Perimeter
11/16/2010
06:43 AM
Eric Cole
Commentary

Profiling The Evil Insider

How to sniff out a rogue insider

There are many ways of performing profiling, but the general methods used to detect the insider threat are actions, appearance, and instinct.

Actions play a major role when profiling a person. Take someone who is lying, for example. Many times a person who is lying will not look you in the eye, will play with their hair, will fidget, and will look generally uncomfortable. While these are extreme examples, they reinforce the fact that there are behavioral patterns associated with different actions.

Typically in the case of an insider, an organization would look for behavior that shows an employee being nervous or uncomfortable in a situation. An example of this could be if you walk into an employee's office and all of a sudden he or she is startled and starts clicking rapidly or turns the monitor off. This is obviously not a normal reaction and should generate concern that the employee is trying to hide something. While there can also be reasonable explanations for why people do certain things, actions speak louder than words.

Once suspicious actions have been witnessed, the next step in the profiling process is to closely monitor the individual in question. In order for this step to work it is necessary that the organization have the proper policies in place. The employee should have signed a document that states he has no expectation of privacy while in the workplace and that he consents to monitoring.

When it comes to people who commit insider threat, there are some basic characteristics shared by those who have been caught. These characteristics describe a low-end attacker, because the high-end attacker does not get caught. The basic characteristics of low-end attackers include minimal technical knowledge, attacks focused on intellectual property, being money-driven, not fully understanding the repercussions, other people knowing about the attack, and anger playing a part.

Minimal technical knowledge plays a role in that the usual insider threat is not some super spy with special skills and high-tech gadgets. These are average people who utilize the basic technology that they use in their job. These technologies include email, copying information, or deleting information. It does not take a super stealthy spy to be an insider, but rather an average employee with average technical skills.

Almost every insider attack at one level or another is focused on intellectual property. This logically makes sense because if the attack was not focused on revealing, modifying, or destroying something of value to the company, then it most likely would not be classified as an insider threat.

Most insider threats are driven by money. Whether it is greed or financial troubles, money usually plays some type of role in these attacks. I have seen cases where people who committed insider attacks were caught, and their first response was, "It was not my fault -- I had no choice. If I did not do this I would have lost everything and my family would have been living on the street." These cases are a perfect example of how most insider threats are money-driven. Even in the case of disgruntled employees who act maliciously, most employees are disgruntled because they did not receive a raise or were passed over for a promotion.

Many people who commit insider attacks do not truly understand how much trouble they could get into if they were caught and, more basically, do not even realize they are breaking the law. I have seen time and time again insiders not understanding why they were arrested. In the mind of the insider, their actions were justified and it is the organization that is to blame.

In many cases, someone besides the attacker either knew what was going on or had an idea that something suspicious was occurring. Many times these other employees do not tell management because they are either a trusted friend or agree that what the attacker is doing is justified. In other cases, employees may discover the threat through observation and just ignore it.

At some level, anger and frustration usually contribute to the reason the person is committing the attack against the company. It could be a major reason in the case of a disgruntled employee who is so frustrated and angry that they feel like they have no other solution or answer but to take that anger out on the company.

These are just a few of the characteristics that make up the basic profile of an insider. This list is by no means in-depth or exhaustive, but it should give you an idea of how the typical insider acts and thinks. While these characteristics alone do not indicate an insider, any employees sharing these characteristics should be monitored to ensure they are not causing harm to the organization.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS, working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ...
