How to Detect Malicious Insiders: Using Behavioral Indicators to Respond to Insider Fraud

5 important things to know about insider fraud

Internal fraud proceeds in secret. Because insider threat actors operate inside the organization's network, already have access to critical systems and assets, and use known devices, they can be very difficult to detect.

1 - Two Types of Internal Fraud

Insider threats are carried out by people who are trusted to do business within an organization's network. There are two types:

  • Compromised Insider: An outsider who gains access to systems using a legitimate insider's stolen credentials. If the attacker remains undetected, the intrusion can become a long-lived Advanced Persistent Threat (APT), using continuous, stealthy techniques to keep a foothold in the organization.
  • Malicious Insider: Employees, contractors, partners, and other trusted individuals who have been granted some level of access to systems. They may be using company data and networks to generate a second source of income, they may be sabotaging the organization, or they may be stealing intellectual property on their way out when they leave the company.

2 - Why it is difficult to detect internal improprieties

Whether it's email, cloud services, or networks, legitimate users must be given access to the resources they need to do their jobs. Of course, some employees need access to sensitive information such as financial information and patents.

Insider threats are harder to find because they use legitimate credentials and known machines with administrator-granted privileges. To most security products, the behavior of an insider attacker appears normal and does not raise an alarm.

Threat detection becomes even more complex when attackers perform lateral movement: switching credentials, IP addresses, and devices to cover their tracks and gain access to high-value targets.

3 - Possibility of internal fraud

According to Verizon's Data Security Breach Investigations Report, four of the top five breach patterns are related to insider fraud. Number one is breaches using stolen or compromised credentials. In fourth place is abuse of privileges by malicious insiders. Second and third place are breaches involving compromised insiders, which can lead to insider threat incidents.

Source: Verizon Data Breach Investigation Report 2018

Internal fraud takes time to detect

According to last year's VDBIR report, 39% of the malicious insider breaches investigated took years to discover, and 42% took months.

Source: Verizon Data Breach Investigation Report 2017

4 - Behavior that indicates possible insider fraud activity

Insider threats typically unfold over time and across multiple network resources. If you know where to look, you can find them.

Here are five behaviors that indicate internal improprieties.

  • Abnormal Privilege Escalation: This includes creating a new privileged or administrative account and then switching to it to perform an activity, or exploiting application vulnerabilities or logic to gain network or application access. It covers any behavior that increases the privileges an account holds.
  • C2 (command and control) communication: Traffic or communication to domains or IP addresses known to be used for command and control. Legitimate employees rarely have a good reason to contact such destinations.
  • Data Exfiltration: Exfiltration can be digital or physical. In the digital case, sensitive information such as intellectual property, customer lists, and patents is copied to removable devices, attached to emails, or sent to cloud storage. Massive printouts with default names like "document1.doc" are anomalous behavior that may indicate data theft.
  • Fast data encryption: Bulk encryption and deletion of files following rapid file scanning can indicate a ransomware attack. While ransomware is commonly run by compromised insiders, it can also be run by malicious insiders.
  • Lateral Movement: Switching user accounts, machines, or IP addresses (and switching again to explore more valuable assets) is a common insider act. This behavior is distributed and leaves only small hints in the logs of various siloed security tools, making it difficult to detect.

5 - How to Increase the Reliability of Internal Fraud Detection

In the past, signatures and correlation rules were effective detection methods for single-vector attacks such as SQL injection. Insider threats today are complex and intertwined across multiple identities and machines. The attacks involve trusted parties and can last for months or even years. It is not possible to write well-functioning triggers and signatures for such long-running attacks. Insider fraud can, however, be detected by other means: behavioral analysis.

Implementation of UEBA (User and Entity Behavior Analytics)

UEBA uses data science and machine learning to model normal machine and human behavior and to uncover high-risk, anomalous activity that deviates from those norms. Each time anomalous behavior is found, risk points are added to the risk score, and when a user's or machine's score exceeds a threshold, it is escalated for review by security analysts.
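As an added illustration (this is not Exabeam's code or the page's own), the following Python script shows the scoring loop this paragraph describes, applied to the behaviors listed in section 4: a per-user baseline (usual hosts, usual login hours, typical outbound volume) is learned from a window of constructed log events, each deviation from it adds risk points, and any user whose accumulated score crosses a threshold is escalated. The event fields, the point values, the threshold, the known-C2 indicator list and all of the sample events are assumptions made for the example.

```python
"""Toy UEBA-style risk scoring over constructed log events (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

THRESHOLD = 60  # assumed escalation threshold in risk points

# Assumed threat-intelligence feed; 203.0.113.0/24 is a documentation range.
KNOWN_C2 = {"203.0.113.7"}

# Constructed training window: what "normal" looks like for two users.
TRAINING = [
    {"user": "alice", "host": "ws-01", "hour": 9,  "bytes_out": 1000, "dest": "10.0.0.5"},
    {"user": "alice", "host": "ws-01", "hour": 10, "bytes_out": 1200, "dest": "10.0.0.5"},
    {"user": "alice", "host": "ws-01", "hour": 14, "bytes_out": 900,  "dest": "10.0.0.5"},
    {"user": "bob",   "host": "ws-02", "hour": 9,  "bytes_out": 2000, "dest": "10.0.0.5"},
    {"user": "bob",   "host": "ws-02", "hour": 11, "bytes_out": 2100, "dest": "10.0.0.5"},
    {"user": "bob",   "host": "ws-02", "hour": 16, "bytes_out": 1900, "dest": "10.0.0.5"},
]

# Constructed detection window: alice is normal, bob moves to a finance
# server at 02:00, sends a large volume to a C2 indicator, and a never-seen
# account creates an admin user.
NEW = [
    {"user": "alice", "host": "ws-01", "hour": 10, "bytes_out": 1100, "dest": "10.0.0.5"},
    {"user": "bob",   "host": "ws-02", "hour": 11, "bytes_out": 2000, "dest": "10.0.0.5"},
    {"user": "bob",   "host": "srv-fin-01", "hour": 2, "bytes_out": 50000, "dest": "203.0.113.7"},
    {"user": "tmp-admin", "host": "srv-fin-01", "hour": 2, "bytes_out": 0,
     "action": "create_admin_account"},
]


def build_baseline(events):
    """Learn, per user, the hosts and hours seen and the outbound-volume statistics."""
    per_user = defaultdict(lambda: {"hosts": set(), "hours": set(), "bytes": []})
    for e in events:
        b = per_user[e["user"]]
        b["hosts"].add(e["host"])
        b["hours"].add(e["hour"])
        b["bytes"].append(e["bytes_out"])
    return {
        user: {
            "hosts": b["hosts"],
            "hours": b["hours"],
            "bytes_mean": mean(b["bytes"]),
            "bytes_sd": pstdev(b["bytes"]),
        }
        for user, b in per_user.items()
    }


def score_event(event, baseline):
    """Return (points, reasons) for one event judged against its user's baseline."""
    b = baseline.get(event["user"])
    if b is None:
        # No history at all: consistent with a freshly created privileged account.
        return 30, ["first-seen user (possible new privileged account)"]
    points, reasons = 0, []
    if event["host"] not in b["hosts"]:
        points += 15; reasons.append("new host for this user (lateral movement?)")
    if event["hour"] not in b["hours"]:
        points += 10; reasons.append("activity outside usual hours")
    if event.get("dest") in KNOWN_C2:
        points += 40; reasons.append("traffic to known C2 indicator")
    # Three standard deviations above the user's own mean; floor the sd at 1
    # so a perfectly steady baseline does not flag trivial fluctuations.
    limit = b["bytes_mean"] + 3 * max(b["bytes_sd"], 1)
    if event["bytes_out"] > limit:
        points += 25; reasons.append("outbound volume far above baseline (exfiltration?)")
    if event.get("action") == "create_admin_account":
        points += 30; reasons.append("privileged account creation")
    return points, reasons


def score_users(events, baseline, threshold=THRESHOLD):
    """Accumulate points per user; return (scores, findings, escalated users)."""
    scores, findings = defaultdict(int), defaultdict(list)
    for e in events:
        p, r = score_event(e, baseline)
        scores[e["user"]] += p
        findings[e["user"]].extend(r)
    escalated = sorted(u for u, s in scores.items() if s >= threshold)
    return dict(scores), dict(findings), escalated


if __name__ == "__main__":
    scores, findings, escalated = score_users(NEW, build_baseline(TRAINING))
    for user in sorted(scores):
        print(f"{user:10s} score={scores[user]:3d} reasons={findings[user]}")
    print("escalate for analyst review:", escalated)
```

Note that a single anomaly (the unknown `tmp-admin` account) stays below the threshold, while bob's chain of new host, odd hour, C2 contact and unusual volume is escalated: the score is what ties together weak signals that, viewed in separate tools, would each look tolerable.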

Why is this approach effective?

  • Context: By modeling the normal behavior of each user or machine, detection takes that specific user's context into account. For example, an employee in the marketing department behaves differently than an employee in the accounting department. The baseline that UEBA builds includes this context and helps improve detection accuracy.
  • Comprehensive Analysis: UEBA can ingest data from all types of security tools, integrate it with contextual data such as Active Directory and the CMDB, and model it as a whole. This means you can see the big picture of the attack, not the disjointed pieces of a large puzzle.
  • Future-proof: UEBA detects anomalies in previously unseen attacks, even while they are underway. This means you do not need to obtain new signatures or repeatedly create and update rulesets.

ORION CASSETTO
Exabeam, Inc. Director, Product Marketing

video on demand

Countermeasures against internal threats in the age of promoting remote work
~Risk visualization realized by Exabeam, a leading company in internal fraud countermeasure solutions~

With work-style reform and an uncertain outlook for COVID-19, a growing number of companies are promoting remote work. Insider threat countermeasures are attracting attention as a form of risk management for remote workers. This seminar presents case studies and demos using Exabeam, a leading company in insider threat countermeasures.
