
Can internal threats be distinguished from outside malware coders?

Differentiating between insider and non-insider malware threats can be challenging. Expert Nick Lewis offers pointers for distinguishing malware coders from internal threats.

Is there any way to tell the difference between insider versus non-insider malware? Are there software products that can detect malware written by someone inside my organization?

One of the most common and oldest threats is an attack by a trusted insider. These individuals might already have the access needed to be malicious, or, alternately, a local privilege escalation attack could give them easy access to sensitive data.

While distinguishing between insider and non-insider attacks is difficult, it could be even more difficult to detect malware written by someone inside an enterprise. Targeted attacks written by an external malware coder could disguise themselves as insider attacks since an internal account could be used as part of the compromise.

Alternately, a leak of data could also be an insider attack.

Non-insider, non-customized malware could be easier to detect than insider malware because systems on other networks might submit the same suspicious files to antimalware vendors, and the resulting vendor security intelligence would improve detection.

Unfortunately, there are no software products that would specifically spot malware written by someone within an organization. You could identify whether an internal command and control system is used with the malware, or whether a file might have been downloaded from a legitimate system. Once a malicious file is identified, it should be checked for shared libraries or a coding style that might be common in the enterprise.

Detecting an insider attack -- whether it is using custom developed malware or not -- can be done by monitoring suspicious activities on systems and reviewing logs. Check logs for both where and when authentication occurred, and for what files were accessed on those systems.

CERT has an insider threat focus and offers an insider threat best practices list to help protect against and detect insider threats.
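The log review described above (where and when authentication occurred, and which files were then accessed), sketched as an added example that is not part of the original article. The log formats, accounts, host names, file paths, work-hours range and one-hour window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs. Auth: time user source_host server. File: time user server path.
AUTH_LOG = """\
2015-02-02T09:05:00 alice ws-014 fs01
2015-02-03T08:55:00 alice ws-014 fs01
2015-02-04T09:10:00 alice ws-014 fs01
2015-02-05T02:17:00 alice ws-231 fs01
2015-02-03T10:00:00 bob ws-020 fs01
2015-02-05T10:30:00 bob ws-020 fs01
"""
FILE_LOG = """\
2015-02-04T09:20:00 alice fs01 /projects/q1-plan.docx
2015-02-05T02:19:00 alice fs01 /finance/payroll.xlsx
2015-02-05T02:25:00 alice fs01 /hr/reviews.zip
2015-02-05T10:45:00 bob fs01 /projects/q1-plan.docx
"""

def parse(text):
    for line in text.splitlines():
        ts, *rest = line.split()
        yield (datetime.fromisoformat(ts), *rest)

def find_unusual_logins(auth_text, baseline_end, work_hours=range(7, 20)):
    """Flag logins after baseline_end from a host unseen in the baseline, or outside work hours."""
    known, flagged = defaultdict(set), []
    for ts, user, src, dst in sorted(parse(auth_text)):
        if ts < baseline_end:          # baseline period: learn each account's usual hosts
            known[user].add(src)
            continue
        reasons = []
        if src not in known[user]:
            reasons.append("new source host")
        if ts.hour not in work_hours:
            reasons.append("outside work hours")
        if reasons:
            flagged.append({"time": ts, "user": user, "source": src, "server": dst, "reasons": reasons})
    return flagged

def files_after_login(login, file_text, window=timedelta(hours=1)):
    """Files the same account touched on the same server within `window` of a flagged login."""
    return [path for ts, user, host, path in parse(file_text)
            if user == login["user"] and host == login["server"]
            and login["time"] <= ts <= login["time"] + window]

def report(auth_text=AUTH_LOG, file_text=FILE_LOG, baseline_end=datetime(2015, 2, 5)):
    return [(l["user"], l["source"], l["reasons"], files_after_login(l, file_text))
            for l in find_unusual_logins(auth_text, baseline_end)]
```

A flagged login marks an account for review only; as noted above, an external attacker can operate through an internal account, so the result does not by itself say whether an insider was involved.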


This was last published in February 2015
