Preventing insider threats: What to watch (and watch out) for

September is officially National Insider Threat Awareness Month (NIATM) and the theme of this year's NIATM is resilience. Of all the digital threats facing organizations, the insider threat can be the most vexing to tackle given how uncomfortable it can feel to suspect one's own colleagues of wrongdoing. It's challenging to set up systems and processes that might catch well-regarded peers or superiors in a harmful act.

At last week's inaugural Insider Risk Summit, experts at corporations and cybersecurity firms gathered to talk about the top trends driving insider security threats and what security officers should know in trying to combat those threats. "There's not one type of threat but there is a common aspect, which is that [insiders] are looking to get at critical assets of the organization -- people, information, technology and facilities," Michael Theis, chief engineer, Strategic Engagements at the US Community Emergency Response Team's (CERT's) National Insider Threat Center, said during his keynote talk.

Theis based most of his talk on the fraud model that CERT's threat center has built on a data set of 2,500 verified insider incidents that resulted in sabotage or corporate threat. It's important to define what exactly an insider threat is, Theis said. "[It's] the potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally to act in a way that could negatively affect the organization." The people who could be considered insiders encompass a wide range of individuals from current or former full-time employees, part-time employees, temporary employees, contractors, and trusted business partners.

The ways that an insider can cause damage are wide-ranging, too. They include fraud, theft of intellectual property, sabotage, espionage, workplace violence, social engineering, accidental disclosure, accidental loss or disposal of equipment or documents.

Anticipating human behavior

Although infosec professionals tend to search for technical indicators of insider acts, the best clues to heading off the revenue or reputational damage of insider threats lie in understanding human behavior. "There is one thing that is common and that is the human beings over time actually leave artifacts from their behavior," Theis said. Analyzing these artifacts can ward off negative events. "For the most part, what we're trying to do is get ahead of the damage... and respond to it in a good way that keeps the damage from occurring."

When it comes to sabotage, the insider threat pool is not restricted to just technical people. "In one of our cases we had an individual who was upset, went home, got his gun and went back and shot the server. Literally shot the data center server rack and literally killed the computers," Theis said. "In most organizations they say 'well if there's IT sabotage, we have backup tapes and we can just restore the system. It's a little hard to do that when it's been kinetically killed. That is a type of IT sabotage."

Some insider threats are unintentional, such as a case that involved a member of the military tweeting out his precise locations when traveling or other cases where the organizations failed to retrieve portable electronics when employees departed. Fundamentally, insider threats are "really all about behavior. It's about human beings. It's about motivations they're working through," Theis said.

"It starts with personal predispositions...something someone has before they come to work for you. What is their temperament like, how do they handle certain kinds of things?" Add to that the personal, professional and financial stressors those people are managing. Finally, and perhaps most tellingly, are any concerning behaviors they exhibit.

Watching for behavioral indicators

"A behavioral indicator is collected by the organization at least one month before the technical indicator," Theis said, "usually their attitude or how they are behaving with their peers."

Almost all insider risks are preceded by behavioral changes. "Behavioral changes, problems at work or interpersonal environments precede technical risk indicators," Elsine Van Os, a psychologist and CEO of intelligence and security consulting firm Signpost Six, said.

Van Os said that as much as 97% of insiders already had official attention for concerning behaviors such as violations of rules, policies, practices or inappropriate interpersonal behavior. Other key statistics involving insider risks: 58% of insiders communicated negative feelings, grievances, intent to harm the organization or a member prior to conducting an attack and in 31% of cases, others had specific knowledge of the insider's attack intention, plans or activities, including coworkers, friends or families.

"This means there is information out there way before an insider commits insider acts. It's about connecting the dots to prevent the insider acts in the first place," she said.

The role of organizational support

Organization can handle those behaviors in maladaptive ways such as inattention, no risk assessment process, inadequate investigation, summary dismissal or other actions that elevate risk, Theis said.  A more effective approach is to help the employee. "If I'm capturing the behavioral indicator, I can get to the point where I say, 'let's find out what this person's stressors are and see if we can help them,'" he said.

Theis emphasized that one of the most deterministic factors in predicting insider risk is whether employees believe they have the organization's support. "If you think about this, it makes sense. I might love the people I work with but that doesn't mean I couldn't leave and go work somewhere else and have those people follow me. How many times have we've seen that?"

"So hopefully when a person does come to have a stressor they're thinking ‘you know this organization is very good to me, I love the people I work with, I really like my job, I'm not going to do anything to jeopardize that by acting out against the organization itself,’" Theis said.

How Tesla’s culture helped it thwart an attack

Like most of the other experts speaking at the summit, Christine Leslie, senior manager of information security at Tesla, believes that how you use technology is more important than the technology itself in discovering insider threats. "On technology, many people think this is the most important part of the program, but throwing tech at the problem is not going to get you results," she said.

"In our experience, the way that you're using your tech stack and tools is really the most critical piece here rather than finding a solution that's going to be a magic bullet. Understand the culture at your company and build an insider threat program that really meets the needs of the business."

Tesla recently dodged a major insider threat where a ransomware gang approached an employee. "We had a recent incident in the news that stemmed from an employee reporting something. One of the things that we emphasize is that if you see something, say something," Leslie said.

"If someone approaches you, you should report it. I'd like to give our team a little pat on the back you know the education and awareness that we gave to our employees really opened the avenue for that employee to understand that this was the right thing to do to report it to security and his manager."