
Defining Insider Threats

WHAT IS AN INSIDER?

• A person…
  • The organization trusts
  • Given a badge or access device
  • To whom the organization has provided a computer and/or network access
  • Who develops the organization’s products and services
  • Who is knowledgeable about the organization’s fundamentals
  • Who is knowledgeable about the organization’s business strategy and goals
  • With access to protected information

INSIDER THREAT DEFINITION

• As defined by the CISA “Insider Threat Mitigation Guide”:
  • An insider threat is the potential for an insider to use their authorized access or special understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, facilities, and associated resources.

TYPES OF INSIDER THREATS

• Unintentional
• Intentional
• Collusive
• Third-Party

UNINTENTIONAL INSIDER THREATS

• Negligent:
  • Exposing an organization to a threat through carelessness. Insiders of this type are generally familiar with security and/or IT policies but choose to ignore them, creating risk to the organization
  • Examples include:
    • “Piggybacking” through a secure entrance point
    • Misplacing or losing portable storage devices containing sensitive information
    • Ignoring messages to install new updates and security patches

UNINTENTIONAL INSIDER THREATS

• Accidental:
  • When an employee makes a mistake causing an unintended risk to an organization. Organizations can successfully work to minimize accidents, but they will occur
  • Examples include:
    • Mistyping an email address and accidentally sending a sensitive business document to a competitor
    • Unknowingly or inadvertently clicking on a hyperlink or opening an attachment that contains a virus within a phishing email
    • Improperly disposing of sensitive documents

INTENTIONAL INSIDER THREATS

• Insider intentionally takes actions that harm an organization for personal benefit or to act on a personal grievance
• Examples of motivation:
  • Disgruntlement related to perceived grievance, ambition, or financial pressures
  • Desire for recognition, seeking attention by creating danger
  • Belief they are acting in the public good

COLLUSIVE INSIDER THREATS

• Intentional or Unintentional
• This type of insider threat manifests when one or more insiders collaborate with an external threat actor to compromise an organization
• Frequently involves cybercriminals recruiting one or several insiders to enable fraud, intellectual property theft, espionage, or a combination of the three
• This type of insider threat is typically difficult to detect, since external actors are usually well versed in security practices and detection avoidance strategies

THIRD-PARTY INSIDER THREATS

• Associated with contractors or vendors who are not formal members of the organization, but have been granted some level of access to facilities, systems, networks, or people to complete their work
• Direct:
  • Specific individuals act in a way that compromises the targeted organization
• Indirect:
  • Flaws in systems that expose resources to unintentional or malicious threat actors

INSIDER THREAT EXPRESSIONS

• Violence
• Espionage
• Sabotage
• Theft
• Cyber

INSIDER THREAT EXPRESSIONS - VIOLENCE

• Any act of violence, threat of violence, or other threatening behavior that creates an intimidating, hostile, or abusive environment
• Includes criminal and destructive threats that precede physical attacks on infrastructure or threaten/harm the health and safety of individuals
• This encompasses both workplace violence and terrorism

INSIDER THREAT EXPRESSIONS - ESPIONAGE

• Practice of spying on a foreign entity to covertly or illicitly obtain information
• Economic Espionage:
  • Covert practice of obtaining trade secrets from a foreign nation
• Government Espionage:
  • Covert intelligence gathering activities by one government against another to obtain political or military advantage
• Criminal Espionage:
  • Involves a U.S. citizen betraying U.S. government secrets to foreign nations

INSIDER THREAT EXPRESSIONS - SABOTAGE
• Deliberate actions aimed at harming an organization’s physical or virtual infrastructure
• Physical Sabotage:
  • Noncompliance with maintenance procedures, contamination of clean spaces, physically damaging facilities, etc.
• Virtual Sabotage:
  • Using technical means to disrupt business operations, deleting code, noncompliance with IT procedures, etc.

INSIDER THREAT EXPRESSIONS - THEFT

• Financial Crime:
  • Unauthorized taking or illicit use of a person’s, business’s, or organization’s money or property with the intent to benefit from it
  • Examples include:
    • Identity theft, money laundering, forgery, tax evasion, bribery, embezzlement, and fraud
• Intellectual Property:
  • Robbing individuals or organizations of their ideas, inventions, or creative expressions
  • Examples include:
    • Trade secrets, proprietary products
  • This applies even if the concepts or items being stolen originated from the thief!

INSIDER THREAT EXPRESSIONS - CYBER

• Includes all the previous expressions, using a variety of vectors related to technology, virtual reality, computers, devices, or the internet
• Unintentional Cyber Threats:
  • Non-malicious exposure of an organization’s IT infrastructure, systems, and data
  • Insider may not realize they are participating in disruption
  • Examples include:
    • Phishing emails, rogue software, malvertising, etc.
• Intentional Cyber Threats:
  • Malicious actions performed by an insider intended to disrupt or cease an organization’s regular business operations
  • Examples include:
    • Changing data, inserting malware, etc.

INSIDER THREAT CASE STUDY - THE INSIDER

• An engineer at an aerospace manufacturing company working on commercial and military satellites sold to the Air Force, Navy, and the National Aeronautics and Space Administration. He had access to closely held trade secrets, including anti-jamming technology and encryption plans for communication with satellites.

INSIDER THREAT CASE STUDY - INDICATORS
• Stressors:
  • Felt underappreciated at work and was frustrated that he could not get promoted
  • Wife’s deteriorating health and mounting medical bills
• Personal Predispositions:
  • Problems With Judgment:
    • Sent gifts of $21,000+ to an online romantic interest he had never met
• Concerning Behaviors:
  • User Activity Monitoring (UAM) revealed he had inserted a USB device and copied five folders with detailed mechanical drawings and design information for a satellite program to which he was entrusted

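The UAM observation above (USB insertion followed by copying several protected folders) can be expressed as a simple correlation rule. The following is an added example, not material from this deck or from any UAM product; the log format, field names, the protected path and the thresholds are constructed assumptions.

```python
# Added example (not from the training deck): correlate constructed UAM events so
# that a USB insertion followed by copies from several protected folders alerts.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)      # copies count only this long after insertion
MIN_FOLDERS = 3                     # distinct protected folders before alerting
SENSITIVE_PREFIXES = ("/projects/satellite/",)   # assumed protected tree

# Constructed sample log, one event per line: timestamp|user|event|key=value;...
SAMPLE_LOG = """\
2023-05-02T09:00:12|jdoe|USB_INSERT|vol=E:
2023-05-02T09:03:40|jdoe|FILE_COPY|src=/projects/satellite/drawings/a.dwg;dst=E:/a.dwg
2023-05-02T09:04:02|jdoe|FILE_COPY|src=/projects/satellite/design/spec.docx;dst=E:/spec.docx
2023-05-02T09:05:10|jdoe|FILE_COPY|src=/projects/satellite/antenna/rf.pdf;dst=E:/rf.pdf
2023-05-02T09:06:44|jdoe|FILE_COPY|src=/home/jdoe/notes.txt;dst=E:/notes.txt
2023-05-02T09:45:00|jdoe|FILE_COPY|src=/projects/satellite/thermal/t.pdf;dst=E:/t.pdf
2023-05-02T10:15:00|asmith|USB_INSERT|vol=F:
2023-05-02T10:16:00|asmith|FILE_COPY|src=/home/asmith/resume.pdf;dst=F:/resume.pdf
"""

def parse(line):
    """Split one log line into (timestamp, user, event, {key: value})."""
    ts, user, event, detail = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split(";"))
    return datetime.fromisoformat(ts), user, event, fields

def detect(log_text):
    """Return {user: sorted protected folders} for users who copied files from at
    least MIN_FOLDERS distinct protected folders onto a removable volume within
    WINDOW of inserting it; copies outside the window (09:45 above) are ignored."""
    inserts = {}                    # (user, volume) -> insertion time
    folders = defaultdict(set)      # user -> protected source folders copied
    for line in filter(None, log_text.splitlines()):
        ts, user, event, f = parse(line)
        if event == "USB_INSERT":
            inserts[(user, f["vol"])] = ts
        elif event == "FILE_COPY":
            vol = f["dst"].split("/", 1)[0]          # "E:/a.dwg" -> "E:"
            t0 = inserts.get((user, vol))
            if t0 is not None and t0 <= ts <= t0 + WINDOW \
                    and f["src"].startswith(SENSITIVE_PREFIXES):
                folders[user].add(f["src"].rsplit("/", 1)[0])
    return {u: sorted(s) for u, s in folders.items() if len(s) >= MIN_FOLDERS}

if __name__ == "__main__":
    for user, dirs in detect(SAMPLE_LOG).items():
        print(f"ALERT {user}: {len(dirs)} protected folders copied to removable media")
```

In a real deployment the insertion and copy events come from the UAM agent's own event stream; only the correlation logic (volume match, time window, distinct protected folders) carries over.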
INSIDER THREAT CASE STUDY – ACT OF ESPIONAGE

• Frustrated with financial problems and his inability to get promoted, the engineer sent notes to the Russian embassy and consulate soliciting funds in exchange for sensitive and proprietary software technology and other satellite information. Over the course of a year, he met several times with an undercover Federal Bureau of Investigation (FBI) agent who he thought was a Russian intelligence officer and collected $3,500 for the information he passed.

INSIDER THREAT CASE STUDY – HOW IT WAS DISRUPTED

• His actions violated the Arms Export Control Act and International Traffic in Arms Regulations and posed a threat to national security and potentially significant financial harm to his company.
• In cooperation with his company’s insider threat team, law enforcement intervened to prevent the compromise. This intervention led to the insider’s conviction for the attempted illegal sale of proprietary trade secrets to a foreign government’s intelligence service. He was sentenced to five years in prison.

KEY TAKEAWAYS

• The insider threat is similar for many organizations in terms of the nature of the threat
• The character and conduct of the threat will manifest in various ways
• Each insider threat has or had some level of trust relationship with its victim
• Organizations should tailor their approach to the insider threat
• Insider threats are both intentional and unintentional
• Not all intentional insider threats are malicious
