Rethinking "Red Flags" - A New Approach to Insider Threats
A whole threat and whole person approach to efficient and effective insider early warning is needed.
Malicious insiders pose an existential threat to any organization. Insider theft, fraud, sabotage and violence continue unabated. Victims are left damaged, sometimes terminally. Technical countermeasures only address part of the problem and are increasingly expensive, complicated and difficult to integrate. New regulations are adding additional requirements to overburdened staff. Throughout this all, insider program funding remains insufficient. The bottom line – the job isn’t getting any easier.
At the core of the insider mitigation process is the insider “red flag” methodology, a legacy approach that is increasingly failing us. The evidence is all around: insider incidents are increasing in number and impact, most with abundant (but generally unactioned) “red flags.” How often do we look back following an incident and immediately recognize clear indicators? Far too many times.
The reasons for this failure can be found within most organizations. First, insider threat early warning programs often lack the attention, expertise, funding, incentive programs, information-sharing processes and programmatic approaches necessary to be successful. Second, organizational cultures often undercut the effectiveness of early warning programs through denial, privacy concerns, lack of accountability and a cognitive bias toward technical cybersecurity. Third, faulty assumptions such as “it won’t happen here,” “red flags are reported and responded to,” and “people will do the right thing” undermine the process. Finally, there is “social shirking,” meaning no one wants to be a tattletale, many folks avoid conflict and some pass the buck on this important issue.
But all is not lost! There is some good news – significant opportunities exist for stopping insider attacks, around which an affordable and effective early warning system can be created.
These opportunities are created by the simple fact that insider attacks are generally not impulsive in nature. Regardless of motivation, the insider plans for months or even years before acting. And no matter how hard they try to cover their tracks, they leave evidence during the slow progression from idea to action. This evidence is observable; the changes in attitude and behavior are discernible and detectable.
More importantly, these relatively slight changes in attitude and behavior serve as predictors of how an insider will react to greater stress. In essence, minor events will showcase a natural reaction, allowing one to predict reactions to major events. By knowing that specific personalities are negatively affected by specific events, one can identify “tripwires” for more significant problems.
To summarize, insiders tend to slowly evolve toward action and often provide indications of their progression. Leveraged properly, these indicators can be used to track, predict and stop attacks.
The Insider Kill Chain
To exploit this behavioral evidence, we first need to understand the “insider kill chain.” This is the path that an insider takes as they move toward action.
The first stage is “personality temperament.” Essentially, this is the nature of the person you hired. For our purposes, an important personality differentiation is whether this person is predisposed toward “self-healing” or toward “self-destruction.” Elements that sway a personality toward self-destruction (and insider attacks) include violent tendencies, psychological imbalance, vengefulness, etc. Malevolent qualities known in psychology as the “Dark Triad” of narcissism, psychopathy and Machiavellianism can also increase an insider’s self-destructive nature.
The second stage is a “precipitating event.” Our focus is on stressors that create emotional change, such as personal or professional crises.
The third stage is a “conflict,” which is often a self-expression like dissatisfaction with a superior, colleague, or the entire organization.
The fourth stage is “determination,” which is often exemplified by refinement of a mindset like increased risk-taking, open hostility, social withdrawal, identification with violence, etc.
The fifth stage is “preparation,” often taking the form of reconnaissance, acquisition of materials, drafting of manifestos and other attack precursors.
Finally, there is the “attack.” This is the endpoint of resentment that has been building against an organization or system that the insider believes has unfairly treated them.
Just as there is a critical path or “kill chain” for each attack, there are critical stages of life. The ages between 35 and 45 are particularly relevant to insider threat mitigation. These are the ages known for reevaluation of life choices and life goals. For our purposes, this is a critical time because it is the point at which one’s personal and professional lives are most tightly intertwined.
Known commonly as the “mid-life crisis” years, this is when divorce and career change are most frequent. As you can imagine, a strong partnership can carry someone through a bad work situation and a good professional situation can carry someone through relationship stress, but the simultaneous collapse of both often results in increased psychological vulnerability for the employee and increased risk for their employer.
Applying the Insider Kill Chain
So, how do you use the insider kill chain to your advantage? You do so by creating an early warning system that is more effective and efficient than the traditional “red flag” methodology.
Greater effectiveness is achieved by taking a holistic “whole person” and “whole threat” approach. A “whole person” approach is contextual and psychosocial, using personality, environment and precipitating events to identify insider risk. A “whole threat” approach addresses the common root causes that result in different attack forms (data theft, fraud, sabotage or violence). It leverages common sense and objectivity to understand the insider personalities relevant to your organization, the precipitating events that can turn those personalities to malicious action and the corresponding tripwires that require your action.
Greater efficiency is gained by focusing on the incidents of greatest impact and probability by narrowing the attention to critical materials, data and processes and those with access to those items. Tailoring the system to your organization’s risk tolerance, culture and financial resources further enhances the likelihood of success.
But how best to observe and assess this behavior? Well, it turns out that humans are quite good at detecting insiders: they naturally create behavior baselines for everyone they know, they have a “sixth sense” for deviations from those baselines (for anomalous behavior) and they can instantly evaluate actions within context. In fact, independent behavioral observation is a leading way that malicious insiders are discovered.
And remember, the insider kill chain takes place within your organizational environment – which you control. Just as you can design a building to enhance and enforce an organization’s security measures, you can design an environment to enhance and enforce your insider risk program. The bottom line is that you can have your organizational environment work for or against you.
The 13-Step Framework
To create a “whole person” and “whole threat” early warning system for your organization, this framework outlines best practices for knowing the predisposition, precipitating events and tripwires of potential insiders, so that you can better identify insider threats. The framework is designed with an understanding that there are areas that we control and areas we don’t. Some of you may be familiar with the Serenity Prayer: “Lord grant me the serenity to accept the things I cannot change, the courage to change the things I can, and the wisdom to know the difference.”
As noted earlier, we control the environment. To a much lesser degree, we control the personalities of those we work with – by who we hire in the first place. As the environment is where we can administer the greatest mitigation, the framework is focused on building in the strongest insider threat countermeasures allowable by your organization’s culture, capabilities and resources.
Insider Threat Profiles
To augment the framework, the following are general descriptions of the insider attack types and their commonly related insider profiles. Each profile is made from the personality characteristics, critical events that negatively affect them and the tripwires that should prompt action.
Unintentional insider threat. These insiders act without malicious intent but become a threat through negligence or outside manipulation. Common personality characteristics include being flighty, unfocused, disorganized, scatter-brained, stressed and strained. Common precipitating events include new personal or professional distractions. Common tripwires include personal cell phone/computer overuse, unwittingly providing sensitive information to outsiders, discussing sensitive matters with uncleared personnel, leaving sensitive documents or devices accessible to others, posting confidential organizational details to social media sites and consistent failure to meet deadlines.
Intellectual property/sensitive data theft. These insiders seek to benefit themselves or others by stealing valuable data or materials. They may be working alone or in collaboration with an outside malicious actor. Common personality characteristics include entitlement, narcissism, anti-social behavior and a desire to control all things. Common precipitating events include a negative personal financial event, failed promotion effort, poor performance review, unmet career aspirations, resignation or termination.
Common tripwires include “borrowing” office items for home use, attempting privilege escalation, conducting questionable downloads, violating cybersecurity policy, working outside profile hours, transferring data and/or printing outside profile hours, stealing inventory and bringing unauthorized recording equipment into work.
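Several of the tripwires above (out-of-profile hours, data transfers, printing, privilege escalation attempts) are the kind of thing a log-based check can surface for a human reviewer, and the earlier point about people forming behavior baselines and noticing deviations applies equally to machine-observable activity. The following is an added illustration, not code from the article or from any product: it builds a per-user working-hours profile from a baseline period, flags tripwire actions that fall outside that profile, and escalates a user for review only when several distinct tripwire types cluster within a short window, in the spirit of the “whole threat” view. The log format, the baseline cutoff, the one-hour padding, the 24-hour correlation window and the escalation threshold are all assumptions chosen for the example; the log lines themselves are constructed.

```python
"""Baseline-and-deviation check for insider tripwires (added example, hypothetical data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not from any real system. Fields: timestamp,user,action,detail
SAMPLE_LOG = """\
2024-03-04T09:02:00,alice,login,workstation
2024-03-04T17:31:00,alice,logout,workstation
2024-03-05T08:48:00,alice,login,workstation
2024-03-05T18:05:00,alice,logout,workstation
2024-03-06T09:10:00,alice,login,workstation
2024-03-06T17:55:00,alice,logout,workstation
2024-03-04T13:00:00,bob,login,workstation
2024-03-04T22:10:00,bob,logout,workstation
2024-03-05T12:40:00,bob,login,workstation
2024-03-05T21:50:00,bob,logout,workstation
2024-03-12T02:17:00,alice,transfer,removable-media 4.2GB
2024-03-12T02:45:00,alice,print,design_spec.pdf
2024-03-12T03:10:00,alice,priv_escalation_attempt,sudo denied
2024-03-12T21:30:00,bob,transfer,removable-media 0.3GB
2024-03-13T14:00:00,alice,print,meeting_notes.pdf
"""

# Assumed tuning values for the example; a real program would derive these from its own risk tolerance.
BASELINE_END = datetime(2024, 3, 8)          # events before this date build the per-user profile
TRIPWIRE_ACTIONS = {"transfer", "print", "priv_escalation_attempt"}
ALWAYS_FLAG = {"priv_escalation_attempt"}    # flagged at any hour
PAD_HOURS = 1                                # tolerance added around observed working hours
CORRELATION_WINDOW = timedelta(hours=24)
ESCALATE_AT = 2                              # distinct tripwire types within the window


def parse_log(text):
    """Parse the CSV-style lines into dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, detail = line.split(",", 3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def _hour(ts):
    return ts.hour + ts.minute / 60


def build_baselines(events):
    """Per-user (earliest, latest) hour seen in login/logout events during the baseline period."""
    hours = defaultdict(list)
    for e in events:
        if e["ts"] < BASELINE_END and e["action"] in ("login", "logout"):
            hours[e["user"]].append(_hour(e["ts"]))
    return {u: (max(0, min(h) - PAD_HOURS), min(24, max(h) + PAD_HOURS))
            for u, h in hours.items()}


def out_of_profile(event, baselines):
    """True when the event falls outside the user's padded working-hours window."""
    if event["user"] not in baselines:
        return True  # no profile at all: treat as out of profile so a human looks at it
    lo, hi = baselines[event["user"]]
    return not (lo <= _hour(event["ts"]) <= hi)


def find_tripwires(events, baselines):
    """Individual tripwire hits after the baseline period, each with a human-readable reason."""
    hits = []
    for e in events:
        if e["ts"] < BASELINE_END or e["action"] not in TRIPWIRE_ACTIONS:
            continue
        if e["action"] in ALWAYS_FLAG:
            hits.append({**e, "reason": e["action"]})
        elif out_of_profile(e, baselines):
            hits.append({**e, "reason": f"{e['action']} outside profile hours"})
    return hits


def escalations(hits):
    """Users with at least ESCALATE_AT distinct tripwire types inside one correlation window."""
    by_user = defaultdict(list)
    for h in hits:
        by_user[h["user"]].append(h)
    flagged = {}
    for user, user_hits in by_user.items():
        for i, first in enumerate(user_hits):
            kinds = {h["action"] for h in user_hits[i:]
                     if h["ts"] - first["ts"] <= CORRELATION_WINDOW}
            if len(kinds) >= ESCALATE_AT:
                flagged[user] = sorted(kinds)
                break
    return flagged


def run(text=SAMPLE_LOG):
    events = parse_log(text)
    baselines = build_baselines(events)
    hits = find_tripwires(events, baselines)
    return baselines, hits, escalations(hits)


if __name__ == "__main__":
    baselines, hits, flagged = run()
    for h in hits:
        print(f"{h['ts']:%Y-%m-%d %H:%M} {h['user']:6} {h['reason']} ({h['detail']})")
    for user, kinds in flagged.items():
        print(f"ESCALATE {user}: {', '.join(kinds)}")
```

On the constructed data, bob’s evening transfer is within his own profile and produces nothing, while alice’s 02:00 transfer and print plus a failed privilege escalation cluster inside one day and escalate her for review. The design point is that a single out-of-hours event is only context; the combination of several tripwire types against the individual’s own baseline is what should prompt a person to take a closer look.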
Insider fraud. These insiders seek personal gain through their attacks. Common personality characteristics include egotism, entitlement, privilege and self-importance. Common precipitating events include significant additional expenses, negative personal financial events and unmet career and/or lifestyle aspirations. Common tripwires include living beyond one’s means, debt collection, violations of financial policies, intentional data manipulation, use of and/or close association with a known supplier, minor fraudulent expenses, insider trading violations, demonstrating excessive control over financial duties and exhibiting shrewd or unscrupulous behavior.
Sabotage. These insiders strike out against an organization with intent to harm its functionality. Common personality characteristics include anger, vengefulness, vindictiveness, disengagement and destructive behavior. Common precipitating events include confrontation with management, poor performance review, failed promotion effort, demotion, workplace embarrassment and termination. Common tripwires include the testing of security procedures, defacing company website pages, “accidentally” breaking a component in a critical machine, contaminating a clean room, altering enterprise software, misconfiguring products to cause failure and workplace harassment or violence.
Workplace violence. These insiders seek to strike out against the organization by causing bodily harm to people within it. Common personality characteristics include aggressiveness, emotional detachment, confrontation, control-seeking, disengagement, strain and a lack of remorse. Common precipitating events include negative family or relationship events. Common tripwires are shared with sabotage and include emotional outbursts, failure to communicate and/or work in groups, bullying, difficulty taking criticism, boundary violations, refusals to work with others, violent threats, physical altercations and reflections of extremist beliefs.