Hacking The Human Side Of The Insider Threat

NSA-Snowden affair and the mechanics of tracking human behavior

The details of how a young systems administrator working for an NSA contractor was able to access and walk away with highly classified program information from the super-secretive agency may never be fully revealed, but the Edward Snowden case has spurred debate over how best to catch a rogue insider before he does any damage.

There's no way to stop a determined insider from leaking or stealing what he knows if he can get his hands on it, but there are ways to track users as humans, rather than by just their use of company equipment or their network traffic, some experts say.

That would mean establishing a baseline for, say, Snowden's daily work activities. "It's not so much behavior on [technology] assets, but looking at ways to identify change in behaviors as a person starts to steal or goes through some espionage activity," says Chris Kauffman, managing partner at software firm Sphere of Influence. "If they have classified information and have been granted access to it, they can have it on their desktop ... But if their behavior starts to change in their 'patterns of life,' they change the websites they go to, they start frequently emailing recipients, or the times of day they work" changes dramatically, and their patterns diverge from previous ones or those of their co-workers, those can be red flags, he says.

"The anomalies tell of behavioral intent," Kauffman says. "In the past few years, companies working on behavioral analysis have been using more advanced analytics. But we don't see that kind of focus on insider threat technologies."

[A determined user or contractor hell-bent on leaking data can't be stopped, but businesses should revisit their user access policies and protections. See NSA Leak Ushers In New Era Of The Insider Threat.]

Security information and event management (SIEM) and data leakage prevention (DLP) tools monitor assets, not people, he says. "They are more focused on behavioral analysis of the use of the asset ... they monitor use of data, patterns in bandwidth. If those behaviors spike beyond a baseline, then there's an alert. So it only does so much good if a person [deviates from a] pattern."

Management also must take a more proactive role in identifying users who may be going bad, or have already gone bad, since technology can't catch everything. "Management has responsibility for oversight of its workforce members. Unfortunately, a lot of them don't take an active role" in monitoring user activities, says Andy Hubbard, senior security consultant at Neohapsis.

Bradley Manning's siphoning of gigabytes of classified information was a classic case study of a "low and slow" insider threat that slipped under the radar of traditional security monitoring systems, Kauffman says. "Manning did his everyday job and occasionally grabbed a classified document," he says.

For the past two years, Kauffman's company has been conducting research and development in the area of analyzing human behavior to detect and quell insider threat incidents. The company plans to ship a product from the R&D by the end of this year, he says.

The underlying concept is baselining and monitoring the user's normal workday behaviors or "patterns of life." If Snowden had begun visiting different websites than his co-workers, for example, the human behavioral alarms could have been sounded, Kauffman says.

"Theoretically, you could have a system in place that monitored specific computer network usage patterns of Snowden and all of the people he worked with," he says. That would show how his behaviors differed from those of others on his team: Teams tend to behave similarly in their usage patterns, he says.

"A software development team working on a product visits similar types of websites in their research," he says.

This approach differs from the signature-based and predefined-scenario detection of many existing security monitoring technologies, he says. The human behavior approach would rely more on the software learning the norms and spotting patterns and red flags -- including a user employing an anonymizer or other atypical technology.

There are challenges with the human behavior technology, including the massive amounts of data required for analysis and the age-old problem of false positives. "Our emails and website visits might change every day, so [the system] has to take that into account as part of the behavioral profile" to avoid constantly sending out false positives, he says.

But like anything, the technology isn't fool-proof. "It has to be part of a layered defense. It's not meant to replace legacy, rules-based engines: It really has to complement them," he says.
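To make the "patterns of life" idea concrete, here is an added example (it is not code from the article, nor from Sphere of Influence's product). It builds a per-user baseline from a constructed history of web and mail events: the hours a user is normally active, the domains and mail recipients seen, and, to absorb the day-to-day churn Kauffman mentions, the largest daily fraction of never-before-seen domains observed in the history window. A new day is then scored against the user's own baseline and against the union of the team's domains, and a small constructed watchlist stands in for "anonymizer or other atypical technology". The sample events, the watchlist and the thresholds are all assumptions made for the illustration.

```python
"""Toy 'patterns of life' baseline for spotting an insider whose behavior changes.

Added example, not the article's or any vendor's code. All events below are
constructed; the watchlist and thresholds are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Assumption: a small watchlist standing in for "anonymizer or atypical technology".
WATCHLIST = {"torproject.org", "proxy.example-anonymizer.net"}

TEAM = {"alice": "dev", "bob": "dev", "carol": "dev"}          # constructed team roster
BASE_DOMAINS = ["github.com", "stackoverflow.com", "docs.python.org"]
EXTRA_POOL = ["pypi.org", "readthedocs.io", "golang.org", "kubernetes.io"]


def build_sample_events():
    """Constructed history: 10 normal workdays for three developers.

    Each event is (user, ISO timestamp, kind, value); kind is "web" (value = domain)
    or "mail" (value = recipient). The rotating extra domain gives realistic churn.
    """
    events, users = [], list(TEAM)
    for day in range(1, 11):
        for i, user in enumerate(users):
            domains = BASE_DOMAINS + [EXTRA_POOL[(day + i) % len(EXTRA_POOL)]]
            for hour, dom in zip((9, 11, 14, 16), domains):
                events.append((user, f"2013-06-{day:02d}T{hour:02d}:00:00", "web", dom))
            for peer in users:
                if peer != user:
                    events.append((user, f"2013-06-{day:02d}T10:30:00", "mail", peer))
    return events


@dataclass
class Baseline:
    hours: set = field(default_factory=set)        # hours of day the user is normally active
    domains: set = field(default_factory=set)      # every domain seen in the history window
    recipients: set = field(default_factory=set)   # every mail recipient seen
    novelty_tolerance: float = 0.0                 # worst daily share of new domains seen so far


def build_baselines(events):
    """Learn each user's normal pattern, including how much daily novelty is normal."""
    by_user_day = defaultdict(lambda: defaultdict(list))
    for user, ts, kind, value in events:
        by_user_day[user][ts[:10]].append((ts, kind, value))
    baselines = {}
    for user, days in by_user_day.items():
        b, daily_novelty = Baseline(), []
        for day in sorted(days):
            seen_today = {v for _, k, v in days[day] if k == "web"}
            if b.domains:  # the first day is skipped: everything is novel then
                daily_novelty.append(len(seen_today - b.domains) / len(seen_today))
            b.domains |= seen_today
            b.recipients |= {v for _, k, v in days[day] if k == "mail"}
            b.hours |= {datetime.fromisoformat(ts).hour for ts, _, _ in days[day]}
        b.novelty_tolerance = max(daily_novelty, default=0.0)
        baselines[user] = b
    return baselines


def team_domains(baselines, team_of):
    """Union of domains per team, so a user can be compared with co-workers."""
    union = defaultdict(set)
    for user, b in baselines.items():
        union[team_of[user]] |= b.domains
    return union


def score_day(user, day_events, baselines, peer_domains, watchlist=WATCHLIST):
    """Return the red flags for one user's day (day_events are (ts, kind, value))."""
    b = baselines[user]
    domains = {v for _, k, v in day_events if k == "web"}
    recipients = {v for _, k, v in day_events if k == "mail"}
    hours = [datetime.fromisoformat(ts).hour for ts, _, _ in day_events]
    flags = []
    if hours:
        off = sum(h not in b.hours for h in hours) / len(hours)
        if off > 0.5:
            flags.append(f"off-hours activity: {off:.0%} of events outside usual hours")
    novel = domains - b.domains
    if domains and len(novel) / len(domains) > b.novelty_tolerance:
        flags.append(f"domain novelty {len(novel) / len(domains):.0%} exceeds "
                     f"tolerance {b.novelty_tolerance:.0%}")
    if novel - peer_domains:   # co-workers never visit these either
        flags.append(f"domains no teammate visits: {sorted(novel - peer_domains)}")
    if domains & watchlist:
        flags.append(f"anonymizer/atypical tooling: {sorted(domains & watchlist)}")
    if len(recipients - b.recipients) >= 2:
        flags.append(f"new mail recipients: {sorted(recipients - b.recipients)}")
    return flags


def build_test_day_events():
    """Constructed day 11: bob works normally, alice's pattern of life changes."""
    day = "2013-06-11"
    bob = [(f"{day}T{h:02d}:00:00", "web", d)
           for h, d in zip((9, 11, 14, 16), BASE_DOMAINS + ["pypi.org"])]
    bob += [(f"{day}T10:30:00", "mail", p) for p in ("alice", "carol")]
    alice = [(f"{day}T02:00:00", "web", "torproject.org"),
             (f"{day}T02:10:00", "web", "pastebin.com"),
             (f"{day}T02:30:00", "mail", "drop@example.net"),
             (f"{day}T02:35:00", "mail", "other@example.org"),
             (f"{day}T03:00:00", "web", "github.com")]
    return {"alice": alice, "bob": bob}


def run_example():
    """Score the constructed test day for every user; returns user -> list of flags."""
    baselines = build_baselines(build_sample_events())
    peers = team_domains(baselines, TEAM)
    return {u: score_day(u, evs, baselines, peers[TEAM[u]])
            for u, evs in build_test_day_events().items()}


if __name__ == "__main__":
    for user, flags in run_example().items():
        print(user, "->", flags or "no red flags")
```

Bob's day produces no flags even though his extra domain differs from the day before, because the baseline learned that one new domain in four is normal for him; Alice trips every check. The novelty tolerance is what keeps the daily churn in "emails and website visits" from firing alerts constantly, and the team comparison is the co-worker check Kauffman describes. A real deployment would learn these tolerances from far more data and feed the flags into an existing rules engine rather than alerting on them directly, which is the layered role the article assigns to this kind of analysis.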

"There's no such thing as 100 percent water-tight security -- we all have to recognize that we're trying to reduce the risk of our company being the next one having to show its red face in the newspapers," says security expert Graham Cluley.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

James McCabe, User Rank: Apprentice, 7/10/2013 | 11:17:45 AM
re: Hacking The Human Side Of The Insider Threat
"If they have classified information and have been granted access to it, they can have it on their desktop ... " If proper procedures are followed then this statement is false. You're not going to have classified material on an unclassified machine. That line of thinking is flawed from the start. If classified information is on an unclassified machine, then a violation just occurred. This is a policy problem that is now affecting others including the ISSM/ISSO of the system. From a behavioral aspect, guys like Snowden are not conducting out-of-the-ordinary research on any monitored system. They're doing it on their own time on their own computer in their own home/environment.
There's a lot of "theory" in this article that's not really based in reality. All of the detection models discussed in this article are "reactionary" to what has already occurred. I do, however, agree with the "theoretical" use of technology targeting grouping behavior patterns. But once detected, the problem has already occurred. There needs to be a paradigm shift in our security thinking. We need to separate roles from those that have to look at data from those that do not in order to do their job. Example: Analyst vs. Sys Admin. No Sys Admin needs data access rights to do their job. They are paid to manage an environment, not look at data. Analysts have no need to be Root user of an operating system. They should not have access to data files directly, but rather use data through set applications. That way all these reactionary monitoring tools are in force. A defense-in-depth approach is necessary with strong encryption of data at rest combined with strong user/role based policy controls wrapped around the data itself.