The Mind of the Inside Attacker
Cyberattacks are a persistent problem for nearly every enterprise. If a company has not yet faced one, it is only a matter of time until they do. Big, small and in-between, all companies possess data that may be worth something to someone else — and thus worth stealing.
Much of the focus has been on external attackers. Indeed, they do pose a significant threat. But inside attackers are a concern as well. Data on how much of a threat they pose is inconsistent. Verizon’s 2022 Data Breach Investigations Report says that around 18% of data breaches are attributable to insider activity.
Data from the previous decade suggests an even greater threat. A report from 2010 by Verizon and the US Secret Service found that up to 49% had been committed by insiders. A 2013 report from Clearswift revealed that 58% of survey respondents believed that their security incidents were the result of insider activity.
These differences are at least partially attributable to varying definitions of insider threats. Research methodologies and sample sizes vary as well. And companies have likely become more attentive to this risk. Regardless of the percentage, costs are hardly inconsequential. A Ponemon Institute report found that the average cost of an insider attack was $15.4 million — and in the case of criminal insider activity, $4.1 million.
Even as monitoring of insider activity increases, it has not eliminated the possibility that trusted employees may play a role in leaking data.
They certainly have the means: access, credentials, knowledge of how the systems that manage data are designed. One study found that 74% of its survey respondents believed they would be able to access protected data and 35% said that they had accessed data without permission. And they often have motive as well. Poorly treated employees, given the right set of circumstances, may have little compunction about exfiltrating data to even the score.
Further, the diminished risk may have again increased in light of the new working environment. A 2021 report by Code42 and the Ponemon Institute suggests that employees are 85% more likely to leak data than they were prior to the COVID-19 pandemic. And a Carnegie Mellon study indicates that trade secrets are the top targets, followed by source code, proprietary software, and customer information.
All of this indicates an urgent need to identify and neutralize the potential for employees and contractors to perpetrate these attacks. A lively array of literature has attempted to profile the types of employees who are most likely to do so and the situations that are most conducive to these activities.
Dan Costa, technical manager of enterprise threat and vulnerability management at the Carnegie Mellon University Software Engineering Institute; Rajan Koo, CTO of DTEX Systems; Khester Kendrick, assistant professor of practice at the College of Applied Science & Technology at the University of Arizona; and Frank L. Greitzer, president and principal scientist at PsyberAnalytix, discuss how to react when the threat is coming from inside the house — and how to make sure bad actors don’t intrude in the first place.
Types of Insider Threat
The CERT National Insider Threat Center (NITC) at Carnegie Mellon’s Software Engineering Institute defines a malicious insider as “a current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.”
A rough categorization of insider threats has emerged, starting with their roles in the company. While some are permanent employees, others may be part-time or work in contractor roles that nonetheless afford them access to proprietary data. While many insider attacks are motivated by personal spite or revenge, it has become increasingly common for moles to be placed within an organization with the explicit goal of accessing data.
Their activities have been broken down by the NITC into espionage, fraud, information technology sabotage and intellectual property (IP) theft.
In the case of espionage, the insider is usually working with a foreign entity to exfiltrate sensitive information that could be used to the benefit of that entity. They are typically low-level male employees of foreign extraction who voluntarily collect this information — that is, they are not induced by outside actors.
Fraudsters obtain personal information available through their professional activities and typically use it to commit financial crimes — using credit card numbers and other identifying information to make purchases, for example. They may be male or female and often have little technical expertise. That is, they are not IT types with sophisticated ability to extract information.
Saboteurs work for a variety of purposes, either personally or financially motivated, to cause damage to systems or destroy valuable data. They are most often male former employees who use their technological skills following termination or exit from their role.
And IP thieves usually steal information purely for financial or professional gain — the theft is typically devoid of any moral or political motivation. They are usually technically skilled males in their late 30s who use their authorized access to obtain sensitive information which they then sell to the highest bidder. Three-quarters of known IP thieves were authorized to access the data they stole. They are usually on the way out the door or have already left — some 65% have new jobs lined up.
Psychological Profile of the Inside Attacker
A number of commonalities have emerged in studying the personality types of people who commit insider attacks. Many appear to possess traits typical of the Dark Triad — a set of pathological personality traits that includes narcissism, psychopathy, and Machiavellianism.
