Part 3 - Indicators to identify an insider threat


Time
7 hours 56 minutes
Difficulty
Advanced
CEU/CPE
7
Video Description

This lesson discusses indicators which might point to an insider threat. These include: 1. Violations 2. Failure to report 3. Physical access 4. Cyber actions 5. Foreign travel 6. Finances 7. Material transfer 8. Social 9. Communication 10. Reconnaissance 11. Entrenchment 12. Exploitation 13. Extraction 14. Communication 15. Manipulation 16. CI 17. Other

Video Transcription

>> In order to identify who might be an insider threat, there are essentially indicators of activity that you can look for. As you can see across the top line, those indicators are broken down into sections. The first section covers violations, generally of policy, if someone is habitually violating physical security policies and our cybersecurity policies. Because a lot of this information is very special and very unique, it is oftentimes stored in hard-to-get, hard-to-reach places where there are physical and cybersecurity protocols. I'm told that the secrets of Kentucky Fried Chicken are essentially stored in two vaults in Louisville, Kentucky, and no one has access to any one of the two vaults, but that's just rumors. But anyway, if someone was going to try and steal those secrets, they would need to get some type of physical access to that information. Generally, there would be some type of violation of policy that would go in conjunction with them trying to steal that information. That would either be a physical security violation or a cybersecurity violation. If someone starts to get a lot of these violations, it could be indicative that they are some type of insider threat.

The next group is going to be failing to report certain information that an organization might find useful. For instance, if you work for the government and you have a security clearance, you're generally required to report certain financial, travel, and contact information. Finances: if you are heavily indebted, if you're going through a bankruptcy, you're required to report that on what is called your SF 86, which details essentially your life history to the government. That way, there's nothing that's hidden or that you're trying to hide from the government. Essentially, they know that you're deeply in debt and you've got a plan, and you're working to try and fix that, because obviously money is that motivating factor. The next one is going to be travel outside of the country. Not to say that going to certain locations for a planned family vacation should be considered strange, but if all of a sudden someone just up and leaves and goes to this foreign country that they've never talked about, never had any interest in, that would probably be indicative of some suspicious behavior and more than likely some type of insider threat activity, which may reflect that they're going to another country to meet some type of contact who's willing to push them in that direction of being that insider threat. Lastly, we'll follow that up with contact. Does this person have a lot of foreign contacts that they would have no reason to have? Oftentimes, you're required to report that, again, on your SF 86, just due to those foreign relationships and someone from a foreign government or a company trying to pressure you into some type of relationship, which we talked about earlier.

The next one is going to be physical access rosters. Card blobs, door logs, sign-in/sign-out rosters. Generally, if you have somebody who works 8:00-5:00 and all of a sudden you start seeing them show up at 8 o'clock at night repetitively, that could mean something is going on. Same thing with the sign-in/sign-out rosters. However, that goes a step further. Maybe someone signs in and they don't sign out, and they do that habitually to try and hide their tracks. Those could be indicators that that person could be an insider threat.

The next category is going to be cyber actions. We'll cover that in depth after we get through the rest of these. We'll come back to that.

Moving on, we'll go to foreign travel. Again, like we talked about, the unexplained, new, and out-of-character trip. That's not, "I have this really great interest in going to Australia, I talked about it all the time, and finally I've saved up enough money to go to Australia. It's really cool. I've taken pictures of it." What this talks about is that someone all of a sudden is acting quirky. Then next week, they take a bunch of leave and they're off to this country that you've never heard of. It's out of character for their pattern of life.

The next category is going to be finances. This could be undue affluence. You know that your buddy Joe makes $50,000 a year and you make $50,000 a year, and you know how hard it is. You guys oftentimes talk about that, and you drive this old car, and he drives an old car. All of a sudden, Joe comes in and he's got this brand new Jaguar. That's showing that undue affluence. Especially if he hasn't inherited a lot of money or won the lottery, it's very odd that all of a sudden he is now able to afford this brand new Jaguar. If you decide to go to Joe's house one day and all of a sudden he has completely redecorated the house with these $2,000 or $3,000 draperies, that could be indicative that he has come under some undue affluence. Conversely, if someone has massive amounts of debt, more debt than they would ever be able to pay off in their lifetime for their level of income, that could be an indicator that they are a potential insider threat. Or if they have a potential gambling habit and it's out of control, they could be an insider threat. Especially if they have access to this very special and unique information, they would be more likely to want to sell that information to cover their gambling debts or to cover their massive debt.

The next category is material transfer. This talks about either downloading large amounts of material or gathering up the material and throwing it in a garbage bag, and walking out of the FBI building like Robert Hanssen did. Any type of removal of sensitive material would be an indicator that that person could be an insider threat.

The next one is social indicators, so things that they're saying internally and things that they're saying externally. If you have this employee who comes to work and he's been very chatty, has a good history, and all of a sudden you see a marked shift in his behavior, he's no longer chatty.

>> He is hostile towards his co-workers. That could be an indicator that, one, there's something going on with that employee, and two, that he might be an insider threat. Then, externally, what are his social relationships like? Is there a marked change in how he interacts outside of work, especially if you have co-workers who hang out together outside of work in a social setting?

Moving on, communication. If you're looking at how an employee uses their social media, a lot of times you have companies that monitor employees and their social media presence. All of a sudden, you see this employee start bashing your organization, saying how much they hate working there, it's like going to work in the salt mines. That could be an indicator that that person has the potential to be an insider threat. Likewise, the misplaced loyalty. Generally, that applies to a government where someone is starting to say that they dislike the United States of America, that they prefer this other country; that would be an example of misplaced loyalty.

Going back to cyber actions, there are, again, subcategories on cyber actions. Again, we have reconnaissance. That would include doing web browsing, database searches, or net scanning of your organization's network to try and figure out vulnerabilities, just like a hacker would. That would be indicative of someone who's becoming an insider threat. Entrenchment is going to be that next stage, which should be, again, familiar from that anatomy of a hack. Someone who might be installing sensors to figure out what is going on within that network, or unauthorized software on their computer, or they're making themselves entrenched in that activity. The next one is where they actually go in and start exploiting the network. They're going to escalate their privileges: say they have just certain read processes; they may want to escalate that to read/write. Or if they only have a secret clearance, they may want to escalate their privileges up to a top-secret clearance. Then we'll go to password cracking, trying to get passwords either through technical means and/or by social engineering, per se, going around to individuals at work and using their leverage. A computer administrator saying, "I need your password so I can log into your account and do something," and then actually masquerading as that person. Then account misuse: doing things with their account that they're not supposed to do.

Moving on from there, we'll go to the extraction of data. That could include printing large amounts of data, again, filling the garbage bag and walking out with it, downloading massive amounts of data to some place, or uploading it to maybe a Google Share folder or an Office 365 folder that they shouldn't take that data to. Removable media. If your organization doesn't have a data loss prevention policy in place, and you have someone who brings in the sport terabyte hard drive and they're downloading the state secrets, that would be a good indicator that they're an insider threat. Or someone who goes to the copy machine a lot and is making duplicate copies of data that they come across; that again would be indicative of the insider threat.

Moving on from there is, how does this person communicate? Are they using encrypted mail at work, such as the old Hushmail or the new ProtonMail, trying to email their contact information? Are they receiving coded messages? Are they using covert channels to try and hide some of the activity that they're doing?

The next category is manipulation: changing file permissions up or down. All of a sudden, I've got access to this document and someone changes it so I can't access it and see what's going on; that would be an example. Or deleting files. As we've talked about earlier, someone who is hacked off at the organization may want to delete all of the files that are within this folder, or that contain, again, the secret to Colonel Sanders' chicken, and if someone deletes that and it's gone, how do you recover from that? Or changing the file data. You've got that, again, Colonel Sanders chicken recipe and you add too much paprika; that essentially changes the consistency of the recipe and it may ruin your business.

Moving on from there, you have the counterintelligence concerns. If someone is searching the human resources or security databases about themselves, trying to figure out what information the company may be gathering about that person, to see if someone may be on their tracks. Disk erasure and destroying evidence. They're going to try and cover up any activity or any evidence of the activity that they've done. Those would be indicative of an insider threat. Then lastly, someone who is looking at pornography or gambling at work. Again, those are just blatant violations, generally of a company policy, and that could be indicative of other problems, and it might actually lead to someone being an insider threat.

Again, not everyone who exhibits some of these indicators is going to be an insider threat. Once you start seeing large amounts of these indicators checked off, that is generally a good assumption that you might want to look at that person a little bit more.

Out of all that, consolidate that down into some sensors that you can look at for individuals. Honeypot and honeynet data: what are they doing on your network? Call patterns and call logs: are they making calls that are inconsistent with their daily activities? Or all of a sudden, are they picking up their phone, or are they calling the Russian embassy trying to get information out of your organization? Email patterns: are they emailing individuals outside of your organization, or are they emailing someone in another country that your business doesn't necessarily have business dealings with? That would be indicative. Again, travel and vacation. We've talked about these strange trips to these foreign countries that they've never had any desire for or talked about going to before. Maintenance schedule. That would be a good sensor for looking at someone to see if they might be an insider threat, so you can schedule maintenance and then go in and look at certain information of that person. Keyboard logs. If your organization starts logging information via the keyboard, you can look to see what that person is doing at their workstation. File system logs. To see if they've changed permissions of files, what files they've created, what files they've looked at. Is that in conjunction with their roles and responsibilities? Are they looking at new information that they've never had access to before? That would be a sensor to see if they're an insider threat. Trouble tickets. Again, if someone is having massive amounts of computer problems because they're dorking around with the system and trying to exfiltrate data or do something to their computer to enable them to be that insider threat, they might have trouble and be submitting trouble tickets, and that could be indicative of that person being an insider threat. Then again, your IDS logs: what information is coming in and out of your network? Then lastly, system logs: what are they doing on that system? Is there a bunch of security alerts that you may need to review? Again, those are just some ways that you could look to see if you can find some of those indicators.
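A screening script for two of the physical-access sensors the instructor describes (door logs and sign-in/sign-out rosters), added here as an example rather than taken from the course. The log format, the 08:00-17:00 baseline, the repeat threshold and the sample entries are all constructed assumptions.

```python
"""Screen badge/door logs for two lesson indicators: repeated after-hours
entries and sign-ins that were never followed by a sign-out."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log for this example: ISO timestamp, user, IN/OUT event.
SAMPLE_LOG = """\
2024-03-04T08:02:11 jdoe IN
2024-03-04T17:05:40 jdoe OUT
2024-03-04T20:31:09 jdoe IN
2024-03-04T23:12:55 jdoe OUT
2024-03-05T08:00:13 jdoe IN
2024-03-05T17:01:00 jdoe OUT
2024-03-05T20:45:02 jdoe IN
2024-03-06T20:40:17 jdoe IN
2024-03-06T22:55:01 jdoe OUT
2024-03-04T08:10:00 asmith IN
2024-03-04T16:58:22 asmith OUT
2024-03-05T08:05:00 asmith IN
"""

WORK_START, WORK_END = 8, 17   # assumed normal pattern of life: 08:00-17:00
AFTER_HOURS_THRESHOLD = 3      # assumed: one late night is noise, repeats are not

def parse_log(text):
    """Return (timestamp, user, kind) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        ts, user, kind = line.split()
        events.append((datetime.fromisoformat(ts), user, kind))
    return sorted(events)

def screen(text):
    """Map user -> list of indicator strings for users worth a closer look."""
    after_hours = defaultdict(int)
    missing_out = defaultdict(int)
    open_entry = {}                      # users currently signed in
    for ts, user, kind in parse_log(text):
        if kind == "IN":
            if not WORK_START <= ts.hour < WORK_END:
                after_hours[user] += 1
            if user in open_entry:       # a second IN with no OUT in between
                missing_out[user] += 1
            open_entry[user] = ts
        else:
            open_entry.pop(user, None)
    # A user still "open" when the log ends is not counted: the log may simply
    # end mid-shift, so that would be a false positive rather than an indicator.
    findings = {}
    for user in set(after_hours) | set(missing_out):
        flags = []
        if after_hours[user] >= AFTER_HOURS_THRESHOLD:
            flags.append(f"after-hours entries: {after_hours[user]}")
        if missing_out[user]:
            flags.append(f"sign-ins without sign-out: {missing_out[user]}")
        if flags:
            findings[user] = flags
    return findings
```

Run against the sample, only jdoe is flagged; asmith's open entry at the end of the log is deliberately ignored, matching the lesson's point that a single indicator is not a verdict.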