06:43 AM
Eric Cole

Profiling The Evil Insider

How to sniff out a rogue insider

There are many ways of performing profiling, but the general methods used to detect the insider threat are actions, appearance, and instinct.

Actions play a major role when profiling a person. Take someone who is lying, for example. Many times someone who is lying will not look a person in the eye, will play with their hair, will fidget, and will look generally uncomfortable. While these are extreme examples, they reinforce the fact that there are behavioral patterns associated with different actions.

Typically in the case of an insider, an organization would look for behavior that shows an employee as being nervous or uncomfortable in a situation. An example of this could be if you walk into an employee's office and all of a sudden he or she is startled and starts clicking rapidly or turns the monitor off. This is obviously not a normal reaction and should generate concern that the employee is trying to hide something. While there can also be reasonable explanations for why people do certain things, actions speak louder than words.

Once suspicious actions have been witnessed, the next step in the profiling process is to closely monitor the individual in question. In order for this step to work, the organization must have the proper policies in place. The employee should have signed a document that states he has no expectation of privacy while in the workplace and that he consents to monitoring.

When it comes to people who commit insider threat, there are some basic characteristics of those who have been caught. These characteristics describe a low-end attacker, because the high-end attacker does not get caught. The basic characteristics of low-end attackers include minimal technical knowledge, attacks focused on intellectual property, being money-driven, not fully understanding the repercussions, other people knowing about the activity, and anger playing a part.

Minimal technical knowledge plays a role in the fact that the usual insider threat is not some super spy with special skills and high-tech gadgets. These are average people who utilize the basic technology that they use in their job. These technologies include email, copying information, or deleting information. It does not take a super stealthy spy to be an insider, but rather an average employee with average technical skills.

Almost every insider attack at one level or another is focused on intellectual property. This logically makes sense because if the attack was not focused on revealing, modifying, or destroying something of value to the company, then it most likely would not be classified as an insider threat.

Most insider threats are driven by money. Whether it is for greed or for financial troubles, money usually plays some type of role in these attacks. I have seen cases where, when people who committed insider attacks were caught, their first response was, "It was not my fault -- I had no choice. If I did not do this I would have lost everything and my family would have been living on the street." These cases are a perfect example of how most insider threats are money-driven. Even in the case of disgruntled employees who act maliciously, most employees are disgruntled because they did not receive a raise or were passed over for a promotion.

Many people who commit insider attacks do not truly understand how much trouble they could get into if they were caught and, more basically, do not even realize they were breaking the law. I have seen, time and time again, insiders who did not understand why they were arrested. In the mind of the insider they were justified in their actions, and it is the organization that is to blame.

In many cases, someone besides the attacker either knew what was going on or had an idea that something suspicious was occurring. Many times these other employees do not tell management because they are either a trusted friend of the attacker or agree that what the attacker is doing is justified. In other cases, employees may discover the threat through observation and simply ignore it.

At some level, anger and frustration usually contribute to the reason the person is committing the attack against the company. It can be a major reason in the case of a disgruntled employee who is so frustrated and angry that they feel they have no other solution or answer but to take that anger out on the company.

These are just a few of the characteristics that make up the basic profile of an insider. This list is by no means in-depth or exhaustive, but it should give you an idea of how the typical insider acts and thinks. While these characteristics alone do not indicate an insider, any employees sharing these characteristics should be monitored to ensure they are not causing harm to the organization.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS, working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ...
