Why Is Detecting Insider Threats Difficult?

Insider threats may be rare within most organisations, but that does not mean they do not exist.

Yet even those organisations that claim to be highly competent and highly professional have suffered devastating insider incidents.

Insiders can pose many different types of threats.

•    Some simply provide information to individuals outside the organisation.
•    Some might steal from the organisation.
•    Some might decide to sabotage specific parts of the organisation's assets.
•    Some insiders pose a threat by making mistakes without really intending to do so.
•    Some loyal insiders are coerced by others into assisting in theft or sabotage.

Motives for insiders in each of these categories vary widely. In general, people can follow many pathways to becoming a risk to their organisation.

Protecting against insider threats is a difficult job for three primary reasons:
1.    Organisations want to downplay the risk from insiders, treating it as a non-existent threat.
2.    “Secrecy” often surrounds the challenge of mitigating risky employees. Organisations want to keep their “dirty laundry” discreet and do not voluntarily share knowledge and experiences.
3.    Having to address the root cause – human behaviour. Organisations know how to fix a “broken” asset. For example, a broken door can be replaced. But someone who regularly slams the door is a different challenge.

But there is a fourth reason…

At the core of the insider mitigation process are the insider “red flags.”

What are “red flags”?
Red flags are potential risk indicators that present themselves to the organisation at a point in time and are typically ignored, misunderstood or overlooked.

Here are some examples:
•    Skipping approval steps.
•    Failing to keep appropriate or accurate records/receipts.
•    Living a lifestyle above their means or lavishing gifts on a colleague.
•    Bullying colleagues.
•    Seeking access to areas which they should not be able to access.
•    Consistently seeking loans or advances.
•    Past legal/compliance problems.
•    Addiction problems.
•    Gambling problems.
•    Significant personal stress.
•    Expressing a strong sense of entitlement.
•    Expressing unhappiness with the organisation or management.

Interestingly, we often look back following an incident and immediately recognise clear indicators of abnormal behaviour before the event; unfortunately, they were neither reported nor acted upon.

Example: Bradley Manning Leaking Classified Information

What happened?
Bradley Manning, a 25-year-old US private, downloaded more than 700,000 classified documents from US military servers and passed them to WikiLeaks, which revealed sensitive information about military operations and tactics, including code words and the name of at least one enemy target.

What were the consequences?
Because of the broad scope and overwhelming volume of the WikiLeaks cables, their disclosure cast doubt on the ability of the U.S. government to guarantee the confidentiality of any kind – whether in diplomacy, military operations or intelligence.

What were his concerning behaviours?
Bradley Manning had a long-term history of psychological issues that included gender identity, bullying, physical threats, depression and problems in the military service.

Missed red flags
The Army ignored both Manning’s supervisor’s recommendation to discharge him and psychological advice not to deploy him.

After a demotion, a violent episode and a planned discharge, his weapon was taken away, but his access was not.

A deeper investigation might also have revealed his statements to friends and media contacts of his intention to leak information, and his ongoing communications with known hackers and WikiLeaks.

The reasons for this failure can be found within most organisations.

1.    First, insider threat early warning programs often lack the attention, expertise, funding, incentive programs, information-sharing processes and programmatic approaches necessary to succeed.
2.    Second, organisational cultures often undercut the effectiveness of early warning programs through denial, privacy concerns, lack of accountability and a cognitive bias toward technical cybersecurity.
3.    Third, faulty assumptions such as “it won’t happen here,” “red flags are reported and responded to,” and “people will do the right thing” undermine the process.
4.    Finally, there is “social shirking,” meaning no one wants to be a telltale. Many people just want to avoid conflict, and some pass the buck on this vital issue.

The following diagram illustrates a timeline showing different behaviour anomaly indicators that can help detect potential threats before experiencing a breach.

•    Non-Technical Behaviour Anomalies: indicators that the behaviour of the person has changed or flipped, for example, an otherwise non-aggressive individual becoming aggressive in conversations.

•    User & Policy Behaviour Anomalies: indicators of anomalies when connected to the corporate network, for example, spending lots of time accessing social media sites or taking actions contrary to corporate policies.

•    System & Data Behaviour Anomalies: indicators of unusual system and data behaviour, derived for example from metadata analysis and other data sources such as network logs, travel reporting, network access times, etc.
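As an added illustration of the third category (this is example code, not part of the original article or any product), the following Python learns a per-user baseline of usual access hours and daily document volume from a constructed access log, then flags new activity that departs from it. The log lines, users and thresholds are all constructed assumptions.

```python
"""Baseline-based detector for 'System & Data Behaviour Anomalies'.
Learns when each user normally logs in and how many documents they usually
pull per day, then flags new activity outside that baseline."""
from collections import defaultdict
from statistics import median

# Constructed sample log lines: ISO timestamp, user, documents retrieved.
BASELINE_LOG = """\
2024-03-01T09:12 alice 14
2024-03-02T10:05 alice 22
2024-03-03T09:48 alice 18
2024-03-04T11:30 alice 25
2024-03-01T08:55 bob 40
2024-03-02T09:20 bob 35
2024-03-03T10:10 bob 52
2024-03-04T09:40 bob 44
"""
NEW_LOG = """\
2024-04-01T10:15 alice 20
2024-04-02T02:40 alice 3100
2024-04-02T09:30 bob 47
"""

def parse(log):
    """Return (user, hour_of_day, document_count) tuples from log text."""
    events = []
    for line in log.splitlines():
        ts, user, count = line.split()
        events.append((user, int(ts[11:13]), int(count)))
    return events

def build_baseline(events):
    """Per user: (earliest usual hour, latest usual hour, median daily volume)."""
    hours, counts = defaultdict(list), defaultdict(list)
    for user, hour, count in events:
        hours[user].append(hour)
        counts[user].append(count)
    return {u: (min(hours[u]), max(hours[u]), median(counts[u])) for u in hours}

def flag_anomalies(baseline, events, slack_hours=1, volume_factor=10):
    """Return (user, reason) for events outside the learned baseline."""
    flags = []
    for user, hour, count in events:
        if user not in baseline:            # unseen account: always worth a look
            flags.append((user, "no baseline for user"))
            continue
        earliest, latest, usual_volume = baseline[user]
        if hour < earliest - slack_hours or hour > latest + slack_hours:
            flags.append((user, f"access at {hour:02d}:00 outside usual hours"))
        if count > volume_factor * usual_volume:  # bulk pull vs. typical day
            flags.append((user, f"{count} documents vs usual {usual_volume:g}"))
    return flags

def run():
    return flag_anomalies(build_baseline(parse(BASELINE_LOG)), parse(NEW_LOG))
```

The two flags raised for the constructed night-time bulk download are exactly the kind of "data behaviour" evidence the article says precedes an incident; in practice the baseline would come from weeks of real logs and the thresholds would be tuned per role.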

There is some good news.

Significant opportunities exist for stopping insider attacks, around which an affordable and effective early warning system can be created.

These opportunities are created by the simple fact that insider attacks are generally not impulsive.

Regardless of the motivation, the insider plans for weeks or even months before action. And no matter how hard they try to cover their tracks, they leave evidence during the slow progression from idea to action.

This evidence is observable. The changes in attitude and behaviour are discernible and detectable.