The misuse of ones privileges is an intentional, malicious attack pattern. Most of the data breaches in 2021 in this category were caused by privilege abuse or data mishandling. They were mostly initiated by internal actors (“insider threat”) and financially motivated. Healthcare and finance were the top industries threatened by this attack pattern over the last years [1,2].
Proactive and reactive security measures
In order to address this attack pattern, organizations should follow a considerate approach on access management and implement detective controls.
Proper access management should start with the definition of user roles and access profiles. It is very important to align these roles and profiles with the organizations IT services and resources. In a second step, processes for adding, changing and removing access rights should be established. A process for ensuring that only authorized identities may be granted access to a resource is essential. IT service management (ITSM) frameworks like ITIL may help organizations implement access management with best-practice guidelines.
In order to detect insider threats in a timely manner, security information and event management (SIEM), including 24/7 monitoring, should be established. With the help of MITREs recently published knowledge base of insider threat tactics, techniques and procedures (TTP), the detection abilities for activities related to this attack pattern can be automated. This community project focuses on “real-world adversary behaviors” and helps to look for what is probable instead of what is possible .
Check if your organization tackles the threat of privilege misuse:
- Are identities and access within the organization managed with proper processes and governance?
- Are sources like firewalls or active directory logs constantly monitored?
- Are security events specifically related to insider threats detected?
Need help implementing access management or security information and event management? Contact us for more information.