The December 5 attack by Saudi Air Force officer Mohammad al-Shamrani at Pensacola Naval Air Station has again called into question the value of insider threat indicators or “red flags”.
Media reporting indicates that the attacker, who killed three U.S. Navy sailors and injured eight others before being shot dead by police, exhibited readily observable anomalous behavior in the preceding weeks and months:
- He lodged a complaint in April against an instructor who mocked his mustache in front of about other students.
- He obtained a Florida hunting license in April that allowed him to take advantage of a loophole in federal law banning foreign nationals from buying a gun (which he wasn’t allowed to take onto Pensacola Air Base or aboard a return flight home). Following a 15-month process, he took possession of a 9mm handgun and multiple extended magazines.
- He began making social media postings that were increasingly religiously extreme, anti-Saudi and anti-American. Notably out of profile for a Saudi military officer were an absence of admiring content about the King and Crown Prince of Saudi Arabia, and a consistent interest in groups and individuals considered terrorists by his government.
- His behavior was described as “sullen”, “angry” and “strange” by fellow students following his return from home leave.
- Days before the attack he hosted a dinner party for himself and three other Saudi trainees where they all watched videos of mass shootings together.
- Hours before the attack he posted a hate-fueled manifesto on Twitter, saying “I’m against evil, and America as a whole has turned into a nation of evil. I’m not against you for just being American, I don’t hate you because your freedoms, I hate you because every day you supporting, funding and committing crimes not only against Muslims but also humanity”. The posting condemned US support for Israel and included quotes from Osama bin Laden and Anwar al-Awlaki.
The red flags were there – but why wasn’t al-Shamrani identified as an insider?
The Insider Threat: A Whole Person, Whole Threat Approach
Malicious insiders pose an existential threat to any organization. Insider theft, fraud, sabotage and violence continue unabated. Victims are left damaged, sometimes terminally. Technical countermeasures only address part of the problem and are increasingly expensive, complicated and difficult to integrate. New regulations add additional requirements to overburdened staff. Nevertheless, insider program funding remains insufficient. The bottom line — the job isn’t getting any easier.
At the core of the insider risk mitigation process is the insider ‘red flag’ methodology, a legacy approach that is increasingly failing. The evidence of this failure: insider incidents are increasing in number and impact, most with abundant (but generally unactioned) ‘red flags.’ How often do we look back following an incident and immediately recognize clear indicators? Far too many times.
The reasons for this failure can be found within most organizations. First, insider threat early warning programs often lack the attention, expertise, funding, incentive programs, information-sharing processes and programmatic approaches necessary to be successful. Second, organizational cultures often undercut the effectiveness of early warning programs through denial, privacy concerns, lack of accountability, and a cognitive bias toward technical cybersecurity. Third, faulty assumptions such as “it won’t happen here,” “red flags are reported and responded to,” and “people will do the right thing” undermine the process. Finally, there is ‘social shirking’: no one wants to be a tattletale, many avoid conflict, and some pass the buck through inaction.
But all is not lost! There is some good news — significant opportunities exist for stopping insider attacks, and an affordable and effective early warning system can be created around them.
These opportunities are created by the simple fact that insider attacks are generally not impulsive in nature. Regardless of motivation, the insider plans for months or even years before acting. And no matter how hard the attacker tries to cover their tracks, they leave evidence during the slow progression from idea to action. That evidence consists of observable changes in attitude and behavior, which are discernible and detectable when you know what to look for.
More importantly, these relatively slight changes in attitude and behavior are predictive, showing how an insider will react to greater stress. In essence, minor events showcase a natural reaction, allowing one to predict reactions to major events. By knowing that specific personalities are negatively affected by specific events, one can identify ‘tripwires’ for more significant problems.
To summarize, insiders tend to slowly evolve toward action, and often provide indications of their progression. Leveraged properly, these indicators can be used to track, predict and stop attacks.
The Insider Kill Chain
To exploit this behavioral evidence, we first need to understand the “insider kill chain”. This is the path that an insider takes as they move toward action.
