Security leaders need to understand the insider profiles most relevant to their organizations and develop and automate a watchlist of the most relevant tripwires. Getting into the head of the attacker and understanding what sets them off, how they plan and how they act can help security teams mitigate insider risk.
Characteristics of a potential insider threat
The Intelligence and National Security Alliance (INSA) has outlined the following types of insider threat for security leaders to monitor: unintentional insider threat, theft of intellectual property or national defense information, insider fraud, sabotage and workplace violence.
Case study examples provide some common personality characteristics, precipitating events and indicators for each insider type. These commonalities can be refined by organizations as they tailor their risk models for their specific situations and environments.
Inadvertent or negligent threats
These insiders act without malicious intent, but become a threat through negligence or outside manipulation.
While hard numbers are always suspect in quantifying insider events due to the assumed high level of non-reported or misreported events, it’s safe to say that a significantly large percentage of insider events result from inadvertent or negligent behavior, and one in particular — credential theft through social engineering — is growing rapidly. It’s also safe to say that the critical path for inadvertent actors is far shorter and less observable than for malicious actors.
Common personality characteristics of negligent insiders include being flighty, unfocused, disorganized, scatterbrained, stressed or strained. Precipitating events that can precede an inadvertent threat are often new personal or professional distractions.
Common indicators include personal cell phone/computer overuse, unwittingly providing sensitive information to outsiders, discussing sensitive matters with uncleared personnel, leaving sensitive documents or devices accessible to others, posting confidential organizational details to social media sites and consistent failure to meet deadlines. Monitoring for these indicators can present a challenge to security leaders.
IP and data thieves
These insiders seek to benefit themselves or others by stealing valuable data or materials. They may be working alone or in collaboration with an outside malicious actor.
Common personality characteristics include entitlement, narcissism, anti-social behavior and a desire to control all things. Common precipitating events include a negative personal financial event, failed promotion effort, poor performance review, unmet career aspirations, resignation or termination.
Common indicators include “borrowing” office items for home use, attempting privilege escalation, conducting questionable downloads, violating cybersecurity policy, working out of profile hours, transferring data and/or printing during out of profile hours, stealing inventory and bringing unauthorized recording equipment into work.
Fraudsters
These insiders seek personal gain through their attacks.
Common personality characteristics include egotism, entitlement, privilege and self-importance. For fraudsters, common precipitating events include significant additional expenses, negative personal financial events, and unmet career and/or lifestyle aspirations.
Common indicators include living beyond one’s means, debt collection, violations of financial policies, intentional data manipulation, use and/or close association with a known supplier, minor fraudulent expenses, violations of insider trading, demonstrating excessive control over financial duties and exhibiting shrewd or unscrupulous behavior.
Saboteurs
These insiders strike out against an organization with intent to harm its functionality.
Common personality characteristics include anger, vengefulness, vindictiveness, disengagement and destructive behavior. In the case of saboteurs, common precipitating events include confrontation with management, poor performance review, failed promotion effort, demotion, workplace embarrassment and termination.
Common indicators include the testing of security procedures, defacing company website pages, “accidentally” breaking a component in a critical machine, contaminating a clean room, altering enterprise software, misconfiguring products to cause failure and workplace harassment or violence.
Violent offenders
These insiders seek to strike out against the organization to cause bodily harm to people within the organizations and possibly even themselves.
Common personality characteristics are aggression, emotional detachment, confrontation, disengagement, strain and a lack of remorse. In the case of violent offenders, common precipitating events include negative family or relationship events.
Common indicators are the same as those for sabotage, which includes emotional outbursts, failure to communicate and/or work in groups, bullying, difficulty taking criticism, boundary violations, violent threats, physical altercations and reflections of extremist beliefs.
Vulnerable life stages
Just as there is a critical path for each insider attack, there are critical stages of life. The ages between 35-45 years old are particularly relevant, as they’re the ages known for reevaluation of life choices and life goals and the highest point of the symbiotic relationship between one’s personal and professional lives.
Known commonly as a “mid-life crisis,” divorce and career change are highest during these years and are closely bound. A strong marriage or personal relationship can carry someone through a bad work situation and a good work situation can carry someone through a bad relationship, but the simultaneous collapse of both often results in increased psychological vulnerability for the employee and increased risk for their employer.
With the knowledge of what characteristics to look out for, security leaders can monitor for insider threats or employees with the potential to escalate their risk level.
Insider kill chain: How security threats escalate
In addition to character evaluations, it is important for security professionals to understand the critical path that an insider takes as they move toward action: the insider kill chain. The kill chain is comprised of six stages:
- Personality temperament: Essentially, this is the nature of person you hired. For security purposes, an important personality differentiation is whether this person is predisposed toward “self-destruction” versus “self-healing.” Elements that sway a personality toward self-destruction (and insider attacks) include violent tendencies, psychological imbalance, vengefulness, etc. Malevolent qualities known in psychology as the “Dark Triad” of narcissism, psychopathy and Machiavellianism can also increase self-destructive nature.
- Precipitating event: A security leader’s focus here should be on stressors that create emotional change, such as personal or professional crises.
- Conflict: This stage is often marked by a self-expression like dissatisfaction with a superior, colleague or the entire organization.
- Determination: The fourth stage is often exemplified by refinement of a mindset like increased risk-taking, open hostility, social withdrawal, identification with violence, etc.
- Preparation: Often taking the form of reconnaissance, acquisition of materials, drafting of manifestos and other attack precursors, this stage precedes the final attack.
- Attack: The endpoint of resentment that has been building against an organization or system that the insider believes has unfairly treated them.
Remember, the insider kill chain takes place within the organizational environment — which security can control. Just as security leaders can design a building to enhance an organization’s security measures, they can design an environment to enhance the insider risk program. As the environment is where security can administer the greatest mitigation, it’s up to the security team to build in the strongest insider threat countermeasures allowable by the organization’s culture, capabilities and resources. The organizational environment can work for or against the cause of risk mitigation.
To a much lesser degree, organizations control the personalities of their communities — by who they hire in the first place. While understanding the need to hire quickly in today’s environment, hiring decisions have tremendous impact on an organizations’ insider risk resiliency. Move fast, but move smartly.