Blog

Insider Threats: profiling and detection

“It’s all about trust” we could say. The majority of human activities and human interactions are based on trust. We trust who build and implemented the traffic light system. We cannot verify that when we see green on our way driving 80 km/h, everybody else has red and is not moving. Again we trust the restaurant’ chef cooking our meal utilising good ingredients and nothing harmful for our health. We cannot break into the kitchen and personally inspect what’s happening there. Inheritably we trust people in our organisation, we trust who we hire giving them access to confidential information and business critical Intellectual property. This represents a business risk which mature organisations know very well but finds it as one of the hardest problems to solve.

Security operations articulate their activities around people, process and technology and if having a good balance between the three components is true and necessary for external threats it’s even more true and pushes to the limit the threat detection capabilities.

But who is an internal threat?

Based on the White Paper from Eric D. Shaw and Harley V. Stock Some of the more interesting findings from the review include:

Insider IP thieves are more often in technical positions

The majority of IP theft is committed by current male employees averaging about 37 years of age who serve in mainly technical positions including engineers or scientists, managers, salespersons and programmers. The majority of IP thieves had signed IP agreements, indicating that policy alone, without employee comprehension and effective enforcement, is ineffective.

Typically insider IP thieves already have a new job

About 65% of employees that commit insider IP theft had already accepted positions with a competing company or started their own company at the time of the theft. About 25% were recruited by an outsider who had targeted the data and about 20% of thefts involved collaboration with another insider.

Insider IP thieves most often steal what they have authorised access to

Subjects take the data they know, work with and often feel entitled to. In fact, 75% of insiders stole material they had authorised access to. This complicates an organisation’s ability to protect their IP through technical controls and supports the need for more direct discussions with employees about what data is and is not transferrable upon their departure and should be an overt part of any employee IP agreement.

Trade secrets are most common IP type stolen by insiders

Trade secrets were stolen in 52% of cases. Business information such as billing information, price lists and other administrative data was stolen in 30%, source code 20%, proprietary software 14%, customer information 12%, and business plans 6%.

Insiders use technical means to steal IP, but they are discovered by non-technical employees

The majority of subjects 54% used a network—email, a remote network access channel or network file transfer to exfiltrate their stolen data. However, most insider IP theft was discovered by non-technical versus technical employees.

Professional setbacks can fast-track insiders considering stealing IP

Acceleration on the pathway to insider theft occurs when the employee gets tired of “thinking about it” and decides to take action or is solicited by others to do so.

This move often occurs on the heels of a perceived professional set-back or has not met his/her expectations. This demarcation from intention to action, explains why some insider theft appears to be spontaneous, when it isn’t.

At this point, having profiled who the typical insider threat is let’s have a look at how to address this risk and possible mitigations. An interesting approach comes from CISA. In their website section dedicated to Infrastructure Security we can find the description of the concept of People as Sensor.

“An organization’s personnel are the human component for the detection and identification of an insider threat. Co-workers, peers, friends, neighbors, family members, or casual observers are frequently positioned for insight into and awareness of predispositions, stressors, and behaviors of an insider who may be considering malicious acts. When observing human behavior, bear in mind two important qualities:

Listen through the other person’s frame of reference, not your own. Do not assume that somebody will ask for help or ask to be stopped, or that they will talk about their intentions in the same way you would.

Listen to the other person with your eyes. People often disclose their intentions through non-verbal means.”

There is also a series of indicators that is worth to mention as they give more context and details about where to look for Insider Threat signs.

Personal Indicators are a combination of predisposition attributes and personal stressors currently impacting the insider.
Background Indicators are events that happen before an individual is hired by an organisation or before an individual obtains network organisational access.
Behavioural Indicators are actions directly observable by peers, HR personnel, supervisors, and technology. Over time, behaviours create a baseline of activities from which changes may be considered a threat indicator.
Technical Indicators involve network and host activity and require direct application of IT systems and tools to detect.
Organisational/Environmental Indicators:
- Organisational policies and cultural practices can play a significant role in creating or managing an insider threat.
- Environmental factors can escalate or mitigate stressors that may contribute to behavioural changes and an individual’s progression from trusted insider to insider threat. These factors are often related to organisational policies and cultural practices.
Violence Indicators are specific behaviours or collections of behaviours that can instill fear or generate a concern that a person might act upon these behaviours include, but are not limited to, intimidation, harassment, and bullying.

As a final consideration, it is important to mention that with the evolution of Artificial Intelligence technologies like Machine Learning it’s possible to combine the behavioural approach with technical artefacts like network or host metadata. This allows the detection process to get faster by orders of magnitude. No matter if it’s a Smash and Grab or a slow bleeding type of behavior, AI will be able to generate useful indicators out of the network’s noise. Also combining different type of indicators can add value and improve the posture against Insider Threats. One example that I’ve seen recently, is when an employee resigns and in the notice period starts to collect and exfiltrate data. In this specific scenario combining non-technical indicators – resignation – with a threat hunting approach – search the network metadata for anomalies – can be very beneficial.

Battista Cagnoni

Battista Cagnoni, Senior Consultant, Advisory Services, EMEA at Vectra, is a security expert with a long experience in different areas of the industry, where he has held positions as Security Engineer, Security Analyst or SOC Lead. He is passionate about cyber security culture, awareness and understanding of methodologies to deal with security issues. He is constantly sharing his knowledge, offering advice and processes at the highest level, helping CISOs who are thinking about how to strengthen and achieve a high degree of maturity in security operations. Battista holds the GIAC Forensic Analyst and Incident Handler certifications as well as the CISSP, GCFA, GCIH Expert certificates.