more often in mid to large size organizations where policies and procedures had not been clearly defined. Further, IT controls would be circumvented if users became complacent. Examples of such behavior include employees running PowerShell with no proper business justification, a spike in undocumented account creation, and misuse of service accounts, where explicit credentials were used to run non-business approved programs. In concluding, researchers stated the following regarding the current reality and how best to defend against it,

“Using traditional technologies – such as DLP tools, privileged access management (PAM) solutions, and other point solutions – is not sufficient to detect insider threat behavior today. The adoption of cloud systems presents a complex threat fabric that requires advanced security analytics that utilize purpose-built algorithms to detect specific outcomes. In addition, it is essential to stitch these indicators together to form a threat chain that represents a holistic threat, which allows for effective response and threat mitigation. In order to detect privileged access abuse, which is an important insider threat for companies to combat, by applying a curated multi-stage detection, which combines a rare occurrence of an event in conjunction with anomalies that indicate suspicious or abnormal usage, is proving to be effective since it combines deviations from what is deemed as “normal” behavior for accounts, users, and systems.”
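The baseline-and-deviation idea and the "rare event plus anomaly" chain described above, as an added example that is not code from the report or from Securonix. A plain per-user min/max envelope stands in for the min/max clustering the researchers mention; the sample records, the factor `k`, the 7-day window, and all function names are assumptions made for illustration.

```python
from collections import defaultdict
# Constructed sample data: (user, day number, outbound attachment bytes, event types).
BASELINE = [("alice", d, 2_000_000 + 150_000 * (d % 5), {"email"}) for d in range(20)]
BASELINE += [("bob", d, 40_000_000 + 5_000_000 * (d % 4), {"email", "powershell"})
             for d in range(20)]
OBSERVED = [
    ("alice", 20, 2_300_000, {"email"}),
    ("alice", 21, 2_400_000, {"email", "powershell"}),  # rare event, normal volume
    ("alice", 23, 95_000_000, {"email"}),               # volume far above baseline
    ("bob", 21, 52_000_000, {"email", "powershell"}),   # normal for bob
    ("carol", 22, 1_000_000, {"email"}),                # user with no baseline
]

def build_profiles(rows):
    """Per user: min/max of daily bytes and the set of event types seen."""
    prof = {}
    for user, _, sent, events in rows:
        p = prof.setdefault(user, {"lo": sent, "hi": sent, "events": set()})
        p["lo"], p["hi"] = min(p["lo"], sent), max(p["hi"], sent)
        p["events"] |= events
    return prof

def indicators(rows, prof, k=3.0):
    """Return (user, day, indicator) for deviations from the user's own baseline."""
    out = []
    for user, day, sent, events in rows:
        p = prof.get(user)
        if p is None:  # never baselined: surface it rather than skip silently
            out.append((user, day, "no_baseline"))
            continue
        # Large deviation: above the observed max by k times the min/max spread.
        if sent > p["hi"] + k * max(p["hi"] - p["lo"], 1):
            out.append((user, day, "volume_anomaly"))
        out += [(user, day, "rare:" + e) for e in sorted(events - p["events"])]
    return out

def threat_chains(inds, window_days=7):
    """Alert only when a rare event and a volume anomaly co-occur for one user."""
    by_user = defaultdict(list)
    for user, day, ind in inds:
        by_user[user].append((day, ind))
    alerts = {}
    for user, items in by_user.items():
        rare = [d for d, i in items if i.startswith("rare:")]
        vol = [d for d, i in items if i == "volume_anomaly"]
        if any(abs(v - r) <= window_days for v in vol for r in rare):
            alerts[user] = sorted(items)
    return alerts

ALERTS = threat_chains(indicators(OBSERVED, build_profiles(BASELINE)))
```

Because each user is measured against their own history, bob's routine PowerShell use and 52 MB day raise nothing, while alice's first PowerShell run followed two days later by a 95 MB day forms a chain.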

Real-World Scenario

In November 2019, Trend Micro, a well-known and respected security firm, announced that it had suffered an insider threat incident. The incident involved an employee who improperly accessed customer data and subsequently stole the data of approximately 70,000 customers. The data was accessed via the customer support database where names, email addresses, support ticket numbers, and some telephone numbers were stolen. The stolen data was then used to help facilitate targeted scams. Using sensitive data such as what was stolen to bolster a scam can give it an air of legitimacy, something all scammers strive for when convincing potential victims. If the victim feels that the scam is exactly what it pretends to be, the chances of success for the scammer are much higher.

As to the exact nature of the scam, Trend Micro released no further details but did suspect that the incident was a coordinated effort between the employee and a third party. Those who uncovered the incident believe that the information was sold on to a third party; who that party is has either not been determined or not disclosed to the public. Impacted customers, predominantly English-speaking, have been notified, and the cybersecurity firm is keen to emphasize that the data theft likely only affected less than one percent of Trend Micro's 12 million customers. Even at less than one percent, any incident that potentially can affect 120,000 customers drags the organization’s name through the mud, and a certain amount of PR fallout is to be expected. The employee was subsequently fired and law enforcement notified. Trend Micro added,

“There are no indications that any other information such as financial or credit payment information was involved, or that any data from our business or government customers was improperly accessed,”

This news followed another embarrassing scenario in Trend Micro’s history where the company again was forced to apologize and take other steps to recover from a PR nightmare. This time antivirus products owned and developed by the firm were capturing user data, including “snapshots” of user browser history, and sending them to servers.

Given the high prices that intellectual property and sensitive personal information can demand on the Dark Web, the temptation for disgruntled employees planning to leave an organization to make some cash on the side, albeit illegally, will remain. It is no longer enough to defend against outside threats alone; the potential of insider threats must be defended against as well. Hackers and other threat actors are keenly aware of this, with many malware-as-a-service operations actively looking to recruit partners in large companies that have privileged access to company networks. For the hacker this bypasses the need to attempt to compromise a network using spam emails and specific malware strains that have a large chance of failing. Having someone on the inside increases the chance of success, a fact criminal organizations have looked to exploit for eons.

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.
