Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:07 AM
Connect Directly

How to Interview an Insider Threat Suspect

Experts offer advice on how to 'read' suspected violators

Has your database administrator breached your company's sensitive customer data? Ask him -- then watch to see if he repeatedly scratches the tip of his nose or pulls on his earlobes.

It may sound strange, but nonverbal communication can be an important element to watch when interviewing a suspected "insider" about a system compromise, according to experts in breach investigation and forensics.

With the near epidemic of data breaches today, security professionals increasingly are getting pulled into investigative roles that they never imagined -- nor were they properly trained for, according to Don Kohtz and Bill Dixon, of risk management firm Continuum Worldwide. Learning proper interview techniques can make the difference between spotting a perpetrator and missing him, they say.

Kohtz, director of investigative and compliance solutions for Continuum Worldwide, and Dixon, director of assessment & assurance services for the firm, say there are plenty of investigative techniques you can use to get the most out of an interview with a suspected insider threat. The two will share these tricks of the trade in their presentation next week at the Computer Security Institute (CSI) conference in Washington, D.C.

It's all about knowing how to interpret nonverbal cues and language patterns, as well as ways to deliver and time questions to get the most out of a response, the experts say. "These are tips and techniques that information security people probably have never learned," says Kohtz, who along with Dixon has had heavy law enforcement training on these methods.

"[Security pros] may not necessarily see it as an interview, but every time you're asking questions, you're in a fact-gathering interview," he says.

The nose-scratching habit, for instance, is likely a physiological response to anxiety. The blood vessels dilate, stretching the skin, and thus causing it to itch, Kohtz explains. Other red flags are fidgeting, continuous throat-clearing, excessive sweating, or covering parts of their mouth, or studying their fingernails or cuticles, he says. "They may be sighing or yawning a lot... which may be due to a lack of oxygen. When the body is a state of anxiety, you forget to breathe," he says.

But what about the innocent IT guy who's just plain nervous about being interviewed? "You need to look for these symptoms in clusters. And establish a baseline, by starting out by asking non-threatening questions, such as name, address, etc.," he says. "If they start displaying these nervous symptoms then, you've established a baseline" that can be used as a clue, he says.

Eye movement patterns are another clue. When asked to recall an event, a right-handed person actually remembering it typically shifts his or her eyes up and to the left, and a left-handed person, up and to the right. "Someone who's lying would generally look down," Kohtz says. "Over 90 percent of people communicate with their eyes, so using eye movement" is an effective cue, he says.

Verbal cues are another trick, the investigators say. The use of pronouns tell a lot about a person's guilt or innocence: "Saying 'I' did this or that... tends to show truthfulness by associating yourself with it," Dixon says. "When they start to distance themselves, like using 'the' and no possessive pronouns, we try to take that into account" as a possible sign of distancing themselves from the event or point in time, for instance.

"Most people don't lie -- they just don't tell you everything," Kohtz says. "They modify their language to be deceptive."

And if the interviewee avoids answering a direct question about his or her involvement in a data breach, try asking it again, in a different way, Kohtz says. "Most people answer a question the second time it's asked, so repeat the question... Ask it a third time to get a response" if you need to, he says. "Be persistent."

And if your insider threat suspect ends the interview with "that's all I know" or "that's it," try this story-reversal technique. "Have them retell the story in reverse order," Kohtz says, by querying him about what happened right before the last point in time he recounted, and then before that, and so on.

"Lead them backwards," Kohtz says. "This is a helpful technique to display contradictions in the subject's story. All of the main events and milestones [they recount] should be the same if they are telling the truth."

Sometimes an interview ends up as an interrogation, depending on the investigator's role in the case, and that takes another set of skills, which Kohtz and Dixon plan to touch on in their presentation. "There are typically four or five hard-hitting, rapid-fire questions," Kohtz says. "People who are lying usually can't think on their feet... Everyone at first says they didn't do it."

Say the person's name, and that will make him turn his head and look at you, and then continue talking faster than he can talk if you want to elicit a confession, Kohtz says. "You want to minimize the subject's involvement so it's easier for them to say 'I did it,'" he says.

And some of the more seasoned criminals won't necessarily break under questioning. The key is preparation, as well as taking into account any cultural or other personal issues that could influence a response. "And you have to get used to the fact that this could be a cat and mouse game," Kohtz says.

So having the tools and knowledge of what to look for in body language when conducting an interview or interrogation can help. "The body never lies," Kohtz says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-13
A UXSS was discovered in the Thanos-Soft Cheetah Browser in Android 1.2.0 due to the inadequate filter of the intent scheme. This resulted in Cross-site scripting on the cheetah browser in any website.
PUBLISHED: 2021-04-13
The Motorola MH702x devices, prior to version, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker.
PUBLISHED: 2021-04-13
A privilege escalation vulnerability in Lenovo Power Management Driver for Windows 10, prior to version, that could allow unauthorized access to the driver's device object.
PUBLISHED: 2021-04-13
A null pointer dereference vulnerability in Lenovo Power Management Driver for Windows 10, prior to version, that could cause systems to experience a blue screen error.
PUBLISHED: 2021-04-13
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.