Hello, Cybrarians, and welcome back to Incident Response and Advanced Forensics. My name is Max Alexander, and I'll be your subject matter expert for today's course, which is insider threats. That happens to be one of my favorite topics.
So, first and foremost, we need to set the definition of what exactly an insider threat is.
So we'll kind of break this into two parts. An insider is anyone with access, privilege, or knowledge of information systems and services. Essentially, they're going to have placement and access to your information, so examples of insiders could be employees, contractors,
trusted business partners, or individuals who may be involved in a merger or acquisition process.
So what separates that normal insider from that malicious insider or insider threat?
Malicious insiders are motivated to intentionally adversely impact an organization's mission.
So they're going to seek to deny, damage, degrade or destroy some type of information that you have, or seek to release that information to the public and thereby do greater damage to the organization as a whole.
So examples of malicious insiders that have come from the news would include Private Manning, Edward Snowden, Deja para Pacific Wind Holy
uh whoa. Comb up pronouncing these Chinese names booking cow and she only so those are just some examples of individuals who have committed insider threat, have exposed information or have stolen information from their employers.
So what is the danger of an insider threat?
So insiders have placement and access that outsiders don't have, so that means they're already inside the organization.
For the most part, they've already been vetted, and they've been given access by you, and you have some level of trust.
So the second bullet point is that they are inside and they may possess knowledge of trade secrets or highly sensitive information on a routine basis. If they didn't, you obviously, or hopefully, would not have hired them.
So, worse, they're trusted and rarely watched as closely as an outsider would be watched.
And then, due to the level of trust placed in insiders, they could manipulate that trust to cause harm to the organization, so they'll use that trust, use that placement and access, to essentially perpetrate their crimes.
So, bottom line: an organization does not knowingly hire a traitor. Rather, on rare occasions an organization hires someone that it believes it can trust, who either successfully hides his or her intention to commit espionage or, more commonly, later finds themselves in circumstances that, for any number of personal, complex reasons,
present espionage, or in industrial cases,
theft of intellectual property,
as a reasonable, even attractive, choice.
So in order to go through this process of becoming
an insider threat, someone has to have means, motive, opportunity and the belief that they're generally going to get away with their crimes. That kind of goes back to that criminal justice element
of trying to find and figure out who's going to be an insider threat.
So the dangers again, kind of summarized as a capstone:
insiders can steal your intellectual property. So, for instance, if your business has this one really cool widget that makes it what it is, and someone inside your organization gives away that widget, or if you work for Kentucky Fried Chicken and you give away the Colonel's secret, essentially, you're damaging
Fraud. So if you work in the financial services sector and that person has placement and access to financial data, they can essentially start stealing some of that data. The most recent case is the Wells Fargo fiasco that happened here in early October 2016, where there were essentially fraudulent accounts created
for customers of Wells Fargo. And then, lastly,
sabotage. And that could include compromising the availability or the integrity of data. So you've got someone that works in your organization, and they're they're hack, doctor. They've been fired. Essentially, they could go in and start deleting files or records,
making them unavailable. Or they could start changing information in those files and records,
altering their integrity. So those are the dangers that those insider threats pose.
So, to look at kind of the motivations of what drives an insider threat to do what they do:
There have been some studies by psychologists and the Central Intelligence Agency looking at the motivational factors, and a lot of folks have tried to pigeonhole these and narrow these down to some very broad categories. That doesn't mean these are the only categories that exist, but these are some pretty common ones,
and the acronym for this is MINCES.
So the first is money:
individuals who are, in general, in a tight financial position or who are just greedy. They may be motivated by money to be a spy or to steal your intellectual property.
Moving down from there is ideology. So someone who holds strong convictions that
drive them to do something. For instance, if they believe so strongly that they do not like the capitalist system and they want to take down your major big bank, that ideology would be driving them to commit insider threat activity.
Nationalism, which we see a lot in the government, where individuals are generally approached by
China or some other large country who wants to compete economically with the United States.
Essentially, they'll get thrown the card that, hey, you guys are ethnically Chinese, we're Chinese, don't you want to see China great?
And they'll be pitched that way. And essentially that will be their motivation for committing espionage. Now, that's not to say that every Chinese person is a danger or threat to be an insider threat. But that is just one example.
The next one is going to be compromise,
also known as blackmail. So if you've done something that you don't want someone to know about and they figure out that you've done that thing, essentially, they could blackmail you into, uh, going into work and becoming that insider threat.
The next one is going to be ego. That insider threat thinks they're smarter than everyone else, and they're going to do this for ego. A good example of that was Robert Hanssen, who worked for the FBI and betrayed the government by giving up secrets to Russia.
It could just also be that they're kind of
looked down upon at work, and to prove to themselves that they're better than the people that they work with, they will commit those insider activities.
And the last one is sex. So that's your classic honeypot, where someone is lured into a sexual relationship. And then that person turns out to be pushing that individual towards being that insider threat. So those are some of the basic, uh,
motivational categories that psychologists have come up with over the years.
Another one, another acronym, is RASCLS. This generally applies to foreign-controlled insider threats specifically.
So reciprocation is going to be the first type of motivation: tit for tat. I do a favor for you, you do a favor for me. Generally, this starts out on a very small scale, where someone is put in a position where they have something done for them,
and then that other individual says, "You know, I've done a favor for you,
now you owe me a favor," and it just kind of builds and builds. And then eventually it turns into an insider threat or espionage type of activity.
The next one is going to be authority.
When you're in some of these relationships, a lot of times there's going to be a more dominant type of personality.
And as the relationship develops, usually the person who's driving that other person to commit espionage and/or insider threat activities will try and be more superior and direct the actions of the other person through a position of authority.
The next one is scarcity. That kind of speaks for itself. So if you're in a relationship with another person and
you're resource poor, due to Maslow's hierarchy of needs, a lot of times whoever you're dealing with may be able to provide you money, food, whatever it is that you need, and due to the scarcity, that will drive that person to be an insider threat and/or spy.
Moving on is commitment and consistency. This is usually for pre-existing relationships where someone is already an insider threat or a spy. And there's going to be some type of turnover in that relationship where they're going to be dealing with a new handler, or someone who's going to be pushing them to be
and due to the past relationship, they're going to get that person to again renew their commitment and be consistent with providing that information.
Uh, the next one is just good old-fashioned liking. We get into a relationship. You like me. You want to do favors for me just because I'm a nice guy. And it turns out I'm trying to drive you to commit espionage and/or insider threat activities.
And the last one is going to be social proof. Again, that kind of goes back to that ego. I have to prove to myself that I'm better. I've got some type of
depressed sense of self, and in order to essentially elevate my sense of self, I have to be this insider threat or spy. So again, just another way of looking at some of the activities that drive an individual to become an insider threat.