DTEX i3 team confirms people are the most effective insider threat sensors; identifies several other early warning indicators.
It’s been four months since Jack Teixeira was cast into the public eye for allegedly leaking national secrets online, and already the Pentagon has another insider investigation underway.
According to a Forbes exclusive published 29 July, the Pentagon is looking into a “critical compromise” of communications across 16 Air Force facilities by one of its engineers.
According to a search warrant, the engineer stole $90,000 worth of government radio technologies and had unauthorized administrator access to technologies, including possible access to FBI communications.
The warrant also details testimonials from witnesses and co-workers alluding to the engineer’s antisocial behavior; they told investigators he “sold radios and radio equipment, worked odd hours, was arrogant, frequently lied, displayed inappropriate workplace behavior and sexual harassment, had financial problems, and possessed [Arnold Air Force Base land mobile radio] equipment.”
“A colleague had twice reported him because of “insider threat indicators” and unauthorized possession of Air Force equipment, investigators said”
The engineer is also said to have had a USB drive containing administrative passwords, radio programming files belonging to the US government, and ‘confidential restricted’ installer files.
Looking at Teixeira’s case just four months earlier, there are several parallels to be drawn:
- There were early warning indicators of risk all along.
- These indicators of risk were beyond the scope of cyber; in fact, the most important indicators originated from ‘human sensors’ (a.k.a. ‘psycho-social’ sensors)
- The idiom, “See something, say something” only went so far – but not far enough.
- The most important indicators (spoiler, they’re behavioral) fell through the cracks.
- These indicators were only acknowledged after the fact (i.e., in response to the leak)
- At some point in time, there was breakdown in employee-employer loyalty.
Hindsight is Overrated
They say hindsight is a wonderful thing, but when there is clear evidence to show this could have been prevented, then who is keeping score?
Like Teixeira’s Discord leaks, this ‘critical compromise’ had all the early warning signs of an insider threat waiting to happen.
It might be a sober reality, but both data loss incidents might have been avoided altogether with the right insider risk mechanisms in place.
“See Something, Say something” – It’s Time to Do Something
“It takes a community to protect a community” – Federal Law Enforcement Training Centers
“See Something, Say Something” is a campaign that was born following the September 11 attacks. The objective is to raise public awareness of the indicators of terrorism and terrorism-related crime, as well as the importance of reporting suspicious activity to state and local law enforcement.
Since 9/11, the campaign has taken on a broader purpose, particularly in cybersecurity, with enterprise and federal entities incorporating reporting mechanisms as part of their insider risk programs.
Having robust systems and processes in place for reporting suspicious behavior, no matter how small, is extremely important in providing contextual information that can be aggregated and correlated against other data inputs. When communicated back to the business, this mechanism also fosters a culture of trust, where employees feel valued and safe in their ability to contribute to the company’s security efforts.
At the same time, the buck cannot afford to stop here – and this latest investigation is living proof.
Those leading insider risk programs or strategies must ensure there are mechanisms in place to ensure that human sensor data does not go to waste.
DTEX i3 | Putting Human Sensors to Work
DTEX i3 research shows that people are the most effective insider threat sensors. Having effective reporting programs that are tied into a universal risk score, the i3 team has uncovered a significant number of early warning indicators that have allowed enterprise organizations to mitigate an insider incident before any actual impact occurs.
“Looking at the findings of our investigations, the organizations that could ingest and correlate HR data with other sensor data were able to identify and deter insider risk faster and more successfully compared with organizations that relied on cyber or organizational data,” said Armaan Mahbod, Director, i3 Security and Business Intelligence at DTEX.
This latest Pentagon case is another example that demonstrates the power of psycho-social sensors.
“The human employee is a critical sensor that can play a major part in organizational security. As this latest Pentagon case shows, the individual’s antisocial behavior was clearly unconventional to the corporate culture because it had been reported as being suspicious.”
Other early warning indicators observed by DTEX i3 include:
Unauthorized administrative access: “In many cases, the abuse of privileged access is associated with non-malicious activities (such as pirated media), but in some cases, we have seen individuals abuse credentials for system sabotage because they are disgruntled with leadership or other organizational changes. We have also seen several cases where administrators were identified utilizing credentials that should have been discontinued,” Mahbod says.
“DTEX i3 recommends organizations monitor and review all activities related to admin accounts within the organization. Businesses should also make sure they have clear expected use policies and ensure those policies are communicated to employees.”
Transfers from unauthorized removable devices: DTEX i3 research has linked at least 40% of USB storage and transfers with password files. This opens the door to external threat actors, for example if an application has a backdoor to exploit. There’s also the risk that the insider will transfer files for malicious gain.
Executing portable applications: The research has also found that at least 60% of organizations have one or more individuals that execute portable applications either from their corporate device or an unauthorized removable device. “Often this the employee is trying to do their job more effectively, but we have seen cases of malicious intent,” says Mahbod.
To learn more about the common early warning indicators associated with insider threats, download the DTEX i3 2023 Insider Risk Investigations Report.
The Big Picture: Quantifying and Actioning Risk
When the data is out, it’s out. But there are steps organizations and government entities can take to be less reactive and more proactive:
- Address motivation by fostering a trusted workforce underpinned by bidirectional loyalty. When employees feel trusted, respected, protected, and valued, they shift from a place from needing to contribute to wanting to contribute – this translates to cybersecurity, too.
- Capture only the data that matters to accurately identify and quantify insider risks. This includes data inputs across human, cyber, physical and organizational sensors. Think less white noise, and more meaningful data (i.e., ‘actionable’ data) to stop genuine risks from falling through the cracks.
- Have robust mechanisms in place to provide reporting of suspicious behavior and processes for actioning that information through aggregation and correlation of other data.
Many indicators for insider risk look weak or harmless in isolation. It’s only when multiple pieces of the puzzle come together do they form a complete picture.
It is only by understanding this big picture, left of boom, will organizations stand a chance at preventing incidents of critical comprise or data loss.