Ten Steps for Assisting Malicious Insiders
By Brian T. Contos
I recently finished writing a book titled “Enemy at the Water Cooler.” In writing it, I drew on my experiences over the last decade working around the world with virtually every type of business vertical and government entity. The book chronicles real-life stories of insider threats and the countermeasures organizations implement to manage them. This article shares some of the lessons learned about mistakes organizations make that actually help insiders succeed.
Why Are Insider Threats a Concern?
Insider threats are the easiest to perpetrate, hardest to prevent and most politically charged to manage of all threats. There is no security panacea for insider threats: no piece of software that can be installed, box that can be plugged in, policy that can be written or guru that can be hired that makes an organization 100 percent secure. Security is a process that requires vigilance and awareness, and it is a merger of people, processes and technology. Finding the best combination of these variables to mitigate risk is what produces a strong security posture.
Insiders take many forms. They may be well-intentioned employees who simply made a mistake, and that mistake may create a vulnerability that someone else exploits. They may be disgruntled employees or contractors, cleaning crews, or even plants from competitors, foreign governments or terrorist organizations. Some insiders join an organization with surreptitious intent from the start.
Most don’t have malicious motives at the beginning, but later subscribe to one or more of the following motivations: greed, power, revenge, politics, fear, general malice and/or excitement. It also doesn’t take a cyber security guru to cause a problem, primarily because the insider is already trusted and holds elevated physical and logical access. Consider a simple example: a sales manager who has access to his company’s customer database. He needs that access to do his job, so it isn’t unusual for him to log in to the database, download information and print reports. But what if he is downloading the customer files and e-mailing them to a competitor? Or printing sensitive information that is then accidentally left behind in an airport? The legitimate and the malicious activity look identical to a preventive control; only the surrounding context separates them. Here are some real-world examples of such threats:
Three Coca-Cola employees were charged with stealing confidential information and samples of a new drink in hopes of selling them to competitor Pepsi, which reported the incident and worked with Coca-Cola and authorities to investigate. Coke’s chief executive, Neville Isdell said that the breach “…underscores the responsibility we each have to be vigilant in protecting our trade secrets. Information is the lifeblood of the company.”
A 63-year-old former system administrator at UBS PaineWebber, a financial services firm, allegedly infected the company’s network with malicious code that is said to have cost the firm $3 million in recovery expenses and thousands of lost man-hours. He was apparently irate about a poor salary bonus. In retaliation, he wrote a program that would delete files and cause disruptions on the UBS network, installed it, and then quit his job. He then bought “puts” against UBS: if the stock price went down, for instance because of the malicious code, he would profit. The code was triggered by a logic bomb. The attack impaired trading and affected over 1,000 servers and 17,000 individual workstations.
A Chinese national, a programmer at Ellery Systems, a Boulder, Colorado software firm working on advanced distributive computing software, transferred the firm’s entire proprietary source code via the Internet to another Chinese national working in the Denver area. The software was then transferred to a Chinese company, Beijing Machinery. Foreign competition directly attributable to the loss of the source code subsequently drove Ellery Systems into bankruptcy.
Assisting the Insider
Countermeasures for insider threats fall into three categories: incident prevention, incident detection and incident management. No one category works without the others, but because prevention scales only so far against people who are trusted and already hold privileged access, detection and management capabilities are critically important. This is why banks have video cameras, security guards and alarm systems that watch employees and non-employees alike, instead of just a big steel safe and a sign reading, “Don’t rob me.” So if the intent is to make your organization vulnerable to insider threats, here are some surefire techniques.
1. Ignore the human element
Insiders are not the nameless, faceless attacker on the other side of some ocean. They aren’t the socially awkward male (SAM), as the FBI calls the pale-skinned teenage hacker in his mom’s basement hunched over a keyboard with highly caffeinated drinks and cheese food products at arm’s reach. They are just like you, your boss, the consultant, the cleaning crew and Jim down the hall that you play basketball with on Wednesdays. Not thinking differently about insider threats than about external threats acts as a safety net for the insider: even if he is caught, managing him may be such a nightmare that the situation is simply ignored. Also note that your employees are one of the best defenses against insiders, so keep them unaware, uneducated and untrained regarding insider threats, so that they don’t know what to look for or how to report a potential issue.
2. Don’t bother with boring policies and procedures
Insiders don’t mind policies and procedures, especially those in the dusty red binder sitting atop the microwave in the break room. They are typically outdated, forgotten, poorly communicated throughout the organization, and rarely have contingencies for insiders. For the insider to be successful, make sure there are no policies governing what procedures to follow when a malicious insider is suspected. Make sure the process is not practiced, updated or communicated. And most importantly, do not get executive sponsorship and buy-in from major stakeholders. Once there is a united front between executive management, IT, human resources, legal and other relevant groups, an insider’s actions can be dealt with efficiently and effectively, so avoid this at all costs.
3. Don’t implement preventative measures and forget about defense-in-depth
Prevention is an important factor in stopping an external attacker: perhaps he can’t get past the firewall, through the VPN, or log on to a server. Just ensure that prevention stays at the perimeter; that way an insider, who is already inside it, need not worry about those pesky safeguards. Besides, defense-in-depth is just a suggestion, like stopping at red lights. Make sure that the following measures are not used:
Strong access controls
Multi-factor authentication
Network segregation (firewalls, router/switch ACLs, VLANS, etc)
Host- and network-based intrusion prevention
Encryption
Need-to-know access, least privilege, and separation of duties
Role-based access control
4. Don’t define what you’ve got
Why waste time discovering what is in your environment? The insider will be much happier if you have no idea what assets you have, what they do, where they are and who is responsible for them. Keeping track of patch levels and vulnerability information, and classifying data by sensitivity, just sounds like a drag. Nine out of ten insiders agree that your time would be better spent subscribing to the philosophies of ignorance or apathy.
5. Don’t collect logs
This is analogous to driving an automobile without looking at the gauges; nobody has time for such trivialities. Firewalls, intrusion detection systems, anti-virus solutions, network gear, operating systems, applications and so forth all generate copious logs and alerts to help you understand what’s going on. But if you aren’t collecting them, you have no idea what is going on. No news is good news, and you’ll always have plausible deniability. Besides, managing a network reactively is more exciting than being proactive. Since insider activity becomes apparent through subtle indicators within logs, not collecting them ensures that your organization won’t have even the most rudimentary information necessary to detect it.
6. Don’t analyze logs
Some forward-thinking individual at your organization may have implemented a mechanism to collect all the logs and alerts and store them away. Fear not, your insider can still be successful if the process stops there. Simply dumping a flood of logs into a database, backing the database up to tape, throwing the tapes in a box, and forgetting about the box until its scheduled destruction date is a great way to let the insider carry on while your organization enjoys a false sense of security. Collecting information is only step one. It must be followed by analysis, in near real time, for a forensic investigation to be of any use later. So not having an investigation capability that goes through the logs automatically with correlation (which looks for known behaviors), pattern discovery (which looks for what you don’t know to look for) and anomaly detection (which identifies deviations from a baseline) will keep your insider safe. Most insider activity isn’t identified by a single red flag, but rather by a combination of events, anomalies against a baseline, and suspicious, recurring patterns. Removing these variables from the equation means less risk for the insider.
7. Don’t demand a solution that provides real value
Log collection and analysis are fun, so don’t worry about methods for reducing false positives, prioritizing events, leveraging visual analytics, incorporating investigation tools and creating reports. Don’t ask for output that yields actionable information for efficient and effective risk management. Why not just implement some basic scripts or some simple software that requires staring at log files and working on your grep, sed and awk skills? An advantage of this model is that security analysts who can tell the difference between a real attack, a false positive and network noise will be so bored and burned out by this brute-force analysis method that turnover will be high, and you’ll get to meet lots of new and interesting people. With this model, the insider will also have more than enough time to rob you blind and move on to the next organization before you discover his tracks.
8. Don’t consider physical security
This is pretty straightforward. If you want the insider to get deep into your organization, put all your efforts into IT security and forget about physical access controls, video surveillance, monitoring environmental variables such as power and HVAC, and any correlation between logical and physical events. This way an insider can saunter around the organization without any record of where they are going, what they are doing, who they are doing it with, and when they did it. And instead of trying to bypass logical, preventive controls, which can be time-consuming, they simply walk out the door with a $5,000 server containing information that will lead to $5 million in legal bills, public relations expenses, compliance fines and lost revenue. This will give you a chance to brush up on your legal lingo.
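The three analysis methods named in step 6 (correlation against known behavior, anomaly detection against a baseline, pattern discovery) and the logical/physical correlation called for in step 8 are abstract until you see them run over events. The following is an added example written for this article; it is not code from the article, from the book, or from ArcSight. It assumes a simplified, constructed whitespace log format (the sample lines are invented, not real logs), an assumed corporate mail domain corp.example, and that a console logon on an office workstation should be preceded by a badge entry for that user. It runs the sales-manager scenario from the introduction: routine exports, then one after-hours bulk export, an e-mail to an outside domain minutes later, and a console logon while the badge system last saw the user leave.

```python
"""Three detection passes over constructed log lines: a correlation rule for a
known behaviour, a per-user baseline for anomaly detection, and a
logical/physical correlation between badge and logon records.
Added example; not code from the original article or from ArcSight."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

INTERNAL_DOMAIN = "corp.example"  # assumed corporate mail domain

# Constructed sample events (not real logs), deliberately out of order.
# Format: <iso-timestamp> <source> <user> <action> key=value ...
SAMPLE_LOG = """\
2006-03-01T09:12:00 dbapp jsmith export rows=1100
2006-03-02T10:04:00 dbapp jsmith export rows=950
2006-03-02T13:00:00 mail jsmith send to=alice@corp.example attach=report.pdf
2006-03-03T11:30:00 dbapp jsmith export rows=1200
2006-03-06T08:02:00 badge jsmith entry door=lobby
2006-03-06T09:45:00 winlogon jsmith logon host=WS-SALES-07 type=console
2006-03-06T09:48:00 dbapp jsmith export rows=1050
2006-03-07T08:01:00 badge jsmith entry door=lobby
2006-03-07T17:55:00 badge jsmith exit door=lobby
2006-03-07T22:10:00 winlogon jsmith logon host=WS-SALES-07 type=console
2006-03-07T22:15:00 dbapp jsmith export rows=48000
2006-03-07T22:41:00 mail jsmith send to=bob@competitor.example attach=customers.csv
"""


def parse(log_text):
    """Turn each line into a dict; key=value pairs become extra fields."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, user, action, *rest = line.split()
        fields = dict(kv.split("=", 1) for kv in rest)
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "user": user, "action": action, **fields})
    return sorted(events, key=lambda e: e["ts"])


def export_then_external_mail(events, window=timedelta(hours=1)):
    """Correlation rule (known behaviour): a customer-DB export followed, within
    `window`, by an e-mail with an attachment to an address outside
    INTERNAL_DOMAIN, both by the same user. Neither event alone is suspicious."""
    exports = [e for e in events if e["source"] == "dbapp" and e["action"] == "export"]
    hits = []
    for m in events:
        if m["source"] != "mail" or "attach" not in m:
            continue
        if m.get("to", "").rsplit("@", 1)[-1] == INTERNAL_DOMAIN:
            continue
        for x in exports:
            if x["user"] == m["user"] and timedelta(0) <= m["ts"] - x["ts"] <= window:
                hits.append((m["user"], x["ts"], m["ts"], m["to"]))
    return hits


def export_volume_anomalies(events, zmax=3.0, min_history=3):
    """Anomaly detection: compare each user's export size against a baseline
    built from that user's *other* exports (leave-one-out, so a single huge
    export cannot hide inside its own baseline)."""
    by_user = defaultdict(list)
    for e in events:
        if e["source"] == "dbapp" and e["action"] == "export":
            by_user[e["user"]].append(e)
    flagged = []
    for user, xs in by_user.items():
        for e in xs:
            others = [int(o["rows"]) for o in xs if o is not e]
            if len(others) < min_history:
                continue  # too little history to call anything abnormal
            mu, sigma = mean(others), pstdev(others) or 1.0
            z = (int(e["rows"]) - mu) / sigma
            if z > zmax:
                flagged.append((user, e["ts"], int(e["rows"]), round(z, 1)))
    return flagged


def logon_without_badge_presence(events):
    """Logical/physical correlation: a console logon on an office workstation
    while the badge system's latest record for that user is an exit (or there
    is no entry at all). Credential sharing, tailgating, or a bad badge feed."""
    inside = {}  # user -> True after an entry, False after an exit
    flagged = []
    for e in events:  # parse() returns events in time order
        if e["source"] == "badge":
            inside[e["user"]] = e["action"] == "entry"
        elif e["source"] == "winlogon" and e.get("type") == "console":
            if not inside.get(e["user"], False):
                flagged.append((e["user"], e["ts"], e["host"]))
    return flagged


def analyze(log_text=SAMPLE_LOG):
    """Run all three passes; the insider case only emerges from all of them."""
    events = parse(log_text)
    return {"correlated": export_then_external_mail(events),
            "anomalous": export_volume_anomalies(events),
            "physical": logon_without_badge_presence(events)}


if __name__ == "__main__":
    for name, findings in analyze().items():
        print(name)
        for f in findings:
            print("  ", f)
```

Each pass on its own is weak: the export is a normal job function, an external e-mail with an attachment happens all day, and a console logon is routine. Only the combination, exactly as step 6 describes, turns three unremarkable records into one case. The physical check is deliberately simple; a production version would reset presence per site and per day, treat VPN and remote-desktop logons separately, and tolerate badge feeds that drop events, otherwise the false-positive rate step 7 warns about will bury the analyst.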
9. Don’t consider IT governance and compliance as part of your solution
Just keep reminding yourself how boring compliance is and how compliance doesn’t equal security. A well-constructed methodology that addresses IT governance, such as ISO 17799 for business relevance joined with NIST SP 800-53 for technical checks, is useful for automated controls testing and increases effectiveness around both security and compliance. Layering various forms of regulatory compliance, such as Sarbanes-Oxley and PCI, can further increase operational efficiency, reduce risk and help with audits. Try not to focus on IT governance and compliance, because they have significant ties to mission-critical systems, access controls and sensitive data, just like insider threat scenarios. You may inadvertently hamper your insider’s success while you were really just trying to pass an audit.
10. Don’t have a centralized system to manage it all
The insider will thank you for not having a cohesive mechanism to leverage event collection, analysis and remediation. With no central core, you’ll be sure that virtually nothing will get detected or resolved efficiently.
Summary
Insiders benefit when organizations fail to recognize that insider threats must be thought about differently than external threats. Since the enemy is murky, processes must be in place to put policy into effect even in the most political situations. Technological solutions must be able to assemble even the most subtle characteristics of malicious insider activity through correlation, anomaly detection and pattern discovery. Finally, the entire solution must revolve around a core that facilitates closed-loop, holistic and extensible incident detection and incident management.
About the Author
Brian T. Contos, CISSP, is the Chief Security Officer of ArcSight.