3/1/2013
05:51 AM

5 Lessons From The FBI Insider Threat Program

Finding ways to improve enterprise insider theft detection and deterrence

SAN FRANCISCO -- RSA CONFERENCE 2013 -- Insider threats may not have garnered the same sexy headlines that APTs did at this year's RSA Conference. But two presenters with the Federal Bureau of Investigation (FBI) swung the spotlight back onto insiders during a session this week that offered enterprise security practitioners some lessons learned at the agency after more than a decade of fine-tuning its efforts to sniff out malicious insiders following the fallout from the disastrous Robert Hanssen espionage case.


1. Insider threats are not hackers.
People often picture the most dangerous insiders as hackers running special technical tools on internal networks. Not so, says Patrick Reidy, CISO for the FBI.

"You're dealing with authorized users doing authorized things for malicious purposes," he says. "In fact, going over 20 years of espionage cases, none of those involve people having to do something like run hacking tools or escalate their privileges for purposes of espionage."

Reidy says that just under a quarter of the insider incidents tracked each year come from accidental insiders, or what he calls the "knucklehead problem." Yet at the FBI his insider threat team spends 35 percent of its time dealing with them. He believes the FBI and other organizations should look for ways to "automate out of this problem set" through better user education. Taking those simpler incidents off the queue gives insider threat teams more time to concentrate on the harder problem of malicious insiders, he says.

2. Insider threat is not a technical or "cybersecurity" issue alone.
Unlike many other issues in information assurance, the risk from insider threats is not a technical problem, but a people-centric problem, says Kate Randal, insider threat analyst and lead researcher for the FBI.

"So you have to look for a people centric solution," she says. "People are multidimensional, so what you have to do is take a multidisciplinary approach."

This starts by identifying your internal people, your likely adversaries, and the data that would be at risk. In particular, understanding who your people really are should be approached from three informational angles: cyber, contextual, and psychosocial.

"The combination of these three things is what's most powerful about this methodology," Randal says. "In an ideal world we'd want to collect as much about these areas [as possible], but that's never going to happen. So what's important is adopting a method working with your legal and managerial departments to figure out what works best within the limitations of your environment."

3. A good insider threat program should focus on deterrence, not detection.
For a time the FBI put its back into predictive analytics meant to flag insider behavior before any malicious act. Rather than a powerful tool that stopped criminals before they did damage, the FBI ended up with a system that was statistically worse than random at ferreting out bad behavior, Reidy says; Punxsutawney Phil, the groundhog of Groundhog Day, would have predicted malicious insider activity better.

"We would have done better hiring Punxsutawney Phil and waving him in front of someone and saying, 'Is this an insider or not an insider?'" he says.

Rather than getting wrapped up in prediction or detection, he believes organizations should start first with deterrence.

"We have to create an environment in which it is really difficult or not comfortable to be an insider," he says, explaining that the FBI has done this in a number of ways, including crowdsourcing security by allowing users to encrypt their own data, classify their own data, and come up with better ways to protect data. Additionally, the agency has put "rumble strips" in the road: reminders that let users know these policies are in place and that their interactions with data are being recorded.

4. Detection of insider threats has to use behavioral-based techniques.
Following the failure to develop effective predictive analytics, the FBI moved toward a behavioral detection methodology that has proved far more effective, Reidy says. The idea is to detect insider bad behavior closer to that "tipping point" of when a good employee goes rogue.

"We look at how people operate on the system, how they look contextually, and try to build baselines and look for those anomalies," he says.

Whatever analytics an organization uses, whether it is print file behavior or data around file interactions, Reidy recommends a minimum of six months of baseline data prior to even attempting any detection analysis.

"Even if all you can measure is the telemetry to look at prints from a print server, you can look at things like what's the volume, how many and how big are the files, and how often do they do print," he says.
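To make the baselining concrete, here is an added example (written for this edit, not code from the article or the FBI) that scores each user's daily print volume against that user's own median and median-absolute-deviation baseline, and refuses to score anyone whose history is shorter than the required baseline period. The print telemetry is constructed; the 180-day minimum (six months), the robust z threshold of 6, and the user names are assumptions.

```python
"""Per-user baselining of print-server telemetry with a minimum history check."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
import random

MIN_BASELINE_DAYS = 180   # assumption: Reidy's "at least six months" of history
THRESHOLD = 6.0           # assumption: robust z-score above which a day is flagged


@dataclass(frozen=True)
class PrintJob:
    user: str
    day: date
    pages: int


def daily_pages(jobs):
    """Aggregate pages printed per user per day: {user: {day: pages}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for job in jobs:
        totals[job.user][job.day] += job.pages
    return totals


def build_baseline(per_day, baseline_end, min_days=MIN_BASELINE_DAYS):
    """Return (median, MAD) of a user's daily page counts up to baseline_end,
    or None when the user's history spans fewer than min_days."""
    history = {d: p for d, p in per_day.items() if d <= baseline_end}
    if not history or (baseline_end - min(history)).days < min_days:
        return None
    values = list(history.values())
    med = median(values)
    # MAD floor of 1 page keeps a perfectly steady user from dividing by zero
    mad = median(abs(v - med) for v in values) or 1.0
    return med, mad


def robust_z(value, baseline):
    """Median/MAD analogue of a z-score; 0.6745 rescales MAD to one sigma."""
    med, mad = baseline
    return 0.6745 * (value - med) / mad


def detect(jobs, baseline_end, threshold=THRESHOLD, min_days=MIN_BASELINE_DAYS):
    """Score every day after baseline_end against the user's own baseline.
    Returns (alerts, unscored): alerts are (user, day, pages, z) tuples,
    unscored lists users with too little history to be scored at all."""
    alerts, unscored = [], []
    for user, per_day in daily_pages(jobs).items():
        baseline = build_baseline(per_day, baseline_end, min_days)
        if baseline is None:
            unscored.append(user)
            continue
        for day, pages in sorted(per_day.items()):
            if day <= baseline_end:
                continue
            z = robust_z(pages, baseline)
            if z > threshold:
                alerts.append((user, day, pages, round(z, 1)))
    return alerts, unscored


def sample_jobs():
    """Constructed telemetry (not real data): alice has ~200 days of steady
    weekday printing, bob only 30 days; both print 600 pages on the same day
    after the baseline window closes."""
    rng = random.Random(7)
    end = date(2013, 2, 28)
    jobs = []
    for offset in range(200, 0, -1):
        d = end - timedelta(days=offset)
        if d.weekday() < 5:
            for _ in range(rng.randint(3, 6)):
                jobs.append(PrintJob("alice", d, rng.randint(1, 8)))
    for offset in range(30, 0, -1):
        jobs.append(PrintJob("bob", end - timedelta(days=offset), rng.randint(1, 8)))
    spike = end + timedelta(days=1)
    jobs += [PrintJob("alice", spike, 600), PrintJob("bob", spike, 600),
             PrintJob("alice", end + timedelta(days=2), 12)]
    return jobs, end


if __name__ == "__main__":
    jobs, baseline_end = sample_jobs()
    alerts, unscored = detect(jobs, baseline_end)
    for alert in alerts:
        print("ALERT", *alert)
    print("unscored (history shorter than %d days):" % MIN_BASELINE_DAYS, unscored)
```

Run as-is, it raises one alert for alice's 600-page day and lists bob as unscored despite his identical spike. That second outcome is the point of the minimum baseline rule: a 30-day history cannot distinguish a spike from a new employee's normal, so the right answer is "not enough data yet," not a false alarm or a silent miss. In production the per-day aggregation would come from the print server's logs and the threshold would be tuned on the baseline period itself.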

5. The science of insider threat detection and deterrence is in its infancy.
According to Randal, it was bad science that led the FBI to a predictive model that performed worse than random. Part of the issue is that even now the science of insider detection and deterrence is still in its infancy. One reason it has grown slowly is that much of the existing research looks only at data from known offenders, with no comparison group of benign insiders.

"So what the FBI has done is to really try to push this diagnostic approach of collecting data from and comparing it between a group of known bad and a group of assumed good [insiders] and try to apply that methodology to those three realms [cyber, contextual and psychosocial]."

In particular, some of the research the FBI has done with regard to psychosocial diagnostic indicators has been a bit surprising, she says.

"What we learned from this study is that some of the things we thought would be the most diagnostic in terms of disgruntlement or workplace issues really weren't that much," she says, explaining that more innate psychological risk factors come into play. For example, stress from a divorce, inability to work in a team environment, and retaliatory behavior all scored high as risk indicators when the bad insiders were compared with the good.

While enterprises will not be able to do the same kind of psychological screening that the FBI does with its employees, there are ways to incorporate this knowledge into insider prevention programs.

"You can try to elicit this information from other avenues: observables, behavioral manifestations, making supervisors more aware of the insider threat problem, and creating an environment where they may be more willing to report some of these things as they see them," she says. "One of the best resources that your security program has is the collaboration of the HR department."

Comments
kjhiggins,
User Rank: Strategist
3/4/2013 | 6:59:30 PM
re: 5 Lessons From The FBI Insider Threat Program
There's a lot of buzz about law enforcement not sharing, so it's good to see FBI experts providing their expertise here. Any readers want to weigh in on whether this info is useful to their insider threat programs?

Kelly Jackson Higgins, Senior Editor, Dark Reading