There are two different types of insider threat: negligent and malicious. Negligent insiders are people who give attackers access by mistake. For example, the employee who clicks on a spear-phishing email and lets hackers into their employer’s networks is a negligent insider. This is a significant problem, but one that can be corrected through training and a strong focus on good cyber hygiene.
The issue of malicious insiders is completely different. A malicious insider is an employee who willfully either steals information or damages company networks on purpose. The threat from malicious insiders is especially pressing because they are already inside all the protections meant to keep malicious actors out. Arguably the most famous malicious insider is Edward Snowden, who stole a vast amount of classified information from the federal government in 2013. That incident was extremely high profile, but a more common manifestation of a malicious insider threat would be fraud committed by people who work in the financial services industry.
There are a number of reasons why an insider might become a threat. A 2005 study from the Defense Personnel Security Research Center identified eight primary insider threat archetypes. Explorers and Samaritans are broadly non-malicious and violate IT procedures either by accident or in order to do their jobs more efficiently. Career Thieves and Moles are malicious from the start and seek employment with their targets in order to steal either money or information. Proprietors are motivated by a desire to maintain sole control over their systems and are willing to destroy those systems if that control is threatened. Hackers are – somewhat unsurprisingly – hackers who continue to engage in hacker activity in their workplace. Avengers are motivated by a desire to retaliate against their employer for past slights or insults. And Machiavellians commit malicious acts in order to further their own agendas. Some of these are more common than others, with insider attacks motivated by greed or revenge occurring far more often.
Fortunately, there are ways to assess the likelihood of an insider becoming a threat and ways to detect them once they do. A 2008 study, published by the Software Engineering Institute (SEI) at Carnegie Mellon University on insider threats in the telecommunications sector, found that 73 percent of insider threats were precipitated by a specific workplace-related event, such as terminations, demotions, or disciplinary actions.
Another SEI report from 2012 found that, in the financial services sector, 81 percent of malicious insiders planned their attacks in advance. This means that employers can approach the issue of countering insider threats from two distinct angles: focusing on the psychology of the insider or focusing on the data that their activities leave behind. Steve Bongardt, Regional Vice-President for Security Consulting Services at Fidelis Cybersecurity, has experience applying behavioral profiling to cybercrimes from previous work at the FBI. According to Bongardt, “we can look at behavior or look at individuals within a company and try to find out, ‘Are they dangerous? Are they really going to act out? What are the hot points going on in that organization?’ to try to understand what the insider threat might be.”
On the data-analytics side, Stuart Clarke, Chief Technical Officer for Cybersecurity at Nuix, believes that data visualization makes it much easier to see evidence of pre-planned malicious behavior. He told The Cipher Brief that “visualizations really expose that information, because it’s an outlier. It’s anomalous behavior effectively, and that can’t be detected in a linear fashion.”
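The "outlier" idea Clarke describes, and the "data that their activities leave behind" mentioned above, can be made concrete with a small baseline-and-deviation check. The following is an added example, not code from The Cipher Brief, Nuix or Fidelis: it builds a constructed set of file-download audit events for two hypothetical users, profiles each user's own daily download count, and flags a day whose count breaks that user's baseline by a robust (median/MAD) z-score, reporting alongside it how much of that day's activity fell outside an assumed 08:00-18:59 working window. The user names, dates, byte counts and the threshold of 3.5 are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median


def build_events():
    """Constructed audit-log events (not real data): (user, 'YYYY-MM-DD HH:MM:SS', action, bytes)."""
    events = []
    # alice: seven ordinary workdays with 18-23 downloads each, then a 200-file burst late at night
    for day, n in enumerate([18, 20, 22, 19, 21, 20, 23], start=1):
        for i in range(n):
            events.append(("alice", f"2024-03-{day:02d} {9 + i % 8:02d}:15:00", "download", 50_000))
    for i in range(200):
        events.append(("alice", f"2024-03-08 {22 + i % 2:02d}:05:00", "download", 50_000))
    # bob: a steady 15 downloads per workday with no change in pattern
    for day in range(1, 9):
        for i in range(15):
            events.append(("bob", f"2024-03-{day:02d} {10 + i % 6:02d}:30:00", "download", 20_000))
    return events


BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59 counts as normal working hours


def daily_profile(events):
    """Per user, per day: [download count, downloads outside business hours]."""
    profile = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for user, ts, action, _size in events:
        if action != "download":
            continue
        day, hour = ts[:10], int(ts[11:13])
        rec = profile[user][day]
        rec[0] += 1
        if hour not in BUSINESS_HOURS:
            rec[1] += 1
    return profile


def robust_z(value, history):
    """Median/MAD z-score: the burst being scored cannot inflate its own baseline's spread."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # flat history: fall back to unit scale
    return 0.6745 * (value - med) / mad


def find_outliers(events, threshold=3.5, min_history=3):
    """Return (user, day, count, z, off_hours_fraction) for days that break the user's own baseline."""
    alerts = []
    for user, per_day in daily_profile(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d][0] for d in days[:i]]  # only earlier days form the baseline
            if len(history) < min_history:
                continue  # not enough history yet to judge this user
            count, off_hours = per_day[day]
            z = robust_z(count, history)
            if z > threshold:
                alerts.append((user, day, count, round(z, 1), round(off_hours / count, 2)))
    return alerts


if __name__ == "__main__":
    for user, day, count, z, off in find_outliers(build_events()):
        print(f"ALERT user={user} day={day} downloads={count} robust_z={z} off_hours={off:.0%}")
```

Two design points matter for this kind of check. The baseline is built per user and only from days before the one being scored, so a single bulk-download day cannot hide itself by widening its own baseline. And the median/MAD score is used instead of mean/standard deviation because the burst that should raise the alert would otherwise dominate the standard deviation and suppress its own z-score; the 3.5 cutoff is a conventional starting point for this statistic, to be tuned against the organisation's false-positive tolerance.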
The threat posed by insiders is not going away any time soon, and many cybersecurity professionals believe it is one of the most pressing concerns facing businesses today. There are ways to mitigate the issue, such as ensuring that businesses have robust privilege controls that limit which employees have access to what information. But that will not stop all malicious insiders from attempting to cause damage, which is why monitoring and analytics are such critical parts of modern cybersecurity. It remains to be seen how well behavioral data visualization and psychological profiling will be utilized in a field that is consistently focused on technical solutions over human ones. However, the insider threat is a fundamentally human issue, and it will likely require a more human-centric response to keep malicious insiders in check.