Narcissists tend toward grandiose displays of self-promotion and are profoundly entitled. They are often domineering and controlling. Psychopaths tend to be cold and impulsive. They often seek excitement with little regard to the consequences. And people with Machiavellian traits are highly manipulative and largely concerned with advancing their own interests. Lack of empathy and entitlement in particular appear to be common characteristics of inside attackers.
These traits overlap and they often present in a subclinical fashion — that is, someone with narcissistic traits might not necessarily be diagnosed as having narcissistic personality disorder. But the behavior resulting from their tendencies may nonetheless be damaging to those around them — and to the companies they work for.
In some cases, these personality qualities emanate from the top. Narcissistic managers may tend to hire people who share those qualities or reinforce those qualities in themselves. While they may not pose a direct insider threat, their warped view of appealing qualities in prospective hires may lead them to create a culture in which insider threats are more likely.
Inside attackers also demonstrate a distinct set of variations in what is called the Big 5 — a set of personality traits that includes neuroticism, conscientiousness, openness, extraversion, and agreeability. All of the Dark Triad types tend to be low in agreeability, meaning that they can be unpleasant in interpersonal interactions due to their prioritization of self-interest. Psychopaths are very low in neuroticism — they are not easily aroused by negative stimuli and are thus capable of committing unethical and illegal acts without appearing nervous or suspicious. Both people with psychopathic and Machiavellian tendencies are low in conscientiousness, meaning that they may not care much about meeting their professional responsibilities.
Lower agreeableness and conscientiousness, along with higher neuroticism, appear to align with the general profile of the inside attacker. So do self-interest and the pursuit of excitement. Some of these findings are contradictory — psychopaths are low in neuroticism, but neuroticism is typical of an inside attacker. These seemingly paradoxical qualities indicate that a broad spectrum of people are capable of committing these attacks.
Despite the obviously negative impacts of these characteristics, reports of inside attackers often characterize them as appearing normal and even charming, though displaying manipulative tendencies.
Other psychological factors can contribute to the likelihood of an insider attack too: stress, depression, and even addiction. These conditions may be primary influences or may exacerbate some of the existing personality tendencies previously referenced.
Actually detecting these factors is of course another matter entirely. “Most organizations will not be inclined to use psychological testing for privacy, legal, or other reasons. This is understandable,” Greitzer says.
Instead, he advises “increasing awareness of how to recognize certain problematic psychological issues and then sharing those concerns/observations with appropriate resources so that mitigation might be applied to reduce risks.”
Motivations of the Inside Attacker
While the personality profile of the inside attacker is relatively clear, not everyone who possesses those qualities will ultimately commit an attack. In many, if not most, cases there is a precipitating event that leads the insider to act.
The motives of corporate spies are relatively clear: They are usually compelled to act by either financial or political interest. Literature on espionage characterizes their typical motivations using the acronym MICE, which stands for money, ideology, coercion, and ego.
The motivations of other inside attackers tend to be messier and more personal. Existing personality tendencies may be exacerbated by workplace conditions or private circumstances. Unfair privileges — real or perceived — or obvious compensation disparities may lead someone already predisposed to self-interested actions and rule-breaking to actually break the rules.
These types may be further incentivized by financial or professional benefits — or by the ability to punish those they view as responsible for their situations. And personal concerns such as debt, impending layoffs, and medical conditions can be motivating factors as well.
The notion that pre-existing psychological conditions predict how these employees behave, especially under stressful conditions, aligns with the Theory of Planned Behavior. In this construction, a set of beliefs and personality qualities leads to an intention and then, potentially, the enactment of a certain behavior. Psychologists studying insider threats have interpreted intent as including motive — the actual circumstances that tip the balance from thought to action.
This conception dovetails with the capability, means and opportunity (CMO) model. Given the highly specialized skill sets of IT professionals, it warrants serious consideration. These models have been synthesized as the “critical pathway”: a combination of psychological characteristics, personal and professional context, and the ability to execute an attack — culminating in a precipitating event that concludes in the attack itself.
The dominos are all lined up: the potential attacker has control over certain data, the means to export or damage it, and a set of circumstances that makes it feasible.
