Who is an Insider: Clear and Present Dangers
Welcome to Fun with Insider Threat. The goal of these articles is to give a periodic view into my opinions and experience in the world of Insider Threat detection. This introductory segment outlines what Insider Threat is, common behavior tropes, and a glimpse into the detection methods.
Insider threats can be defined as any agent within the environment, employed by or under contract with a company, exfiltrating, tampering with, or destroying assets and/or data. The vast majority of cyber security and audit products and techniques focus on keeping outside and unauthorized sources from accessing internal resources, but much less effort is dedicated to identifying the behavior patterns, motives, opportunities, and techniques that a trusted employee might use to commit the same catastrophic actions. There are three traditional ways to leave a company: quit, get fired, or die. We are going to focus on the first way, as it is the most common, unless you are the Pope or a politician. Summarized below are the major sources and motivations of insiders, in my experience.
A large portion of employees will only think to remove data from the environment when they see an end to their access to the data in question. This is traditionally when people look to send work products, company data, and personal artifacts held on their company device and network home, so they can still reach them when they no longer work for the company. People leave a job for a myriad of reasons, but the motives and behavior patterns are usually evident when you look at an employee's traffic in the correct ways. People naturally do not consider the fact that their traffic on a work device or network is being captured and analyzed, especially if they feel underutilized or unfulfilled in their current roles. With this extra time people shop, look at cat pictures, job search, and perform other tasks that use company assets in an unintended way. This traffic can be analyzed by baselining it against the employee's normal behavior, against their peers as defined by role or management structure, and against the company as a whole. For example, if there is a marked increase in house hunting in a different state along with job searching, the employee should be placed under enhanced monitoring scrutiny. Another example: graphic designers taking work produced for the current company to show as a body of work in interviews, or to improve their output at the next company.
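One way to implement the baselining described above, as an added example that is not part of the original article: proxy hits in a watch category are compared against the employee's own prior weeks and against role peers in the same week. The category names, weekly bucketing, and 3x thresholds are assumptions, and the log records are constructed.

```python
"""Flight-risk baselining over constructed web-proxy category logs.

Added example, not code from the original article. Each record is
(week, user, role, url_category); a user's watch-category hits are compared
with their own prior-week mean and with role peers in the same week.
Category names and the 3x thresholds are illustrative assumptions.
"""
from collections import defaultdict
from statistics import mean

WATCH = {"job_search", "real_estate_out_of_state"}  # assumed category names

SAMPLE = [  # constructed: (week, user, role, category, hits)
    (1, "alice", "design", "job_search", 1),
    (2, "alice", "design", "job_search", 1),
    (3, "alice", "design", "job_search", 6),
    (3, "alice", "design", "real_estate_out_of_state", 3),
    (1, "bob", "design", "job_search", 1),
    (3, "bob", "design", "job_search", 1),
    (1, "carol", "design", "social", 2),
    (3, "carol", "design", "social", 2),
]
LOG = [rec[:4] for rec in SAMPLE for _ in range(rec[4])]  # one tuple per hit


def weekly_counts(log):
    """Return counts[user][week][category] -> hits and roles[user] -> role."""
    counts = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    roles = {}
    for week, user, role, cat in log:
        counts[user][week][cat] += 1
        roles[user] = role
    return counts, roles


def flight_risk_flags(log, user, week, self_ratio=3.0, peer_ratio=3.0):
    """Watch categories where `user` in `week` exceeds both their own prior
    baseline and their role peers' current baseline by the given ratios."""
    counts, roles = weekly_counts(log)
    peers = [u for u, r in roles.items() if r == roles.get(user) and u != user]
    flagged = []
    for cat in sorted(WATCH):
        now = counts[user][week][cat]
        prior = [counts[user][w][cat] for w in range(1, week)] or [0]
        peer_now = [counts[p][week][cat] for p in peers] or [0]
        # +1 smoothing so a zero baseline neither divides by zero nor over-flags
        vs_self = now / (mean(prior) + 1)
        vs_peers = now / (mean(peer_now) + 1)
        if vs_self >= self_ratio and vs_peers >= peer_ratio:
            flagged.append(cat)
    return flagged
```

A flagged category is an input to enhanced monitoring review, not a verdict; the company-wide baseline the article also mentions would be a third comparison built the same way.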
Disgruntled workers have similar behavior patterns to flight risk candidates, except typically with more anger and malicious intent. Too often people will stay with a company after they have become unhappy, for various reasons, in order to negatively impact the flow of business, sabotage ongoing programs or assets, and/or cause reputational harm to the company. For example: an employee who was passed over for a promotion and has unfettered access to current code and processes.
Lack of Work / Termination Candidates
This group of workers is underperforming in their field or role and sees the writing on the wall for their expulsion from the company. This can often lead to the aforementioned profiles, but the group can be identified by different means, such as a list from HR, partnerships with the managers who will be relieving the workers of employment, or various communication patterns, like the employee airing their concerns externally to personal contacts.
Technical insiders are defined as employees who have enhanced technical savvy or access, through which their theft or manipulation of assets would be more severe and less obvious than that of the average employee. This may include control avoidance activities, more technical sabotage, and being quieter on the network.
Within certain industries, organized corporate espionage has been reported, albeit very rarely. Much more common are people moving from one company to another within the same role family and taking trade secrets, contact lists, or planned project outlines with them. This is especially prevalent within the financial and research sectors, as part of the recruiting strategy is finding the most connected individuals and bringing both their clients and their abilities to the new company.
Edward Snowden. Yup, that’s all I need to say to relay that message.
Next time on Fun with Insider Threat
- Flight Risk, focusing on three main topics
- Motivations – Fantastic Insiders and How to Find Them
- How Companies Today Combat Insiders – Extremely Threatening and Incredibly Close
- Detection Logic and Use Cases to Identify Flight Risk – An Insider’s Guide to the Galaxy
This article was written by friend and colleague, Adam Blake: Insider Threat Guru. He wanted to put together some articles to educate willing readers in the world of insider threat. No, the person sitting next to you isn't secretly funneling corporate assets into their bank account. Or maybe they are. Paranoid yet? Read on. If your coworker fits any of these criteria, pass rumors around the office that they're an insider. Nothing will go wrong. Either way, enjoy. Thanks Adam.