The first stage is “temperament.” Essentially, this is the nature of the insider. For our purposes, an important personality differentiation is whether they are predisposed either toward “self-healing” or “self-destruction.” Elements that sway a personality toward self-destruction (and insider attacks) include violent tendencies, psychological imbalance, vengefulness, etc. Malevolent qualities known in psychology as the “Dark Triad” of narcissism, psychopathy and Machiavellianism can also increase an insider’s self-destructive nature.
The second stage is an “event.” Our focus is on stressors that create emotional change, such as personal or professional crises.
The third stage is “conflict.” Often this is expression of dissatisfaction with a superior, colleague, or the entire organization.
The fourth stage is “determination.” This is refinement of a mindset such as increased risk-taking, open hostility, social withdrawal, identification with violence, etc.
The fifth stage is “preparation.” This often takes the form of reconnaissance, acquisition of materials, drafting of manifestos, and other attack precursors.
Finally, there is the “attack.” This is the endpoint of resentment that’s been building against an organization or system that the insider believes has unfairly treated them.
Just as there is a critical path or kill chain for each attack, there are critical stages of life. The ages between 35 and 45 years old are particularly relevant to insider threat mitigation. These are the ages known for reevaluation of life choices and life goals. For our purposes, this is a critical time, because it is the highest point of the symbiotic relationship between one’s personal and professional lives. Known commonly as the “mid-life crisis,” these are the years in which divorce and career change peak. As can be imagined, a strong partnership can carry someone through a bad work situation and a good professional situation can assist someone through relationship stress, but the simultaneous collapse of both often results in increased psychological vulnerability for the employee and increased risk for their employer.
So, how do you use the insider kill chain to your advantage? You do so by creating an early warning system that is more effective and efficient than the traditional “red flag” methodology.
Applying the Insider Kill Chain
Greater effectiveness is achieved by taking a holistic “whole person” and “whole threat” approach. A “whole person” approach is contextual and psychosocial, using personality, environment and precipitating events to identify insider risk. A “whole threat” approach addresses the common root causes that result in different attack forms (data theft, fraud, sabotage, violence). It leverages common sense and objectivity to understand the trusted insider personalities relevant to the organization, the precipitating events that can turn those personalities to malicious action, and the corresponding tripwires that require action.
Greater efficiency is gained by focusing on the incidents of greatest impact by narrowing the attention to critical materials, data and processes, and those with access to those items. Tailoring the system to the organization’s risk tolerance, culture and financial resources further enhances the likelihood of success.
But how best to observe and assess this behavior? Well, it turns out that humans are quite good at detecting insiders: they naturally create behavior baselines for everyone they know, they have a ‘sixth sense’ for deviations from those baselines (for anomalous behavior), and they can instantly evaluate actions within context. In fact, independent behavioral observation is a leading way that malicious insiders are discovered.
And remember, the insider kill chain takes place within the organizational environment – which can be controlled. Just as a building can be designed to enhance and enforce an organization’s security measures, an environment can be designed to enhance and enforce an insider risk program. Put simply, the organizational environment can work for or against you.
The 14-Step Framework
To assist in creating a “whole person” and “whole threat” insider threat early warning system for an organization, this framework outlines best practices for knowing the predisposition, precipitating events and tripwires of potential insiders, so that threats can be better identified.
The framework is designed with an understanding that there are matters that can be controlled and those that cannot. Reinhold Niebuhr’s “Serenity Prayer” applies here: “Lord grant me the serenity to accept the things I cannot change, the courage to change the things I can, and the wisdom to know the difference.” As noted earlier, we control the environment. To a much lesser degree, the personalities of those we work with can be controlled by whom we hire in the first place. As the environment is where we can administer the greatest mitigation, the framework is focused on building into the environment the strongest insider threat countermeasures allowable by the organization’s culture, capabilities and resources.
Step #1: Identify critical materials, products, data and processes.
Often referred to as the “crown jewels”, this list is usually longer than one realizes, as it must include anything that can be monetized or used by attackers in malicious ways. This includes business disruption and reputational harm.
Step #2: Identify everyone who has/had access to the critical items.
