Analyzing the Insider Threat

May 22, 2017 • Amanda McKeon

What exactly is an insider threat? It’s a term we hear a lot in cyber security circles, and of course, the world of threat intelligence. While its meaning seems self-evident, we’ve found that it often brings to mind different things to different people.

In this episode, we talk to a real expert on the subject of insider threats, John Wetzel, a Threat Intelligence Analyst at Recorded Future. Before he joined the team, John was a Counterintelligence Special Agent with the Department of Defense. He’ll share his experiences, describe the types of insider threats you’re likely to encounter, and explain the difference between those insiders that are out to do harm to an organization, and very real threats that can come from actions (or inaction) by those with no ill intent at all.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone and welcome to episode seven of the Recorded Future podcast. I’m Dave Bittner from the CyberWire. What comes to mind when you hear the phrase insider threat? For me, it’s a scene from a scary movie that came out when I was a kid. You know, the one where the young woman is home alone. She’s getting creepy phone calls from someone who’s stalking her, and finally she calls the police to trace the calls and they let her know the calls are coming from inside the house — but that’s me. Still, I think a lot of people have a not completely unrelated line of thinking when it comes to insider threats and cybersecurity. Someone from inside your own organization is out to do you harm deliberately or otherwise through malice or neglect.

Today on our show we’re speaking with John Wetzel about insider threats. He’s a threat intelligence analyst at Recorded Future and before that he was a counterintelligence special agent with the Department of Defense, so he knows a thing or two about today’s topic. Stay with us.

John Wetzel:

Typically we mean someone who’s inside of our company who has access to sensitive information, but that’s not always the case, because our enterprise can extend well beyond the traditional borders, or walls of our network, and to our vendors and our suppliers, and to our partners.

Dave Bittner:

I think when most people think of an insider threat, I think they think of someone with nefarious intentions, but you make the point that there really is kind of a spectrum of insider threats.

John Wetzel:

There really are. When you’re discussing insider threat, we need to realize that it’s not just a binary problem. You start off coming into your company, you’re usually not necessarily malicious. That’s in fact one of the rarest types. Most often, you’re an individual who may fall on lines of being somewhere along the careless or naïve fashion. Then gradually become slightly disenfranchised and then more disenfranchised with the organization, its policies, maybe just as an individual doesn’t like that place. They start to seek places that they can outlash and where they can go and where they can be accepted as a person, as a worker. Someone who can sympathize with their plight.

That’s where you get these areas of extending into forums, into places like Reddit and into places like 4chan, where there are a number of individuals who suffer that same type of plight. Then gradually that can extend onto other forums, onto places along the dark web, along to closed-access forums.

Dave Bittner:

What direction does the initial communication happen? Do we typically have outside bad guys who are seeking out people inside a company or do we typically have insiders who are as you say, sort of disenfranchised, so they go looking for some place to sell the information they may have access to?

John Wetzel:

I really think that the biggest change in how we view insiders is that it’s a two-way street. We have both the traditional insiders who are seeking out as well as having adversaries. It’s not necessarily just nation states. It’s criminal actors who have realized that these insiders contain information — not just sensitive access, but real information that helps them in multiple points throughout a cyberattack.

Dave Bittner:

Take me through some of the details of something like that.

John Wetzel:

When you first start thinking of how an insider works, you think of this lone individual in this James Bond kind of scenario. Where they have all the tools, all the techniques. Everything that they need to complete the mission, if you will, on its own. Very, very rarely is this actually the case. Almost always that insider is going to need resources, whether technical or criminal, in order to be able to fulfill whatever it is their end goal is. There needs to be a partnership that exists between that insider and a criminal network, another organization that supplies them with whatever they need.

Sometimes that can be a non-technically proficient insider who then needs a criminal network or resources to provide technical skills, to provide ways to cash out services, and meanwhile can be a criminal network that needs things such as access to the site, information about how those employee processes work, or even along the lines of “We need to be able to cash out our stolen information from other locations.”

Dave Bittner:

Let’s go through each of these types of insider threats that you describe and go into each of them in a little more detail. You start off talking about the careless.

