Hacking The Human Side Of The Insider Threat

NSA-Snowden affair and the mechanics of tracking human behavior

The details of how a young systems administrator working for an NSA contractor was able to access and walk away with highly classified program information from the super-secretive agency may never be fully revealed, but the Edward Snowden case has spurred debate over how best to catch a rogue insider before he does any damage.

There's no way to stop a determined insider from leaking or stealing what he knows if he can get his hands on it, but there are ways to track users as humans, rather than just by their use of company equipment or their network traffic, some experts say.

That would mean establishing a baseline for, say, Snowden's daily work activities. "It's not so much behavior on [technology] assets, but looking at ways to identify change in behaviors as a person starts to steal or goes through some espionage activity," says Chris Kauffman, managing partner at software firm Sphere of Influence. "If they have classified information and have been granted access to it, they can have it on their desktop ... But if their behavior starts to change in their 'patterns of life,' they change the websites they go to, they start frequently emailing recipients, or the times of day they work" changes dramatically, and their patterns diverge from previous ones or those of their co-workers, those can be red flags, he says.

"The anomalies tell of behavioral intent," Kauffman says. "In the past few years, companies working on behavioral analysis have been using more advanced analytics. But we don't see that kind of focus on insider threat technologies."

[A determined user or contractor hell-bent on leaking data can't be stopped, but businesses should revisit their user access policies and protections. See NSA Leak Ushers In New Era Of The Insider Threat.]

Security information and event management (SIEM) and data leakage prevention (DLP) tools monitor assets, not people, he says. "They are more focused on behavioral analysis of the use of the asset ... they monitor use of data, patterns in bandwidth. If those behaviors spike beyond a baseline, then there's an alert. So it only does so much good if a person [deviates from a] pattern."

Management also must take a more proactive role in identifying users who are going, or have already gone, rogue, since technology can't catch everything. "Management has responsibility for oversight of its workforce members. Unfortunately, a lot of them don't take an active role" in monitoring user activities, says Andy Hubbard, senior security consultant at Neohapsis.

Bradley Manning's siphoning of gigabytes of classified information was a classic case study of a "low and slow" insider threat that slipped under the radar of traditional security monitoring systems, Kauffman says. "Manning did his everyday job and occasionally grabbed a classified document," he says.

For the past two years, Kauffman's company has been conducting research and development in the area of analyzing human behavior to detect and quell insider threat incidents. The company plans to ship a product from the R&D by the end of this year, he says.

The underlying concept is baselining and monitoring the user's normal workday behaviors or "patterns of life." If Snowden had begun visiting different websites than his co-workers, for example, the human behavioral alarms could have been sounded, Kauffman says.

"Theoretically, you could have a system in place that monitored specific computer network usage patterns of Snowden and all of the people he worked with," he says. Such a system could then flag how his behaviors differed from those of others on his team, since teams tend to behave similarly in their usage patterns, he says.

"A software development team working on a product visits similar types of websites in their research," he says.

This approach differs from the signature-based detection and predefined scenarios of many existing security monitoring technologies, he says. The human behavior approach would rely more on the software learning the norms and spotting patterns and red flags -- including a user employing an anonymizer or other atypical technology.

There are challenges with the human behavior technology, including the massive amounts of data required for analysis and the age-old problem of false positives. "Our emails and website visits might change every day, so [the system] has to take that into account as part of the behavioral profile" to avoid constantly sending out false positives, he says.
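The "patterns of life" approach described above, as an added example that is not code from the article or from Sphere of Influence: each user's day is scored against their own recent history and against their co-workers' pooled baseline (sites visited, email recipients, working hours), and an alert fires only when both disagree, which absorbs ordinary day-to-day variation. All names, categories and records are constructed for the example.

```python
from collections import Counter

# Constructed sample records: (user, day, hour, site_category, email_recipient).
# Hypothetical values built for this example, not data from the article.
BASELINE = [
    ("alice", 1, 9, "dev-docs", "bob@corp"), ("alice", 1, 14, "issue-tracker", "carol@corp"),
    ("alice", 2, 10, "dev-docs", "bob@corp"), ("alice", 2, 15, "news", "bob@corp"),
    ("bob", 1, 9, "dev-docs", "alice@corp"), ("bob", 2, 11, "issue-tracker", "carol@corp"),
    ("carol", 1, 10, "issue-tracker", "alice@corp"), ("carol", 2, 13, "dev-docs", "bob@corp"),
]
# Today's activity per user as (hour, site_category, email_recipient).
TODAY = {
    "alice": [(9, "dev-docs", "bob@corp"), (14, "news", "carol@corp")],  # ordinary day
    "bob": [(23, "anonymizer", "x@external"), (2, "file-sharing", "y@external"),
            (1, "anonymizer", "z@external")],                             # diverges sharply
}

def profile(records):
    """Baseline for one person or a pooled team: what they visit, whom they mail, when."""
    return {"sites": Counter(r[3] for r in records),
            "recipients": {r[4] for r in records},
            "hours": {r[2] for r in records}}

def novelty(today, base):
    """Share of today's activity unseen in the baseline (0 = all familiar, 1 = all new).
    Hours count as familiar if within one hour of any baseline hour."""
    new_sites = sum(1 for _, s, _ in today if s not in base["sites"])
    new_rcpts = sum(1 for _, _, r in today if r not in base["recipients"])
    off_hours = sum(1 for h, _, _ in today
                    if not any(abs(h - b) <= 1 for b in base["hours"]))
    n = len(today)
    return (new_sites + new_rcpts + off_hours) / (3 * n) if n else 0.0

def score_user(user, baseline=BASELINE, today=TODAY):
    """Compare a user's day to their own past and to their co-workers' pooled pattern."""
    own = profile([r for r in baseline if r[0] == user])
    team = profile([r for r in baseline if r[0] != user])
    return {"self": novelty(today[user], own), "team": novelty(today[user], team)}

def flag(user, threshold=0.5, **kw):
    """Alert only when the day is novel against BOTH the person's own history and the
    team's; a change that co-workers share (a new project site) is not an alert."""
    s = score_user(user, **kw)
    return s["self"] > threshold and s["team"] > threshold
```

The novelty score is a deliberately simple fraction; a production system would weight categories and use a multi-week window rather than two days of history.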

But like anything, the technology isn't fool-proof. "It has to be part of a layered defense. It's not meant to replace legacy, rules-based engines: It really has to complement it," he says.

"There's no such thing as 100 percent water-tight security -- we all have to recognize that we're trying to reduce the risk of our company being the next one having to show its red face in the newspapers," says security expert Graham Cluley.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

James McCabe
User Rank: Apprentice
7/10/2013 | 11:17:45 AM
re: Hacking The Human Side Of The Insider Threat
"If they have classified information and have been granted access to it, they can have it on their desktop ... " If proper procedures are followed then this statement is false. You're not going to have classified material on an unclassified machine. That line of thinking is flawed from the start. If classified information is on an unclassified machine, then a violation just occurred. This is a policy problem that is now affecting others including the ISSM/ISSO of the system. From a behavioral aspect, guys like Snowden are not conducting out-of-the-ordinary research on any monitored system. They're doing it on their own time on their own computer in their own home/environment.
There's a lot of "theory" in this article that's not really based in reality. All of the detection models discussed in this article are "reactionary" to what has already occurred. I do, however, agree with the "theoretical" use of technology targeting grouping behavior patterns. But once detected, the problem has already occurred. There needs to be a paradigm shift in our security thinking. We need to separate roles from those that have to look at data from those that do not in order to do their job. Example: Analyst vs. Sys Admin. No Sys Admin needs data access rights to do their job. They are paid to manage an environment, not look at data. Analysts have no need to be Root user of an operating system. They should not have access to data files directly, but rather use data through set applications. That way all these reactionary monitoring tools are in force. A defense-in-depth approach is necessary with strong encryption of data at rest combined with strong user/role based policy controls wrapped around the data itself.