Behavioral Patterns That Alert an Insider Threat

Improvements in technology and digital transformation have made it easier for public and private sector organizations to identify the behavioral patterns that may indicate a malicious insider threat, but technology is just one component of an overall insider threat program.

Insider threats are seldom impulsive acts. Employees wishing to harm a current or former employer, business partner, or client, whether by stealing trade or government secrets, sabotaging information systems, or even opening fire on colleagues, usually plan their actions. Some wish to get revenge against an organization they believe wronged them. Others seek some kind of personal or financial gain, or to point out a perceived injustice. Still others may operate as spies for a foreign government. Regardless of their motivation, their plans often percolate for weeks, months, or even years before they act. Recent revelations about a member of the U.S. intelligence community leaking national security documents have once again put public and private sector organizations on alert to insider threats.

“Insiders move along a continuum from idea to action,” says Dawn Cappelli, US CERT expert. “They don’t wake up one morning and decide to exploit confidential information. They get an idea, ruminate, and then begin testing the waters to see if they can execute the idea, maybe by trying to access sensitive data or a secure facility.”

As malicious insiders move along the idea-to-action continuum, they leave evidence, no matter how hard they may try to cover their tracks. Red flags frequently take the form of changes in attitude or behavior: the insider may grow frustrated or disgruntled, begin violating corporate policies, come in early or stay late at the office, show “undue interest” in information that may not be relevant to their work, or attempt to access physical areas where they don’t typically or shouldn’t work.

To detect a malicious insider's actions before they do harm, the best advice is for organizations to establish a series of threat indicators (such as policy violations, job performance difficulties, or disregard for rules) based on the high-value assets they wish to protect. For example, potential indicators that a rogue software developer appears likely to steal his company’s source code may include a vengeful attitude, isolation from co-workers, accessing the system on which the source code is stored during off-hours, and a bad performance rating. (An employee with a bad ranking who believes he’s going to lose his job may try to steal intellectual property that could help him land a job with a competitor or start his own company.) Manufacturers seeking to safeguard new product designs may keep an eye out for insiders trying to access or download those plans, traveling to countries where intellectual property theft is prevalent, sending emails with large attachments, and/or experiencing financial difficulty.

There’s no (psychological) profile for an insider; an individual’s personality isn’t nearly as important as their actions. That said, you’re not looking for a specific behavior but for a pattern of behaviors that may indicate a potential insider threat.

With insider threat indicators established, companies can then begin to collect and correlate virtual and nonvirtual data about employees, according to Cappelli. Virtual data refers to the digital trails employees leave when they log on and off the corporate network, access systems, download or print documents, send email, and use the Web. Nonvirtual data includes information about an individual’s role in an organization, performance ratings, compliance with corporate policies, and work habits (such as the times of day they start and stop working, the people they typically interact with, and their physical movement throughout an office).

I analyzed a variety of insider threat detection tools that use advanced analytics to correlate virtual and nonvirtual data. Even though these systems are first generation, they’re capable of integrating disparate data sources and analyzing structured and unstructured information.

Dawn Cappelli of US CERT, writing in The CERT Guide to Insider Threat, says many of these systems work by establishing and maintaining a baseline for “normal” or “typical” employee behavior and tracking deviations from it. For example, if during the course of a day a financial securities trader calls a competitor in addition to his normal client base, attempts to badge into the investment research area of his company’s business (a policy violation), and executes a trade outside the rules he’s allowed to trade within (another policy violation), the system will raise an alert for follow-up. “These systems include rules and logic that establish thresholds for risk indicators, and release an alert when those thresholds are exceeded,” Cappelli writes.
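As an added illustration of the baseline-and-threshold logic described here, and of the virtual/nonvirtual correlation from the previous paragraphs, the following example code is not from the article or from CERT; the indicator weights, alert threshold and sample records are constructed assumptions, and the trader scenario is the one given above.

```python
from collections import defaultdict
# Weights, threshold and sample data are constructed for this example (assumptions, not from the article).
INDICATOR_WEIGHTS = {
    "contact_outside_client_base": 2,   # virtual: call/email log deviates from baseline
    "badge_denied_restricted_area": 3,  # virtual: physical access system, policy violation
    "trade_outside_limits": 3,          # virtual: trading system, policy violation
    "off_hours_system_access": 2,       # virtual: authentication logs
    "poor_performance_rating": 2,       # nonvirtual: HR data, counted once per employee
}
ALERT_THRESHOLD = 6

def build_contact_baseline(contact_history):
    """Baseline of 'normal' behavior: every party each employee contacted in past history."""
    baseline = defaultdict(set)
    for employee, party in contact_history:
        baseline[employee].add(party)
    return baseline

def daily_indicators(employee, day_activity, baseline):
    """Translate one day's raw virtual data into the named risk indicators it triggers."""
    usual = baseline.get(employee, set())
    found = ["contact_outside_client_base" for p in day_activity.get("contacts", []) if p not in usual]
    found += [v for v in day_activity.get("violations", []) if v in INDICATOR_WEIGHTS]
    if day_activity.get("off_hours_logins", 0) > 0:
        found.append("off_hours_system_access")
    return found

def score_employees(activity, baseline, hr_ratings):
    """Correlate virtual indicators over time with nonvirtual HR data; alert above the threshold."""
    scores, reasons = defaultdict(int), defaultdict(list)
    for employee, day, day_activity in activity:
        for ind in daily_indicators(employee, day_activity, baseline):
            scores[employee] += INDICATOR_WEIGHTS[ind]
            reasons[employee].append((day, ind))
    for employee, rating in hr_ratings.items():
        if rating == "below" and employee in scores:  # HR data only adds weight to observed activity
            scores[employee] += INDICATOR_WEIGHTS["poor_performance_rating"]
            reasons[employee].append(("hr", "poor_performance_rating"))
    alerts = {e: reasons[e] for e, s in scores.items() if s >= ALERT_THRESHOLD}
    return dict(scores), alerts

# Constructed sample data: the trader scenario from the article plus a benign comparison case.
CONTACT_HISTORY = [("trader_a", "client_x"), ("trader_a", "client_y"), ("analyst_b", "client_z")]
ACTIVITY = [
    ("trader_a", 1, {"contacts": ["client_x", "competitor_corp"],
                     "violations": ["badge_denied_restricted_area", "trade_outside_limits"]}),
    ("analyst_b", 1, {"contacts": ["client_z"], "off_hours_logins": 1}),
]
HR_RATINGS = {"trader_a": "meets", "analyst_b": "below"}
```

Running `score_employees(ACTIVITY, build_contact_baseline(CONTACT_HISTORY), HR_RATINGS)` scores the trader at 8 and raises an alert with the three correlated reasons, while the analyst's single off-hours login plus a poor rating stays at 4, below the threshold.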

While today’s insider threat monitoring systems may be effective, most critical infrastructure operators caution organizations against relying solely on technology to mitigate insider threats. Instead, the best suggestion is that CNII operators institute an insider threat program that defines the assets a company wants to protect; establishes policies, procedures, controls, and training designed to protect those assets; and brings together stakeholders and data owners from a variety of functions, including HR, legal, compliance, finance, and administration.

As I would suggest, correlating people-centric data over time can allow organizations to identify threats that might otherwise go undetected and stop a malicious insider’s forward progress. But without full participation from leadership, CIOs and CISOs may have trouble getting the data required to build that pattern of precursors that may indicate a potential insider threat.


Randomly recognising the oddity in a pattern of behaviour is certainly a good focus to start with in identifying an insider/malicious threat. However, as you rightly pointed out, what goes on in the grey matter (psychological profile) is a difficult area to study. As a suggestion, perhaps measures can also be taken into account to evaluate the after-effects of an act (or acts) by these insiders. They need to reveal to a third or outside party. The need to gain value out of these acts by supposedly assuming "freedom of conscience" as a justification or cover story. And most importantly, who would likely be the beneficiary of this exploitation and manipulation. The beneficiary would most probably be interested in the access level of information for exploitation, the motivation in order to be able to control the malicious activity, and the suitability of the insider to be competent in their malicious conduct. Thus, continuous security vetting of all personnel, though costly, is worth all the effort. Focus should be around, but not limited to, the accessibility, motivation and suitability of any insider that may possibly turn into a malicious threat.
