John Wetzel
Mar 24 17 tweets 6 min read
So how do you *prevent* #insider threats?
Short answer is you don’t
Long answer is you spend a lot of money…and still don’t

But you CAN monitor, identify, and react to insiders and insider-like threats #lapsus$
(🧵)
I worked counterintelligence from 2003 to 2016 with US military and civilian agencies. In that time, I investigated, taught, and helped build insider threat programs. One big lesson learned: insider threats are usually caught from the outside. But how?
Because insider threat *always* has an external nexus. Whether it’s a foreign gov, LAPSUS$, or even a reporter looking for a scoop, there’s always an external actor washingtonpost.com/national-secur…
So to catch an insider, you watch the outside actor. This sounds contrarian, but actually makes a lot of sense when you think about security and behavior.
See, insiders have routine access to all they need, at least at first. And if you look at former cases, you’ll notice a pattern: the insiders only get caught once they do something destructive or once they expand outside their natural access
For security, this means that you aren’t looking for insiders—they’re acting within their established “norm” of behavior. Your monitoring is actually looking for the *change* in that behavior, once the insider starts being more aggressive.
Short aside: once, a BIG ORG was trying to set up tighter behavior controls. So they thought ‘let’s start with what everyone knows is banned: porn at work.’ So they set up monitoring for that. Immediate alarms 🚨. Porn everywhere.
Turns out a big % of engineering had porn on their system. Sure, HR could have fired them, but that would have jeopardized their ability to support their contracts. So: one massive re-education program and 11 months later: no insiders but they had porn controls now!
So how do you monitor for insiders? Well the best approach is a combo of *external* monitoring and *internal* coordination. In a past post, I talked about some of the tactics, including improving employee happiness and external identity monitoring. Let’s talk about coordination
Coord. is key because insiders are people, not just network users. Look for people who do wrong in different ways. Do you know which users have HR violations? What about excess expenses on corp credit cards? People who bend policy in one area are more likely to break it in another.
Partner with HR, finance, physical security, legal. This won’t always be easy—legal compliance may restrict what certain parties can share, something you should be familiar with if you’ve ever dealt with outside IR firms via legal. But those relationships are key
Outside partnerships with security and law enforcement are helpful as well. Know your compliance—US defense contractors have to report “suspicious activity” to gov agencies. They may also have other info that can be helpful. Better to work with them ahead of time.
A note on reporting programs: these can be useful, but aren’t a first step. Fostering a security culture and educating are way more critical. If people view security as the folks who bring donuts to monthly standups, you’re a lot more likely to get reporting anyhow.
And last note: DON’T be creepy. The first thing I hear orgs want to monitor is social media accts. Don’t. First, it’s creepy and destroys trust, which is critical to security. Second, it’s an absolute nightmare of false positives, false negatives, and noise.
Hope this is helpful. I work at @recordedfuture where I work with orgs on insider threat, threat intel, and security. Come there or painlesscyber.com where I post blogs and make goofy security videos.
And this coming Monday (3/28) I’ll be talking insider threats with @Laughing_Mantis on @ShivaSMaharaj’s podcast amplifiedandintensified.com
PS: if you want to learn more, @LisaForteUK is an insider threats guru. @code42 is an insider threat org that had an actual insider and wrote about it. And I wrote a white paper a while ago for FS-ISAC painlesscyber.com/blog/white-pap…
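The thread's core monitoring idea, as an added example that is not part of the thread or the author's work: a small Python baseline check over a constructed access log that flags resources a user starts touching outside their established norm (the "change" in behavior rather than the norm itself), then uses constructed HR/finance flags from partner teams to rank who to look at first. All users, resources, dates and flags are made up.

```python
from collections import defaultdict
from datetime import date

# Constructed access log, not real data: (user, day, resource touched).
ACCESS_LOG = [
    ("alice", date(2022, 3, 1), "repo:billing"),
    ("alice", date(2022, 3, 3), "share:finance-q1"),
    ("alice", date(2022, 3, 20), "repo:billing"),
    ("bob", date(2022, 3, 1), "repo:frontend"),
    ("bob", date(2022, 3, 2), "repo:frontend"),
    ("bob", date(2022, 3, 20), "repo:frontend"),
    ("bob", date(2022, 3, 21), "share:hr-salaries"),
    ("bob", date(2022, 3, 22), "repo:billing"),
    ("bob", date(2022, 3, 22), "share:customer-export"),
]
# Constructed signals shared by partner teams (HR, finance), the thread's
# "people who bend policy in one area" point. Empty set = nothing reported.
PARTNER_FLAGS = {"alice": set(), "bob": {"hr_violation"}}
# Everything before this date is treated as the established norm (constructed).
CUTOFF = date(2022, 3, 15)


def baseline(log, cutoff):
    """Each user's established norm: resources touched before the cutoff date."""
    norm = defaultdict(set)
    for user, day, resource in log:
        if day < cutoff:
            norm[user].add(resource)
    return norm


def expansion(log, cutoff):
    """Resources touched on/after the cutoff that are outside the user's baseline.
    Activity inside the norm is deliberately ignored: we look for the change."""
    norm = baseline(log, cutoff)
    new = defaultdict(set)
    for user, day, resource in log:
        if day >= cutoff and resource not in norm[user]:
            new[user].add(resource)
    return new


def prioritize(log, cutoff, flags):
    """Rank users by access expansion plus partner flags; quiet users drop out."""
    new = expansion(log, cutoff)
    ranked = []
    for user in sorted(set(new) | set(flags)):
        added, reported = sorted(new[user]), sorted(flags.get(user, ()))
        score = len(added) + len(reported)
        if score:
            ranked.append((user, score, added, reported))
    return sorted(ranked, key=lambda r: -r[1])
```

Alice keeps working inside her norm and never surfaces; Bob surfaces because he expands into three new resources and HR has already flagged him.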