How the FBI Catches Workplace Spies
Forget Chinese hackers. The biggest information-security threat to American companies comes from disgruntled insiders, say two FBI staffers.
Patrick Reidy, an information-security officer, and Kate Randal, a forensic psychologist, outlined their argument at the RSA Security Conference in San Francisco last month in a presentation called "Combating Insider Threats: Lessons Learned From the Trenches."
"Everybody thinks of insider threats as being a hacker or running hacking tools on an internal network," Reidy said. "In reality, you're dealing with authorized users doing authorized things for malicious purposes."
Paradoxically, the FBI experts said, the solution to stopping insider threats lies in trusting employees with their own workplace security. Creating a mutually supportive environment may deter a potential malicious insider from acting.
Not just a technical issue
The damage caused by malicious insiders far outweighs their prevalence, Reidy said.
In the past decade, only 19 percent of reported information-loss incidents have involved insider threats. Yet those that did ended up, on average, costing more than $400,000 to clean up. A few resulted in losses of more than $1 billion.
"The major difference between the insider-threat problem and the traditional cybersecurity problem is that we trust our threat," Randal said. "We trust them with our most sensitive and valuable information, and we trust that they're not going to abuse or betray that."
As a result, combating insider threats isn't a purely technical or "cyber" issue. Psychological factors play a large role.
"It's a people-centric problem," Randal said, "and it [requires] a people-centric solution."
The trick is to figure out who in an organization might be an authorized attacker. To do so, said Randal, managers need to combine technical, contextual and psychological clues.
"The most critical element to an insider threat program is knowing your people," she said. "Who are your people? What are they doing? What potential risk factors or vulnerabilities might they have that could enact some harm or additional risk to your organization?"
"The more you know about your people," Randal added, "the more you'll know about your threat and the better you'll be in a position to defend against it."
Spot the warning signs
Reidy pointed out that few malicious insiders start out that way.
"These are people who, most often, join organizations with no intention of wrongdoing," he said.
Nor are malicious insiders what Reidy called "knuckleheads," people who accidentally leak information by opening malicious email attachments or submitting details to phishing sites. (Such incidents made up about a quarter of those reported in the past decade.)
What typically happens in an insider-threat incident, Randal and Reidy explained, is that a previously honest employee is at some point recruited by a hostile outsider — a foreign government, a business competitor, perhaps even a news-media outlet — or becomes disgruntled enough to decide to steal information.
Often the two factors are combined, as with Army Pfc. Bradley Manning, who tried to pass classified diplomatic cables to major U.S. newspapers before turning to WikiLeaks, or with career FBI agent Robert Hanssen, who contacted a Soviet spy agency and offered to sell American secrets.
"We're real proud of the guy," Randal said sarcastically of Hanssen, adding that the Hanssen case kicked off serious research into insider threats.
After deciding to harm his organization, the typical malicious insider will identify what's worth stealing. The closer he is to it, or the higher the authorization he has to access it, the less time it takes for him to acquire it.
Trust your people, and they'll trust you
Signs that something fishy is afoot may become apparent to other workers, such as an employee who tries to hide communications with outsiders, who asks others to locate data for him or who renames or disguises filenames for no apparent reason.
Reidy emphasized that managers and supervisors need to trust other employees' observations of someone who might be acting suspiciously — and to trust employees to observe best security practices on their own. (Hanssen's co-workers aired suspicions with their supervisors several times before anything was done.)
"Crowdsource security," Reidy said. "Give the tools and capabilities out to the end user, and let the end user make decisions on how to protect their data."
Reidy added that most people are just as smart as security experts, and that most users will make the right decisions if you trust them.
The authorized attacker's final action is to steal the data, which can be spirited out in a number of different ways — by file transfers out of the company network, by burning onto a CD or DVD, by copying onto a flash drive or mobile device, or even by old-fashioned printing of documents.
Again, other employees can be trained to be alert for signs of data egress. Maybe a janitor has noticed that a particular employee is printing out hundreds of pages on nights and weekends. Maybe an IT staffer has seen a large amount of data crossing the network from a single workstation.
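The egress indicators described above (large print runs on nights and weekends, bulk transfers from a single workstation, files renamed to disguise what they are) can be turned into a simple behaviour-based check that compares each user against their own history rather than against a hacker signature. The following is an added example written for this page, not code from the article or from the FBI presenters; the log format, the user names, the business-hours window and the "five times the user's median" threshold are all assumptions made for the illustration, and the log lines are constructed.

```python
"""Behaviour-based egress detection over constructed activity logs.

Added example, not code from the article or the FBI talk. Log format,
users, business hours and thresholds are assumptions for illustration.
Each line is "ISO-timestamp,user,event,value" where event is one of
print_pages, net_out_bytes or file_rename (value is "old->new").
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: alice behaves normally; bob's activity shifts to
# nights and a weekend, with a large print run, a bulk transfer and a rename.
SAMPLE_LOG = """\
2024-03-04T10:15:00,alice,print_pages,12
2024-03-04T11:02:00,alice,net_out_bytes,5000000
2024-03-05T09:40:00,alice,print_pages,8
2024-03-05T14:10:00,alice,net_out_bytes,7000000
2024-03-06T16:05:00,alice,print_pages,15
2024-03-06T16:30:00,alice,net_out_bytes,4000000
2024-03-04T09:30:00,bob,print_pages,10
2024-03-04T10:00:00,bob,net_out_bytes,6000000
2024-03-05T13:00:00,bob,print_pages,9
2024-03-05T15:20:00,bob,net_out_bytes,5500000
2024-03-06T22:45:00,bob,print_pages,340
2024-03-09T02:10:00,bob,net_out_bytes,950000000
2024-03-09T02:25:00,bob,file_rename,q3_pricing.xlsx->notes.tmp
"""

BUSINESS_HOURS = range(7, 20)   # assumed: 07:00-19:59 local time, Mon-Fri
VOLUME_FACTOR = 5.0             # assumed: flag a day above 5x the user's median


def parse_log(text):
    """Parse the constructed log lines into (timestamp, user, event, value)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, event, value = line.split(",", 3)
        records.append((datetime.fromisoformat(ts), user, event, value))
    return records


def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def disguises_extension(rename_value):
    """True when a rename changes the file extension (e.g. .xlsx -> .tmp)."""
    if "->" not in rename_value:
        return False
    old, new = (p.strip() for p in rename_value.split("->", 1))
    old_ext = old.rsplit(".", 1)[-1].lower() if "." in old else ""
    new_ext = new.rsplit(".", 1)[-1].lower() if "." in new else ""
    return old_ext != new_ext


def detect_egress_anomalies(log_text, factor=VOLUME_FACTOR):
    """Return sorted (user, date, reason) alerts built from per-user baselines."""
    alerts = set()
    # (user, event) -> date -> summed daily volume
    daily = defaultdict(lambda: defaultdict(float))

    for ts, user, event, value in parse_log(log_text):
        day = ts.date().isoformat()
        if is_off_hours(ts):
            alerts.add((user, day, f"off_hours:{event}"))
        if event in ("print_pages", "net_out_bytes"):
            daily[(user, event)][day] += float(value)
        elif event == "file_rename" and disguises_extension(value):
            alerts.add((user, day, "extension_change:" + value))

    # Each user is compared with their own median day, so one employee's
    # normal print volume does not become an alert for another.
    for (user, event), per_day in daily.items():
        totals = list(per_day.values())
        if len(totals) < 3:
            continue   # too little history to form a baseline
        baseline = median(totals)
        if baseline <= 0:
            continue
        for day, total in per_day.items():
            if total > factor * baseline:
                alerts.add((user, day, f"volume_spike:{event}:{total:.0f}"))
    return sorted(alerts)


if __name__ == "__main__":
    for user, day, reason in detect_egress_anomalies(SAMPLE_LOG):
        print(f"{day} {user:8} {reason}")
```

On the constructed log the detector raises six alerts, all for bob: off-hours print and transfer activity, a print-volume spike, a transfer-volume spike and a document renamed to a `.tmp` file. A real deployment would feed print-server, proxy and file-audit records into the same shape; the point the example makes is that the baseline is the user's own history, which is what makes the method behavioural rather than signature-based.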
Randal said there are also certain personal factors more often seen in people who have become insider threats than in the general population. A failing or failed romantic relationship is common among discovered spies, as are other signs of personal stress.
Other psychological issues may be more deep-rooted. Known malicious insiders belittled co-workers, retaliated or threatened to retaliate against other employees and generally had trouble working as part of a team.
Randal and Reidy summed up their findings in five major points.
First, they reiterated, malicious insiders are not hackers. Defenders need to frame the threat correctly, despite the fact that most threat-detection tools and methods have been designed to combat external hackers, not authorized insiders.
Second, the issue of insider threats isn't a purely technical or "cyber" one. A lot of psychology is involved. So is assessing what sort of information an organization holds that might be valuable to someone else.
Third, it's better to deter authorized attackers before they act. The best way to do this is by creating a workplace environment that gives employees responsibility for security and discourages potential malicious actors.
Fourth, if you're sure something funny is going on, use behavior-based techniques to detect a malicious insider. Bait him with valuable-looking information to draw him out.
Finally, Reidy and Randal said, the science of insider-threat detection is still in its infancy. The lessons may change when more data becomes available — but for now, they're much better than blind guesses.