So how do you *prevent* #insider threats?
Short answer is you don’t
Long answer is you spend a lot of money…and still don’t
But you CAN monitor, identify, and react to insiders and insider-like threats #lapsus$
(🧵)
Short answer is you don’t
Long answer is you spend a lot of money…and still don’t
But you CAN monitor, identify, and react to insiders and insider-like threats #lapsus$
(🧵)
https://twitter.com/haroonmeer/status/1506933763808403459
I worked counterintelligence from 2003 to 2016 with US military and civilian agencies. In that time, I investigated, taught, and helped build insider threat programs. One big lesson learned: insider threats are usually caught from the outside. But how?
Because insider threat *always* has an external nexus. Whether it’s a foreign gov, LAPSUS$, or even a reporter looking for a scoop, there’s always an external actor washingtonpost.com/national-secur…
So you to catch an insider, you watch the outside actor. This sounds contrarian, but actually makes a lot of sense when you think about security and behavior 
See, insiders have routine access to all they need, at least at first. And if you look at former cases, you’ll notice a pattern: the insiders only get caught once they do something destructive or once they expand outside their natural access
For security, this means that you aren’t looking for insiders—they’re acting within their established “norm” of behavior. Your monitoring is actually looking for the *change* in that behavior, once the insider starts being more aggressive.
Short aside: once, a BIG ORG was trying to setup tighter behavior controls. So they thought ‘let’s start with what everyone knows is banned: porn at work. So they setup monitoring for that. Immediate alarms 🚨. Porn everywhere
Turns out a big % of engineering had porn on their system. Sure, HR could have fired them, but that would have jeopardized their ability to support their contracts. So: one massive re-education program and 11 months later: no insiders but they had porn controls now!
So how do you monitor for insiders? Well the best approach is a combo of *external* monitoring and *internal* coordination. In a past post, I talked about some of the tactics, including improving employee happiness and external identity monitoring. Let’s talk about coordination
https://twitter.com/johnwetzel/status/1505886350532386817
Coord. is key because insiders are people, not just network users. Look for people who do wrong in different ways. Do you know which users have HR violations? What about excess expenses on corp credit cards? People who bend policy in one area are more likely break it in another
Partner with HR, finance, physical security, legal. This won’t always be easy—legal compliance may restrict what certain parties can share, something you should be familiar with if you’ve ever dealt with outside IR firms via legal. But those relationships are key
Outside partnerships with security and law enforcement is helpful as well. Know your compliance—US defense contractors have to report “suspicious activity” to gov agencies. They may also have other info that can be helpful. Better to work with them ahead of time.
A note on reporting programs: these can be useful, but aren’t a first step. Fostering a security culture and educating are way more critical. If ppl view security as the folks who bring donuts to monthly standups, you’re a lot more likely to get reporting anyhow
And last note: DON’T be creepy. The first thing I hear orgs want to monitor is social media accts. Don’t. First, it’s creepy and destroys trust, which is critical to security. Second, it’s an absolute nightmare of false positives, false negatives, and noise.
Hope this is helpful. I work at @recordedfuture where I work with orgs on insider threat, threat intel, and security. Come there or painlesscyber.com where I post blogs and make goofy security videos.
And this coming Monday (3/28) I’ll be talking insider threats with @Laughing_Mantis on @ShivaSMaharaj’s podcast amplifiedandintensified.com
PS: if you want to learn more, @LisaForteUK is an insider threats guru. @code42 is an insider threat org that had an actual insider and wrote about it. And I wrote a white paper a while ago for FS-ISAC painlesscyber.com/blog/white-pap…
• • •
Missing some Tweet in this thread? You can try to
force a refresh
