Insider threats: The cyber risks lurking in the dark

More and more IT professionals are dealing with a growing issue that is lurking within their own organizations. With recent high-profile data breach stories hitting the headlines, the risk posed by insider threats has become a matter of utmost concern for IT teams, with such incidents rising 44 percent over the past two years according to the 2022 Ponemon Cost of Insider Threats Global Report.

While insider threats are perceived by the general public as disgruntled employees actively sabotaging systems or stealing data to sell to competitors, the problem is much more complex than that. Due to the rising cost of living world-wide, more employees will become susceptible to the requests of malicious actors looking for potential accomplices for deploying ransomware. In addition, misusing insider access is not only limited to unleashing ransomware, as users may feel incentivized to also sell their credentials in a bid to make easy money. These risks raise huge concerns for any organization, as user privileges can be easily taken advantage of and escalated to take over critical IT resources. In fact, our own Quest security assessments found out that a significant portion of user accounts -- an impressive 70–100 percent -- have access rights that can be easily escalated by hackers to gain access to Tier Zero assets, including the Active Directory domain.

Unfortunately, the threat doesn’t end there, as hackers are always on standby for any opportunity to wreak havoc -- including exploiting careless mistakes made by employees. Hackers can use these mishaps to gain control of credentials in your environment, transforming themselves from outside attackers into insider threats.

We know that having visibility over your organization’s user accounts can be difficult. With so many companies having hundreds, if not thousands, of user accounts with various levels of privileges -- where do you even begin?

You can start by taking a look at these three best practices that will help you mitigate insider threats and improve your company’s cybersecurity posture.

Understanding your organization’s control privileges

The first step in mitigating the insider threat is to get a clear picture of who has access to what. For most companies, that means understanding your Active Directory users and groups and the permissions assigned to them. A common area of focus for many organizations are groups such as Domain Admins, Enterprise Admins and Account Operators. Membership in any of these powerful groups provides enormous amounts of privilege over an environment, so it is critical to keep them under tight control.

Unfortunately, hackers often know that these groups are highly monitored, so they look for other ways to elevate their privileges. For example, malicious actors can try to get local admin access on the database server with the data they’re after or compromise an account that has access to the data they want, whether it’s an admin account or a user account. Moreover, as noted previously, it doesn’t necessarily require either privileged credentials or malicious intent to cause serious problems -- a hurried user or a careless admin might simply make a mistake that compromises your data.

Having the right control over your GPOs

Group Policy Objects (GPOs) are collections of policy settings that you can use to control password complexity requirements, prevent users from accessing parts of the system, rename the Administrator account or reset its password, deploy custom registry values, and much more. It’s hard to overstate the power of Group Policy in any Microsoft environment. Just one modification in a GPO by a malicious actor can quickly lock users out of business-critical applications, or even cause ransomware or other malware to run when the system starts up, possibly leading to crippling data loss or system downtime.

Setting up the adequate admin privileges  

Your final key priority should be focusing on reducing the ability of hackers to gain control over users accounts in the first instance. In most of the cases, user workstations are targeted first. Once attackers get a foothold on a user workstation, they look for credentials they can use to move laterally to other systems and maliciously escalate their privileges. It’s bad enough if they collect user credentials, of course, but it’s far worse if they manage to harvest admin credentials that grant more powerful privileges. Therefore, it’s critical to closely control where admin credentials are used. 

There’s no magic bullet to eliminate the insider threat completely. However, ensuring the right level privileges to your users and admins is mandatory if you want to minimize any unwanted access to your systems. By implementing these threes simple practices, your organization will be in a far better place to correctly respond and protect itself from the constant risk of insider threats.

Image Credit: LeoWolfert/Shutterstock

Bryan Patton is Principal Strategic Systems Consultant, Quest.