A CSO’s Guide to Insider Threats

| Alex Bolling
Alex Bolling
Former CIA Chief of Station

Each minute of each day federal cybersecurity teams triage an unimaginable number of threats to our national security. While many of those threats are from nation-state backed hackers attempting to breach our defenses, there are just as many critical threats coming from inside an agency.

Insider threats are not new. Since the existence of protected information, there have been adversaries, competitors, and enemies looking to gain advantage. The ability to store, transmit, and process huge amounts of data has only underscored the importance of actively addressing insider threats. Not all insider threats are the same; they differ in terms of their attack methods and objectives. Identifying insider threats and creating an effective mitigation strategy requires an understanding of threat types, motivations, and goals.

At the most basic level, there are two types of insider threat: the malicious insider and the negligent threat. While both are trusted members of the organization, the behaviors that make them a danger to information security are very different. The malicious insider, while trusted, is in some way compromised by a lure that turns them into a bad actor. The enticement could be financial gain, a desire to harm the agency, or the need to protect themselves from harm. These individuals use their position of trust and privileged access to introduce malware, directly ex-filtrate data, or carry out another form attack, and then share or sell the data to nation-state actors or their sinister proxies.

On the other side of the equation is the negligent insider threat. This trusted insider is not looking to cause harm from their online activities but does so by inadvertently circumventing established security protocols. They may write down their password in a convenient but obvious location or click on a phishing email and introduce malware into the network. And they’re the person who becomes a targeted, cultivated victim of a social engineering attack.

It’s the human aspect that makes insider threats difficult to identify and extremely dangerous to governments, companies, and organizations. Malcontents are hard to ascertain, even within the rigorous vetting procedures of security clearances and background checks. Also, the motivations for a malicious actor evolve over time. A variety of unexpected life events—financial distress, personal crisis, lack of career advancement—may provide the catalyst for a trusted employee to become a malicious insider theat. Meanwhile, there are thousands of negligent insiders in every federal agency. These are people who are unaware of the basics of cyber and personnel security or who are simply overwhelmed by multiple layers of complex security requirements.

The impact of insider threats has multiplied in recent years due to the growing amount of data that we now create and store in data centers and in the cloud. Not only are there rich stores of stand-alone information, but even more valuable is data aggregated with other known data sets. Some of the most worrisome attacks occur on data aggregated over time; it can reveal a treasure trove of information that can be used for identity theft, blackmail, or by nefarious state actors.

The insider threat issue is a complex issue. Based on my experience studying the insider threat problem from multiple angles and applying various approaches in large organizational environments, successful mitigation of an insider threat requires a multifaceted approach combining the application of technology, behavioral analytics, and comprehensive corporate governance.

The technology part of the equation is covered by the tools of the trade—endpoint monitoring, anti-malware tools, geo-fencing, encryption, and data loss prevention solutions—to name only a few. An effective behavioral analytics strategy not only involves the aggregation of data about user activity on the computer network, it also factors in additional information about the employee within the workplace and their social environment. Organizations and government agencies can aggregate their existing data sources to learn more about their employees, increasing their chance of identifying anomalous behavior and mitigating the malicious insider. Individual data points from human resources, legal, and finance in isolation may not be significant, but stitched together they can provide important tripwires to identify potential malicious actors.

The final part of the triad is data and corporate governance. Governance involves not only determining who can access data while it’s in use, but it also considers how long data is stored, how it should be archived, and who can access stored data. Each federal agency will have unique governance requirements based on mission, but all agencies need to have information governance rules in place.  In the information age, data governance needs to be a top priority throughout the public and private sectors.

It goes without saying that these challenges to information security will only get more complex as both the amount of data continues to increase and the number of threat vectors multiplies. Insider threat will also get more complex as we welcome the next-generation of workers—not just millennials, but generation Z and beyond—into the workforce. As dependence on mobile platforms and flexible work schedules grows, and new technology like IoT (Internet of things) devices and robotics are introduced into the workforce, our ability to defend information and discern who is a threat will become even more complex. However, even with these new challenges, the fundamentals of good security hygiene—technology, analytics, and governance—will continue to provide a strong foundation in mitigating insider threats.

The Author is Alex Bolling

Alex Bolling served 28 years in the CIA's Directorate of Operations as Chief of Station and Deputy Chief of Station in several war zones in the Middle East, North Africa and Southwest Asia. He was Chief of Operations of the CIA's Information Operations Center (IOC) where he was responsible for orchestrating multi-disciplined offensive cyber collection against counterterrorist, counter proliferation and counterintelligence targets. Thoughout his career, Bolling planned, managed and executed... Read More

Learn more about The Cipher Brief's Network here.

CLICK TO ADD YOUR POINT OF VIEW

Share your point of view

Your comment will be posted pending moderator approval. No ad hominem attacks will be posted. Your email address will not be published. Required fields are marked *