
The 3x rule. This is how I approach an insider threat.
The insider threat has a long timeline and could manifest over weeks or months.
The first thing they’ll always do is poke at your security in a light way that has plausible deniability. Testing if their access card works on the server room door or trying to copy something to a USB drive are typical examples.
This absolutely must lead to a response. It doesn’t need to be all guns blazing, but it needs to be a “we detected this and you should know better” or “why did you try to access the server room?” This does two things: a potential insider now knows they are being watched, and they gain a greater respect for your security. Gossip will spread the word. You might find you have a lot of these attempts, in which case a mass communication might be the way forward initially, combined with asking each person “why?”.
The second step is often something small leaving the building. It might be that they see whether they can get in and out with a USB drive carrying some small, unimportant file they can claim is personal (a rota?), or now they go into the room and have a good look around. “I have been trying to get hold of Bob all day, I really need him and I was told he was in here…” Excellent excuse to be in the server room, isn’t it? (No.)
At this point, you’re potentially one step away from a disgruntled or compromised employee taking the keys to the kingdom. It’s not for me to tell you what to do here, but you should do something effective to curb this behaviour.
The third step is taken when the insider threat has established that your security isn’t detecting their violations, and they have managed to get somewhere critical or to remove something small from the building without authorisation.
This is where you get pwned.
How do you sort this? Ask yourself what steps you would take if you were a compromised individual looking to sell the company’s secret sauce or bank account access. Ask managers and long-term, trusted employees with a vested interest in the company the same question. Then set up alerts, reporting and other mechanisms to catch step one, interdict on step two and never, ever let it get to step three.
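Here is what “catch step one, interdict on step two” can look like as detection logic. This is an added example, not something from the original post: it reads constructed badge-reader and endpoint/DLP log lines (the format, the users jdoe/asmith/bwong, the “server-room” door, the authorised list and the large-copy threshold are all made-up assumptions), maps each event to one of the three steps, and reports the highest step each person has reached together with how long their timeline has been running. Swap the parser and the rules for whatever your own access-control and endpoint systems actually emit.

```python
"""Three-step insider-threat triage over badge and endpoint logs.

Added example, not code from the original post. The log format, field
names, user IDs, restricted areas and thresholds below are assumptions
chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (not real data). One event per line:
# <ISO timestamp> <source> user=<id> action=<action> target=<t> result=<r> [bytes=<n>]
SAMPLE_LOG = """\
2024-03-04T09:12:00 badge user=jdoe action=door target=server-room result=denied
2024-03-05T17:40:00 endpoint user=jdoe action=usb-mount target=removable result=blocked
2024-03-12T12:05:00 badge user=jdoe action=door target=server-room result=granted
2024-03-19T18:02:00 endpoint user=jdoe action=file-copy target=removable result=allowed bytes=20480
2024-03-26T19:30:00 endpoint user=jdoe action=file-copy target=removable result=allowed bytes=2147483648
2024-03-04T10:00:00 badge user=asmith action=door target=server-room result=granted
2024-03-06T11:15:00 badge user=bwong action=door target=server-room result=denied
"""

RESTRICTED_AREAS = {"server-room"}                 # assumed: doors that matter
AUTHORISED = {"server-room": {"asmith"}}           # assumed: who belongs in each area
LARGE_COPY_BYTES = 100 * 1024 * 1024               # assumed: "keys to the kingdom" volume

# What the post says to do at each step.
RESPONSE = {
    1: "notify the person and ask why",
    2: "interdict: revoke access, interview, preserve evidence",
    3: "incident: assume whatever left the building is compromised",
}


@dataclass
class Event:
    ts: datetime
    source: str
    user: str
    action: str
    target: str
    result: str
    nbytes: int = 0


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, source, *kv = line.split()
    f = dict(p.split("=", 1) for p in kv)
    return Event(datetime.fromisoformat(ts), source, f["user"], f["action"],
                 f["target"], f["result"], int(f.get("bytes", 0)))


def step_of(ev: Event) -> int:
    """Map an event to the step it represents (1..3), or 0 if benign."""
    restricted = ev.target in RESTRICTED_AREAS
    authorised = ev.user in AUTHORISED.get(ev.target, set())
    if ev.action == "door" and restricted:
        if ev.result == "denied":
            return 1            # step one: does my card work on that door?
        if ev.result == "granted" and not authorised:
            return 2            # step two: inside somewhere they have no business being
    if ev.action == "usb-mount" and ev.result == "blocked":
        return 1                # step one: can I mount a drive?
    if ev.action == "file-copy" and ev.target == "removable" and ev.result == "allowed":
        # step two: something small left; step three: something big left
        return 3 if ev.nbytes >= LARGE_COPY_BYTES else 2
    return 0


def triage(log_text: str) -> dict:
    """Return, per user with at least one hit: highest step, sorted timeline,
    span in days between first and last hit, and the response to take."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        step = step_of(ev)
        if step:
            hits[ev.user].append((ev.ts, step, ev.action))
    report = {}
    for user, events in hits.items():
        events.sort()
        highest = max(s for _, s, _ in events)
        report[user] = {
            "step": highest,
            "timeline": events,
            "span_days": (events[-1][0] - events[0][0]).days,
            "response": RESPONSE[highest],
        }
    return report


if __name__ == "__main__":
    for user, r in sorted(triage(SAMPLE_LOG).items()):
        print(f"{user}: step {r['step']} over {r['span_days']} days -> {r['response']}")
        for ts, step, action in r["timeline"]:
            print(f"    {ts.date()} step {step}: {action}")
```

In the constructed sample, jdoe walks the whole path over three weeks (denied door, blocked USB, unauthorised entry, small copy, large copy) and lands at step three, bwong’s single denied badge is a step-one “ask why”, and asmith, who is authorised for the room, never appears. The point of `span_days` is the long timeline the post describes: a single alert is easy to dismiss, but a per-person history that keeps climbing is what you need in front of you to interdict at step two.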
Real-world example: a fixed camera (recording only, and only vaguely monitored) was noticed to have been moved off target. Inventory showed a lot of expensive stock was missing. The insider had moved the camera (amongst other things) some time ago to create a blind spot. Part of the prevention? Daily checks of every fixed camera’s position against its intended position, and an investigation into how any camera came to be moved.