MODULE 6 – Insider Threats

Last lesson, noob, so pay attention.  I told you early on that social engineering was the most important tool in our drawer.  Well, that tool is nothing without some “help” on the inside of a target company.  The security industry rather uncharitably calls these helpers Insider Threats.  We prefer to call them… accomplices.  [in addition to dialogue you can also use this as a display definition somewhere, maybe Hackerpedia?] Insider threats are people with authorized access to a company’s resources, non-public data, or internal computer networks, who intentionally or unintentionally use that access to harm the company.  An insider threat does NOT have to be a direct hire employee!  It could be a worker, contractor, supplier, or any individual with privileged or non-public access to a company.

Insider threats come in two types: intentional and unintentional.  The best part? Either will suit our purposes!  Unintentional ones let slip confidential data in any of the many ways you’ve just learned about: phishing; using weak passwords at work; losing company devices.  My favorite – new employees or interns who are looking to make a big splash at their NEXT job by taking information from their current job.  Maybe they’re thinking, professional development?  Maybe night study to climb the corporate ladder? Maybe they’re not thinking!  They don’t understand that all the data on their employer’s computer belongs to the company.  I’d rather go after files on someone’s personal laptop or phone than a secure corporate network.  Thanks for the assist, Chad!  They didn’t mean to do any of those things, but they’re still insider threats. And it still adds up to points in our favor.

Given a choice, however, we prefer the intentional insider threat.  Those gems are working with a purpose.  They’re largely motivated by the same four things that we covered earlier – money, ideology, compromise, or ego.  The difference this time is that instead of people like us pushing them somehow, they’ve put themselves there. Maybe they didn’t get that promotion they were expecting and now they have an axe to grind against the company: POOF! Thanks for the Dark Web data dump showing them how “wrong” they were about you, Jeff!  Maybe they were short on money. WOOSH! There go the business secrets quietly out the door, straight to your competition.

There are plenty of reasons for insider threats to do what they do.  We just need to be in the right place when they choose to do it.

Lucky for us, there isn’t much in the way to stop a committed insider.  When someone chooses the dark side – I mean, our side – are there programs at work to protect the private information and the other employees there?  Not many companies have data compartmentalization programs.  Not all companies track exactly who knows what about the operations of the company. Without that, when someone quits, the company doesn’t know what data may be at risk. The departing employee may still have files and access to relevant sensitive data, or copies of it.

As they say, a company’s best assets leave the building every night.  Are they going home happy?  Do employees have any training in spotting significant attitude changes that might indicate data theft, misuse, or even workplace violence?  So many opportunities for us.

Review this lesson carefully.  It’s the last before your final exam.  Good luck, noob!



Insider Threat

  1. Definition: Someone with authorized access to a company’s internal system who intentionally or unintentionally uses that access to harm the company. Does not have to be a direct hire employee!  Could be a worker, contractor, or any individual with non-public access to a company.
  2. Significant percentage of attacks on companies are from insiders.
    1. Once again, companies are focused on solving the technical problem while ignoring the human behind the technical problem.
  3. Two kinds of insider threat – Intentional and Unintentional
    1. Intentional insider threats
      1. Motivated by the same things under MICE. Add to that Revenge: Didn’t get a promotion. Got fired. Ideas weren’t accepted at work.
      2. Sometimes they quit and attack the company with their insider info. Sometimes they do it in place.
      3. Can lead to violence.
    2. Unintentional insider threat
      1. People who don’t mean harm but don’t follow the rules.
      2. Employees who take company data with them; maybe for professional development, maybe for use in future jobs (competitors). Often employees who are new to the professional workplace. They don’t understand that just because they have access to data they don’t get to take the data without company permission.
      3. Not properly securing data makes employees unwitting threats.
  4. The hardest threat to deal with because:
    1. People are companies’ best assets – and they walk out the door every day.
    2. Hard to track knowledge that everyone has.
    3. Employees can typically take info out with them without the data transfer being tracked.
    4. Typically, only large or specialty companies have solid data compartmentalization programs.
    5. Where is the line between an employee discussing certain matters and crossing the line into giving something away that’s not authorized? Not always clear.
    6. Some insider threats are not with malicious intent – most hacks are inadvertently enabled by unwitting employees.
  5. Solutions
    1. Be aware of baselines of colleagues: Extroverts who suddenly become introverted and secretive about work they used to discuss freely; introverts who withdraw from workplace interaction even more; employees who begin downloading large amounts of data from corporate systems when they previously hadn’t.
    2. Recognize signs of possible intentional insider threat action:
      1. Excessive questions about restricted corporate information
      2. Interest in sensitive corporate programs or data that are not connected to their work
      3. Unusual patterns of copying data from online systems; excessive or unusual use of USB thumb drives to transfer data
      4. Sudden appearance of unexplained wealth
      5. Noticeable negative change in attitude about the company, specific managers, or new policies.