Profiling The Evil Insider
How to sniff out a rogue insider
There are many ways of performing profiling, but the general methods used to detect the insider threat are actions, appearance, and instinct.
Actions play a major role when profiling a person. Take someone who is lying, for example. Many times someone who is lying will not look a person in the eye, they will play with their hair, they will fidget, and they will look generally uncomfortable. While these are extreme examples, it reinforces the fact that there are behavioral patterns associated with different actions.
More Security Insights
- Forrester Study: The Total Economic Impact of VMware View
- Securing Executives and Highly Sensitive Documents of Corporations Globally
- Top Big Data Security Tips and Ultimate Protection for Enterprise Data
- Client Windows Migration: Expert Tips for Application Readiness
Typically in the case of an insider, an organization would look for behavior that shows an employee as being nervous or uncomfortable in a situation. An example of this could be if you walk into an employee's office and all of a sudden he or she is startled and start clicking rapidly or turn the monitor off. This is obviously not a normal reaction and should generate concern that the employee is trying to hide something. While there can also be reasonable explanation on why people do certain things, actions speak louder than words.
Once suspicious actions have been witnessed, the next step in the profiling process is to closely monitor the individual in question. In order for this step to work it is necessary that the organization have the proper policies in place. The employee should have signed a document that states he has no expectation of privacy while in the workplace and that he consents to monitoring.
When it comes to people who commit insider threat, there are some basic characteristics of those people who have been caught. These characteristics describe a low-end attacker, for the fact that the high-end attacker does not get caught. The basic characteristics of low-end attackers include minimal technical knowledge, attacks focused on intellectual property, money-driven, not fully understanding repercussions, other people knew, and anger playing a part.
Minimal technical knowledge plays a role in the fact that usual insider threat is not some super spy with special skills and high tech gadgets. These are average people who utilize the basic technology that they use in their job. These technologies include email, copying information, or deleting information. It does not take a super stealthy spy to be an insider, but rather an average employee with average technical skills.
Almost every insider attack at one level or another is focused on intellectual property. This logically makes sense because if the attack was not focused on revealing, modifying, or destroying something of value to the company than it most likely would not be classified as an insider threat.
Most insider threats are driven by money. Whether it is for greed or for financial troubles, money usually plays some type of role in these attacks. I have seen cases where people who committed insider attacks were caught, their first response is, "It was not my fault -- I had no choice. If I did not do this I would have lost everything and my family who have been living on the street." These cases are a perfect example of how most insider threats are money-driven. Even in the case of disgruntle employees who act maliciously, most employees are disgruntled because they did not receive a raise or were passed over for a promotion.
Many people who commit insider attacks do not truly understand how much trouble they could get into if they were caught and, more basically, do not even realize they were breaking the law. I have seen time and time again insiders not understand why they were arrested. In the mind of the insider they were justified for their actions and it is the organization that is to blame.
In many cases, someone besides the attacker either knew what was going on or had an idea that something suspicious was occurring. Many times these other employees do not tell management because they are either a trusted friend or agree that what the attacker is doing is justified. In other cases, employees may discover the threat through observation and just ignore it.
At some level, anger and frustration usually contribute to the reason the person is committing the attack against the company. It could be a major reason in the case of a disgruntled employee who is so frustrated and angry that they feel like they have no other solution or answer but to take that anger out on the company.
These are just a few of the characteristics that make up the basic profile of an insider. This list is by no means in-depth or exhaustive, but it should give you an idea of how the typical insider acts and thinks. While these characteristics alone do not indicate an insider, any employees sharing these characteristics should be monitored to ensure they are not causing harm to the organization.
Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author.