March 30th, 2023
Defend against insider threats with LimaCharlie
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) defines insider threat as “the potential for an insider to use their authorized access or understanding of an organization to harm that organization.”
The nature of insider threats is fairly wide-ranging. Most of us in the security field will naturally think of insider threats in cybersecurity terms, but CISA’s definition includes things like espionage, terrorism, and workplace violence.
CISA also notes that insider threats can sometimes be unintentional. For example, a developer who carelessly hard-codes credentials in a GitHub repository is an insider threat, even if they aren’t trying to be.
In this post, we’re going to be focusing on the cybersecurity side of insider threats—but as we’ll see, it’s important to understand that insider cyber threat mitigation is part of a much larger conversation. We will also examine how LimaCharlie can be a pivotal part of that mitigation strategy.
Holistic strategies, complex behaviors
Insider threat mitigation brings some unique challenges. It’s important to realize that there won’t always be a clear technical solution to the problem of insider threats. CISA’s Insider Threat Mitigation Guide stresses the importance of a holistic, all-hands approach. A comprehensive insider threat mitigation strategy accounts for elements like organizational culture, training, leadership, governance, and much more. Cybersecurity professionals need to understand that they’re part of a larger team effort, and that so-called soft skills like communication and collaboration are going to be essential.
In addition, the special characteristics of insider threats mean that security teams will need to think outside the box when developing threat detections. CISA points out that “insider threat research has shown that potential insider threat perpetrators evolve over time, moving as if on a pathway, and potentially exhibiting multiple, overlapping, detectable and observable behaviors.” To prevent an insider cybersecurity incident, security teams will need to detect behaviors/clusters of behaviors that they may not be used to considering.
In short, cybersecurity teams have a vital role to play in the fight against insider threats—but it’s challenging and highly skilled work. Because of our unique approach to cybersecurity, LimaCharlie is especially well-suited to insider threat mitigation tasks.
3 ways LimaCharlie can help defend against insider threats
Develop sophisticated behavioral detections
Insider threats are insidious because they come from trusted sources—and because they involve attack vectors and malicious activities that off-the-shelf EDR solutions do not sufficiently account for.
As noted above, a focus on hunting for behaviors is essential to detecting insider threats. In this regard, LimaCharlie’s Detection, Automation, and Response Engine is extremely helpful.
The LimaCharlie EDR offers broad visibility into endpoint activity on multiple platforms—and the flexible YAML-based detection syntax means that security teams can use LimaCharlie to write highly customized detection rules. One way these capabilities apply to insider threats is to have LimaCharlie ingest O365 audit logs and associated Azure data and alert on insider threat behaviors such as data exfiltration (for instance, bulk file downloads) and mass file deletions. For a walkthrough of how these kinds of rules are implemented, see: Enhance your SOC's visibility on Microsoft platforms with LimaCharlie.
In terms of the bigger picture, LimaCharlie’s flexibility and customizability mean you can combine different event types and parameters to build completely tailored detection logic. Rather than looking only for the behaviors expected of a generic external adversary, LimaCharlie gives you the ability to detect the likely behavioral profile of an insider threat in a specific industry or organization.
Automate alerting and response
For security teams, another challenge in dealing with insider threats is efficiently managing alerting and response. For example, it’s important not to surface too many events for priority review, because that might overwhelm personnel who are already stretched very thin.
The benefit of using LimaCharlie here is that it is an engineering-centric platform—which means, among other things, that it was built for cybersecurity automation. Insider threat detections can be written in an extremely fine-grained way, classifying events or combinations of events according to severity and responding to different event classes with an appropriate automated action. LimaCharlie’s integrations with no-code automation platforms like Tines and Torq make this even easier, allowing teams to automate entire cybersecurity workflows with a few clicks.
Furthermore, because LimaCharlie’s EDR sensors are able to issue commands on an endpoint, automation can also be used to respond to imminent threats instantaneously. LimaCharlie’s real-time, semi-persistent TLS connection to endpoints means that an automated response action can be taken fleetwide in around 100ms.
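To make the two ideas above concrete, here is an added example (not code from the original post and not LimaCharlie's YAML rule syntax) that runs behavioral detection logic over Office 365 audit records and then maps each alert's severity to an automated action. It covers both the mass-deletion and bulk-download detections mentioned under "Develop sophisticated behavioral detections" and the severity-tiered, de-duplicated alerting described in this section. The record field names (`CreationTime`, `UserId`, `Operation`, `Workload`, `ObjectId`) follow the Office 365 Management Activity API common schema; the sample records are constructed, and the thresholds, windows and playbook names are illustrative assumptions to be tuned per organization.

```python
"""Sliding-window behavioral detections over Office 365 audit records.

Added example. Field names follow the O365 Management Activity API common
schema; thresholds, windows and the response playbook are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds: "N matching operations by one user within the window".
RULES = {
    "mass-file-deletion": {
        "operations": {"FileDeleted", "FileRecycled"},
        "threshold": 50, "window": timedelta(minutes=5), "severity": "high",
    },
    "bulk-download": {  # a common exfiltration precursor
        "operations": {"FileDownloaded", "FileSyncDownloadedFull"},
        "threshold": 100, "window": timedelta(minutes=10), "severity": "medium",
    },
}

TIME_FMT = "%Y-%m-%dT%H:%M:%S"


def _ts(record):
    return datetime.strptime(record["CreationTime"], TIME_FMT)


def detect(records, rules=RULES):
    """Return a list of alerts, at most one per (rule, user) per window.

    Records are processed in time order; each (rule, user) pair keeps a deque
    of timestamps inside the rule's window. When the deque reaches the
    threshold an alert fires, and further alerts for that pair are suppressed
    for one window so a single burst does not flood the queue.
    """
    alerts = []
    windows = defaultdict(deque)  # (rule, user) -> timestamps within window
    last_alert = {}               # (rule, user) -> time of last alert
    for rec in sorted(records, key=_ts):
        if rec.get("Workload") not in ("SharePoint", "OneDrive"):
            continue
        now = _ts(rec)
        for name, rule in rules.items():
            if rec["Operation"] not in rule["operations"]:
                continue
            key = (name, rec["UserId"])
            q = windows[key]
            q.append(now)
            while q and now - q[0] > rule["window"]:
                q.popleft()  # drop events that fell out of the window
            if len(q) < rule["threshold"]:
                continue
            if key in last_alert and now - last_alert[key] <= rule["window"]:
                continue  # already alerted on this burst
            last_alert[key] = now
            alerts.append({
                "rule": name, "user": rec["UserId"], "severity": rule["severity"],
                "count": len(q), "first": q[0].strftime(TIME_FMT),
                "last": now.strftime(TIME_FMT),
            })
    return alerts


def respond(alert):
    """Map alert severity to an automated action (assumed playbook names)."""
    playbook = {"high": "isolate-and-page", "medium": "ticket-for-review"}
    return playbook.get(alert["severity"], "log-only")


def sample_records():
    """Constructed audit records: one mass deletion, one bulk download,
    one slow deleter (benign) and some unrelated reads."""
    base = datetime(2023, 3, 30, 9, 0, 0)
    recs = []

    def add(user, op, offset_s, workload="SharePoint"):
        recs.append({
            "CreationTime": (base + timedelta(seconds=offset_s)).strftime(TIME_FMT),
            "UserId": user, "Operation": op, "Workload": workload,
            "ObjectId": f"https://contoso.sharepoint.com/sites/finance/doc{offset_s}.xlsx",
        })

    for i in range(60):
        add("alice@example.com", "FileDeleted", i * 2)      # 60 deletes in 2 min
    for i in range(10):
        add("bob@example.com", "FileDeleted", i * 360)      # 10 deletes over an hour
    for i in range(120):
        add("carol@example.com", "FileDownloaded", i * 2)   # 120 downloads in 4 min
    for i in range(5):
        add("dave@example.com", "FileAccessed", i)          # not covered by any rule
    return recs


if __name__ == "__main__":
    for a in detect(sample_records()):
        print(a["severity"].upper(), a["rule"], a["user"], a["count"], "->", respond(a))
```

Running the script yields two alerts: a high-severity mass-file-deletion alert for alice (50 events in the window when it fires) routed to the isolation playbook, and a medium-severity bulk-download alert for carol routed to a review ticket. Bob's ten deletions over an hour never reach the threshold, which is the point of windowing rather than counting raw totals.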
Operationalize telemetry for investigations and audits
LimaCharlie’s numerous capabilities around telemetry data can also be used to defend against insider threats.
To begin with, LimaCharlie offers users one free year of full telemetry data storage. Data is stored in a normalized and fully searchable data format. You can run detection and response (D&R) rules against the data using our Replay feature—or easily export it to another tool for analysis. In addition, the newly released LimaCharlie Query Language (LCQL) feature provides a flexible and cost-effective way to explore your stored telemetry data without ever leaving the LimaCharlie platform.
In terms of insider threat mitigation, this lets security teams hunt for signs of trouble proactively. It’s important to remember CISA’s point that a malicious insider threat event is often preceded by a progression of worrisome, observable behaviors that lead up to it. So using LCQL, for example, you could search for GitHub security policy violations over the past 90 days, investigating a specific user further if warranted.
It’s also important to remember here that many insider threats are unintentional in nature. They’re still very serious, but in these cases the insiders aren’t setting out to do damage. Intervention and education are often the best mitigation strategy for this type of insider threat—if high-risk behaviors can be identified and detected early. Because LimaCharlie offers the ability to query stored telemetry data in a highly specific way, it can be used in service of an auditing program that pinpoints specific security policy infractions over a given time frame. The resulting information can then be used to provide feedback and corrective training where needed.
Getting started with LimaCharlie
LimaCharlie’s high degree of customizability, extensive automation capabilities, and rich telemetry features all make it an excellent tool for security teams trying to harden organizations against insider threats.
To see for yourself how LimaCharlie can be leveraged to defend against insider threats, try it for free or book a demo.