Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:04 PM
Connect Directly

Hacking The Human Side Of The Insider Threat

NSA-Snowden affair and the mechanics of tracking human behavior

The details on how a young systems administrator for an NSA contractor was able to access and walk away with highly classified program information from the super-secretive agency may never be fully revealed, but the Edward Snowden case has spurred debate over how best to catch a rogue insider before he incurs any damage.

There's no way to stop a determined insider from leaking or stealing what he knows if he can get his hands on it, but there are ways to track users as humans, rather than by just their use of company equipment or their network traffic, some experts say.

That would mean establishing a baseline for, say, Snowden's daily work activities. "It's not so much behavior on [technology] assets, but looking at ways to identify change in behaviors as a person starts to steal or goes through some espionage activity," says Chris Kauffman, managing partner at software firm Sphere of Influence. "If they have classified information and have been granted access to it, they can have it on their desktop ... But if their behavior starts to change in their 'patterns of life,' they change the websites they go to, they start frequently emailing recipients, or the times of day they work" changes dramatically, and their patterns diverge from previous ones or those of their co-workers, those can be red flags, he says.

"The anomalies tell of behavioral intent," Kauffman says. "In the past few years, companies working on behavioral analysis have been using more advanced analytics. But we don't see that kind of focus on insider threat technologies."

[A determined user or contractor hell-bent on leaking data can't be stopped, but businesses should revisit their user access policies and protections. See NSA Leak Ushers In New Era Of The Insider Threat .]

Security incident event monitoring (SIEM) and data leakage prevention (DLP) monitor assets, not people, he says. "They are more focused on behavioral analysis of the use of the asset ... they monitor use of data, patterns in bandwidth. If those behaviors spike beyond a baseline, then there's an alert. So it only does so much good if a person [deviates from a] pattern."

Management also must take a more proactive role in identifying possible users going or gone bad since technology can't catch everything. "Management has responsibility for oversight of its workforce members. Unfortunately, a lot of them don't take an active role" in monitoring user activities, says Andy Hubbard, senior security consultant at Neohapsis.

Bradley Manning's siphoning of gigabytes of classified information was a classic case study of a "low and slow" insider threat that slipped under the radar of traditional security monitoring systems, Kauffman says. "Manning did his everyday job and occasionally grabbed a classified document," he says.

For the past two years, Kauffman's company has been conducting research and development in the area of analyzing human behavior to detect and quell insider threat incidents. The company plans to ship a product from the R&D by the end of this year, he says.

The underlying concept is baselining and monitoring the user's normal workday behaviors or "patterns of life." If Snowden had begun visiting different websites than his co-workers, for example, the human behavioral alarms could have been sounded, Kauffman says.

"Theoretically, you could have a system in place that monitored specific computer network usage patterns of Snowden and all of the people he worked with," he says. That could match how his behaviors differed from others on his team, for instance: Teams tend to behave similarly in their usage patterns, for instance, he says.

"A software development team working on a product visit similar types of websites in their research," he says.

This approach differs from the signature and previously defined scenarios of many existing security monitoring technologies, he says. The human behavior approach would rely more on the software learning the norms and spotting patterns and red flags -- including a user employing an anonymizer or other atypical technology.

There are challenges with the human behavior technology, including the massive amounts of data required for analysis and the age-old problem of false positives. "Our emails and website visits might change every day, so [the system] has to take that into account as part of the behavioral profile" to avoid constantly sending out false positives, he says.

But like anything, the technology isn't fool-proof. "It has to be part of a layered defense. It's not meant to replace legacy, rules-based engines: It really has to complement it," he says.

"There's no such thing as 100 percent water-tight security -- we all have to recognize that we're trying to reduce the risk of our company being the next one having to show its red face in the newspapers," says security expert Graham Cluley.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
James McCabe
James McCabe,
User Rank: Apprentice
7/10/2013 | 11:17:45 AM
re: Hacking The Human Side Of The Insider Threat
"If they have classified information and have been granted access to it, they can have it on their desktop ... " If proper procedures are followed then this statement is false. You're not going to have classified material on an unclassified machine. That line of thinking is flawed from the start. If classified information is on an unclassified machine, then a violation just occurred. This is a policy problem that is now affecting others including the ISSM/ISSO of the system. From a behavioral aspect, guys like Snowden are not conducting out- of- the-ordinary research on any monitored system. They're doing it on their own time on their own computer in their own home/environment.
There's a lot of "theory" in this article that's not really based in reality. All of the detection models discussed in this article are "reactionary" to what has already occurred. I do, however, agree with the "theoretical" use of technology targeting grouping behavior patterns. But once detected, the problem has already occurred. There needs to be paradigm shift in our security thinking. We need to separate roles from those that have to look at data from those that do not in order to do their job. Example: Analyst vs. Sys Admin. No Sys Admin needs data access rights to do their job. They are paid to manage an environment, not look at data. Analysts have no need to be Root user of an operating system. They should not have access to data files directly, but rather use data through set applications. That way all these reactionary monitoring tools are in force. A defense-in-depth approach is necessary with strong encryption of data at rest combined with strong user/role based policy controls wrapped around the data itself.
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-21
btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapping of a crafted NFC tag.
PUBLISHED: 2020-02-21
Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
PUBLISHED: 2020-02-21
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent hea...
PUBLISHED: 2020-02-20
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial produc...
PUBLISHED: 2020-02-20
The Trend Micro Security 2019 ( and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the ...