This content is part of the Essential Guide: How to prepare for the emerging threats to your systems and data
Manage Learn to apply best practices and optimize your operations.

Accidental insider threats and four ways to prevent them

Most insider attacks to enterprises are accidental, not intentional. SANS Faculty Senior Fellow Eric Cole, Ph.D., explains why security awareness training isn't enough to stop these threats.

Insider threat is a term many people are familiar with. The problem is that when people hear this term, they immediately...

think of malicious, evil insiders that are deliberately causing harm to an organization.

While the "malicious" insider threat will always be a concern, many may be surprised to learn that it isn't the primary area of damage for most organizations today. The main point of compromise for many attacks today is the "accidental" insider.

The accidental insider is someone who honestly and earnestly believes he is doing his job well and presents no threat to his employer, but is tricked or manipulated into allowing someone to cause harm to the organization.

When looking at attacks today, most people think external attacks are the biggest problem for organizations and where they need to focus most of their energy. However, it is important to distinguish between the source of an attack and the cause of damage. While the source of most attacks is absolutely external, the cause of damage is often the accidental insider. Adversaries recognize that it is too hard to directly break into servers and compromise an organization externally. It is much easier to target an insider, trick that person into opening an attachment or clicking on a link through social engineering, and then leverage his system as a point of compromise.

In many cases, the activity that is used to compromise an insider typically revolves around executable attachments, macros in office documents and HTML embedded content.

What can an organization do to properly protect itself against insider threats? Most organizations believe greater security awareness is the answer to minimizing accidental insider attacks; this means ensuring employees better understand the dangers and exposures. While I am a big fan of awareness, organizations have to remember that no solution will solve every problem.

Awareness is good for basic attacks where there is something visibly wrong with the email or information received by the user. However, with advanced adversaries and more sophisticated phishing attacks, the information received looks identical to real communication, thus the reason it is often successful. Awareness will not help in this case. The solution to these sophisticated attacks is to remove the vector of attack.

Insider threats are often targeted by attachments in email or embedded Web links that are used to cause harm and compromise a system. The following are four categories of actionable controls that enterprises can put in place to minimize the harm of the unintentional insider attacks.

Control applications

Two of the most potentially harmful applications on computers today are Web browsers and email clients; they are typically the most common points of entry for malware. Steps can be taken to limit the capability of those applications, but doing so also affects legitimate functionality that is often required to conduct key business processes.

Therefore, one solution is to run dangerous applications in separate virtual machines. Every time the application is launched, it runs in an isolated VM. If it is malicious, any infections would occur only in the VM, and there is no harm to the host operating system. When the application is closed, the VM is closed and any harmful activity is also controlled. In this case, a system is only infected for a short period in a controlled environment and there is minimal long-term impact. Additionally, this solution has no impact to the user while significantly impacting the ability of the adversary to cause harm.

Filter bad content

In many cases, the activity that is used to compromise an insider typically revolves around executable attachments, macros in office documents and HTML embedded content. Most organizations do not need to allow this activity coming from the Internet. Therefore, in the spirit of least privilege, if the activity is not required, it should be blocked. Strategically blocking only a small subset of harmful activity can have a positive impact on minimizing the damage from an adversary.

Limit executable content

Blocking all files of a certain type, while effective, is not always feasible if the files are needed by a user. Therefore, an alternative is to sandbox or filter out certain activity while still allowing legitimate activity through. Effective technology exists that can take an attachment, perform analysis of the content, and even run it in a sandbox to examine the behavior; if it is malicious, it would be blocked, and if it is legitimate, it is allowed through. This gives organizations more flexibility in filtering out content, but limits the impact of stopping normal activity that is required to run the business.

Control executables

Compromising an accidental insider is usually done by tricking the user into running an executable that they believe is legitimate, but actually contains malicious content. By controlling and verifying executables through technology like application whitelisting, you can minimize the introduction of harmful content into a system.


It can't be emphasized enough that the most important part of understanding accidental insider threats is that the non-malicious employees, partners and others with privileged access represent the greatest potential for malice, simply because of the ease with which the average person can be manipulated. The good news is that once an organization understands that the accidental insider is the greatest potential cause of insider-related damage, actionable steps can be taken to control and minimize the impact this risk has on an organization.

If there is an article that you would like written or a problem you are looking to solve, please contact Eric Cole at [email protected].

About the author:
Eric Cole, Ph.D., is an industry-recognized security expert with more than 25 years of hands-on experience. He is the founder of and an executive leader at Secure Anchor Consulting, where he provides leading-edge cybersecurity consulting services and expert-witness work, and leads research and development initiatives to advance state-of-the-art information systems security. He was the lone inductee into the Infosecurity Europe Hall of Fame in 2014. He is actively involved with the SANS Technology Institute and is a SANS faculty senior fellow and course author who works with students, teaches, and develops and maintains courseware.

Next Steps

The SANS Institute says enterprises are overconfident in their ability to detect insider attacks and threats

Find out how the Dyre Wolf financial malware campaign is using social engineering to attack banks

This was last published in April 2015

Dig Deeper on Security Awareness Training and Internal Threats-Information