CSIAC

Cyber Security and Information Systems Information Analysis Center

/ Journal Issues / Insider Threat and the Malicious Insider Threat / Introduction: Insider Threat and the Malicious Insider Threat – Analyze. Deter. Discover. Prevent. Respond

Introduction: Insider Threat and the Malicious Insider Threat – Analyze. Deter. Discover. Prevent. Respond

Published in Journal of Cyber Security and Information Systems
Volume: 6 Number: 1 - Insider Threat and the Malicious Insider Threat
Authors: Roderick A. Nettles and Michael Weir
| Leave a Comment

Building a quarterly journal that spans broad topical and technical themes can be challenging, and the selection of articles for any one journal intimidating. Over the last five years CSIAC has published special issues on military research laboratories (Volume 5 Number 1; Volume 4 Number 1), focused in on particular relevant technical thrusts (i.e., Serious Games M&S, Volume 5 Number 4, December 2017), and operational considerations (i.e., SCADA, Volume 1 Number 3). This quarter, the CSIAC Journal presents five articles which represent different perspectives on Insider Threat and approaches to understand and remediate that threat. Due to the cost of reproduction and distribution, we are releasing the print journal with the first four articles, and incorporating into the journal a reference to the longer and more complex fifth article available online at CSIAC.ORG. All five articles are included in the PDF version of the journal available online.

In this journal we are proud to identify and include work by two organizations with a long history of research and good counsel regarding Insider Threat – the Software Engineering Institute (SEI) at Carnegie Mellon University and the SANS Technology Institute.

Any collaboration between people in a group requires a certain degree of trust to be successful. Whether in financial, political, military, or social situations, the ability to trust those around you is a primary enabling factor to success. Misuse of that trust to gain advantage for purposes counter to the group’s success can also be a primary factor in the group’s failure. For the last few decades in the cybersecurity realm, the term “Insider Threat” has been used to identify individuals or entities that misuse some level of trust gained within an organization to adversely use information or information systems to the detriment of the organization. The designation is somewhat broad, encompassing intentional and unintentional actions, individuals and groups of people, even human and machine/computer activities. Approaches to the remediation of the Insider Threat are also quite broad, with current best practice combining several to achieve the best results. Physical, technical, behavioral, policy, and process means are all parts of an effective Insider Threat program.

When any concept or technology becomes widely relevant, it begins to differentiate into sub-components on its path to full maturity. New and innovative approaches leverage and augment the foundational ideas that generated the original concepts, frequently evolving to new areas and spawning their own subcomponents. Insider Threat remediation research has made that journey, growing in relevance and maturity, and many alternative paths evolved from those foundational ideas as the methods and technology behind information management (and the methods and technology available to Insider Threat actors) have become more powerful and complex. One piece of the puzzle has remained a constant – the human aspect.

The American origins of Insider Threat conduct go back at least to 1775. Benjamin Church was a British Loyalist and trusted insider who had access to important Colonial letters by virtue of his position. He diverted key messages to British general Sir Thomas Gage in an attempt to undermine American military movements1. The same human motivations that drove his actions have been repeated over and over again in the last two centuries, using different methods and technologies to access and misuse critical information. In the late 1980’s, the CIA initiated Project Slammer in an attempt to gather the most current and relevant information from captured insider spies to discern the primary influencers that enabled their conduct. At the end of that heavily redacted 19902 report, quote:

“Subjects almost invariably conceive of committing espionage after they are in a position of trust. While initial screening continues to be important, focusing on update and monitoring procedures seems increasingly worthwhile.”

In a Counterintelligence Trends document from 19933 summarizing the overall Project, it states clearly that none of the people studied intended to spy at the point they were granted access to information.

With that firmly in mind, this special issue will focus on the “Insider Threat and the Malicious Insider Threat” that pose unique security challenges to all organizations due to their knowledge, proficiencies, and authorized access to information systems.

How do you interpret people’s behavior in the context of the Insider Threat? The next article identifies and amplifies concepts associated with a core concern of many involved with Insider Threat – what about the unintentional insider? Professor Coffey expands on the Software Engineering Institutes’ (SEIs’) Insider Threat Ontology to recommend some ways to incorporate non-malicious behavior within that construct, and provides an exemplar of how it might be used.

If you can’t stop the Insider, how do you mitigate the effects? The following article identifies a truth about compromise (with enough effort, virtually any organization can be compromised) and then proposes methods for most effectively mitigating the effects of compromise. Dr. Cole proposes best-practice methodologies for Detect, Contain and Control with an emphasis on the Insider Threat.

How do you integrate policy and compliance with an effective Insider Threat program? A very different perspective is provided by Christian Moldes in his article on the policy-level components of an effective Payment Card Industry (PCI) compliance program, identifying the effective integration of the objectives of compliance with the organization’s organic actions/processes in place to assure protection of information assets.

