Why Insider Threat Teams Need Access to External Resources
To learn how Business Risk Intelligence (BRI) is an essential source of external data for ITP teams, download our BRI for Insider Threat Programs overview.
The events of the past year have demonstrated how external actors can work hand-in-hand with insiders to carry out a variety of malicious schemes. In particular, the charges made earlier this month by the U.S. Department of Justice against a Chinese government-controlled firm serve as an example of how nation states and corporate competitors can recruit insiders to steal proprietary data in hopes of gaining a competitive advantage.
The influence of outsiders over malicious insider activity underscores the importance of external data for insider threat programs (ITPs). Internally focused tools such as data loss prevention (DLP) and user and entity behavior analytics (UEBA) are often effective at detecting abnormal activity, but they cannot give a complete picture of a user's actions, because the recruitment of an insider, the coordination with a handler, and the sale of what was taken all happen outside the network those tools observe. To understand the nature of a malicious insider, investigators must be able to leverage external data and resources, particularly with respect to:
Deep & Dark Web (DDW) Activity
Unless a malicious insider is incredibly sloppy, their dealings with external actors in DDW communities leave little or no trace in the internal data an ITP examines. Without visibility into those external channels, ITP teams cannot proactively identify and mitigate such activity.
It is not uncommon for malicious insiders and external threat actors to connect and correspond in covert DDW forums and marketplaces. Through these channels, external actors may solicit employees within a specific sector or organization in hopes of finding someone willing to assist them in conducting an attack. Alternatively, malicious insiders have been known to utilize these same channels to advertise their authorized access to certain assets or information.
In addition to monitoring for insider recruitment, gaining visibility into DDW activity also enables ITP teams to identify customer data, intellectual property, and other sensitive information being advertised on underground marketplaces. Matching the details a seller exposes (a sample of records, the named dataset, the date the listing appeared) against internal access and export records allows the team to determine whether the data was compromised by an insider rather than an external breach, and to take appropriate mitigation and response actions.
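The matching step described above, as an added example that is not Flashpoint's code: a sample of record identifiers quoted in a constructed underground listing is joined against constructed internal access-log lines to rank which users touched every leaked record in the window before the listing appeared, and the sample is checked for canary records that the organization is assumed to have seeded into one export path. The listing, log lines, canary map, field layout and 90-day lookback are all assumptions made for the example.

```python
"""Triage an external (DDW) finding against internal access logs.

Added example, not code from the original article. Every identifier, log
line and canary below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: record identifiers quoted in the "free sample" of a listing.
LEAKED_SAMPLE_IDS = {"CUST-10421", "CUST-10877", "CUST-11302", "CUST-99901"}

# Constructed: canary (honeytoken) records seeded into the customer data,
# keyed by the only access path through which each canary is visible.
# Assumption: the organization seeds one canary per export path.
CANARY_RECORDS = {"CUST-99901": "report-export"}

# Constructed internal access log: timestamp,user,action,record_id,channel
ACCESS_LOG = """\
2018-10-02T09:14:07Z,jdoe,read,CUST-10421,crm-ui
2018-10-02T09:15:31Z,jdoe,read,CUST-10877,crm-ui
2018-10-02T09:16:02Z,jdoe,read,CUST-11302,crm-ui
2018-10-03T14:02:11Z,asmith,read,CUST-10421,crm-ui
2018-10-03T14:05:49Z,asmith,read,CUST-11302,crm-ui
2018-10-05T22:48:13Z,bwong,export,CUST-10421,report-export
2018-10-05T22:48:13Z,bwong,export,CUST-10877,report-export
2018-10-05T22:48:13Z,bwong,export,CUST-11302,report-export
2018-10-05T22:48:13Z,bwong,export,CUST-99901,report-export
2018-07-01T10:00:00Z,cold,read,CUST-10421,crm-ui
"""


def parse_access_log(text):
    """Parse the constructed CSV-style log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record_id, channel = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "action": action,
            "record_id": record_id,
            "channel": channel,
        })
    return events


def candidate_sources(leaked_ids, events, listing_seen, lookback_days=90):
    """Rank users by how much of the leaked sample they accessed in the
    lookback window ending when the listing was first seen.

    A user who touched every leaked record, especially via a bulk export,
    is a candidate for follow-up, not a confirmed source: shared accounts,
    service accounts and scraping via another path all produce the same
    coverage figure and must be ruled out by the investigator.
    """
    cutoff = listing_seen - timedelta(days=lookback_days)
    touched = defaultdict(set)      # user -> leaked record ids accessed
    bulk = defaultdict(bool)        # user -> any bulk export of those ids
    for e in events:
        if e["record_id"] not in leaked_ids:
            continue
        if not cutoff <= e["ts"] <= listing_seen:
            continue                # outside the window of interest
        touched[e["user"]].add(e["record_id"])
        if e["action"] == "export":
            bulk[e["user"]] = True
    ranked = sorted(touched, key=lambda u: (-len(touched[u]), u))
    return [
        {
            "user": u,
            "coverage": len(touched[u]) / len(leaked_ids),
            "full_coverage": touched[u] == set(leaked_ids),
            "bulk_export": bulk[u],
        }
        for u in ranked
    ]


def canary_hits(leaked_ids, canaries):
    """Return the canary records present in the sample and the access path
    each one was seeded into; a hit narrows the leak to that path."""
    return {rid: canaries[rid] for rid in leaked_ids if rid in canaries}


if __name__ == "__main__":
    listing_first_seen = datetime(2018, 10, 8)   # constructed observation date
    evs = parse_access_log(ACCESS_LOG)
    for row in candidate_sources(LEAKED_SAMPLE_IDS, evs, listing_first_seen):
        print(row)
    print("canary hits:", canary_hits(LEAKED_SAMPLE_IDS, CANARY_RECORDS))
```

In the constructed data the canary confines the leak to the report-export path, and only one user exported all four sampled records inside the window, so that account is the first lead; the July access falls outside the 90-day lookback and is dropped. Real listings rarely quote clean identifiers, so in practice the join key is whatever the seller exposes (names, partial account numbers, document titles), and the same coverage logic applies once those fields are normalized.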
Information Sharing and Finished Intelligence
As insider threats continue to evolve, relying solely on internal resources and expertise will eventually cause ITP teams to fall behind in their efforts to combat threat actors’ latest tactics, techniques, and procedures (TTPs). By openly collaborating with, and learning from, trusted insider-threat experts operating in a variety of sectors, ITP teams benefit from a collective body of knowledge and experience which serves as a sounding board for assessing and adapting to emerging trends.
Social Media Activity
As David L. Charney has observed, insider threat events always originate within the minds of individuals. Social media can therefore be a useful resource for gaining insight into an individual's interests and activity beyond an organization's internal network, as well as the psychological triggers and motives behind suspicious activity. For example, an employee's social media account may reveal recent travel to a suspicious location, potential collusion with external threat actors, extravagant spending habits, or financial difficulties, all of which are potential indicators of insider-threat activity.
External actors, mostly Chinese intelligence services, have also been known to leverage professional networking sites to recruit insiders, specifically seeking out certain skills or employees at a particular organization, and offering them temporary opportunities as consultants or guest speakers in order to get them to share internal knowledge about specific areas of interest.
Eric Lackey, Flashpoint's principal advisor of insider threat program management, has over 20 years of experience in insider threat and counterintelligence work, supporting criminal investigations, threat intelligence analysis, network investigations, and digital forensics. Prior to joining Flashpoint, Eric worked on the Global Information Security Insider Threat team at one of the largest global financial services institutions. Before that, he spent 10 years as a Senior Insider Threat and Counterintelligence Analyst for the Air Force Office of Special Investigations, as part of 23 years of service within the Department of Defense. Eric holds a Bachelor of Science in Business Administration and a Master of Science in Digital Forensic Science.