Why Insider Threat Teams Need Access to External Resources

November 27, 2018

To learn how Business Risk Intelligence (BRI) is an essential source of external data for ITP teams, download our BRI for Insider Threat Programs overview.

The events of the past year have demonstrated how external actors can work hand-in-hand with insiders to carry out a variety of malicious schemes. In particular, the charges made earlier this month by the U.S. Department of Justice against a Chinese government-controlled firm serve as an example of how nation states and corporate competitors can recruit insiders to steal proprietary data in hopes of gaining a competitive advantage.

The influence of outsiders over malicious insider activity underscores the importance of external data for insider threat programs (ITPs). Internally focused tools such as data loss prevention (DLP) and user and entity behavior analytics (UEBA) are often effective at flagging abnormal activity on the corporate network, but they see only that network: they cannot show whom a user is dealing with outside it, or why the activity is happening. To understand the nature of a malicious insider, investigators must also be able to draw on external data and resources, particularly with respect to:

Deep & Dark Web (DDW) Activity

Unless a malicious insider is incredibly sloppy, any engagement they have with external actors in DDW communities will not surface in an ITP's review of internal data; such contact typically takes place from personal devices and networks that leave no trace in corporate logs. Without visibility into these external channels, ITP teams are unlikely to proactively identify and mitigate such activity.

It is not uncommon for malicious insiders and external threat actors to connect and correspond in covert DDW forums and marketplaces. Through these channels, external actors may solicit employees within a specific sector or organization in hopes of finding someone willing to assist them in conducting an attack. Alternatively, malicious insiders have been known to utilize these same channels to advertise their authorized access to certain assets or information.

In addition to monitoring for insider recruitment, visibility into DDW activity enables ITP teams to identify customer data, intellectual property, and other sensitive information that is already being advertised on underground marketplaces. Teams can then determine whether the data was compromised by an insider, for example by matching the listed records to the specific system, data set, or access scope they could only have come from, and take appropriate mitigation and response actions.

Information Sharing and Finished Intelligence

As insider threats continue to evolve, relying solely on internal resources and expertise will eventually cause ITP teams to fall behind in their efforts to combat threat actors’ latest tactics, techniques, and procedures (TTPs). By openly collaborating with, and learning from, trusted insider-threat experts operating in a variety of sectors, ITP teams benefit from a collective body of knowledge and experience which serves as a sounding board for assessing and adapting to emerging trends.

Social Media Activity

In the words of David L. Charney, insider threat events always originate within the minds of individuals. Social media can therefore be a useful resource for gaining insight into an individual's interests and activity beyond an organization's internal network, as well as the psychological triggers and motives behind suspicious activity. For example, an employee's social media account may reveal recent travel to a location of concern, potential collusion with external threat actors, extravagant spending habits, or financial difficulties, all of which are potential indicators of insider-threat activity.

External actors, including Chinese intelligence services, have also been known to use professional networking sites to recruit insiders. They seek out people with particular skills or employment at a particular organization and offer them temporary opportunities as consultants or guest speakers, with the goal of getting them to share internal knowledge about specific areas of interest.