Posted in Insider Threat Management

Three Indicators Your Privileged Users May Be Insider Threats

Reading Time: 3 minutes

Your privileged users, or super-admins, can have access to troves of sensitive and confidential data — ranging from intellectual property, to payroll, to HR information, and more. Whether malicious or unintentional, privileged user account abuse is one of the top causes of insider threat incidents, with 55% of organizations claiming that privileged users posed the biggest insider security risk.

How do you tell if a trusted, privileged user is going to be guilty of data exfiltration? Here are some key insider threat indicators to watch out for in your organization:

  1. Escalating Privileges or Giving Access to Untrusted Users

    Usually, privileged users have access to a certain subset of data or information that they need to do their jobs effectively. Following the principle of least privilege, these users  have some sort of time limitation or role-based segmentation of access control.

    However, in an insider threat scenario, you may begin to detect that these users are regularly escalating their own privileges, or granting themselves access to otherwise restricted areas of the network.

    In many cases this is done by logging into systems with a low-end user account to search for exploitable programming errors or design flaws in the system that can be used to escalate their privileges and gain more access. If these insider threats successfully exploit these vulnerabilities, they can create new system users, access files, authorize network activity, and change system settings. (Yikes.)

    Takeaway: Keep an eye out, for example, for the authorization of otherwise untrusted users. Once your insiders (and potentially, related outside threat actors) are in that deep, sensitive data can easily be exfiltrated, an entire network can be hijacked – or worse.


  1. Abusing Root-Level Commands

    Many organizations tend to restrict admin access to the   systems, because of the high risk associated with admins logging in as the root user (or changing identity to root after logging in during a session). Instead, sudo is used to grant administrators root-level permissions to execute particular commands and scripts, when needed. This allows admin users to do their jobs without needing to know the root password or gain full root permissions.

    There are, however, significant risks with the sudo approach: admins can abuse the root-level permissions they have received for one purpose to perform unrelated and nefarious activities that are very difficult to detect.

    Takeaway: One behavior to watch, for example, is breaking out of an intended file to execute a destructive command, while using a sudo permission.


  1. General Negligence With Administrative Credentials

    Considering that 2 out of 3 insider threat incidents are caused by employee or contractor negligence, mistakes can sometimes be even more costly than the rarer malicious insider use cases.

    Privileged users, in particular, can become major risks if they start to become negligent with general security hygiene, such as password management. For example, neglecting to regularly change administrative passwords, or sharing admin credentials through insecure systems may increase the risk of a breach.

    In addition, many organizations fall victim to accidentally committing their administrative credentials to code using repositories such as GitHub, much like the infamous Code Spaces AWS security breach of 2014, which caused the company to close its doors.

    Takeaway: Using secrets management systems to rotate administrative credentials could help reduce some of this margin for error.

How User Activity Monitoring Can Detect Privileged Insider Threats

A user activity-based insider threat management system like ObserveIT can help detect suspicious user activity, giving security teams much needed visibility.

Whether users are escalating privileges, exploiting them, or generally being negligent, it’s important to know exactly what your super-admins are doing with their privileged permissions. Likewise, it is also important to be able to obtain visibility into users with lesser permissions, to determine if their access or activity changes over time.

In the event of an insider threat incident, security teams can review detailed user activity logs and video playback for fast root cause analysis and forensics investigation.

For more information on ObserveIT, why not try it for free?