A Field Guide to Insider Threat Helps Manage the Risk

#RSAC

Session ID: HUM-T10R

Tim Casey
Senior Strategic Risk Analyst, Intel Corp.

How do you think of insider threat?

The problem is becoming more complex

The Field Guide to Insider Threat

Attack types: Accidental leak, Espionage, Financial fraud, Misuse, Opportunistic data theft, Physical theft, Product alteration, Sabotage, Violence

Threat agents: Reckless Insider, Untrained/Distracted Insider, Outward Sympathizer, Vendor, Partner, Irrational Individual, Thief, Disgruntled Insider, Activist, Terrorist, Organized Crime, Competitor, Nation State

Characterizing Insider Threat

Definitions

Insider Threat is the potential for a current or former employee, contractor, or business partner to accidentally or maliciously misuse their trusted access to harm the organization’s employees and customers, assets, or reputation.

A Threat Agent is a representative class of people who can harm an organization, intentionally or accidentally, and is identified by its unique characteristics and behaviors.

Insider Threat Agents

Non-Hostile: Reckless Insider; Outward Sympathizer; Untrained/Distracted Insider

Hostile/Non-Hostile: Partner; Supplier

Hostile: Activist; Competitor; Disgruntled Insider; Irrational Individual; Nation State; Organized Crime; Terrorist; Thief

Attack Types

• Accidental leak
• Espionage
• Financial fraud
• Misuse
• Opportunistic data theft
• Physical theft
• Product alteration
• Sabotage
• Violence

IP & Data Loss (call-outs on the attack-type slide): Ooops; Ongoing, targeted IP extraction; Exiting employees

Threat-Consequence Vector Matrix

Analysis by Intel’s Threat Agent Analysis Group

Columns (threat agents, grouped by intent):
  Non-Hostile: Reckless Insider; Untrained/Distracted Insider; Outward Sympathizer
  Non-Hostile/Hostile: Vendor; Partner
  Hostile: Irrational Individual; Thief; Disgruntled Insider; Activist; Terrorist; Organized Crime; Competitor; Nation State

Rows (attack types) with the number of agent columns marked X; the text version of the slide preserves only the per-row counts, not which agent each X falls under:

  Accidental leak           7
  Espionage                 8
  Financial fraud           5
  Misuse                    8
  Opportunistic data theft  8
  Physical theft            6
  Product alteration        9
  Sabotage                  6
  Violence                  3
  Total                    60

Applying the Field Guide

Demonstrate the scope of the problem

Shown against the full Threat-Consequence Vector Matrix: 60 separate Insider Threat vectors – are you prepared for all of them?

Prioritizing Protection to Optimize Resources

Food Manufacturer (example): the attack types considered against the vector matrix

• Accidental leak
• Espionage
• Financial fraud
• Misuse
• Opportunistic data theft
• Physical theft
• Product alteration
• Sabotage
• Violence

Prioritizing Protection to Optimize Resources (continued)

Food Manufacturer (example), with the attack-type list re-ordered

• Accidental leak
• Espionage
• Financial fraud
• Misuse
• Opportunistic data theft
• Physical theft
• Violence
• Product alteration
• Sabotage

Minimize the Threat (shown against the vector matrix)

Provide context for your data

Example incidents:

• 2-day factory downtime
• Lost market lead in key product
• $15M in lawsuits
• 3% annual shrinkage

Customize for your threat landscape

The model is open-ended: you can extend and tailor it to your environment.
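As an added illustration, not Intel's tool or any code from the deck, the Python below models the vector matrix the preceding slides describe: the agent names, intent classes, attack types and per-row vector counts come from the slides, while the specific cell assignment and the example agent "Temporary Staff" are constructed assumptions. It enumerates the 60 vectors, narrows them to a chosen subset of attack types as the food-manufacturer exercise does, and extends the model with a new agent as this slide suggests.

```python
# Added example, not Intel's tooling: a small model of the Field Guide's
# threat-consequence vector matrix (enumerate, prioritize, extend).
from collections import Counter

# Agents and intent classes as named on the "Insider Threat Agents" slide.
AGENTS = (
    [(a, "Non-Hostile") for a in ("Reckless Insider", "Untrained/Distracted Insider",
                                  "Outward Sympathizer")]
    + [(a, "Hostile/Non-Hostile") for a in ("Vendor", "Partner")]
    + [(a, "Hostile") for a in ("Irrational Individual", "Thief", "Disgruntled Insider",
                               "Activist", "Terrorist", "Organized Crime", "Competitor",
                               "Nation State")]
)

# One row per attack type; column i is AGENTS[i]. The row totals (7, 8, 5, 8,
# 8, 6, 9, 6, 3 = 60) are the slide's, but which cells hold an X cannot be
# recovered from the deck, so this cell assignment is constructed, not Intel's.
MATRIX = {
    "Accidental leak":          "XXXXXX.X.....",
    "Espionage":                "..XXX..XX.XXX",
    "Financial fraud":          "...XX.XX..X..",
    "Misuse":                   "XXXXXX.XX....",
    "Opportunistic data theft": "..XXX.XXX.XX.",
    "Physical theft":           "...XXXXX..X..",
    "Product alteration":       "XX.XXX.XXX.X.",
    "Sabotage":                 ".....X.XXX.XX",
    "Violence":                 ".....X.X.X...",
}

def vectors(matrix=MATRIX, agents=AGENTS):
    """Every cell marked X is one (attack type, agent, intent) threat vector."""
    out = []
    for attack, row in matrix.items():
        if len(row) != len(agents):
            raise ValueError(f"row {attack!r} does not match the agent columns")
        out += [(attack, ag, it) for (ag, it), c in zip(agents, row) if c == "X"]
    return out

def prioritize(relevant, matrix=MATRIX, agents=AGENTS):
    """Keep only the attack types an organization judges relevant and count
    the surviving vectors per intent class (the food-manufacturer exercise)."""
    kept = [v for v in vectors(matrix, agents) if v[0] in relevant]
    return kept, Counter(intent for _, _, intent in kept)

def add_agent(name, intent, applies_to, matrix=MATRIX, agents=AGENTS):
    """Tailor the model: add an agent column, marking X for each attack type
    in applies_to. Returns a new (matrix, agents) pair; the base is unchanged."""
    new = {a: row + ("X" if a in applies_to else ".") for a, row in matrix.items()}
    return new, agents + [(name, intent)]
```

Calling prioritize with a few attack types shows at a glance how many of the remaining vectors come from hostile versus non-hostile agents, which is the point of the prioritization slides.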

How the Guide Can Help You

Having a Field Guide helps you manage risk by:

• Establishing a common framework and language for managing insider threat throughout the organization and community
• Prioritizing threats and optimizing the use of limited resources
• Identifying threats for mitigation

It is a framework to describe and manage your unique threat landscape.

Applying the Field Guide in Your Organization

Short term: Share the Guide with key stakeholders to inform them of the problem scope and enlist them in your team. Assess your particular threats and controls against the Field Guide to ensure you are managing your most dangerous insider risks.

Medium term: Modify the model to reflect your situation and priorities.

Long term: Use the Guide to regularly re-assess your overall insider threat landscape.

Resources

Intel Field Guide to Insider Threat: http://ow.ly/CLux308vUbP

Intel Threat Agent Analysis: https://communities.intel.com/docs/DOC-23914 and https://communities.intel.com/docs/DOC-1151

Improving Healthcare Risk Assessments to Maximize Security Budgets (how to tailor the model for your environment): http://ow.ly/1W2H308vUfx

CERT Insider Threat Center: https://www.cert.org/insider-threat

We actively engage with fellow travelers utilizing Threat Agent Analysis related to:

• Threat Assessments
• Supplier Management and Supply Chain Risk
• Tools and Visualization

Questions?