Cite
Saminathan, K.; Mulka, S.T.R.; Damodharan, S.; Maheswar, R.; Lorincz, J. Insider Cyber Security Threat. Encyclopedia. Available online: https://encyclopedia.pub/entry/52611 (accessed on 16 May 2024).
Insider Cyber Security Threat

The COVID-19 pandemic pushed organizations and enterprises onto cloud platforms accessed from home, which greatly enlarged the opportunities for cyberattacks. Employees who work remotely on cloud-based platforms are chosen as targets for cyberattacks. For that reason, cyber security is a growing concern: it is incorporated into almost every smart gadget and has become a prerequisite for every software product and service. There are various mitigations for external cyber security attacks, but hardly any for insider security threats, which are difficult to detect and mitigate. Thus, insider cyber security threat detection has become a serious concern.

Keywords: insider threat detection; autoencoder; artificial neural network; cyber security

1. Introduction

Possible attacks that are characterized as cyber security threats can impact a particular entity of an organization or the whole organization, and they can be categorized as external or insider attacks. External attacks originate from outside the perimeter of the organization’s network and can take different forms, such as distributed denial of service (DDoS), phishing, etc. In contrast, insider attacks originate from inside the organization’s network, which means that the attacker(s) have already gained some level of access to the network.
The frequent occurrence of cyberattacks and threats points to the importance of maintaining and enhancing an organization’s cyber security. To defend against external attacks such as distributed denial of service (DDoS), session hijacking, etc., organizations generally utilize several security tools, including firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and security gateways.
However, cyber security attacks originating from within the organization, such as insider attacks, are especially challenging to detect, since detecting them requires more sophisticated and complex threat detection processes. A report issued by the International Business Machines (IBM) company indicates that the average time to detect a software vulnerability discovered by attackers before the vendor has become aware of it (a zero-day attack) is 287 days [1]. Identifying a threat at an early stage limits its propagation in an organization, since the longer the threat exists, the more damage it causes by propagating through the network and compromising more devices. This indicates the severity and extent of the damage that insider security attacks can cause. Insider cyber security attacks can be classified into three types: insider threat attacks, security information and event management (SIEM) attacks, and user behavior analysis or user and entity behavior analysis (UBA/UEBA) attacks.

2. Insider Threats Attacks

Insider threats can be classified into three types: malicious insider, careless insider, and compromised insider threats. A malicious insider threat is caused by an employee in the organization misusing resources, divulging confidential information, or harming the organization’s values. In 2018, the Russian secret service arrested employees of a leading national nuclear research laboratory for misusing supercomputer resources to mine bitcoin, an example of a malicious insider attack [2].
In the careless insider threat scenario, an employee fails to follow security standards and, as a result, enlarges the attack surface, exposing the organization’s assets to a potential attack. Good examples of careless insider behavior are leaving systems without logging off, using default passwords, and delaying the installation of application security patches. In 2019, 250 million Microsoft customer records were exposed to everyone on the Internet due to the negligence of the security team, which had secured the database with improper security rules [3].
A compromised insider threat is the most sophisticated attack: it gains access to the privileged parts of the organization’s network by bypassing all security measures such as firewalls and IDSs. Bypassing the security measures enables the compromise of privileged accounts while the attacker acts as a legitimate entity and steals the organization’s data. A recent Twitter breach is a good example of a compromised insider attack, where attackers used a phone spear-phishing attack to obtain an employee’s credentials and abused them to run a cryptocurrency scam that resulted in a huge cost for the company [4].

3. Security Information and Event Management Attack

Although organizations integrate different SIEMs into their security measures, business organizations are still mostly affected by insider cyberattacks. In practice, a SIEM system acts as a security management tool that gathers data from network interfaces, servers, domain controllers, and other assets present in an organization [5]. The SIEM workflow covers logging, correlation and analysis, incident monitoring, alerting, and compiling and reporting. The main use cases of SIEM are basic security monitoring, advanced threat detection, log collection, security incident detection, and follow-up alerts.
Today’s attackers have developed sophisticated techniques and tactics, which are more difficult for SIEM tools to detect. As a result, SIEM shows the following limitations:
  • Due to centralized logging, when an insider threat is detected and alerted, security analysts cannot find out how and where to start an intruder search. Meanwhile, the attack goes deeper into the network before being detected, and incident forensics become ineffective.
  • SIEM tools protect against most external threats, but they are defenseless against insider threats.
  • SIEM tools are generally not accurate for a particular security threat event; mostly, they fail to detect the actual occurrence of an event.
  • The SIEM tools are difficult to control and manage.
  • Predefined correlation rules make the SIEM system unable to detect new attack techniques.
To address these limitations of SIEM tools, different approaches for improving organizations’ cyber security have been proposed, and they can be classified as approaches based on user behavior analysis (UBA) or on user and entity behavior analysis (UEBA).

4. User Behavior Analysis and User and Entity Behavior Analysis Attack

In 2014, Gartner [6] defined UBA as a security analysis approach that analyzes users’ behavior on systems and networks. It is used to detect malicious user behavior. Machine learning and deep learning algorithms form the core of such an approach, while some recent results have proposed blockchain technology for anonymous privacy-preserving authentication [7]. UBA defines a baseline for the normal behavior of a user, and if an activity deviates from the baseline, an alert is generated.
As a case study of the UBA approach, a United States-based tech company recorded an incident involving a compromised Linux-based system controlled by attackers, which was used to move through the network and search for further opportunities to compromise systems [8]. A basic approach was used: attempting to log in to various servers and machines with default credentials. To the UBA system, the attack appeared as multiple users failing to log on to their systems, even though all of these log-ins had been performed from a single machine. This use case thus exposes a serious downside of UBA as an approach for detecting cyber security threats. In 2015, Gartner redefined UBA and proposed the UEBA approach. UEBA considers the behavior of users as well as network and system entities such as servers, and it includes all other assets in an organization. By taking most of the available information into account, this approach focuses on the problem of insider attacks instead of only on user and network data. It is more powerful than UBA and can detect complex attacks. In addition to monitoring and analyzing the behavior of users and entities, UEBA identifies anomalous user behavior, recognizes unseen patterns using machine learning and deep learning techniques, and alerts the security team in real time according to risk scores, before the attack propagates further.
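The baseline-and-deviation logic of UBA and the entity view of UEBA described above, replayed on a constructed authentication log (an added example, not code from the entry or from any vendor’s product). Event tuples, the host name srv-linux-07, and the thresholds are all invented for illustration: a per-user baseline sees only one failed log-in per account and stays silent, whereas counting distinct accounts per source host surfaces the single machine behind them.

```python
from collections import defaultdict

# Constructed sample authentication events: (day, user, source_host, outcome).
# Days 1-3 are the learning window. Day 4 replays the case from the text: one
# compromised host tries default credentials against many accounts, so each
# user shows a single failure while one host shows failures for many users.
EVENTS = [
    (1, "alice", "ws-alice", "fail"), (1, "alice", "ws-alice", "ok"),
    (1, "bob", "ws-bob", "ok"), (2, "bob", "ws-bob", "fail"),
    (2, "carol", "ws-carol", "ok"), (3, "alice", "ws-alice", "ok"),
    (3, "dave", "ws-dave", "fail"), (3, "carol", "ws-carol", "ok"),
    (4, "alice", "srv-linux-07", "fail"), (4, "bob", "srv-linux-07", "fail"),
    (4, "carol", "srv-linux-07", "fail"), (4, "dave", "srv-linux-07", "fail"),
    (4, "erin", "srv-linux-07", "fail"), (4, "alice", "ws-alice", "ok"),
]

def user_baseline(events, baseline_days):
    """UBA step 1: mean failed log-ins per user per day over the learning window."""
    fails = defaultdict(int)
    for day, user, _host, outcome in events:
        if day in baseline_days and outcome == "fail":
            fails[user] += 1
    return {u: n / len(baseline_days) for u, n in fails.items()}

def uba_alerts(events, day, baseline, margin=2):
    """UBA step 2: alert on users whose failures that day exceed baseline + margin.
    Users with no failures in the learning window get a baseline of 0."""
    todays = defaultdict(int)
    for d, user, _host, outcome in events:
        if d == day and outcome == "fail":
            todays[user] += 1
    return sorted(u for u, n in todays.items() if n > baseline.get(u, 0) + margin)

def ueba_host_alerts(events, day, min_distinct_users=3):
    """UEBA: treat the source host as an entity and count the distinct accounts
    that failed to log in from it that day. Many accounts failing from one host
    is exactly the pattern a per-user baseline cannot see."""
    users_per_host = defaultdict(set)
    for d, user, host, outcome in events:
        if d == day and outcome == "fail":
            users_per_host[host].add(user)
    return {h: len(us) for h, us in users_per_host.items() if len(us) >= min_distinct_users}

if __name__ == "__main__":
    base = user_baseline(EVENTS, {1, 2, 3})
    print("UBA alerts on day 4:", uba_alerts(EVENTS, 4, base))       # []
    print("UEBA host alerts on day 4:", ueba_host_alerts(EVENTS, 4))  # {'srv-linux-07': 5}
```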

References

  1. IBM. What Is a Zero-Day Exploit? Available online: https://www.ibm.com/topics/zero-day (accessed on 8 September 2023).
  2. BBC News. Russian Nuclear Scientists Arrested for ‘Bitcoin Mining Plot’. 9 February 2018. Available online: https://www.bbc.com/news/world-europe-43003740 (accessed on 8 June 2023).
  3. Ikeda, S. 250 Million Microsoft Customer Service Records Exposed; Exactly How Bad Was It? CPO Magazine. Available online: https://www.cpomagazine.com/cyber-security/250-million-microsoft-customer-service-records-exposed-exactly-how-bad-was-it/ (accessed on 8 June 2023).
  4. Thompson, N.; Barrett, B. How Twitter Survived Its Biggest Hack—And Plans to Stop the Next One. WIRED, 20 September 2020. Available online: https://news.hitb.org/content/how-twitter-survived-its-biggest-hack-and-plans-stop-next-one (accessed on 8 June 2023).
  5. Petters, J. What Is SIEM? A Beginner’s Guide. 15 June 2020. Available online: https://www.varonis.com/blog/what-is-siem (accessed on 8 June 2023).
  6. Cassetto, O. What Is UBA, UEBA, & SIEM? Security Management Terms Defined. Exabeam, 13 July 2017. Available online: https://www.exabeam.com/siem/uba-ueba-siem-security-management-terms-defined-exabeam/ (accessed on 8 June 2023).
  7. Rajasekaran, A.S.; Maria, A.; Rajagopal, M.; Lorincz, J. Blockchain Enabled Anonymous Privacy-Preserving Authentication Scheme for Internet of Health Things. Sensors 2022, 23, 240.
  8. Exabeam. User Behavior Analytics (UBA/UEBA): The Key to Uncovering Insider and Unknown Security Threats. (accessed on 26 January 2024).
Update Date: 26 Jan 2024