Research note: A new way to think about insider threats

We talk about motivation often when thinking about the insider threat to information assets. The concept of a turn cloak, spy, or trusted individual turning against the interests of an organization has always been a risk. We vilify, and in general disrespect the disloyal regardless of reason or cause. History will sometimes repair the reputation of a turn-cloak but that is usually winners revisionism. It is still a rare case that we see people who have acted treasonous treated well by even those who have benefited from treason. The emotional baggage of the insider threat cannot be under estimated and the blind spot of trust over estimated.

When we deal with information assets and the threat of a trusted entity with ill intent inside our organization the amount of harm to an organization can be significant. The realm of information is perilously controlled and subject to exfiltration from an organization in vast quantities. A paradox of automation is that damage is automated along with production. The reward to

The evil entity far exceeds the resources of the righteous. In understanding this dichotomy we do ourselves a disservice in the corruption of language. We talk about looking for an insider threat. What we are looking for is an outsider who is inside. That little mental shift changes the equation dramatically.

Insiders are no longer insiders when they are corrupted by outside influence. Even the continued mention of somebody as an insider creates more emotional response than reasoned response. You have at the point somebody takes action against your organization failed to recognize a threat. A threat is an outside influence on an organization that acts upon a vulnerability without a countermeasure within your organization. This outside entity may have been perceived as a known and trusted entity but that failure is yours not theirs. The incentive of a threat actor is to remain hidden as long as possible. They are doing what they are expected to do.

It is a harsh lesson in understanding that your mitigation technique has not vanquished the risk of an outside entity exploiting your system. Trust is a commodity traded between humans to accomplish work and maintain civility. To suddenly realize that transaction in trust has been abused is the reason we torture traitors. To grow past that and realize that trust is neither commodity nor is it traded but in fact it is non-existent is not a good place for many people to live. It is considered paranoid, and you are vilified for that lack of trust nearly as much as the traitor is for abusing it. Yet that is exactly where you need to be if you want to have any hope of tracing traitors within your organization.

Think of it this way. Twenty people walk through the front door of a company. They enter and exit. Some are engaged in commerce and others are merely browsing. After a time you make friends with these people. Then you start to notice things going missing from your company. Is it the fault of the crook, the wolf in sheep’s clothing, for you not detecting them? They are doing what their motivations and desires are driving them to do. It is you who have failed to detect that threat. Because, you are manipulated into a false sense of trust the outsider tricked you. Social engineers prey upon this trust and as long as you trust you will be at their mercy.

Insiders should be treated as outsiders, but few people will have the capability to maintain that level of paranoia for very long. Even if you find a person who claims that level of paranoia they are egotistical rather than paranoid. Saying, kill em all let god sort them out is not an answer to this problem. What you need is a man or woman in your organization who is willing to point at any individual in a position of trust and say they are evil. Vetting of staff has to occur on a daily basis (and always upon access to information). You must be able to accept that or you will be exploited if you have any hope of mitigating the threat vector.

Make a determined adjustment to your threat analysis in that a person is designated on a daily or weekly basis to investigate every anomaly as if the people involved are guilty of treason to the organization. One person in an organization should be identified who on a particular day always takes the prosecute side of the case. If your organizations evidence gathering process is not capable of refuting such evidence then you have two problems 1) Poor event management correlation and; 2) possibly a threat actor in your organization. Flipping the analysis piece towards paranoia serves to point out weakness in the event correlation analysis piece. There is peril in cronyism from this process. If you ignore the fact that your own team is subject to exploitation you will have built in weakness from the start. Everybody is subject to malefactor indications. Including you.

1 comment for “Research note: A new way to think about insider threats

Leave a Reply