Motivations – Fantastic Insiders and How to Find Them
Welcome back to Fun with Insider Threat. Continuing our look into Insider Threat, let's venture into the world of Flight Risk. Unlike other types of Insider Threat, Flight Risk candidates rarely have ill will towards the company they are leaving. Most often, the motive is to retrieve all the data they worked on or believe will be beneficial at their next job. All companies, to varying degrees, claim that any work product produced on company assets or during work hours is the sole property of the employer, but the average employee does not consider this when leaving. This seems to be especially prevalent in creative roles: a graphic designer, for example, is judged on the quality of their portfolio, and extracting examples of their art is pivotal to finding a new job or iterating on current work product.
Flight Risk candidates are also generally less technical than malicious insiders, as they just want their work product out of the environment and accessible after they leave the job. This makes them very noisy exfiltrators, often repeatedly getting blocked and attempting to modify methods and variables to avoid the filters. With email, this can manifest as a single message with multiple large attachments being sent home, followed by incrementally sneakier attempts that change the destination, subject line, file names, file size, or format. Often there will also be a change in medium: from email, which is usually the first method as it is readily available, to USB storage device writes, to website or online mail uploads, ending with printing documents, which will not be blocked. This pattern varies in complexity and volume but generally results in physical security breaches such as printing, copying work onto paper, or taking pictures with a cell phone. Occasionally this can escalate to Control Avoidance, which we will cover after the break.
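One way to surface the pattern described above from DLP logs, as an added example that is not from the original post: it flags a user with repeated blocked transfers who then switches channel within one window. The event fields, channel names, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DLP events (time, user, channel, action, file); not real data.
EVENTS = [
    ("2024-03-01T09:02", "designer1", "email", "blocked", "portfolio.zip"),
    ("2024-03-01T09:10", "designer1", "email", "blocked", "notes.zip"),
    ("2024-03-01T09:25", "designer1", "email", "blocked", "notes_part1.7z"),
    ("2024-03-01T10:05", "designer1", "usb", "blocked", "notes_part1.7z"),
    ("2024-03-01T10:40", "designer1", "web_upload", "blocked", "img001.png"),
    ("2024-03-01T11:15", "designer1", "print", "allowed", "img001.png"),
    ("2024-03-01T09:30", "analyst2", "email", "blocked", "report.xlsx"),
    ("2024-03-01T14:00", "analyst2", "print", "allowed", "agenda.docx"),
]

def flight_risk_findings(events, window=timedelta(hours=8), min_blocks=3, min_channels=2):
    """Flag users with repeated blocks and a switch of channel inside one window."""
    by_user = defaultdict(list)
    for ts, user, channel, action, name in events:
        by_user[user].append((datetime.fromisoformat(ts), channel, action, name))
    findings = {}
    for user, rows in by_user.items():
        rows.sort()
        blocks = [r for r in rows if r[2] == "blocked"]
        if len(blocks) < min_blocks:
            continue  # a single blocked mail is ordinary noise, not the pattern
        start = blocks[0][0]  # assumption: the window opens at the first block
        in_window = [r for r in rows if start <= r[0] <= start + window]
        blocked = [r for r in in_window if r[2] == "blocked"]
        channels = []  # order in which each channel was first tried
        for r in in_window:
            if r[1] not in channels:
                channels.append(r[1])
        if len(blocked) >= min_blocks and len(channels) >= min_channels:
            findings[user] = {
                "blocked": len(blocked),
                "channel_path": channels,
                "variants": len({r[3] for r in blocked}),  # renamed/resplit files
                # An allowed print after the last block is the end state the post describes.
                "print_after_block": any(
                    r[1] == "print" and r[2] == "allowed" and r[0] > blocked[-1][0]
                    for r in in_window),
            }
    return findings

if __name__ == "__main__":
    for user, finding in flight_risk_findings(EVENTS).items():
        print(user, finding)
```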