
I understand that a threat is a possible security violation that might exploit the vulnerability of a system, and an attack is an action on a system that harms the organisation in some way. Therefore, we should detect attacks and prevent or mitigate threats.

However, when I look at multiple cybersecurity sources focused on insider issues, most of them talk only about insider threats and do not talk about insider attacks at all. In addition, they repeatedly use the term insider threat even for actions that should be considered attacks. You can see it, for example, in:

Can someone please explain to me what the difference is between an insider attack and an insider threat? Why does it seem to have a different meaning regarding insiders than in general usage? Why is mostly just the term insider threat used?

  • I would consider *threat* to be a much broader term, which also includes attacks, because attacks obviously pose a threat to the proper function of a company. – Steffen Ullrich Aug 12 '20 at 16:37
  • But isn't a threat just the possibility of an attack? When we take it into the context of, for example, detection... Threat detection and attack detection sound different to me - in threat detection I am looking for possible issues that might end up in attacks, while in attack detection I detect a specific act that does harm. – Ylvetal Aug 12 '20 at 16:43

When we look at basic definitions of the terms threat and attack, we assume that there are two different entities while most don't realize that one could very easily be the cause for the other. Meaning, a threat exists and hence an attack would be possible. So when you talk about a threat, you are automatically talking about all the possible attacks that the threat might result in.

Having a weak password policy is a threat, and hence someone guessing your password as an attack is a very plausible scenario.

So when we are talking about insider threats, we are usually also combining the possible insider attacks that could result from the presence of this threat. Not having adequate controls over access and auditing of an employee's actions is a threat, and this threat may result in a number of insider attacks, which may include things like "An employee stealing or leaking confidential information".

When talking about insider threats, we usually will only see these "insider attacks" after they have happened, and not while the insider threat is being exploited, unlike external threats, where we define marked boundaries between internal and external attack surfaces. So you can easily position a system at this boundary, detect an anomaly and maybe stop it before it causes harm.

To give a very basic example: for my home, I can have a security guard or an alarm system to alert me of any external threat/attack, and I may prevent it with their help. My kids can steal a cookie from the cookie jar, which is an insider threat, and all I can do is put it high above their reach to eliminate the threat.

Hope that helps clear up your confusion.

s1rrv
  • Thank you very much for the explanation... just to be sure I understand it right (and then I'll accept the answer), I will use those terms in context: can you confirm whether these statements are true? 1. When I look for insider threats, I want to find the issues that ***might*** lead to possible insider attacks. 2. When I look for insider attacks, I want to find the real actions that ***were*** or ***are*** damaging the organization (based on whether I do it in real time or not). 3. When I want to mitigate/prevent insider attacks, I have to mitigate/prevent insider threats. – Ylvetal Aug 13 '20 at 09:22
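The distinction the answer draws, and the three statements in the follow-up comment, correspond to two different kinds of detection logic. The following is an added example written for this page, not code from the question, the answer or any product: it runs a threat review over a constructed access snapshot (looking for conditions that make an attack possible, such as auditing switched off or access beyond a user's role) and an attack detection over constructed audit lines (looking for actions that have already happened, here after-hours bulk downloads). The share names, user names, roles, log line format and the five-download threshold are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed access snapshot (hypothetical users, shares and roles; not real data).
ENTITLEMENTS = {
    "finance_share": {
        "owner_role": "finance",
        "audited": True,
        "users": {"alice": "finance", "bob": "engineering"},
    },
    "hr_share": {
        "owner_role": "hr",
        "audited": False,
        "users": {"carol": "hr", "dave": "hr"},
    },
}

# Constructed audit lines in the format "<timestamp> <user> <share> <action> <object>".
AUDIT_LOG = [
    "2020-08-12T02:11:00 alice finance_share DOWNLOAD q2_forecast.xlsx",
    "2020-08-12T02:12:00 alice finance_share DOWNLOAD q3_forecast.xlsx",
    "2020-08-12T02:13:00 alice finance_share DOWNLOAD payroll_summary.csv",
    "2020-08-12T02:14:00 alice finance_share DOWNLOAD vendor_contracts.pdf",
    "2020-08-12T02:15:00 alice finance_share DOWNLOAD board_deck.pptx",
    "2020-08-12T02:16:00 alice finance_share DOWNLOAD bank_details.xlsx",
    "2020-08-12T10:00:00 alice finance_share DOWNLOAD expense_policy.docx",
    "2020-08-12T03:00:00 bob finance_share DOWNLOAD q2_forecast.xlsx",
    "2020-08-12T03:05:00 bob finance_share READ q2_forecast.xlsx",
]


def find_insider_threats(entitlements):
    """Return threat findings: conditions that make an insider attack possible.

    Nothing here says anyone has done anything wrong; these are the gaps the
    answer calls 'not having adequate controls over access and auditing'.
    """
    findings = []
    for share, meta in entitlements.items():
        if not meta["audited"]:
            # Without auditing, an attack on this share could only be noticed after the fact.
            findings.append((share, "AUDIT_DISABLED", None))
        for user, role in meta["users"].items():
            if role != meta["owner_role"]:
                # Access beyond the user's role: a leak is possible, not yet observed.
                findings.append((share, "EXCESS_ACCESS", user))
    return findings


def detect_insider_attacks(log_lines, threshold=5, night=(20, 7)):
    """Return attack detections: actions already recorded in the audit trail.

    Rule (made up for the example): `threshold` or more downloads from one share
    by one user between 20:00 and 07:00 is flagged as possible bulk exfiltration.
    """
    counts = defaultdict(int)
    for line in log_lines:
        ts, user, share, action, _obj = line.split(" ", 4)
        hour = datetime.fromisoformat(ts).hour
        after_hours = hour >= night[0] or hour < night[1]
        if action == "DOWNLOAD" and after_hours:
            counts[(user, share)] += 1
    return [(user, share, n) for (user, share), n in counts.items() if n >= threshold]


def blind_spots(entitlements):
    """Shares where attack detection cannot run at all because nothing is logged."""
    return sorted(s for s, m in entitlements.items() if not m["audited"])


if __name__ == "__main__":
    print("threat findings  :", find_insider_threats(ENTITLEMENTS))
    print("attack detections:", detect_insider_attacks(AUDIT_LOG))
    print("unwatched shares :", blind_spots(ENTITLEMENTS))
```

Running it shows that the two outputs differ in kind: the threat review names bob's excess access to finance_share and the unaudited hr_share before anything has gone wrong, while the attack detection names only alice's six night-time downloads, and it can say nothing about hr_share because there is no log to read. That last gap is the answer's point about insider attacks often being seen only after the fact, and it is also why mitigating the threat (enabling auditing, removing excess access) comes before detecting the attack.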