Illusive Blog September 7, 2017

Detecting Insider Threats With Deception Technology

By The Illusive Networks team

Deception can play a powerful, multifaceted role in helping financial services organizations protect their crown jewels. Our recent post, By Detecting Lateral Movements, Banks Can Get Ahead of Fraud and APTs (Aug. 21, 2017) described how deception is used to combat fraud. In this post, we’ll look at how deception can play a strategic role in defeating insider threats.

IBM’s 2016 Cyber Security Intelligence Index reflects that 60% of all cyber attacks were carried out by insiders, and three-fourths of those were by malicious actors. Some malicious insiders use relatively simple means to steal data, but others—often people in IT roles—have the skills to carry out nefarious activity using the sophisticated tools and techniques used by external attackers. For purposes of this discussion, we’ll refer to them as “advanced insiders.” While such attacks may not be common, they may be as dangerous as other forms of APT.

Core banking, wealth management, payment processing, and trading platforms are accessed millions of times a day, making it easy for an advanced insider to hide malicious activity within the sheer volume of normal transactions. Advanced insiders can have several objectives. They might want to steal customer data, financial data, or intellectual property for criminal purposes. They might aim to disrupt the business because of personal dissatisfaction or to advance a political viewpoint. And unfortunately, advanced insiders have significant advantages over external advanced attackers.

First, they’re already in, enabling them to skip the initial breach, reconnaissance, and intelligence steps. They are familiar with at least parts of the network and core applications. Second, advanced insiders often have privileged access to high-risk systems. Finally, because they have an insider’s understanding of company culture and business processes, they can skillfully execute their activities without attracting attention. It’s critical to detect them early in the lateral movement phase of an attack.

Inserting deception into your current environment can give you a distinct advantage. Not only can deceptions detect lateral movement of an advanced insider, they can also help root them out. Illusive’s deception technology can also deliver valuable forensics to accelerate investigations. Here are key tips to consider:

Apply an insider lens in the design of deceptions

Effective deceptions must appear authentic to fool an outsider, but it’s doubly difficult to fool an insider. Start by reverse-engineering the insider’s thought process. Where would he or she go to find information about new M&A activity? How could he or she manipulate (and cover up) account activity in clearing or settlement processes? Then, design deceptions based on the insider’s perspective. For example, in a wealth management environment, you might create deceptive file shares that mimic real shares that house quarterly portfolio reports. These deceptive shares must match the organization’s naming conventions, but to fool an insider, they must be structured to include the same types of data, such as aggregate account overviews, portfolio holdings, time-weighted performance data, asset allocation percentages, and account activity—authentic-looking, but fake. An advanced insider should also be able to access deceptive file shares the same way that legitimate users access real file shares.
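The following is an added example (not Illusive's code) of the two halves of the decoy-share idea above: deriving a decoy path from a real share's naming convention and filling it with the same kinds of data a real quarterly portfolio report carries, then treating any access to that path by someone other than the deployment service account as an alert. The share layout, column names, the `svc-deception` account and the audit log lines are all constructed assumptions for the demonstration.

```python
"""Decoy file-share design and access detection (added example; assumptions are marked)."""
import csv
import io
import random
import re
from typing import Dict, Iterable, List, Set

# Assumed column layout of a real quarterly portfolio report. The decoy carries the same
# kinds of data (aggregate overview, holdings, time-weighted return, allocation, activity).
REPORT_COLUMNS = [
    "account_id", "aggregate_value_usd", "top_holding", "twr_pct",
    "alloc_equity_pct", "alloc_fixed_income_pct", "alloc_cash_pct", "last_activity",
]

# Assumed name of the only account that legitimately writes/refreshes decoy shares.
DECEPTION_SERVICE_ACCOUNT = "svc-deception"

# Constructed file-share audit records in a simple key=value layout.
SAMPLE_AUDIT_LOG = [
    r"2017-09-01T08:12:03Z user=svc-deception src=10.0.0.5 action=WRITE path=\\fs01\wm-reports\Q2-2017\portfolio_holdings.csv",
    r"2017-09-01T09:40:11Z user=a.lee src=10.1.4.22 action=READ path=\\fs01\wm-reports\Q1-2017\portfolio_holdings.csv",
    r"2017-09-01T23:07:45Z user=j.doe src=10.1.7.90 action=READ path=\\fs01\wm-reports\Q2-2017\portfolio_holdings.csv",
]

AUDIT_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) path=(?P<path>.+)$")


def decoy_path_from_real(real_path: str, period: str) -> str:
    """Mirror a real share's naming convention: same server, share and file name, with
    only the period folder changed to one the real share does not carry."""
    m = re.match(r"^(\\\\[^\\]+\\[^\\]+\\)Q[1-4]-\d{4}(\\.+)$", real_path)
    if not m:
        raise ValueError(f"unexpected share layout: {real_path}")
    return f"{m.group(1)}{period}{m.group(2)}"


def build_decoy_report(n_rows: int, seed: int) -> str:
    """Generate a CSV with the real report's columns and plausible synthetic values.
    The seed makes refreshes reproducible; allocation percentages always sum to 100."""
    rng = random.Random(seed)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=REPORT_COLUMNS)
    writer.writeheader()
    for _ in range(n_rows):
        equity = rng.randint(30, 80)
        fixed_income = rng.randint(10, 100 - equity - 5)
        writer.writerow({
            "account_id": f"WM{rng.randint(100000, 999999)}",
            "aggregate_value_usd": f"{rng.randint(250_000, 40_000_000):.2f}",
            "top_holding": rng.choice(["AAPL", "MSFT", "VTI", "BND", "BRK.B"]),
            "twr_pct": f"{rng.uniform(-4.0, 9.0):.2f}",
            "alloc_equity_pct": equity,
            "alloc_fixed_income_pct": fixed_income,
            "alloc_cash_pct": 100 - equity - fixed_income,
            "last_activity": f"2017-0{rng.randint(4, 6)}-{rng.randint(10, 28)}",
        })
    return buf.getvalue()


def detect_decoy_access(log_lines: Iterable[str], decoy_paths: Set[str]) -> List[Dict[str, str]]:
    """Any access to a decoy path by anyone other than the deception service account is an
    alert: no business process ever reads a share that exists only as bait."""
    lookup = {p.lower() for p in decoy_paths}
    alerts = []
    for line in log_lines:
        m = AUDIT_RE.search(line)
        if not m:
            continue
        path = m.group("path").strip()
        if path.lower() in lookup and m.group("user") != DECEPTION_SERVICE_ACCOUNT:
            alerts.append({"user": m.group("user"), "src": m.group("src"),
                           "action": m.group("action"), "path": path})
    return alerts


def run_demo() -> List[Dict[str, str]]:
    """Derive one decoy path from a real share and scan the constructed audit log for it."""
    decoy = decoy_path_from_real(r"\\fs01\wm-reports\Q1-2017\portfolio_holdings.csv", "Q2-2017")
    return detect_decoy_access(SAMPLE_AUDIT_LOG, {decoy})


if __name__ == "__main__":
    print(build_decoy_report(3, seed=1))
    for alert in run_demo():
        print("DECOY ACCESS:", alert)
```

Only the after-hours read by `j.doe` surfaces; the service account's refresh write and the legitimate read of the real Q1 share are ignored. In a real deployment the decoy inventory would come from the deception platform rather than a literal set, and the alert would carry on into the forensic capture described later in the post.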

Cast a net of deceptions to validate a suspicion

If nefarious activity is suspected, it’s possible to leverage events within the organization, or create new ones, to flush advanced insiders from cover. For example, an enterprise-wide requirement to change passwords by a particular date could provide an opportunity to use deceptions designed to detect credential-scraping during this change window.  
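As an added example (not Illusive's code) of the password-change-window idea above: decoy credentials are planted on specific endpoints before the window opens, and any authentication attempt with a decoy account, successful or failed, is an alert. Recording which host each decoy was planted on tells the investigator whose credential store was harvested, and comparing that with the host the attempt came from shows whether the credential has already moved. The account names, hosts, window dates and log lines are constructed assumptions.

```python
"""Decoy-credential (honeytoken) detection during a password-change window (added example)."""
import re
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Constructed decoy accounts and the endpoint each was planted on before the window opened.
DECOY_PLACEMENT: Dict[str, str] = {
    "svc-backup-legacy": "WS-FIN-014",
    "wm-admin-old": "WS-OPS-031",
}

# Constructed enterprise-wide password-change window (UTC).
WINDOW_START = datetime(2017, 9, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2017, 9, 15, tzinfo=timezone.utc)

# Constructed authentication records; src is the hostname the attempt originated from.
SAMPLE_AUTH_LOG = [
    "2017-09-03T08:01:12Z auth user=a.lee src=WS-FIN-002 target=DC01 result=SUCCESS",
    "2017-09-03T02:14:09Z auth user=svc-backup-legacy src=WS-FIN-014 target=FS01 result=FAIL",
    "2017-09-20T19:33:40Z auth user=wm-admin-old src=JUMP-07 target=DC01 result=SUCCESS",
    "2017-09-04T10:00:00Z not-an-auth-record",
]

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) target=(?P<target>\S+) result=(?P<result>\S+)"
)


def parse_auth_line(line: str) -> Optional[dict]:
    """Parse one record into a dict with a timezone-aware timestamp, or None if it is
    not an authentication record."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def detect_decoy_logins(lines: Iterable[str],
                        placement: Dict[str, str] = DECOY_PLACEMENT,
                        start: datetime = WINDOW_START,
                        end: datetime = WINDOW_END) -> List[dict]:
    """Every attempt with a decoy account is an alert regardless of result, because the
    account has no legitimate use. Each alert records the planting host (where the
    credential was scraped from), whether the attempt fell inside the change window,
    and whether the credential is already being used from somewhere other than the
    host it was planted on."""
    alerts = []
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None or rec["user"] not in placement:
            continue
        planted_on = placement[rec["user"]]
        alerts.append({
            "user": rec["user"],
            "src": rec["src"],
            "target": rec["target"],
            "result": rec["result"],
            "planted_on": planted_on,
            "in_change_window": start <= rec["ts"] <= end,
            "used_from_planting_host": rec["src"] == planted_on,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_decoy_logins(SAMPLE_AUTH_LOG):
        print("DECOY CREDENTIAL USED:", alert)
```

Both decoy attempts are reported. The failed attempt from `WS-FIN-014` inside the window points straight at the endpoint whose credentials were scraped; the later success from `JUMP-07` with a credential planted on `WS-OPS-031` shows the credential has already been carried to another host, which is exactly the lateral movement the post says must be caught early.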

Gather the right forensics

To falsely accuse someone can have legal implications and harm company culture, so capturing tangible evidence of malicious intent is essential. Searching randomly through log files for potentially anomalous activity is not practical. DLP and other tools create far too much data, and the data they gather might show what happened but not how, or by whom. Post-breach forensic tools might take a snapshot of a hard drive but would not usually preserve information about processes and sessions running in memory on the endpoint. Because Illusive identifies threatening activity at the source, we capture this and other information. Once deception identifies a perpetrator, forensic details can be used to query other records as part of a more complete investigation.

No technology on its own can provide a complete solution for detecting insider threats; it is part of a broader program. An understanding of human psychology is also critical to identify people who may be motivated to commit malicious acts. An insider threat program must also include collaboration between IT and business teams to determine what kinds of cyber indicators to look for. But for financial services companies, deception technology is an important component of a security strategy, because it can detect activity that would otherwise appear normal. Tailoring deceptions for this purpose—given the huge impact malicious insider activity can have—is well worth the effort.  

Learn more about stopping advanced attackers—whether external or from within—with Illusive deceptions.

Download our white paper, Wire Transfer Attacks, APT, and Well-Funded, Organized Attackers.