What about the threat of “Insider Hardware” that isn’t even a person? With the Internet of Things (IoT) becoming a component part of any organization, what about the threat of embedded hardware inside your organization? Eric Jodoin provides a very detailed example of revealing an embedded devices’ information flow using serial port access. It is illuminating both for the ability to access embedded information streams and the reasoning process that can provide insight into how embedded devices can be used in an insider scenario.

How do we get better at finding Insider Threats? Matthew Hosburgh suggests a more contemporary method for actively identifying Insider Threat actors – applying the concepts of Threat Hunting to the problem. Involving people more actively in the hunting of Insider Threat actors using current Threat Hunting tools and techniques ratchets up the capability to find and remediate potential problems. This article also capitalizes on the Insider Threat Ontology from the SEI and identifies insertion points for the Threat Hunting methods.³

We hope that this combination of articles across a broad spectrum of Insider Threat remediation techniques and analyses will help you go beyond the basic, first-order effects of traditional Insider Threat tools and ideas and begin to reason about the wider aspects of how people, technology and policy can combine more coherently to analyze, deter, discover, and ultimately prevent such activities from occurring.

Footnotes

  1. Benjamin Church, probably the first Surgeon General of the US, provided information to the British prior to the Battle of Lexington, reference here: http://clements.umich.edu/exhibits/online/spies/people.html#church
  2. Project Slammer Interim Report, 12 April 1990, redacted and declassified version available here: https://www.cia.gov/library/readingroom/docs/DOC_0000218679.pdf
  3. "Counterintelligence Trends", DCI Counterintelligence Center, January 1993, page 10; approved for release March 2002, available here: https://cryptome.org/2013/06/cia-why-spy.pdf

Authors

Roderick A. Nettles
Roderick A. Nettles
Mr. Roderick A. Nettles is currently serving as the Deputy Director under our current Cyber Security and Information Systems IAC (CSIAC) Basic Center Operations (BCO) contract, developing/implementing means of improving/assuring performance with existing resources to meet and exceed the customer’s requirements. Mr. Nettles is responsible for leading Quanterion efforts to develop and maintain a viable training program under the CSIAC BCO contract using a mix of company, subcontractor and subject matter expert instructed courses. In addition, serving as the Chief Editor of a cybersecurity journal. Responsible for managing all the day-to-day operations of a quarterly publication. As the editor-in-chief, oversee the editorial board and peer-review team of the quarterly publication and ensures each issue is released on time. Mr. Nettles has a bachelor’s degree in Computer Science and Master in Information Technology Management. He has over 20 years of oversight of Cyber Command and Control Mission System weapon system to include Automated Information Systems which enables mission by synchronizing other cyber weapon systems to produce operational level effects in support of Combatant Commanders worldwide. Mr. Nettles was assigned to CONUS NORAD Region (CONR) 1AF/A6 at Tyndall Air Force Base as the Office In Charge , Command and Control Systems Branch. He was responsible for developing cyber defense Table Top Exercise; validated C2 Tactics, Techniques and Procedures with Twenty-Fourth Air Force (24AF), 33d Network Warfare Squadron (33NWS), Canadian Forces Network Operations Centre (CFNOC), Canadian NORAD Region (CANR) & 5 Air Defense Sectors to hardened NOARD's front line Command and Control Systems. Mr. Nettles was charged with eliminating security vulnerabilities systems—secured C2 mission systems. As the Chief of C2 Systems Branch, Mr. Nettles bridged CANR, CONR & 6 sectors to Defensive Cyber Operations combat methodologies. As a Cyber Operational Planner, he led efforts to identify mission key terrain, "Mapped the Mission” for NORAD Network Enterprise.
Michael Weir
Michael Weir
Michael Weir is currently working with Quanterion Solutions, Inc as a Senior Technical Advisor/Subject Matter Expert for the Cybersecurity and Information Systems Information Analysis Center (CSIAC), and with the Griffiss Institute as the developer/facilitator for the AFRL-sponsored Machine Learning Bootcamp, a multi-month immersion program for AFRL engineers. Mr. Weir was previously the Director of the CSIAC, and before that the Chief of Communications and Information Systems at the Eastern Air Defense Sector (EADS), Rome, New York. EADS is one of two NORAD/NORTHCOM air defense sectors in the Continental United States. He was responsible for setting up and maintaining the Sector's cyber posture during and after 9/11 and evolving the data/communication/sensor integration through the following decade. Mr. Weir has Bachelor's degrees in Music Performance and in Electrical and Computer Engineering, and a Master's Degree in Information Systems, along with certifications in the cybersecurity domain.

Reader Interactions

Leave a Comment