John Wetzel:

Sure. When people come into our organization there needs to be a learning path for them, along the lines of security as well as the traditional learning paths about job function. Oftentimes, people’s main exposure to security is don’t do this thing or I’ve hit a wall where security has put one up. Very rarely is that a friendly or a transactional relationship. More often it’s “Don’t go there.” As people start maturing in an organization, they move from merely being careless and trying to understand where the walls are, to kind of a purposeful naivety, where they understand that maybe they’re not supposed to be visiting a site, but they want to, because either it makes their job far easier, or mainly just because they feel they don’t need to rely on the rules as much.

Once you start maturing past that simple naivety you get into this area where it’s more “What can I do for me?” This can expose itself in many different ways. As I potentially seek out other employment, I can be looking at “Will this piece of information, project, other access that I’ve been given help me in a future employment opportunity? Is this something that I can take and show another potential prospective employer that will impress them along the way?” Then further along you’re going to actually dive down into it and say, “Hey, where are the things that I can really truly be selfish about and steal for myself?”

“Can I take a company financial proprietary information? Can I take code samples that I had worked on and then use them for my own purposes?” Finally, you end up with this idea of the most common, I believe, type of insider, which is the moonlighter. This is someone who is purposely taking things, engaging in somewhat willful violation of policies and rules, but also doing it in a way that they don’t necessarily want to jeopardize their employment. They’re engaging in things only when the benefit to them rises to the level that it is of enough interest, enough monetary gain, enough financial interest in order for them to be able to steal that.

Dave Bittner:

Then finally at the far end of your spectrum, you describe the mole.

John Wetzel:

Yeah, the mole is something that gets a lot of emphasis in most traditional insider threat. It’s this idea that someone is persistent, is targeted, is getting into our organization with the purposeful intent to deceive us and to steal. And that is not really how a traditional, either espionage or insider threat, really works. We need to come to the realization that more often than not, we are creating insiders and growing them in our organizations, not bringing them in.

Dave Bittner:

Given that we have this spectrum of vulnerabilities when it comes to insiders, what’s a good strategy to try to protect yourself against it?

John Wetzel:

When I used to work with the Department of Defense, oftentimes what we would do is identify insiders not internally, not based on our internal controls, but externally. How that process would work is there would be communication from another agency, another organization, saying “We have seen this person of a certain height, a certain weight, of a certain gender walk into this restricted location and attempt to hand over classified material to a foreign government.” That’s where your investigation begins, knowing that a breach has already occurred. Your systems and controls have already failed, and now you need to identify where is this person? Where is this potential leak, so that I can hunt down from there.

I think that’s a good model for how we need to start thinking about insider threat. Realizing that the internal controls that we set up are most often going to fail and we need to have some way to signal, not just the breach, but the intent to breach. Someone potentially advertising that they have access, that they have controls, or conversely, some criminal requesting or soliciting access or some other type of information from an organization.

Dave Bittner:

What would those kinds of advertisements typically look like?

John Wetzel:

In research that we’ve done in Recorded Future, we’ve seen a number of different dark web advertisements primarily focused around three principal areas. The first one is actually the area of card cash out. These are sophisticated criminal organizations that are trying to cash out their carding operations through the use of retail clerks who can punch in the fraudulent card information. The second way that we’ve seen these types of criminal organizations solicit or garner information is through the use of insider financial theft. This would be sites or forums that provide individuals space to be able to share insider trading information in return for partnerships with others who will cash in on that and then provide a share of the return.

The third way that we’ve seen these types of insiders work is through this idea of actually the malicious implant. This is a criminal organization, or conversely, the insider saying “I have access. Is there a technical tool, is there some way that we can implant malware and do something truly malicious?”

Dave Bittner:

If I’m a company and I’m trying to prevent insider threats, what about the notion of simply trying to make my company a place where people are less likely to have the types of feelings that will lead them towards this sort of thing?

John Wetzel:

I think that there is a very strong argument that you want to have companies that people are generally happy at. There’s an old saying in counterintelligence that happy people don’t commit espionage. On the other hand, one of the ways that we’ve seen insider threat emerge is even through the use of in Silicon Valley companies where a particular person working for a company may leak out insider information about new product developments or new technology that’s being developed to competitors or to the press in exchange for potentially favorable reviews later on in that individual’s career or other future startups.

Dave Bittner:

What about the notion of the carrot versus the stick, rewarding employees for doing the right thing versus punishing them for making a mistake?

