Insider Threat Assessment

The Aon team follows a clear and proven process in analyzing the organizational aspects of the insider threat landscape, which includes:

• A review of existing policies, procedures and technologies related to organizational charters, access control, data management, and incident response.
• Building an insider threat strategy based on the organization’s unique risks and vulnerabilities. The model could focus on potential threat actors and/or specific sensitive information or trade secrets that could interest cyber actors.
• Interviews and surveys with key personnel to gather insights into user behavior, motivation and attitudes toward security and risk management.
• Evaluate the effectiveness of security tools, monitoring, and countermeasures. Aon’s Insider Threat Simulation is aligned with the MITRE Insider Threat initiative  and allows clients to assess insider threat risk. The simulation impersonates employee/contractor user roles and uses specific insider breach techniques to try to bypass security controls and defenses. The simulation provides multiple scenarios to test the effectiveness of security controls and detection mechanisms. 
• During an Insider Threat Simulation, Aon’s integration with a client’s security stack and Security, Information and Event Management (SIEM) provides an in-depth analysis of successful/blocked breach techniques while measuring the efficacy of defensive controls and the security monitoring programs. 
• Aon can test the effectiveness of data leak prevention controls and firewall policies by simulating thousands of attacker techniques to stage data.

These fact-finding steps are supported by access to advanced tools and technologies for monitoring and analyzing network activity, user behavior and data access patterns.

After gathering and analyzing the information gained in the above steps, the Aon team develops a comprehensive report of findings and recommendations — including specific actions to address identified vulnerabilities and improve overall security posture. Recommended actions may include:

• Improvement of policies and procedures
• Deployment of more effective access controls
• Enhanced user awareness and security training
• Implementation of advanced security technologies and solutions
• Technical findings intended to improve SIEM detection and security tool effectiveness

This report is presented to key stakeholders, including the C-suite, security leadership, senior management, HR and legal stakeholders involved in managing an insider threat program. 

Commonly referred to as compromise simulation, this targeted penetration test demonstrates the potential impact by an authenticated malicious insider, advanced end-user or host compromised by malware or credential theft. Posing as a legitimate user with low-level domain privileges, Aon penetration testers simulate a targeted attack, attempting to breach security controls and gain access to restricted data and internal systems. This style of test helps determine whether an organization has problems with its insider controls, such as overly permissive authorization protocols, privilege escalation or exploitation of network and application vulnerabilities. 

Aon also simulates sophisticated insider attacks that manually subvert security controls to gain access to sensitive data such as confidential customer information, employee records, code signing keys, strategic planning and financial information. This type of manual assessment allows clients to gauge the effectiveness of notoriously difficult-to-monitor attacks instead of relying on automated scanning output . Aon’s team can demonstrate a realistic attack path to sensitive data within the organization from end to end. This allows clients to evaluate internal security controls, including the new security controls implemented following an Insider Threat Assessment and Simulation.

This service can be customized to cover numerous potential attack paths and targets. Regularly performing these types of assessments helps to continuously improve client security posture as new vulnerabilities and threat tactics, techniques, and procedures evolve. This may include building controls to counter:

• New 0-day vulnerabilities
• Improved attacker tooling
• New EDR/AV bypasses
• Emerging threats

The Aon team develops a comprehensive report of findings and recommendations — including specific actions to address identified vulnerabilities and improve overall security posture. Recommended actions may include: 

• Improving incident response procedures and alerts 
• Improving access control efficacy
• Recommendation of advanced security technologies and solutions