This is also a longer list than normally understood, and includes partners, vendors, suppliers, cleaning crews, etc. Ensure that access is examined from a holistic perspective, including absolutely all persons with access at all times (including former employees and those entering during non-business hours).
Step #3: Determine the leading vulnerabilities.
Identify how attackers would achieve their goals, whether it be theft, sabotage and/or violence. This is best done by objectively applying the “attacker mentality” through external “red teams”.
Step #4: Determine the most harmful insider attack(s).
These are the insider attacks of greatest negative impact. They could be sabotage, intellectual property/sensitive data theft, insider fraud, unintentional insider threat and/or workplace violence.
Step #5: Determine the most relevant insider profiles.
The answer to the last step should help in the development of a watchlist of the most relevant profiles. A refined understanding of the organization, the various types of employees, and the work environment itself is important to this determination. Certain organizations are more susceptible to certain insider attacks, and certain events are more likely to be a “tipping point” for a predisposed insider personality. It can be helpful to get into the head of the attacker and understand what sets them off, how they would strike out and how they would plan their attack. While common insider profiles are provided below, profiles tailored to individual organizations work best.
Step #6: Honestly assess the current state.
Identify where the environment is weakest at addressing the insider kill chain, particularly in engagement with and understanding of the employees with access to critical items. Objectively assess the early warning capability of leaders and managers: how well do they know their people and understand their personalities, and how effectively can indicators be identified, reported and addressed? These shortcomings can arise anywhere from the time an employee is onboarded until they are offboarded, and everywhere in between. Particular attention should be paid to the current mechanisms, processes and procedures for employees and line managers to report anomalous employee behavior. The goal is to measure the strengths and weaknesses of the environment in identifying the most relevant insider attacks, the profiles of those who should be of concern, the critical events that can most negatively affect certain personality temperaments, and who with access to critical items fits those profiles.
Step #7: Determine the early warning capability of partners.
This includes vendors and clients with access to critical materials. Remember that attackers look for the weakest link, which could easily be a partner or member.
Step #8: Create an empowered stakeholder team.
Put simply, an insider threat program should be “crowdsourced” by a group including representatives from the C-suite, legal, human resources (HR), information technology (IT), administrative, financial, compliance, security, and the general employee population. Supported by a senior-level champion, this team can help implement cross-organizational communication and information sharing. As 70% of insider attacks occur within 60 days of an employee leaving the organization, it is critical that HR immediately notify the team of voluntary and involuntary departures and of anomalous employee behavior.
Step #9: Determine the early warning program goals.
Using the stakeholder team, set the goals needed to know, understand and help employees. Focus on realizable achievements, match the organizational culture and resources, determine what is not achievable, and create milestones for desired progress.
Step #10: Advertise the program.
Once again use the stakeholder team to demonstrate transparency within the environment. Clearly state what is being done and why. Provide opportunity for questions and recommendations. All of this will help avoid claims of hidden agendas. By highlighting the co-dependency of employee and organizational success, employees will become stakeholders in the program. By explaining that the program is meant to provide early warning of employees that may need assistance from the organization, the program may be viewed as positive rather than punitive. To reinforce points, consider using accepted norms like the public security program slogan “see something, say something”.
Step #11: Determine all available early warning sensors.
These are staff in a position to spot indicators, particularly line managers and the HR, IT and security departments. HR can highlight performance and behavioral issues, IT can highlight network anomalies, and security can highlight policy violations. Line managers and employees can provide firsthand observations of unusual behavior. Public record checks can reveal arrests, foreclosures, etc. Don’t overlook that potential insiders can highlight themselves through requests for managerial assistance, organizational change or conflict mediation.
Step #12: Increase the awareness, appreciation and use of profiles and indicators.
Of course, staff will require training to make the program work. Staff will need to understand that behavior and behavioral observations do matter. They will need to know about insider personality types, the impact of precipitating events, and how to spot indicators of a negative response to an event. Part of training may include the proper use of a simple and private reporting mechanism. Some organizations may want to consider making reporting insider threat behavior a requirement. While not a small step, such a policy tends to eliminate employee ambiguity and personal judgement, and reduces missed indicators.
Step #13: Predetermine the response to a potential problem.
