Notes from DoDIIS 2017: Talking Cyber Espionage and Insider Threat
Read on for a sneak peek into some of the insider threat insights I will be sharing at DoDIIS today as part of the “Industry Perspective on Cyber Espionage and Insider Threat” panel.
Insider threat is both a very old concept and a new one. The cyclical nature of technology concepts is constant, with only the players and methods changing. However, the instruments of data movement are getting smaller. In the past, a person had to literally carry reams of paper out of the building to do the same kind of damage a person with a cell phone camera, cloud storage account, or USB drive can do today. Additionally, interconnections within the growing technology-enabled physical world and the infinitely connected web have allowed for more esoteric ways of moving and accessing information, through the average smart home thermostat or Wi-Fi-enabled light bulb.
This newfound ability to deal damage in small packages has created a secondary issue: the accident. When data was big, taking the form of paper, floppy disks, or CD-ROMs, it took physical media or a lot of upload time to cause widespread harm. Again, this isn’t a concept any reasonable security practitioner is unaware of. In fact, I’m counting on it. The issue is not that there is growing risk and the world is a harsh place, or that people will forever try to gain an unfair edge, but the reality that the line between maliciousness and accidents is growing ever greyer.
The Grey Area between Accidents and Maliciousness
When exfiltration and infiltration methods were complex and incredibly risky (think Cold War spy tactics), an accident would be defined as taking a folder of documents home, leaving a laptop on a train, or having your BlackBerry stolen. Now it is as simple as an unnoticed incorrect autocomplete address in Outlook with a sensitive attachment, or a misunderstanding about sensitivity and an upload to a cloud drive. A mistakenly clicked email about a fake password reset can put a whole company at risk; just ask a few retailers or Hollywood producers.
This creates several avenues of discussion, mainly around training and awareness (do it), thoughtful and effective controls (get some), and security analysis and response (make it tougher). The difficulty with insider cases is that mindset is everything. The motivation and goal of the actor is what determines the real difference between a stern lecture, employment termination, or law enforcement arrest. Did the person really mis-click that link in the email? Did they really not notice the other address? Actually, they probably didn’t notice and just thought they had to provide their password. Realistically, there are only a few real-life Jason Bourne or Ethan Hunt types in the world, and if those people were targeting you, odds are you’d have little chance of stopping them.
We need to realize that people are people and not computers. If we approach insider threat analysis as a black and white issue like malware, then we risk more than wasted time. If an analyst suspects a computer is infected with malware, they can patch or re-image it without a second thought. The computer won’t get offended or quit. But we all live in a world of greys, not black and white. The sooner we recognize that different tactics and analysis are needed to assess activities and determine that mindset, the better.
This isn’t about ignoring or discounting troubling events; it is about understanding context, asking questions, and realizing that while we have machines learning how to identify malware patterns, we just aren’t that good at people yet. A computer really can’t have good days and bad days, but people have every kind of day imaginable. Some end one day feeling like they need to take their traffic and coffee-fueled frustrations out on others and “get their due,” but go back home, have a Coke and a smile, and the next day is a bit brighter. Let’s look at insider threat as managing both the light and dark side of the human condition, and ensure that people are aware of the rules, that we have good controls to help contain the damage when they forget or break them, and that analysis isn’t based on “guilty before proven innocent.”
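As an added illustration of the kind of control and analysis the post argues for (it is example code written for this page, not anything from the panel or from a product), the script below triages an outbound-email event in which a labelled attachment leaves the organisation. Rather than declaring the sender malicious, it collects the context an analyst would want: whether the external domain is a near-miss for the internal one (the Outlook autocomplete slip described above), whether the sender has a history with that address, whether the recipient is personal webmail, and the time of day. The event fields, domain lists, sensitivity labels, business hours and thresholds are all constructed assumptions.

```python
"""Context-first triage of an outbound e-mail carrying a labelled attachment.

Constructed example: the event shape, the internal and webmail domain lists,
the label names and the thresholds are assumptions for illustration. The
output is meant to be read by an analyst who then talks to the sender; it does
not decide intent.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import Optional

INTERNAL_DOMAINS = {"example-corp.com"}                       # assumed internal domain
CONSUMER_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}   # assumed personal webmail
SENSITIVE_LABELS = {"confidential", "secret"}                 # assumed DLP labels
BUSINESS_HOURS = range(7, 20)                                 # assumed 07:00-19:59 local


@dataclass
class MailEvent:
    sender: str
    recipients: list[str]
    attachment_labels: list[str]          # labels the DLP tool put on attachments
    sent_hour: int                        # local hour, 0-23
    prior_sends: dict[str, int]           # recipient -> earlier mails from this sender


@dataclass
class Triage:
    severity: str                         # "none", "review" or "urgent"
    reading: str                          # analyst-facing interpretation
    context: list[str] = field(default_factory=list)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def near_miss(domain: str) -> Optional[str]:
    """Internal domain this external domain closely resembles, if any.

    Catches the autocomplete/typo case, e.g. example-corp.co for example-corp.com.
    The 0.85 similarity threshold is an assumption.
    """
    best = max(INTERNAL_DOMAINS, key=lambda d: SequenceMatcher(None, domain, d).ratio())
    return best if SequenceMatcher(None, domain, best).ratio() >= 0.85 else None


def triage(ev: MailEvent) -> Triage:
    external = [r for r in ev.recipients if domain_of(r) not in INTERNAL_DOMAINS]
    sensitive = bool(SENSITIVE_LABELS & {lbl.lower() for lbl in ev.attachment_labels})
    if not external or not sensitive:
        return Triage("none", "no sensitive attachment left the organisation")

    ctx: list[str] = []
    accident = concern = 0                # counts of signals pointing each way
    for r in external:
        d = domain_of(r)
        hit = near_miss(d)
        seen = ev.prior_sends.get(r, 0)
        if hit:
            ctx.append(f"{r}: domain resembles internal {hit}; an autocomplete or typo slip is likely")
            accident += 2
        elif d in CONSUMER_WEBMAIL:
            ctx.append(f"{r}: personal webmail domain")
            concern += 1
        else:
            ctx.append(f"{r}: external domain {d}")
        if seen:
            ctx.append(f"{r}: sender has mailed this address {seen} time(s) before")
            accident += 1                 # established contact: more likely a labelling slip
        elif not hit:
            ctx.append(f"{r}: first message from this sender to this address")
            concern += 1
    if ev.sent_hour not in BUSINESS_HOURS:
        ctx.append(f"sent at {ev.sent_hour:02d}:00, outside assumed business hours")
        concern += 1

    if accident > concern:
        return Triage("review", "probable slip: confirm with the sender, then recall or relabel", ctx)
    if concern >= 3:
        return Triage("urgent", "several concern signals: gather context with the sender and "
                                "manager before drawing conclusions", ctx)
    return Triage("review", "intent unclear: ask the sender what happened", ctx)


if __name__ == "__main__":
    # Constructed events: a typo'd domain, and a late-night send to webmail.
    for ev in (
        MailEvent("dana@example-corp.com", ["bob@example-corp.co"], ["Confidential"], 10, {}),
        MailEvent("dana@example-corp.com", ["someone@gmail.com"], ["secret"], 23, {}),
    ):
        t = triage(ev)
        print(t.severity, "-", t.reading)
        for line in t.context:
            print("   ", line)
```

The point of the design is that every output carries its reasons: the near-miss check and the sender's history argue for an accident, while first-time webmail recipients after hours argue for a closer look, and neither path ends in a verdict about the person. The same structure extends naturally to cloud-upload events by swapping the recipient fields for the destination account.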
If you are in St. Louis attending DoDIIS today be sure to stop by Room 103 at 1:30 p.m. CT to hear more during the “Industry Perspective on Cyber Espionage and Insider Threat” panel.
Or, if you aren’t attending DoDIIS but would like to learn how you can “Operationalize a Practical Insider Threat Program” in your organization, view my webcast here.