“To really understand something, you’ve got to reduce it to its principles.” — Milton Friedman

It’s been a tough couple of years for insider risk professionals. Covid disrupted the work environment and prompted increased inadvertent insider activity, the explosion of remote work expanded organizational attack vectors and raised monitoring challenges, and the “Great Resignation” meant more of the data theft that accompanies employee departures.

The perfect storm of diminished employee visibility, increased employee stress, and overburdened monitoring continues to create a conducive environment for harmful insider action. And if that wasn’t enough, nation states and organized criminal groups are employing sophisticated espionage and social engineering tradecraft to steal credentials. It’s no wonder that we’re witnessing an increased number and cost of insider events.

As we start to evolve our mitigation strategies and tactics to address this ‘new normal’, it makes sense to remind ourselves of the basics of insiders – and how we can define their personalities, critical events, potential indicators, and attack progression.

Common Characteristics of the Insider

As defined by the Intelligence and National Security Alliance (INSA), the following are the insider ‘terms with greatest resonance and most widespread use’: unintentional insider threat, theft of intellectual property or national defense information, insider fraud, sabotage, and workplace violence.

And thanks to a growing body of case studies, we now have common personality characteristics, precipitating events, and indicators for each insider type, along with a general progression toward action. They help us understand the common root causes that can lead to a variety of different insider actions. They serve as a starting point for organizations to refine further as they tailor their risk mitigation to their specific business and environment.

Inadvertent or negligent

These insiders act without malicious intent but become a threat through negligence or outside manipulation.

While hard numbers are always suspect in quantifying insider events, given the assumed high level of non-reported or mis-reported events, it’s safe to say that a significantly large percentage of insider events result from inadvertent or negligent behavior, and that one type in particular, credential theft through social engineering, is growing rapidly. It’s also safe to say that the ‘critical path’ for inadvertent actors is far shorter and less observable than for malicious actors.

Common personality characteristics of negligent insiders include being flighty, unfocused, disorganized, scatter-brained, stressed, and strained.

Common precipitating events are often new personal or professional distractions.

Common indicators include personal cell phone/computer overuse, unwittingly providing sensitive information to outsiders, discussing sensitive matters with uncleared personnel, leaving sensitive documents or devices accessible to others, posting confidential organizational details to social media sites and consistent failure to meet deadlines.

IP and data thieves

These insiders seek to benefit themselves or others by stealing valuable data or materials. They may be working alone or in collaboration with an outside malicious actor.

Common personality characteristics include entitlement, narcissism, anti-social behavior, and a desire to control all things.

Common precipitating events include a negative personal financial event, failed promotion effort, poor performance review, unmet career aspirations, resignation, or termination.

Common indicators include “borrowing” office items for home use, attempting privilege escalation, conducting questionable downloads, violating cybersecurity policy, working out of profile hours, transferring data and/or printing during out of profile hours, stealing inventory and bringing unauthorized recording equipment into work.

Fraudsters

These insiders seek personal gain through their attacks.

Common personality characteristics include egotism, entitlement, privilege, and self-importance.

Common precipitating events include significant additional expenses, negative personal financial events, and unmet career and/or lifestyle aspirations.

Common indicators include living beyond one’s means, debt collection, violations of financial policies, intentional data manipulation, use and/or close association with a known supplier, minor fraudulent expenses, violations of insider trading, demonstrating excessive control over financial duties and exhibiting shrewd or unscrupulous behavior.

Saboteurs

These insiders strike out against an organization with intent to harm its functionality.

Common personality characteristics include anger, vengefulness, vindictiveness, disengagement, and destructive behavior.

Common precipitating events include confrontation with management, poor performance review, failed promotion effort, demotion, workplace embarrassment and termination.

Common indicators include the testing of security procedures, defacing company website pages, “accidentally” breaking a component in a critical machine, contaminating a clean room, altering enterprise software, misconfiguring products to cause failure and workplace harassment or violence.

Violent offenders

These insiders seek to strike out against the organization to cause bodily harm to people within the organization, possibly even themselves.

Common personality characteristics are aggression, emotional detachment, confrontation, disengagement, strain, and a lack of remorse.

Common precipitating events include negative family or relationship events.

Common indicators are the same as those for sabotage, which include emotional outbursts, failure to communicate and/or work in groups, bullying, difficulty taking criticism, boundary violations, violent threats, physical altercations, and reflections of extremist beliefs.

Life Stages

Just as there is a critical path or “kill chain” for each insider attack, there are critical stages of life. The ages between 35 and 45 are particularly relevant, as they’re the ages known for reevaluation of life choices and life goals and the highest point of the symbiotic relationship between one’s personal and professional lives.

This period is commonly known as a “mid-life crisis”; divorce and career change are highest during these years and are closely bound. Case studies indicate that a strong marriage or personal relationship can carry someone through a bad work situation and a good work situation can carry someone through a bad relationship, but the simultaneous collapse of both often results in increased psychological vulnerability for the employee and increased risk for their employer.

Event Evolution

The insider “critical path” or “kill chain” is the progression that an insider takes as they move toward action.

The first stage is “personality temperament.” Essentially, this is the nature of the person you hired. For our purposes, an important personality differentiation is whether this person is predisposed toward ‘self-destruction’ versus ‘self-healing’. Elements that sway a personality toward self-destruction (and insider attacks) include violent tendencies, psychological imbalance, vengefulness, etc. Malevolent qualities known in psychology as the “Dark Triad” of narcissism, psychopathy and Machiavellianism can also increase a self-destructive nature.

The second stage is a “precipitating event.” Our focus is on stressors that create emotional change, such as personal or professional crises.

The third stage is a “conflict,” which is often a self-expression like dissatisfaction with a superior, colleague, or the entire organization.

The fourth stage is “determination,” which is often exemplified by refinement of a mindset like increased risk-taking, open hostility, social withdrawal, identification with violence, etc.

The fifth stage is “preparation,” often taking the form of reconnaissance, acquisition of materials, drafting of manifestos and other attack precursors.

Finally, there is the “attack,” the endpoint of resentment that has been building against an organization or system that the insider believes has unfairly treated them.

The Environment

An organization controls the personalities of those it works with through who it hires in the first place. While the need to hire quickly in today’s environment is understandable, hiring decisions have tremendous impact on an organization’s insider risk resiliency. Move fast but move smartly.

And just as you can design a building to enhance an organization’s security measures, you can design the work environment to enhance your insider risk program, building in the strongest insider threat countermeasures allowable by your organization’s culture, capabilities, and resources. Of course, this is easier in the traditional office environment, but there are a series of measures to be taken with remote workers to increase communication, enhance collaboration and build teamwork. Put simply, you can have your organizational environment work for you or against you.

 


Val LeTellier is a veteran intelligence officer. Before his career as a CIA case officer, he served as a State Department Diplomatic Security Special Agent. He has since worked with CACI, Booz Allen and Raytheon in creating specialized communication, virtual operations, and digital surveillance risk mitigation programs. He recently co-founded 4th Gen Solutions to develop next generation tradecraft capabilities for IC front-line operators.