How to Interview an Insider Threat Suspect

Experts offer advice on how to 'read' suspected violators

Has your database administrator breached your company's sensitive customer data? Ask him -- then watch to see if he repeatedly scratches the tip of his nose or pulls on his earlobes.

It may sound strange, but nonverbal communication can be an important element to watch when interviewing a suspected "insider" about a system compromise, according to experts in breach investigation and forensics.

With the near epidemic of data breaches today, security professionals increasingly are getting pulled into investigative roles that they never imagined and were never properly trained for, according to Don Kohtz and Bill Dixon, of risk management firm Continuum Worldwide. Learning proper interview techniques can make the difference between spotting a perpetrator and missing him, they say.

Kohtz, director of investigative and compliance solutions for Continuum Worldwide, and Dixon, director of assessment & assurance services for the firm, say there are plenty of investigative techniques you can use to get the most out of an interview with a suspected insider threat. The two will share these tricks of the trade in their presentation next week at the Computer Security Institute (CSI) conference in Washington, D.C.

It's all about knowing how to interpret nonverbal cues and language patterns, as well as ways to deliver and time questions to get the most out of a response, the experts say. "These are tips and techniques that information security people probably have never learned," says Kohtz, who along with Dixon has had heavy law enforcement training on these methods.

"[Security pros] may not necessarily see it as an interview, but every time you're asking questions, you're in a fact-gathering interview," he says.

The nose-scratching habit, for instance, is likely a physiological response to anxiety. The blood vessels dilate, stretching the skin and causing it to itch, Kohtz explains. Other red flags are fidgeting, continuous throat-clearing, excessive sweating, covering parts of the mouth, and studying fingernails or cuticles, he says. "They may be sighing or yawning a lot... which may be due to a lack of oxygen. When the body is in a state of anxiety, you forget to breathe," he says.

But what about the innocent IT guy who's just plain nervous about being interviewed? "You need to look for these symptoms in clusters. And establish a baseline, by starting out by asking non-threatening questions, such as name, address, etc.," he says. "If they start displaying these nervous symptoms then, you've established a baseline" that can be used as a clue, he says.

Eye movement patterns are another clue. When asked to recall an event, a right-handed person actually remembering it typically shifts his or her eyes up and to the left, and a left-handed person, up and to the right. "Someone who's lying would generally look down," Kohtz says. "Over 90 percent of people communicate with their eyes, so using eye movement" is an effective cue, he says.

Verbal cues are another trick, the investigators say. The use of pronouns tells a lot about a person's guilt or innocence: "Saying 'I' did this or that... tends to show truthfulness by associating yourself with it," Dixon says. "When they start to distance themselves, like using 'the' and no possessive pronouns, we try to take that into account" as a possible sign of distancing themselves from the event or point in time, for instance.

"Most people don't lie -- they just don't tell you everything," Kohtz says. "They modify their language to be deceptive."

And if the interviewee avoids answering a direct question about his or her involvement in a data breach, try asking it again, in a different way, Kohtz says. "Most people answer a question the second time it's asked, so repeat the question... Ask it a third time to get a response" if you need to, he says. "Be persistent."

And if your insider threat suspect ends the interview with "that's all I know" or "that's it," try this story-reversal technique. "Have them retell the story in reverse order," Kohtz says, by querying him about what happened right before the last point in time he recounted, and then before that, and so on.

"Lead them backwards," Kohtz says. "This is a helpful technique to display contradictions in the subject's story. All of the main events and milestones [they recount] should be the same if they are telling the truth."

Sometimes an interview ends up as an interrogation, depending on the investigator's role in the case, and that takes another set of skills, which Kohtz and Dixon plan to touch on in their presentation. "There are typically four or five hard-hitting, rapid-fire questions," Kohtz says. "People who are lying usually can't think on their feet... Everyone at first says they didn't do it."

Say the person's name, which will make him turn his head and look at you, and then keep talking faster than he can if you want to elicit a confession, Kohtz says. "You want to minimize the subject's involvement so it's easier for them to say 'I did it,'" he says.

And some of the more seasoned criminals won't necessarily break under questioning. The key is preparation, as well as taking into account any cultural or other personal issues that could influence a response. "And you have to get used to the fact that this could be a cat and mouse game," Kohtz says.

So having the tools and knowledge of what to look for in body language when conducting an interview or interrogation can help. "The body never lies," Kohtz says.


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
