Insiders are being actively recruited by criminals operating on the Dark Web, according to Gartner clients. Disgruntled employees working at companies across many sectors, such as financial services, pharma, retail, tech, and government are gladly selling their services to the bad guys in order to inflict harm on their employers. Seeking harm and revenge on employers is a bigger incentive for insider threats than is stealing money from employers, according to our clients.
Gartner clients are increasingly inquiring about how to address and mitigate insider threats – which is a stark contrast to just two years ago when private sector clients would barely utter the words ‘insider threat’. (Of course combating insider threats became a passion and a mandate in the federal government, following the Snowden leaks).
Gartner clients tell us that the reason for the increase in insider threats is in fact the ease in which disgruntled employees can ‘get back’ and harm their employees by selling their insider knowledge and services to bad guys on the dark web. All they have to do is log onto TOR and make their available services known and the criminals happily pounce on their offers. The criminals even bicker amongst themselves for control and ownership of a trusted insider. See graphic below for a screenshot of this activity from a relatively new threat intelligence firm, Diskin Advanced Technologies.
Insider Threat Detection and Insider Intelligence
Upcoming research will outline best practices for detecting insider threats but in sum, (as always) we advocate a multi-layered approach where;
- Different physical world and technology based methods are used for different types of insiders (see diagram below)
- On the technology front, enterprises should;
- Consider using ‘insider intelligence’ along with employee activity analytics and monitoring. Insider intelligence combines both internal and external information to create a ‘dossier’ on each employee, highlighting those that present the most risk to the organization (see below). Creepy I know, but necessary in high risk situations.
- Decide if they want to take a ‘light’ ‘medium’ or ‘serious’ data and information approach, that differs based on the type of data and information fed into the insider threat analytics system. (See diagram below). The analytics will only be as good as the data it has to work with.
3. Determine which type of analytics they want to use. Most will want to start by discovering and highlighting ‘known’ bad activities. Gartner clients tell us that about 80% of insider threat techniques are ‘known’. Once comfortable with that type of detection, enterprises can move on to detecting ‘unknown unknowns’ using anomaly detection or unsupervised machine learning. (See diagram below).
Combating insider threats is a sensitive and potentially creepy undertaking. No one wants to impinge on employee privacy but at the same time, no one wants to watch years of expensive R&D or other undertakings go down the tube either. Organizations will have to be the judge of how high their risks are and how far they need to go fighting it.
Organizations also can’t count on technology solutions to solve all their insider threat problems. Technology solutions will NEVER catch trusted insiders doing normal things. For that, we still need good old fashioned workforce management, perhaps supplemented by new evolving ‘insider intelligence’ solutions.
One thing is for certain – insiders are very much in demand in the Dark Web.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.