While responses are situation and organization dependent, there are a few notable best practices to consider. First, predetermine lines that, if crossed, require further action. Second, maintain an objective perspective of the situation, starting with the premise of innocence and using observation as a starting point for further information collection (not judgement). Finally, predetermine the status that, if achieved, prompts the end of monitoring (reverse tripwires). As stated earlier, the intent is to focus on employee welfare. This will enhance morale and positively reinforce stakeholder buy-in, coworker reporting, and overall program success.
Step #14: Institute continuous program improvement.
As with most security programs, conduct continuous evaluation, tabletop exercises, ‘red-team’ exercises, and solicit and incorporate constructive employee feedback and recommendations.
Insider Threat Profiles
To augment the framework, the following are general descriptions of insider attack types and their profiles. Each profile is developed from commonly seen personality characteristics, critical events that negatively affect them, and the indicators that should prompt action. They are presented as a starting point for profiles individually tailored to specific organizations.
Intellectual property/sensitive data theft. These insiders seek to benefit themselves or others by stealing valuable data or materials. They may be working alone or in collaboration with an outside malicious actor. Common personality characteristics include entitlement, narcissism, anti-social behavior, and a desire to control all things. Common precipitating events include a negative personal financial event, failed promotion effort, poor performance review, unmet career aspirations, resignation or termination. Common indicators include “borrowing” office items for home use, attempting privilege escalation, conducting questionable downloads, violating cyber security policy, working out-of-profile hours, transferring and/or printing data during out-of-profile hours, stealing inventory and bringing unauthorized recording equipment into work.
Insider fraud. These insiders seek personal gain through their attacks. Common personality characteristics include egotism, entitlement, privilege, and self-importance. Common precipitating events include significant additional expenses, negative personal financial events and unmet career and/or lifestyle aspirations. Common indicators include living beyond one’s means, debt collection, violations of financial policies, intentional data manipulation, use of and/or close association with a known supplier, minor fraudulent expenses, insider trading violations, demonstrating excessive control over financial duties and exhibiting shrewd or unscrupulous behavior.
Sabotage. These insiders strike out against an organization with intent to harm its functionality. Common personality characteristics include anger, vengefulness, vindictiveness, disengagement, and destructive behavior. Common precipitating events include confrontation with management, poor performance review, failed promotion effort, demotion, workplace embarrassment, and termination. Common tripwires include the testing of security procedures, defacing company website pages, “accidentally” breaking a component in a critical machine, contaminating a clean room, altering enterprise software, misconfiguring products to cause failure, and workplace harassment or violence. Further personality characteristics include aggressiveness, emotional detachment, confrontation, control-seeking, disengagement, lack of remorse, and strain, and a negative family or relationship event is a further common precipitating event. Common indicators include emotional outbursts, failure to communicate and/or work in groups, bullying, difficulty taking criticism, boundary violations, refusals to work with others, violent threats, physical altercations and reflections of extremist beliefs.
Workplace violence. These insiders strike out against the organization to cause bodily harm to people within the organization. Common personality characteristics are aggression, emotional detachment, confrontation, disengagement, strain and a lack of remorse. Common precipitating events include negative family or relationship events. Common indicators are the same as those for sabotage (emotional outbursts, failure to communicate and/or work in groups, bullying, difficulty taking criticism, boundary violations, violent threats, physical altercations and reflections of extremist beliefs).
Unintentional insider threat. These insiders act without malicious intent but become a threat through negligence and/or outside manipulation. Common personality characteristics include being flighty, unfocused, disorganized, scatter-brained, stressed, and strained. Common precipitating events include new personal or professional distractions. Common indicators include personal cell phone/computer overuse, unwittingly providing sensitive information to outsiders, discussing sensitive matters with uncleared personnel, leaving sensitive documents or devices accessible to others, posting confidential organizational details to social media sites and consistent failure to meet deadlines.
Just as the security clearance process is based on a whole person approach toward cleared personnel, a whole person and whole threat approach to insider threats considers the totality of factors and precipitating events that result in attack. A successful insider threat program leverages every bit of information available. It considers the red flags, and gives security personnel the information to take action.