Monitor user behaviour to detect Insider Threats

The risk of Insider Threats has grown massively with attackers getting around the increasingly complex perimeter protection of Enterprise organisations. It is one of the most common ways customer data or industrial and trade secrets are leaked. This very complex topic includes countless types and techniques. Let us see how such behaviour could be detected at a network level.

100 terabytes of data was stolen from Sony Pictures in 2014. A Korea Credit Bureau employee sold the details of 104 million customers to a marketing firm. 40 million credit card details were lost because Target company engineers did not pay attention to their security system alerts. What connects these cases? Each is a textbook example of one of the three major types of Insider Threat, and each one succeeded.

1. You have been social engineered - The Sony Pictures case

The number one tool for social engineering is email. Attackers are ingenious in finding different ways of persuading you to do what they need. Statistically, the number one method to lure you into their nefarious clutches is money transfer. Phishing and Pharming are commonly used techniques too (check out my Frequent & Dangerous series for further reading).

So, how do you respond using Flowmon? Usually the first Flowmon detection method to trigger is BLACKLIST, which fires when we see communication with known phishing pages, malware sources or Command & Control domains. If the device is infected with malware, we look further for other indicators of compromise. Malware will almost certainly perform some of the following actions, all detectable by Flowmon ADS:

  • “Calling home” - contacting the C&C server, sometimes via direct internet communication
  • Reconnaissance scanning and lateral movement - port scanning, later also brute-forcing passwords to gain control or spread the malicious code further
  • Data exfiltration - more on this in part 3 of this article

To gain a further understanding of malware activity at a network level see my colleague’s blog post.

We have recently introduced a new detection method called BPATTERNS that lets you easily define your own detection rules. Our engineers have already created a number of Behaviour patterns for attacks like WannaCry, Petya or BadRabbit and, should you wish, your Flowmon ADS will automatically download fresh ones on a regular basis.

2. Attackers among us - The Korea Credit Bureau case

Ordinary people who are unhappy at work usually quit, or keep their jobs for the benefits. Some take their email or contact databases with them when they leave for a new job; some leak data even while staying in their job. Whatever the reasons may be, it is very important to monitor user activity at a network level.

Data leakage is commonly seen when data is uploaded outside the network, which is easily caught by simple anomaly detection. But more sophisticated breaches and leakages also exist, and for those you need some form of advanced behaviour analysis. Some of our customers regularly detect “covert channel” communication, where a data payload is sent over an unusual protocol and regular traffic filtering systems fail to notice. By looking at the characteristics of user traffic we can spot a payload carried over, among many other protocols, ICMP: it is normally used for signalling, so its packets should be small. Even more interesting is Flowmon’s capability of detecting DNS tunnelling. Even if your device has no direct access to the internet, all an attacker needs is access to at least one internal DNS server that can reach an external DNS server, plus a Command & Control domain as the communication partner. Using regular DNS functionality and legitimate servers, the compromised device and the C&C domain can establish two-way communication and exchange text messages encoded into the DNS queries. The article on our blog will show you further wonders of DNS monitoring.
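As an added illustration (not Flowmon code), the following Python script runs three of the flow-level checks described in sections 1 and 2 over constructed NetFlow/IPFIX-style records: reconnaissance port scanning, an ICMP covert channel carrying a large payload, and DNS tunnelling spotted through long, high-entropy query labels. The record layout, sample addresses and thresholds are assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed NetFlow/IPFIX-style records (sample data, not Flowmon output):
# (src_ip, dst_ip, proto, dst_port, packets, bytes, dns_query_name)
FLOWS = [
    ("10.0.0.5", "8.8.4.4", "ICMP", 0, 12, 768, None),          # ping: 64 B/pkt, benign
    ("10.0.0.7", "203.0.113.9", "ICMP", 0, 40, 52000, None),    # 1300 B/pkt: payload over ICMP
    ("10.0.0.9", "10.0.0.20", "TCP", 22, 3, 180, None),         # short SSH session, benign
    *[("10.0.0.9", "10.0.0.20", "TCP", p, 1, 60, None) for p in range(1000, 1030)],  # port sweep
    ("10.0.0.11", "10.0.0.2", "UDP", 53, 1, 80, "www.example.com"),
    ("10.0.0.11", "10.0.0.2", "UDP", 53, 1, 140, "dGhpcyBpcyBhIHNlY3JldCBtZXNzYWdl.c2.example"),
]

def icmp_covert_channels(flows, max_avg_bytes=256):
    """ICMP used for signalling carries small packets; a large average
    packet size means a payload is being moved over it."""
    return [(s, d) for s, d, proto, _, pkts, byt, _ in flows
            if proto == "ICMP" and byt / pkts > max_avg_bytes]

def port_scans(flows, min_ports=20):
    """Many distinct destination ports on one peer, each touched by a
    tiny flow, is the NetFlow footprint of reconnaissance scanning."""
    ports = defaultdict(set)
    for src, dst, proto, dport, pkts, _, _ in flows:
        if proto == "TCP" and pkts <= 2:
            ports[(src, dst)].add(dport)
    return [pair for pair, seen in ports.items() if len(seen) >= min_ports]

def shannon_entropy(text):
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def dns_tunnel_queries(flows, max_label=30, min_entropy=3.5):
    """Data encoded into DNS queries shows up as long or high-entropy
    leftmost labels; ordinary hostnames are short and low-entropy."""
    hits = []
    for src, _, proto, dport, _, _, qname in flows:
        if proto != "UDP" or dport != 53 or not qname:
            continue
        label = qname.split(".")[0]
        if len(label) > max_label or shannon_entropy(label) > min_entropy:
            hits.append((src, qname))
    return hits

if __name__ == "__main__":
    print("ICMP covert channel:", icmp_covert_channels(FLOWS))
    print("Port scans:", port_scans(FLOWS))
    print("DNS tunnelling:", dns_tunnel_queries(FLOWS))
```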

3. Policies do not apply to some people - The Target case

Gartner calls these employees “Goofs”. They know they should not connect to critical systems from unsecured networks and computers. They should not make changes that have not been approved. But they do. Sometimes they need to carry out a pressing task under time pressure. Sometimes they are lazy, but they never have bad intentions. How can they be differentiated from a real attacker? How can such behaviour be made visible on the network? They could be using peer-to-peer communications as well as VPN tunnels, bypassing the proxy server, or using anonymizers such as Tor to connect to the Dark Web.

These are all standard off-the-shelf detection capabilities of Flowmon ADS. By using Flowmon Probes we even gain application level visibility into many protocols and we can also carry out full packet capture. For more details, check out this blog article from our CTO, Pavel Minařík.

Challenges of protection strategies

Protection instruments can be process based or technology based. As far as processes are concerned, you can find many best practices and recommendations. You can also pay for expensive risk assessments and audits that should help you strengthen your company security. And in the days of GDPR, that “can” should really become “must”. Check out this post to see how Flowmon can help you with your GDPR strategy.

For the technical part, the respected analytical company Gartner says: “Most organizations have limited technical resources to devote to an insider threat program and are constrained in the types of data they can proactively collect and analyse for insider threats.”
Source: Best Practices for Managing Insider Security Threats

That said, let me stress that log management and SIEM systems are often far beyond the financial reach of many companies, in which case NetFlow/IPFIX should be considered as an effective source of data. It cannot fully replace a SIEM, but it offers the best price/performance on the market for detecting Insider threats, because NetFlow/IPFIX can be exported from any reasonable router or switch already deployed in the organisation’s network. And if the organisation later purchases a SIEM, the outputs of such NetFlow/IPFIX based detection solutions become an irreplaceable source of log data for it.

Neither processes nor technologies on their own can ever bring an adequate level of security, so the rule of thumb here is to create the most effective combination of both. Educate your employees, control their access, log their activity and, above all, detect breaches with technologies that provide a fast time to value.