Time
7 hours 36 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lesson discusses indicators which might point to an insider threat. These include:
1. Violations
2. Failure to report
3. Physical access
4. Cyber actions
5. Foreign travel
6. Finances
7. Material transfer
8. Social
9. Communication
10. Reconnaissance
11. Entrenchment
12. Exploitation
13. Extraction
14. Communication
15. Manipulation
16. CI
17. Other

Video Transcription

00:04
So in order to identify who might be an insider threat, there are essentially indicators of activity that you could look for.
00:13
So if you can see across the top line, those indicators are broken down into sections, and the first section covers violations, generally of policy. So
00:26
is someone habitually violating physical security policies or cyber security policies?
00:32
Because a lot of this information is very special and very unique, it is oftentimes stored in hard-to-get, hard-to-reach places where there are physical and cyber security protocols. I'm told that the secrets of Kentucky Fried Chicken are essentially stored in two vaults in Louisville, Kentucky.
00:52
No one has access to any
00:55
one of the two vaults, but that's just rumors. But anyway,
00:58
if someone was going to
01:00
try and steal the secrets, they would need to get some type of access, physical access, to that information,
01:07
and generally there would be some type of violation of policy that would go in conjunction with them trying to steal that information. That would either be a physical security violation or a cyber security violation.
01:21
If someone starts to get a lot of these violations, it could be indicative that they are some type of insider threat.
01:29
The next group is going to be failing to report certain information that an organization might find useful. For instance, if you work for the government and you have a security clearance, you're generally required to report certain financial, travel, and contact
01:48
information.
01:49
So finances: if you are heavily indebted, if you're going through a bankruptcy, you're required to report that on what is called your SF 86. That details essentially your life history
02:02
to the government.
02:05
And, uh, that way there's nothing that's hidden or that you're trying to hide from the government, so essentially they know that you're deeply in debt
02:15
and that you've got a plan and you're working to try and fix that. Because obviously money is that motivating factor.
02:21
The next one is going to be traveling
02:23
outside of the country. So,
02:25
uh,
02:27
not to say that, you know, going to certain locations for a planned family vacation should be considered strange. But if all of a sudden someone just up and leaves, goes to this foreign country that they've never talked about, never had any interest in, that would be
02:45
probably indicative of some suspicious behavior and, more than likely, some type of insider threat activity,
02:52
which may reflect that they're going to another country to meet some type of contact who's going to push them in that direction of being that insider threat.
03:01
And lastly, we'll follow that up with contact. So does this person have a lot of foreign contacts that they would have no reason to have?
03:10
Oftentimes you're required to report that, again, on your SF 86, just due to those foreign relationships and someone from a foreign government or foreign company trying to pressure you into some type of relationship, which we talked about earlier.
03:28
The next one is going to be physical access rosters. So card logs, door logs, sign-in/sign-out rosters. Generally, if you have somebody who works 8 to 5 and all of a sudden you start seeing them show up at eight o'clock at night repetitively, that could indicate something is going on.
03:46
The same thing with sign-in/sign-out rosters.
03:49
However, that goes a step further. Maybe someone signs in, they don't sign out, and they do that habitually to try and hide their tracks. Those could be indicators that person
03:59
could be an insider threat.
04:01
The next category is gonna be cyber actions. We'll kind of cover that in depth after we get through the rest of these; we'll come back to that.
04:09
So moving on, we'll go to foreign travel again. Like we talked about, the unexplained, new, out-of-character travel. That's not, you know, "I have this really great interest in going to Australia. I talked about it all the time. Finally, I've saved up enough money to go to Australia. It's really cool. I'm taking pictures of it."
04:27
What this talks about is that someone all of a sudden,
04:30
they're kind of acting quirky, and then next week they take a bunch of leave and they're off to this country that you've never heard of. And it's out of character for their pattern of life.
04:44
The next category is going to be finances. So this could be undue affluence: you know that your buddy Joe makes $50,000 a year and you make $50,000 a year. You know how hard it is. You guys oftentimes talk about that, and you know, you drive
05:02
this, you know,
05:03
old car, and he drives an old car, and all of a sudden Joe comes in and he's got this brand new Jaguar.
05:11
That's kind of showing that undue affluence, especially if he hasn't inherited a lot of money or won the lottery. It's very odd that all of a sudden he is now able to afford this brand new Jaguar.
05:23
Or if you decide to go to Joe's house one day and all of a sudden he has completely redecorated the house with these two or $3,000 draperies, that could be indicative that he has come under some undue affluence.
05:39
Conversely, if someone has massive amounts of debt, they have more debt than they would ever be able to pay off in their lifetime and for their level of income, that could be an indicator that they are a potential insider threat,
05:57
or if they have a potential gambling habit and it's out of control, they could be an insider threat, especially if they have access to this very special and unique information. They would be more likely to want to sell that information to
06:15
cover their gambling debts or to cover their massive debt.
06:19
The next category is material transfer. So this talks about either downloading large amounts of material or gathering up the material, throwing it in a garbage bag, and walking out of the FBI building like Robert Hanssen did.
06:33
Uh,
06:34
so any type of removal of sensitive material
06:40
would be an indicator that that person could be an insider threat
06:45
The next one: social indicators of things that they're saying internally and things that they're saying externally. So if you have this employee who comes to work and he's been very chatty, has a good history, and all of a sudden you see a marked shift in his behavior. He's no longer chatty; he
07:03
is hostile towards his co-workers. That could be an indicator that, one, there's something going on with them,
07:09
two, that he might be an insider threat. And then externally, what are his social relationships? Like, is there a marked change in how he interacts outside of work? Especially if you have co-workers who kind of hang out together outside of work, in a social setting.
07:28