John Wetzel:

I think there is a really serious issue when we talk about security and talk about the issues of punishment, because those two are so closely aligned and you get into a very dangerous area where people are afraid of an insider, because they don’t want to be associated with them, but at the same time they also cannot see anyone around them being an insider, because if you separate it into an us versus them scenario, you can’t believe that anyone around you would ever betray. We’ve seen this scenario play out through the federal government, through other larger organizations that have had serious espionage concerns. When you’re talking about how do we solve that as a corporate policy instance, you get into very, very interesting cases where the policies need to be just severe enough that there is a consequence to it, but we also need to be able to surface those reportings of insiders.

One interesting case study that I was able to receive when I was part of the Department of Defense, with a contractor, they were trying to institute initial insider threat detection policies. They started with a relatively known area that most users would believe, we’re not supposed to do that. That was through adult materials. They believe that they were not going to find any adult materials on their network, and when they initiated some insider detection methods, they realized that numerous employees throughout their enterprise were accessing and even storing these materials on company networks. This type of awareness now turns a policy problem from “We thought that our policies were being effective,” to “Our policies are being massively violated, what do we do now? Because, we can no longer enforce the punishments that we have, because to do so would literally decimate our workforce.”

They had to come up with new solutions to roll out and re-educate their employee populace in order to be able to bring them back to the baseline that they thought that they were already at. This brings up two really interesting points about policy. The first one is that policies are often written to protect the company, not to inform the employee. I think that the more understandable policies are, the more employees are likely to comply. The second area about policy is that many of the times that the policies that we have written are not necessarily being enforced, and thus, employees may be breaching those policies far wider than we think. When we get to that idea of enforcement versus perhaps incentive, I think you need to first back off to the point of, “Are our policies effective?”

Dave Bittner:

What is your advice to companies who are trying to get a better handle on this notion of protecting themselves against insider threats?

John Wetzel:

I think that companies need to be very aware that there is more than just internal signaling. The idea of insider threat is somewhat of a misnomer in the same way that APTs can’t be so advanced if they are using and relying on phishing emails. The first place that insiders are often going to be detected is external to their network. If you are a company, you need to ask yourself, if we saw a breach external to our network, number one, would we be alerted to it, and number two, what would we do if we were? Being able to come up with an incident recovery plan for exactly that type of instance is something that is critical to maintaining the operations of a business.

Then following on, I think that we need to be very careful when we are constructing our security wall plans to be ensured that we are realizing that insider threat is not just a single attack venue, where insiders are whole and of themselves, but can be utilized in parts throughout an attack. Whether it’s to gain access, whether it’s to share credentials, whether it’s to move laterally throughout a network, or whether it is to actually just gain a little piece of information through a conversation which is critically important to executing that attack, such as “How do I properly form a SWIFT message?”

Dave Bittner:

What part does threat intelligence play in protecting yourself against insider threats?

John Wetzel:

Threat intelligence is always going to be that warning beacon with insider threat. It is not a way to prevent it, it is not a way to dive in and really further investigate individual threats, but it can prevent that early warning that we have missed something critical, that our internal sensors did not pick up on. We have missed it because we were looking in the wrong place, and we have missed it because we critically misjudged or were overconfident in our ability to stop this information from escaping our borders.

Dave Bittner:

What about the bias that someone who works for us, we may give them benefit of the doubt that we wouldn’t give to an outsider?

John Wetzel:

I think that plays right into that idea of us versus them. The critical problem when you start making it into a very binary problem is that you end up doing three things. Number one, the person next to me cannot possibly be an insider and so you self-blind yourself to that. Number two, as an organization, you limit the amount of reporting, because no one is ever going to want to report on somebody else who they have to see every day. It creates a very awkward environment and somewhat it’s socially uncouth. Then this third area is that you begin to create these separations which may in fact feed into that idea of isolation that creates insiders in the first place.

I think those are very interesting and difficult problems at an organizational level to try and solve. It’s far easier to have something like an external alerting system which would alert you to, “Hey, are people targeting our networks? Are people targeting our information to try and gain further access?”

Dave Bittner:

Our thanks to John Wetzel for joining us.

Before we let you go, don’t forget to sign up for the Recorded Future Cyber Daily email, and every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

You can also find more intelligence analysis at recordedfuture.com/blog.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
