apops - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

Can internal threats be distinguished from outside malware coders?

Differentiating between insider and non-insider malware threats can be challenging. Expert Nick Lewis offers pointers for distinguishing malware coders from internal threats.

Is there any way to tell the difference between insider versus non-insider malware? Are there software products that can detect malware written by someone inside my organization?

One of the most common and oldest threats is an attack by a trusted insider. These individuals might already have the access needed to be malicious, or, alternately, a local privilege escalation attack could give them easy access to sensitive data.

While distinguishing between insider and non-insider attacks is difficult, it could be even more difficult to detect malware written by someone inside an enterprise. Targeted attacks written by an external malware coder could disguise themselves as insider attacks since an internal account could be used as part of the compromise.

Alternately, a leak of data could also be an insider attack.

Non-insider and non-customized malware could be easiest to detect versus insider malware because other systems from other networks might submit the same suspicious files to antimalware vendors; the security intelligence from vendors would improve this detection.

Unfortunately, there are no software products that would specifically spot malware written by someone within an organization. You could identify if an internal command and control system is used with the malware or where a file might have been downloaded from a legitimate system. Once a malicious file is identified, it should be checked for shared libraries or coding style that might be common in the enterprise to see if there are any commonalities.

Detecting an insider attack -- whether it is using custom developed malware or not -- can be done by monitoring suspicious activities on systems and reviewing logs. Check logs for both where and when authentication occurred, and for what files were accessed on those systems.

CERT has an insider threat focus and offers insider threat best practice list to help protect against and detect insider threats.

Ask the Expert!
Perplexed about enterprise security? Send Nick Lewis your questions today! (All questions are anonymous.)

Next Steps

Learn more about mitigating and monitoring insider threats.

This was last published in February 2015

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Has your organization ever had an issue detecting insider threats?
Simple answer...no. More direct answer, I'm one person and I'm the only one who accesses my systems. If I had an insider threat, it would be time for stronger meds and a psychology intervention.
Differentiating insider from non-insider malware threats could be challenging as even the external malware coder can disguise their skills to fit a threat being traced back to an internal account.  Even though there are diverse security software against external attacks, there are literally no software products against internal malware threats which make it difficult to detect such threats on time and even trace their origin as coders have a certain style preferential to an individual.
This is like magic to me. I guess you could examine the code to see what components are proprietary to see if it came from inside, but who's to say the outside agent is a slouch. If you were attacking a system, wouldn't you do your evil due diligence and get as much code from the victim as you could so your malware would be less traceable? I'm a huge forensics fan and this is the future. Good discussion Nick!