Part 1 - What is Insider Threat?


Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7

Video Description

This lesson covers insider threats, which include:
· Insiders: examples include company employees and partners
· Malicious insiders: insiders with intent to cause damage to an organization

Insider threats are especially dangerous to an organization as they have access to information that others do not have and can use it to cause significant damage.

When thinking about the motivation behind an insider threat, remember to MINCE words:
· Money
· Ideology
· Nationalism
· Compromise
· Ego
· Sex

In addition, there are also foreign-controlled insider threats called RASCLS:
· Reciprocation
· Authority
· Scarcity
· Commitment and Consistency
· Liking
· Social Proof

Video Transcription
00:03
>> Hello Cybrarians, and welcome back to incident response and advanced forensics. My name is Max Alexander and I'll be your subject matter expert for today's course, which is insider threats, that happens to be one of my favorite topics.

First and foremost, we need to set the definition of what exactly is an insider threat. We'll break this into two parts. An insider is anyone with access, privilege, or knowledge of information systems and services. Essentially, they're going to have placement and access to your information. Examples of insiders could be employees, contractors, trusted business partners, or individuals who may be involved in a merger or acquisition process. What separates that normal insider from that malicious insider or insider threat?

Malicious insiders are motivated to intentionally adversely impact the organization's mission. They're going to seek to deny, damage, degrade, or destroy some type of information that you have, or seek to release that information to the public and thereby degrade or damage your organization as a whole. Examples of malicious insiders that have come from the news would include Pvt Manning, Edward Snowden, Dejan Karabasevic, Wen Ho Lee, I'm pronouncing these Chinese names, Guoqing Cao, and Shuyu Li. Those are just some examples of individuals who have committed insider threat and have exposed information or have stolen information from their employers.

What is the danger of an insider threat? Insiders have placement and access that outsiders don't have. That means they're already inside your organization. For some part, they've already been vetted, and they've been given access by you and you have some level of trust in them. The second bullet point is that they are already inside and they may possess knowledge of trade secrets or highly sensitive information on a routine basis that you obviously or hopefully would not have hired them. Worse, they are trusted and rarely watched as closely as an outsider would be watched. Then due to the level of trust placed in insiders, they can manipulate that trust to cause harm to the organization. They'll use that trust, they'll use that placement and access to essentially perpetrate for their crimes.

Bottom line, an organization does not knowingly hire a traitor. Rather on rare occasions, an organization hires someone it believes it can trust who either successfully hides his or her intention to commit espionage, or more commonly, later finds themselves in circumstances that for any number of personal complex reasons, presents espionage, or in an industrial case, theft of intellectual property as a reasonable even attractive choice. In order to go through this process of becoming an insider threat, someone has to have means, motive, opportunity, and the belief that they're generally going to get away with their crimes. That goes back to that criminal justice element of trying to find and figure out who's going to be an insider threat.

The dangers again, to summarize and capstone that, insiders can steal your intellectual property. For instance, if your business has this one really cool widget that makes it what it is and someone from inside your organization gives away that widget, or if you work for Kentucky Fried Chicken and you give away the Colonel's secret, essentially you're damaging that business. Fraud, so if you work in a financial services sector and that person has placement access to financial data, they can essentially start stealing some of that data. The most recent case is the Wells Fargo fiasco that happened here at early October 2016, where there's essentially fraudulent accounts created for customers at Wells Fargo. Then lastly, sabotage, and that could include compromising the availability or the integrity of data. If you've got someone that works in your organization and they're hacked off, they've been fired, essentially, they could go in and start deleting files or records, making them unavailable, or they could start changing information on those files and records altering their integrity. Those are the dangers that those insider threats pose.

To look at the motivations of what drives an insider threat to do what they do, there has been some studies by psychologists and the Central Intelligence Agency looking at the motivational factors. A lot of folks have tried to pigeonhole these and narrow these down into some very broad categories. It doesn't mean these are the only categories that exist, but these are some pretty common ones. The acronym for this is MINCEs.

The first is money. Individuals who are in a generally tight financial position or who are just greedy, they may be motivated by money to be a spy or to steal your intellectual property.

Moving down from there is ideology. Someone who holds strong convictions that drive them to do something, for instance, if they believe so strongly that they do not like the capitalist system and they want to take down your major big bank, that ideology will be driving them to commit insider threat activity.

Nationalism, which we see a lot of in the government, where individuals who are generally approached by China or some other large country who wants to compete economically with the United States, essentially, they'll get thrown the card that, hey, you guys are ethnically Chinese, we're Chinese, don't you want to see China be great? They'll be pitched that way and essentially that will be their motivation for committing espionage. Not to say that every Chinese person is a danger or threat to be an insider threat, but that just is one example.

The next one is going to be compromise, also known as blackmail. If you've done something that you don't want someone to know about, and they figure out that you've done that thing, essentially, they could blackmail you into going into work and becoming that insider threat.

The next one is going to be ego. The insider threat thinks they're smarter than everyone else is, and they're going to do this for ego. A good example of that was Robert Hanssen, who worked for the FBI and betrayed the government by giving up secrets to Russia. It could just also be that they're looked down upon at work and to prove themselves that they're better than the people that they work with, they will commit those insider threat activities.

Then the last one is sex. That's your classic honey net where someone is lured into a sexual relationship, and then that person turns out to be pushing that individual towards being that insider threat. Those are some of the basic motivations and categories that psychologists have come up with over the years.

Another acronym is RASCLS. This generally applies to foreign controlled insider threats specifically.

Reciprocation is going to be the first type of motivation. Tit for tat, I do a favor for you, you do a favor for me. Generally, this starts out on a small scale where someone is put in a position where they have something done for them, and then that other individual will say, I've done a favor for you, you now owe me a favor and then it just builds and builds, and then eventually it turns into an insider threat or an espionage type of activity.

The next one is going to be authority. When you're in some of these relationships, a lot of times, there's going to be a more dominant type of personality. As the relationship develops, usually the person who's driving that other person to commit espionage and or insider threat activities will try and be more superior and direct the actions of that other person through a position of authority.

The next one is scarcity. That speaks to itself. If you're in a relationship with another person and you're resource poor due to Maslow's hierarchy of needs, a lot of times, whoever you're dealing with may be able to provide you money, food, whatever it is that you're in need of, and due to scarcity, that will drive that person to be an insider threat and or a spy.

Moving on is commitment and consistency. This usually is for preexisting relationships where someone is already an insider threat or a spy, and there's going to be some type of turnover in that relationship where they're going to be dealing with a new handler or someone who's going to be pushing them to be that insider threat. Due to the past relationship, they're going to get that person to again renew their commitment and being consistent with providing that information.

The next one is just good, old-fashioned liking. We get into a relationship, you like me, you want to do favors for me just because I'm a nice guy, and it turns out I'm trying to drive you to commit espionage and or insider threat activities.

The last one is going to be social proof. Again, that goes on that ego, I have to provide myself that I'm better, I've got some type of depressed sense of self worth, and in order to essentially elevate my sense of self worth, I have to be this insider threat or spy. Again, just another way of looking at some of the activities that drive an individual to become an insider threat.