A Field Guide to Insider Threat Helps Manage the Risk

Tim Casey, Senior Strategic Risk Analyst, Intel Corp.

#RSAC, Session ID: HUM-T10R


How do you think of insider threat?


The problem is becoming more complex


The Field Guide to Insider Threat

Attack types: Accidental leak, Espionage, Financial fraud, Misuse, Opportunistic data theft, Physical theft, Product alteration, Sabotage, Violence

Threat agents: Reckless Insider, Untrained/Distracted Insider, Outward Sympathizer, Vendor, Partner, Irrational Individual, Thief, Disgruntled Insider, Activist, Terrorist, Organized Crime, Competitor, Nation State


Characterizing Insider Threat


Definitions

Insider Threat is the potential for a current or former employee, contractor, or business partner to accidentally or maliciously misuse their trusted access to harm the organization’s employees and customers, assets, or reputation.

A Threat Agent is a representative class of people who can harm an organization, intentionally or accidentally, and identified by their unique characteristics and behaviors.


Insider Threat Agents

Non-Hostile: Reckless Insider, Outward Sympathizer, Untrained/Distracted Insider

Hostile/Non-Hostile: Partner, Supplier

Hostile: Activist, Competitor, Disgruntled Insider, Irrational Individual, Nation State, Organized Crime, Terrorist, Thief


Attack Types

Accidental leak

Espionage

Financial fraud

Misuse

Opportunistic data theft

Physical theft

Product alteration

Sabotage

Violence


Attack Types

IP & Data Loss

Ooops

Ongoing, targeted IP extraction

Exiting employees

Accidental leak

Espionage

Financial fraud

Misuse

Opportunistic data theft

Physical theft

Product alteration

Sabotage

Violence


Threat-Consequence Vector Matrix

Analysis by Intel’s Threat Agent Analysis Group

Intent: Non-Hostile | Non-Hostile/Hostile | Hostile

Threat agents (columns): Reckless Insider, Untrained/Distracted Insider, Outward Sympathizer, Vendor, Partner, Irrational Individual, Thief, Disgruntled Insider, Activist, Terrorist, Organized Crime, Competitor, Nation State

Attack Type (rows; each X marks one applicable threat agent, column alignment is not preserved in this text):

Accidental leak X X X X X X X
Espionage X X X X X X X X
Financial fraud X X X X X
Misuse X X X X X X X X
Opportunistic data theft X X X X X X X X
Physical theft X X X X X X
Product alteration X X X X X X X X X
Sabotage X X X X X X
Violence X X X


Applying the Field Guide


Demonstrate the scope of the problem

[Figure: Threat-Consequence Vector Matrix (attack types by threat agent, grouped by intent), repeated from the earlier slide]

60 separate Insider Threat vectors. Are you prepared for all of them?


Prioritizing Protection to Optimize Resources

• Accidental leak

• Espionage

• Financial fraud

• Misuse

• Opport. data theft

• Physical theft

• Product alteration

• Sabotage

• Violence

[Figure: Threat-Consequence Vector Matrix (attack types by threat agent, grouped by intent), repeated from the earlier slide]

Food Manufacturer (example)


Prioritizing Protection to Optimize Resources

[Figure: Threat-Consequence Vector Matrix (attack types by threat agent, grouped by intent), repeated from the earlier slide]

Food Manufacturer (example)

• Accidental leak

• Espionage

• Financial fraud

• Misuse

• Opport. data theft

• Physical theft

• Violence

• Product alteration

• Sabotage


Minimize the Threat

[Figure: Threat-Consequence Vector Matrix (attack types by threat agent, grouped by intent), repeated from the earlier slide]


Provide context for your data

[Figure: Threat-Consequence Vector Matrix (attack types by threat agent, grouped by intent), repeated from the earlier slide]

Example incidents:

2-day factory downtime

Lost market lead in key product

$15M in lawsuits

3% annual shrinkage


Customize for your threat landscape

The model is open-ended and you can extend & tailor it to your environment


How the Guide Can Help You

Having a Field Guide helps you manage risk by:

Establishing a common framework and language for managing insider threat throughout the organization and community

Prioritizing threats and optimizing the use of limited resources

Identifying threats for mitigation

A framework to describe and manage your unique threat landscape


Applying the Field Guide in Your Organization

Short term

Share the Guide with key stakeholders to inform them of the problem scope and enlist them in your team

Assess your particular threats and controls against the Field Guide to ensure you are managing your most dangerous insider risks

Medium term

Modify the model to reflect your situation and priorities

Long term

Use the Guide to regularly re-assess your overall insider threat landscape


Resources

Intel Field Guide to Insider Threat: http://ow.ly/CLux308vUbP

Intel Threat Agent Analysis: https://communities.intel.com/docs/DOC-23914 and https://communities.intel.com/docs/DOC-1151

Improving Healthcare Risk Assessments to Maximize Security Budgets (how to tailor the model for your environment): http://ow.ly/1W2H308vUfx

CERT Insider Threat Center: https://www.cert.org/insider-threat

We actively engage with fellow travelers utilizing Threat Agent Analysis related to:

Threat Assessments

Supplier Management and Supply Chain Risk

Tools and Visualization


Questions?