A Department of Homeland Security Center of Excellence led by the University of Maryland

In training the next generation of scholars and practitioners, START offers its students a chance to publish their work on this blog.

Tracking the insider cyber threat

Monday, July 13, 2015

Zach Scheinerman, UWT: Behavioral Indicators of Insider Threats Intern

Movies like Live Free or Die Hard or Blackhat depict the world of cybercrime as one in which basement-dwelling geniuses can turn the world’s machines into their plaything with the click of a mouse or a few taps of the keyboard. As much as an invisible, unpredictable threat shutting down America’s power grid in the blink of an eye makes for good cinema, the vast majority of damage caused by cybercrime or cyberterrorism is far more mundane.

In general, the average hacker is seeking to steal money or data from a company. And rather than a criminal mastermind hiding out in a secret fortress somewhere, the most common threat to corporate data comes from the company’s own employees, known as “insiders.”

I am a Public Policy MA student focusing on International Security Policy here at Maryland, and this summer, before completing my master’s, I am working with the Behavioral Indicators of Insider Threats project at START.

But who are insiders? The technical definition of an insider is a person who uses his or her legitimate access to information to damage it, leak it, or otherwise handle it in an illegal or malicious manner. Most commonly, insiders are male employees between the ages of 17 and 40 who work in the Information Technology department of a given company and are tasked with managing networks and related computer systems.

Like all employees, some information workers can become disgruntled with their job, especially when they are passed over for promotion, denied a raise, or have personal problems outside of the office. But the difference between a potential insider threat and your average employee is that the insider has access to sensitive data, or at least the means of getting to it.

Terminating such an employee therefore carries with it the risk that he could use his access privileges for personal gain, so companies need to be aware of that possibility and plan for it. If the employee is fired, the following weeks or months are the most likely time for an insider attack against the computer systems of his former company. Very often companies forget to revoke the password or user login that lets the terminated employee get back into his former employer’s cyber infrastructure and wreak havoc.
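As an added illustration that is not part of the original post: a small Python check that cross-references an HR offboarding list against authentication log lines and flags any use of a terminated employee’s account in the weeks after termination. The log format, usernames, timestamps and addresses are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data, not from the original post: HR offboarding records,
# username -> termination timestamp (ISO 8601).
TERMINATED = {
    "jdoe": "2015-06-30T17:00:00",
    "asmith": "2015-05-01T17:00:00",
}

# Constructed sample authentication log in an assumed format:
# "<timestamp> <LOGIN_OK|LOGIN_FAIL> user=<name> src=<ip>".
AUTH_LOG = """\
2015-07-01T02:13:44 LOGIN_OK user=jdoe src=203.0.113.7
2015-07-01T09:00:01 LOGIN_OK user=mlee src=10.0.0.5
2015-07-02T22:41:10 LOGIN_OK user=jdoe src=203.0.113.7
2015-07-03T08:15:00 LOGIN_FAIL user=asmith src=198.51.100.9
2015-07-05T11:30:00 LOGIN_OK user=mlee src=10.0.0.5
"""

def parse_line(line):
    """Split one log line into its fields."""
    ts, result, user_field, src_field = line.split()
    return {"ts": datetime.fromisoformat(ts), "result": result,
            "user": user_field.split("=", 1)[1], "src": src_field.split("=", 1)[1]}

def find_post_termination_logins(auth_log, terminated, window_days=90):
    """One alert per auth event by a terminated account that falls after the
    termination time and within window_days of it."""
    alerts = []
    for line in auth_log.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        term = terminated.get(ev["user"])
        if term is None:
            continue  # current employee: out of scope for this check
        age = ev["ts"] - datetime.fromisoformat(term)
        if age <= timedelta(0) or age > timedelta(days=window_days):
            continue
        # A successful login means the credential was never revoked; a failed
        # one still records someone trying the old account.
        kind = "ORPHANED_CREDENTIAL_USED" if ev["result"] == "LOGIN_OK" else "ATTEMPT"
        alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(), "src": ev["src"],
                       "days_after_termination": age.days, "kind": kind})
    return alerts

def accounts_needing_revocation(alerts):
    """Terminated accounts that still authenticated successfully."""
    return sorted({a["user"] for a in alerts if a["kind"] == "ORPHANED_CREDENTIAL_USED"})
```

Feeding the real offboarding list and authentication logs into the same check turns the "forgot to remove the login" failure into a daily report of accounts that must be disabled.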

Insider threats are most commonly motivated by either a desire for money, a desire for revenge against the company that wronged them, or both. Contrary to popular expectations, as long as the insider has the access that he needs to bypass the defenses of the company’s network, the actual technical skill required to steal money, damage files or commit other forms of mischief is not great.

In other words, most cyberattacks more closely resemble the plot of Office Space than any big budget blockbuster. That being said, even a single insider attack can cause serious damage to the company he is targeting. The problem is compounded if the insider is working for a government agency or has the potential to leak sensitive or classified information.

And that is why START’s work in the cyber threat field is so important. I’m grateful to be a part of the team that analyzes insider threat literature, ultimately developing a profile of the sort of person who is most likely to carry out an attack against the company’s data, finances or products. We will then create and test hypotheses in hopes of determining the best way to spot, stop or deter insiders before they carry out their attacks against employers.