The Insider Threat

The insider threat, or malicious insider, has supplanted the external hacker as the primary focus for many organizational network security teams. The shift in focus is likely due to a number of high-profile insider breaches and the complacency that the analysis and reporting of those breaches repeatedly highlighted. Security teams had become too reliant on monitoring technologies that prioritize the discovery of indicators of compromise (IoCs), and focused less on user behavior and workforce security awareness training.
With the pendulum swinging from an external focus to an internal one, organizations must walk a fine line: employees must not be treated as liabilities, or respect and trust will be lost across the organization. Too often, trust is placed in monitoring technology and third-party managed service providers to watch for insider threats, and control is taken away from the organization's own employees. Balancing trust between internal and external assets is a difficult but necessary part of doing business today. Employees should view themselves as valued assets, not as insider threats.

What Motivates the Malicious Insider?

The motives of a malicious insider are often the most difficult thing to assess, and they are frequently not determined until it is too late. Edward Snowden was a trusted contract employee at the NSA who held a mid-level position and kept a low profile. Through a number of means, Snowden obtained access to material largely outside the scope of his position, in great part because of poor security management and human error. His moves appeared calculated, and his true motives (beyond his own public statements) are still being debated, which made early detection virtually impossible. There is no indication that Snowden received specialized training in counterintelligence or espionage, but it is possible that he had access to classified training documents outlining tactics, techniques, and procedures (TTPs).
Various elements of espionage are generally linked to malicious insider threat actors. Foreign adversaries continually seek individuals with placement and access to sensitive government and corporate information in order to fulfill intelligence requirements and further strategic or tactical objectives.

Insider Threat Active Defense

The insider threat should not be combated solely with reactive technical tools; defense should begin at the root cause of an insider breach, the employee. More emphasis needs to be placed on properly vetting individuals throughout the hiring process. This includes background checks, digital footprinting, personality testing, and face-to-face neurolinguistic evaluation during interviews. Too often, businesses hire on credentials and acumen alone and give little attention to assessing a candidate's personality and traits. Many employers steer clear of looking into potential hires' personal lives, fearing offense or a breach of hiring norms and regulatory guidance. Due diligence must occur throughout the hiring process, at a cost compatible with the organization's size and risk appetite.
An organization needs to lay the foundation of a security-minded culture. Clearly stated guidelines on the proper use of information systems, information classification guides, and intellectual property handling procedures need to be reviewed and made available to all employees, partners, and contractors. Offering individual and organization-wide incentives for meeting compliance guidelines is a healthy way to secure an organization; building a security incentive program into the benefits package encourages employees to maintain a steady security posture.
Organizations should also establish an insider threat program that drives monitoring of privileged accounts, implements and spells out separation-of-duties and least-privilege policies, and maintains a clearly stated insider threat incident response plan. Additionally, an organization should maintain forensic capabilities and a patch and update schedule for all software and hardware attached to the network. Small and mid-size companies often outsource many of these duties, but it is important that organizations of all sizes maintain some form of internal monitoring capability and a business continuity plan.
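Two of the program elements above, monitoring privileged accounts and enforcing least privilege, can be mechanized against an access log so that "access outside the scope of the position" (the pattern in the Snowden case) is flagged as it happens rather than discovered afterwards. The following is an added example, not code from the article: the roles, resource classes, business-hours window, account names and JSON-lines log format are all assumptions constructed for the demonstration.

```python
"""Least-privilege access audit over a constructed audit log.

Added example, not code from the article. The roles, resource classes,
business-hours window and log format are assumptions made for the
demonstration; adapt them to the organization's own policy.
"""
import json
from datetime import datetime

# Hypothetical least-privilege policy: each role may touch only the
# resource classes listed for it. Anything else is outside the scope
# of the position and gets flagged.
POLICY = {
    "sysadmin":   {"infrastructure", "helpdesk"},
    "analyst":    {"reports"},
    "contractor": {"helpdesk"},
}

# Roles whose accounts are privileged and therefore monitored even when
# an access is within policy.
PRIVILEGED_ROLES = {"sysadmin"}

# Assumed business-hours window in UTC: [start, end).
BUSINESS_HOURS = (7, 19)

# Constructed sample audit log (JSON lines); not real data.
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:02:11Z", "user": "jdoe", "role": "contractor", "action": "read", "resource": "helpdesk/ticket-1182"}
{"ts": "2024-03-01T08:05:40Z", "user": "jdoe", "role": "contractor", "action": "read", "resource": "reports/q1-strategy.pdf"}
{"ts": "2024-03-01T08:06:02Z", "user": "jdoe", "role": "contractor", "action": "copy", "resource": "reports/q1-strategy.pdf"}
{"ts": "2024-03-01T22:41:09Z", "user": "asmith", "role": "sysadmin", "action": "read", "resource": "infrastructure/backup-keys"}
{"ts": "2024-03-01T09:15:00Z", "user": "bliu", "role": "analyst", "action": "read", "resource": "reports/q1-sales.xlsx"}
"""


def parse_log(text):
    """Parse JSON-lines audit records; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # fromisoformat() on older Pythons does not accept a trailing 'Z'.
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def resource_class(resource):
    """The policy is expressed on the first path component of a resource."""
    return resource.split("/", 1)[0]


def audit(events, policy=POLICY, privileged_roles=PRIVILEGED_ROLES,
          business_hours=BUSINESS_HOURS):
    """Return one finding per out-of-scope access or privileged off-hours access."""
    findings = []
    start, end = business_hours
    for ev in events:
        allowed = policy.get(ev["role"], set())
        if resource_class(ev["resource"]) not in allowed:
            findings.append({"user": ev["user"], "reason": "out_of_scope",
                             "resource": ev["resource"], "ts": ev["ts"]})
        if ev["role"] in privileged_roles and not (start <= ev["ts"].hour < end):
            findings.append({"user": ev["user"], "reason": "privileged_off_hours",
                             "resource": ev["resource"], "ts": ev["ts"]})
    return findings


def by_user(findings):
    """Group finding reasons per user so repeat offenders stand out."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["user"], []).append(f["reason"])
    return grouped


if __name__ == "__main__":
    for user, reasons in by_user(audit(parse_log(SAMPLE_LOG))).items():
        print(f"{user}: {', '.join(reasons)}")
```

On the constructed log, the contractor's two touches of the "reports" class are flagged as out of scope (the read followed by a copy is exactly the sequence a response plan should escalate), the sysadmin's in-policy read of backup keys is still surfaced because it happened at 22:41 UTC, and the analyst generates nothing. The policy lives in a plain dictionary so that separation-of-duties reviews can diff it the same way they diff code.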