06:43 AM
Eric Cole
Eric Cole
Connect Directly

Profiling The Evil Insider

How to sniff out a rogue insider

There are many ways of performing profiling, but the general methods used to detect the insider threat are actions, appearance, and instinct.

Actions play a major role when profiling a person. Take someone who is lying, for example. Many times someone who is lying will not look a person in the eye, they will play with their hair, they will fidget, and they will look generally uncomfortable. While these are extreme examples, it reinforces the fact that there are behavioral patterns associated with different actions.

Typically in the case of an insider, an organization would look for behavior that shows an employee as being nervous or uncomfortable in a situation. An example of this could be if you walk into an employee's office and all of a sudden he or she is startled and start clicking rapidly or turn the monitor off. This is obviously not a normal reaction and should generate concern that the employee is trying to hide something. While there can also be reasonable explanation on why people do certain things, actions speak louder than words.

Once suspicious actions have been witnessed, the next step in the profiling process is to closely monitor the individual in question. In order for this step to work it is necessary that the organization have the proper policies in place. The employee should have signed a document that states he has no expectation of privacy while in the workplace and that he consents to monitoring.

When it comes to people who commit insider threat, there are some basic characteristics of those people who have been caught. These characteristics describe a low-end attacker, for the fact that the high-end attacker does not get caught. The basic characteristics of low-end attackers include minimal technical knowledge, attacks focused on intellectual property, money-driven, not fully understanding repercussions, other people knew, and anger playing a part.

Minimal technical knowledge plays a role in the fact that usual insider threat is not some super spy with special skills and high tech gadgets. These are average people who utilize the basic technology that they use in their job. These technologies include email, copying information, or deleting information. It does not take a super stealthy spy to be an insider, but rather an average employee with average technical skills.

Almost every insider attack at one level or another is focused on intellectual property. This logically makes sense because if the attack was not focused on revealing, modifying, or destroying something of value to the company than it most likely would not be classified as an insider threat.

Most insider threats are driven by money. Whether it is for greed or for financial troubles, money usually plays some type of role in these attacks. I have seen cases where people who committed insider attacks were caught, their first response is, "It was not my fault -- I had no choice. If I did not do this I would have lost everything and my family who have been living on the street." These cases are a perfect example of how most insider threats are money-driven. Even in the case of disgruntle employees who act maliciously, most employees are disgruntled because they did not receive a raise or were passed over for a promotion.

Many people who commit insider attacks do not truly understand how much trouble they could get into if they were caught and, more basically, do not even realize they were breaking the law. I have seen time and time again insiders not understand why they were arrested. In the mind of the insider they were justified for their actions and it is the organization that is to blame.

In many cases, someone besides the attacker either knew what was going on or had an idea that something suspicious was occurring. Many times these other employees do not tell management because they are either a trusted friend or agree that what the attacker is doing is justified. In other cases, employees may discover the threat through observation and just ignore it.

At some level, anger and frustration usually contribute to the reason the person is committing the attack against the company. It could be a major reason in the case of a disgruntled employee who is so frustrated and angry that they feel like they have no other solution or answer but to take that anger out on the company.

These are just a few of the characteristics that make up the basic profile of an insider. This list is by no means in-depth or exhaustive, but it should give you an idea of how the typical insider acts and thinks. While these characteristics alone do not indicate an insider, any employees sharing these characteristics should be monitored to ensure they are not causing harm to the organization.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-21
Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.

Published: 2014-10-21
functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request.

Published: 2014-10-21
Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to i...

Published: 2014-10-21
SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Published: 2014-10-21
SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx , (2) SiteWorx, or (3) R...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.