
CrowdStrike Unveils Insider Threat Services for MSSPs, Organizations


CrowdStrike is offering new services to help organizations and MSSPs protect against insider risk, a growing cyberthreat that includes not only negligent or malicious employees but also outside sophisticated cybercriminal groups.

The partner-first cybersecurity firm’s Insider Risk Services, introduced this week, combine threat detection and response from its Falcon platform with threat hunting (including tabletop exercises and red team simulations), incident response informed by adversary-based threat intelligence and telemetry gathered from Falcon, and program and technical reviews to identify gaps and strengthen defenses.

The increase in insider threats is being fueled by trends like remote work, cloud adoption, and the growing complexity of IT environments, according to Thomas Etheridge, chief global services officer for the Austin, Texas-based company.

MSSPs and MSPs can play a central role in protecting organizations against such risks, Etheridge told MSSP Alert, adding they are particularly important to companies that “lack the resources or expertise to manage security in-house. … These partners are critical for extending expert guidance, proactive defense strategies, and swift incident response to businesses of all sizes.”

Insider Incidents on the Rise

There are reasons behind the rising concern about insider threats. According to Ponemon Institute, 71% of organizations surveyed were hit with 21 to 41 insider incidents in 2023, compared with 67% the previous year. In addition, the average annual cost of insider threats climbed to $16.2 million per organization, the report found.

Another survey by Cybersecurity Insiders and Securonix found that from 2019 to last year, the number of organizations reporting insider attacks rose from 66% to 76%, and 90% of companies said such attacks are equally or more difficult to detect than attacks from the outside.

CrowdStrike’s Etheridge warned that insider threat risks don’t recognize particular companies or sectors. They impact organizations of all sizes across industries, he said.

“Both negligent employees and sophisticated adversaries present significant insider threats, but their prevalence often depends on the organization's size, industry, and security maturity,” Etheridge said. “Negligent insider threats – such as accidental data sharing or falling victim to phishing – are more common and often stem from a lack of awareness or training.”

The Outside Insider Threats

That said, “sophisticated adversaries are increasingly leveraging insiders, either through coercion, social engineering, or compromise, to bypass traditional defenses,” he added.

Organizations and MSSPs need to keep in mind that internal threats can include third-party contractors with access to internal systems but also outside bad actors running complex attacks to infiltrate networks.

Etheridge pointed to Famous Chollima and other North Korea-linked hackers, and to that country’s extensive efforts to place operatives in companies in the United States and elsewhere as IT workers to steal data or money. The rogue country uses such scams to collect money for its massive nuclear weapons and missile programs and to bypass international sanctions.

“Typically, the group uses fake or stolen identities to infiltrate organizations as remote IT staff, followed by exploiting remote monitoring and management [RMM] tools to distribute malware like InvisibleFerret and BeaverTail to steal data and target cryptocurrency,” he said of Famous Chollima, which CrowdStrike outed last year. “Some of Famous Chollima’s advanced persistence techniques include lateral movement, data exfiltration and evasion of detection systems. Their tactics allow the adversary to bypass external defenses and operate from within, which is why we classify them as insider threats.”

Signs to Look Out For

Some warning signs are shared across insider incidents, whether they result from negligent or malevolent insiders or from external threats. Those include anomalies in behavior, unusual access patterns, or data exfiltration attempts, Etheridge said. However, there also are differences.

“Negligent actions often exhibit as one-off events, like clicking on a malicious link, while malicious insiders or external adversaries tend to display more calculated, persistent and stealthy behavior, such as consistent access to sensitive files over time,” he said.

Tools like identity threat protection and behavioral analytics, coupled with human expertise, are key to distinguishing between the two and responding quickly to mitigate risks. 
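The distinction Etheridge draws, a one-off event versus sustained access to sensitive files over time, is the kind of rule a behavioral-analytics layer can express. The script below is an added illustration written for this article, not CrowdStrike or Falcon code: it parses a handful of constructed file-access log lines, counts how many distinct days each user touched files under assumed sensitive paths, and labels the pattern as persistent, one-off, or none. The path prefixes, the three-day threshold, the off-hours window, and the log format are all assumptions chosen for the example.

```python
"""Toy behavioral check: one-off sensitive access versus a sustained pattern.

All log lines, path prefixes, thresholds and function names here are
constructed for this example; they are not CrowdStrike's detection logic.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <action> <path>" per line.
SAMPLE_LOG = """\
2024-03-01T09:12:00 alice read /finance/q1_forecast.xlsx
2024-03-01T09:40:00 bob read /hr/payroll_2024.csv
2024-03-02T10:05:00 alice read /finance/q1_forecast.xlsx
2024-03-02T14:00:00 carol read /eng/readme.md
2024-03-03T23:55:00 alice read /finance/board_minutes.docx
2024-03-04T00:10:00 alice read /finance/m_and_a_targets.pdf
2024-03-05T08:30:00 alice read /finance/q1_forecast.xlsx
2024-03-06T02:15:00 alice copy /finance/m_and_a_targets.pdf
"""

SENSITIVE_PREFIXES = ("/finance/", "/hr/")  # assumption: what counts as sensitive
PERSISTENT_DAYS = 3                         # assumption: distinct days before "persistent"
OFF_HOURS_START, OFF_HOURS_END = 20, 7      # assumption: 20:00 to 07:00 is off-hours


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, path = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": path})
    return events


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def is_off_hours(ts):
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def classify_users(text):
    """Per user: distinct days of sensitive access, off-hours hits, copies, verdict."""
    stats = defaultdict(lambda: {"days": set(), "files": set(),
                                 "off_hours": 0, "copies": 0})
    for e in parse_log(text):
        s = stats[e["user"]]  # ensures every user gets a verdict, even "none"
        if not is_sensitive(e["path"]):
            continue
        s["days"].add(e["ts"].date())
        s["files"].add(e["path"])
        if is_off_hours(e["ts"]):
            s["off_hours"] += 1
        if e["action"] == "copy":
            s["copies"] += 1

    report = {}
    for user, s in stats.items():
        days = len(s["days"])
        if days == 0:
            verdict = "none"          # no sensitive access observed
        elif days >= PERSISTENT_DAYS:
            verdict = "persistent"    # sustained pattern: worth an analyst's time
        else:
            verdict = "one-off"       # single event: often the negligent case
        report[user] = {"verdict": verdict, "sensitive_days": days,
                        "sensitive_files": len(s["files"]),
                        "off_hours": s["off_hours"], "copies": s["copies"]}
    return report


if __name__ == "__main__":
    for user, r in sorted(classify_users(SAMPLE_LOG).items()):
        print(f"{user:6} {r['verdict']:10} days={r['sensitive_days']} "
              f"files={r['sensitive_files']} off_hours={r['off_hours']} copies={r['copies']}")
```

On the constructed sample, alice is flagged as persistent (six distinct days, three of them off-hours, plus a copy action), bob's single payroll read is a one-off, and carol never touches a sensitive path. The verdict is a triage signal, not proof of intent: the article's point is that the sustained pattern is what separates a calculated insider or intruder from a negligent click, and that a human still has to decide which it is.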

MSSPs can leverage such capabilities in Falcon or similar platforms to “ensure that organizations can implement robust proactive detection and response capabilities to swiftly stop this growing risk. These partners are critical for extending expert guidance, proactive defense strategies, and swift incident response to businesses of all sizes,” Etheridge said.