Moving on, communications. So if you're looking at how an employee uses their social media. A lot of times you have companies that kind of monitor employees and their social media presence, and all of a sudden you see this employee start
07:44
bashing your organization, saying how much they hate working there, it's going to work in the salt mines.
07:48
That could be an indicator that person has the potential to be an insider threat,
07:55
and likewise misplaced loyalty. Generally that applies to government, where someone is starting to say that they dislike the United States of America, they prefer this other country. That would be an example of misplaced loyalty.
08:11
So going back to cyber actions
08:13
Ah, there are again subcategories of cyber actions. So again we have reconnaissance.
08:20
That would include doing web browsing, database searches, or net scanning of your
08:26
organization's network to try and figure out vulnerabilities, just like a hacker would. That would be indicative of someone who is becoming an insider threat.
08:37
Entrenchment is going to be that next stage, which you should be, again, familiar with from that anatomy of a hack. So someone who might be installing sensors to figure out what is going on within that network, or unauthorized software on their computer. They're making themselves entrenched in the activity.
08:58
The next one is where they actually go in and start exploiting your network. So they're going to escalate their privileges. They have just certain read permissions; they may want to escalate that to read-write.
09:15
Or if they only have a secret clearance, they may want to escalate their privileges up to a top secret clearance.
09:22
Then we'll get to password cracking, trying to get passwords either through technical means and/or by social engineering, say, going around to individuals at work and using their
09:35
leverage as a computer administrator, saying "I need your password so I can log into your account and do something," and then actually masquerading as that person,
09:43
and then account misuse.
09:46
So, uh, doing things with that account that they're not supposed to do.
09:50
Uh, moving on from there, we'll go to the extraction of data. So that could include printing large amounts of data, again filling a garbage bag and walking out with it, downloading massive amounts of data to some place, or uploading it to, maybe, a Google shared
10:09
folder or Office 365 folders they shouldn't,
10:13
uh, taking that data to
10:16
removable media. So if your organization doesn't have a data loss prevention policy in place, if someone brings in a four-terabyte hard drive and they're downloading the state secrets, that would be a good indicator that they're an insider threat,
10:31
or someone who goes to the copy machine a lot and is making duplicate copies of data they come across. That again would be indicative of an insider threat.
10:41
Moving on from there is: how does this person communicate? Are they using encrypted mail at work, such as the old Hushmail or the new ProtonMail, trying to email their contact information? Are they receiving coded messages? Are they using covert channels trying to hide some of the activity that they're doing?
11:00
The next category is manipulation,
11:03
changing file permissions, up or down. So all of a sudden I had access to this document, someone changes it so I can't access it; see what's going on. That would be an example. Or deleting files, as we talked about earlier: someone who is hacked off with the organization, they may want to delete all of the files
11:22
that are within this,
11:24
the,
11:24
within this folder, or contained again the secret to Colonel Sanders' chicken, and someone deletes that, it's gone. How do you recover from that?
11:35
And/or changing the file data. So you've got that again, Colonel Sanders' chicken recipe, and you added a lot of, too much paprika. Essentially it changes the consistency of the recipe, and it may ruin your business.
11:50
Moving on from there you have the counterintelligence concerns. So if someone is searching the human resources or security databases about themselves, trying to figure out what information the company may be gathering about that person, to see if someone may be on their tracks,
12:09
disk erasure, destroying evidence, that they're going to try and cover
12:13
up any activity or any evidence of activity they've done, those would be indicative of an insider threat. And then, lastly, someone who is looking at *** or gambling at work. Again, those are just blatant violations, generally of company policy,
12:30
and that could be indicative of other problems, and it might actually lead to someone
12:35
being an insider threat.
12:35
So again, um,
12:39
not everyone who exhibits some of these
12:43
indicators is going to be an insider threat. When you start seeing
12:48
large amounts of these indicators checked off, that is going to be generally a good assumption that you might want to look at that person a little bit more.
12:56
so,
12:58
uh, kind of out of all that, we'll consolidate that down to sensors that you can look at for individuals. So, honeypots, hunting that data: what are they doing on your network? Call patterns and call logs: so are they making calls that are inconsistent
13:15
with their daily activities? Or all of a sudden, are they picking up the phone? Are they calling,
13:20
you know, the Russian Embassy, trying to get information out of your organization?
13:26
Email patterns. Are they emailing individuals outside of your organization? Are they emailing someone in another country that your business doesn't necessarily have business dealings with? That would be indicative.
13:41
Again, travel and vacation. We talked about these strange trips
13:46
to these foreign countries that they've never had any desire for or talked about going to before.
13:54
Maintenance schedule, so that would be a good sensor of looking at someone to see if they might be an insider threat, so you can schedule maintenance and go in
14:05
and look at certain information of that person.
14:09
Keyboard log. So if your organization starts logging information via the keyboard, you could look to see what that person is doing at their workstation.
14:20
Uh, wow. System logs
14:22
to see if they changed permissions of files, files they created, what files they looked at. Is that in conjunction with their roles and responsibilities? Are they looking at new information that they've never had access to before?
14:37
That would be a sensor to see if they're an insider threat.
14:41
Trouble tickets again. So if someone is having massive amounts of computer problems because they're dorking around the system, trying to exfiltrate data or do something to their computer to enable them to be that insider threat, they might have
15:00
trouble and are having to submit trouble tickets. And that could be indicative of that person being an insider threat.
15:07
And then again, your IDS logs. What information is coming in and out of your network?
15:13
and then, lastly, system logs. What are they doing on that system? Is there a bunch of security alerts that you may need to review?
15:22
So again, those were just some ways that you could look to see if you could find some of those indicators.

Up Next

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor