Perimeter
11/16/2010 06:43 AM
Eric Cole
Commentary

Profiling The Evil Insider

How to sniff out a rogue insider

There are many ways of performing profiling, but the general methods used to detect the insider threat are actions, appearance, and instinct.

Actions play a major role when profiling a person. Take someone who is lying, for example. Many times someone who is lying will not look a person in the eye, will play with their hair, will fidget, and will look generally uncomfortable. While these are extreme examples, they reinforce the fact that there are behavioral patterns associated with different actions.

Typically, in the case of an insider, an organization would look for behavior that shows an employee being nervous or uncomfortable in a situation. An example of this could be walking into an employee's office and seeing him or her suddenly startle and start clicking rapidly or turn the monitor off. This is not a normal reaction and should raise concern that the employee is trying to hide something. While there can be reasonable explanations for why people do certain things, actions speak louder than words.

Once suspicious actions have been witnessed, the next step in the profiling process is to closely monitor the individual in question. In order for this step to work it is necessary that the organization have the proper policies in place. The employee should have signed a document that states he has no expectation of privacy while in the workplace and that he consents to monitoring.

When it comes to people who commit insider attacks, there are some basic characteristics shared by those who have been caught. These characteristics describe the low-end attacker, because the high-end attacker does not get caught. The basic characteristics of low-end attackers are: minimal technical knowledge, attacks focused on intellectual property, money as a motive, not fully understanding the repercussions, other people knowing about the activity, and anger playing a part.

Minimal technical knowledge plays a role in the sense that the usual insider threat is not some super spy with special skills and high-tech gadgets. These are average people who use the basic technology they already use in their jobs: email, copying information, or deleting information. It does not take a super-stealthy spy to be an insider, but rather an average employee with average technical skills.
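Because the channels are this ordinary, the practical detection question is not "which tool was used" but "is this volume normal for this person." The following is an added example (not code from the article or from any product) of a baseline-and-deviation check over constructed endpoint audit lines: it counts each user's daily mail attachments, copies to removable media and deletes, and flags a day that is several times that user's own prior median. The log format, the user names, the action labels and the thresholds are all assumptions made for the example.

```python
"""Baseline-and-deviation check over constructed endpoint audit logs.

Added example, not from the original article: flags a user whose daily
volume of the ordinary actions an insider typically uses (mail attachments,
copies to removable media, deletes) jumps well above that user's own
history. The log format, action names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines (not real data). Format:
# ISO timestamp | user | action | object | bytes
SAMPLE_LOG = """\
2010-11-01T09:12:00 | alice | email_attach | q3-forecast.xlsx | 240000
2010-11-01T10:03:00 | alice | copy_removable | notes.txt | 4000
2010-11-02T09:30:00 | alice | email_attach | agenda.docx | 60000
2010-11-03T11:10:00 | alice | delete | tmp.log | 1000
2010-11-04T09:15:00 | alice | email_attach | minutes.docx | 80000
2010-11-05T08:50:00 | alice | copy_removable | design-v1.pdf | 3500000
2010-11-05T08:51:00 | alice | copy_removable | design-v2.pdf | 3600000
2010-11-05T08:52:00 | alice | copy_removable | customer-list.csv | 900000
2010-11-05T08:53:00 | alice | copy_removable | pricing.xlsx | 700000
2010-11-05T08:54:00 | alice | copy_removable | roadmap.pptx | 8200000
2010-11-05T09:00:00 | alice | delete | design-v1.pdf | 3500000
2010-11-05T09:00:05 | alice | delete | design-v2.pdf | 3600000
2010-11-05T09:00:10 | alice | delete | customer-list.csv | 900000
2010-11-05T09:00:15 | alice | delete | pricing.xlsx | 700000
2010-11-05T09:00:20 | alice | delete | roadmap.pptx | 8200000
2010-11-01T09:00:00 | bob | email_attach | report.pdf | 120000
2010-11-02T09:00:00 | bob | email_attach | report.pdf | 120000
2010-11-03T09:00:00 | bob | email_attach | report.pdf | 120000
2010-11-04T09:00:00 | bob | email_attach | report.pdf | 120000
2010-11-05T09:00:00 | bob | email_attach | report.pdf | 120000
"""

WATCHED_ACTIONS = {"email_attach", "copy_removable", "delete"}
MIN_EVENTS = 4      # ignore days below this count even if the baseline is tiny
SPIKE_FACTOR = 3.0  # flag a day at least 3x the user's median prior day


def parse_log(text):
    """Parse 'ts | user | action | object | bytes' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, size = [f.strip() for f in line.split("|")]
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "object": obj,
            "bytes": int(size),
        })
    return events


def daily_counts(events):
    """Return {(user, action): {date: count}} for watched actions only."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] in WATCHED_ACTIONS:
            counts[(e["user"], e["action"])][e["ts"].date()] += 1
    return counts


def find_spikes(events, min_events=MIN_EVENTS, factor=SPIKE_FACTOR):
    """Return (user, action, date, count, baseline) tuples for days where a
    user's count of one action is at least min_events and at least
    factor * the median of that user's earlier days for the same action.
    A day with no prior history is compared against a baseline of 1, so a
    first-day burst is still surfaced rather than silently setting the norm."""
    alerts = []
    for (user, action), per_day in daily_counts(events).items():
        history = []
        for day in sorted(per_day):
            n = per_day[day]
            baseline = median(history) if history else 1
            if n >= min_events and n >= factor * baseline:
                alerts.append((user, action, day.isoformat(), n, baseline))
            history.append(n)
    return alerts


if __name__ == "__main__":
    for user, action, day, n, base in find_spikes(parse_log(SAMPLE_LOG)):
        print(f"{day} {user}: {n} x {action} (baseline {base})")
```

On the constructed data this flags alice's 2010-11-05 burst of removable-media copies and the deletes that follow it, while bob's steady one-attachment-a-day pattern is never flagged. Two caveats a practitioner should keep in mind: the baseline only contains days on which the user acted at all, so quiet days do not pull it down, and a slow attacker who ramps up gradually will raise his own baseline as he goes; a fixed absolute threshold alongside the relative one catches that case. Any such monitoring has to run under the consent-to-monitoring policy described above.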

Almost every insider attack at one level or another is focused on intellectual property. This logically makes sense: if the attack were not focused on revealing, modifying, or destroying something of value to the company, then it most likely would not be classified as an insider threat.

Most insider threats are driven by money. Whether it is greed or financial trouble, money usually plays some type of role in these attacks. I have seen cases where, when people who committed insider attacks were caught, their first response was, "It was not my fault -- I had no choice. If I had not done this I would have lost everything, and my family would have been living on the street." These cases are a perfect example of how most insider threats are money-driven. Even in the case of disgruntled employees who act maliciously, most employees are disgruntled because they did not receive a raise or were passed over for a promotion.

Many people who commit insider attacks do not truly understand how much trouble they could get into if they were caught and, more basically, do not even realize they are breaking the law. I have seen, time and time again, insiders not understanding why they were arrested. In the mind of the insider, their actions were justified and it is the organization that is to blame.

In many cases, someone besides the attacker either knew what was going on or had an idea that something suspicious was occurring. Many times these other employees do not tell management because they are either a trusted friend or agree that what the attacker is doing is justified. In other cases, employees may discover the threat through observation and just ignore it.

At some level, anger and frustration usually contribute to the reason the person is committing the attack against the company. It could be a major reason in the case of a disgruntled employee who is so frustrated and angry that they feel like they have no other solution or answer but to take that anger out on the company.

These are just a few of the characteristics that make up the basic profile of an insider. This list is by no means in-depth or exhaustive, but it should give you an idea of how the typical insider acts and thinks. While these characteristics alone do not indicate an insider, any employees sharing these characteristics should be monitored to ensure they are not causing harm to the organization.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS, working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ...