How to Identify the Risk of Inside Attack
Given the complex array of factors that lead to a typical insider attack, and the lack of capability for thorough psychological testing of prospective and current employees, the tool set for detecting potential attacks is limited. According to one estimate, only 1 in 10,000 cybercriminals is caught.
“The normal hiring process that should involve background checks,” says Greitzer. “In too many cases, the hiring organization does not do a thorough background check — checking former employers, criminal record, and financial records as appropriate.”
“Whether, and how much, to examine in the applicant’s personal history is a matter of debate, and I believe that — given experiences in the recent past with leakers and with domestic terrorism — both the government and private sector need to have more serious discussions about the nature and extent of background checks,” he adds.
Researchers emphasize the need for human resources to collaborate more intimately with the staff that they serve. Devising a strategy for identifying candidates that are not only talented but also trustworthy can go a long way toward eliminating potential threats.
“We rely heavily on the mechanisms that our organizations already use to determine and establish the trustworthiness of potential candidates,” Costa says. “These are things that we’re already looking for.”
Refining human resource policy can also lead to more detailed documentation of anomalous and negative behaviors in existing employees. Post hoc analysis often finds that there were significant behavioral shifts observed in inside attackers — nearly one-third of inside attackers displayed behavior that was flagged prior to the event. Documenting these shifts can help to address pervasive personnel issues that lead to employees already predisposed to disruptive activity to commit these attacks. Patterns of employee abuse and dissatisfaction can be identified before they reach the boiling point.
“We’ve all known that one worker rides the line between ethical and unethical. Employees within a department will always know more than management or a high-level computer system would ever tell them,” Kendrick says. “So, it is important to develop a security culture that allows people to feel comfortable talking about what they see.”
When negative trends are identified, they can be addressed on a systemic or individual level. Ineffective management and pay inequities can be handled proactively. And staff who are displaying signs of struggling can be directed to outside programs to address issues such as mental health, addiction, and anger.
“Proactive interventions are good for the organization and for the workforce more broadly,” Costa says. “We’re not pre-crime, walking somebody out the door. We’re putting them in employee assistance programs.”
“The goal is to identify at-risk individuals and to help them find an ‘offramp’ from the critical pathway leading to the event so as to avoid the incident entirely, or at least to limit the damage,” adds Greitzer.
Still, keeping an eye out for employees who may have otherwise escaped notice is essential. Digital monitoring of atypical behaviors such as downloading information, accessing unauthorized or rarely used networks, and off-hours activity can be key to nabbing an attacker before they can fully execute their plan.
A Code42 study indicates that 42% of data exposure events came from removable media and 32% was due to syncing to cloud servers. Monitoring these types of activities remotely can go a long way toward mitigating insider attacks.
“It’s more effective to seek data-driven evidence across multiple sensors (cyber, physical and psychosocial) to create a comprehensive risk score that can be used to determine a proportionate resolution before an incident occurs,” Koo urges.
And Kendrick emphasizes that employees who are leaving ought to be profiled as well. “Exit interviews for employees leaving a company are also important for identifying insider threats,” he says. “These interviews should be low-stress and frank, allowing employees to speak their mind about what they’re seeing in the workplace. An employee leaving a company is often more willing to speak bluntly than someone afraid of losing their job.”
Ethics of Surveilling for Risk of Inside Attack
While protecting proprietary information is crucial, the ethics of employee surveillance are fraught with potential pitfalls. It is one thing to encourage reporting of anomalous behavior and monitoring access to information and quite another to encourage a snitch culture, which may lead employees to tattle about issues unrelated to potential threats.
“There needs to be a balance between respect, security, and privacy,” Kendrick cautions. “The worst part of this balance is there is no perfect line, no silver bullet. What one person considers reasonable another might consider an invasion of privacy.”
In addition to creating a suspicious, unpleasant work environment, an overemphasis on reporting can create static for the teams responsible for disambiguating normal workplace disruptions and situations that may lead to bigger problems for the company.
“This is a cultural issue — to increase awareness of all staff members about the contributing factors for insider risk and the benefits of a proactive program that emphasizes ‘wellness’ rather than merely taking a punitive/law enforcement approach,” Greitzter says. “This also emphasizes the fact that staff members are not the only entities that contribute to possible insider threat risk. Organizations bear responsibilities for providing a safe and secure work environment.”
There is also a legal aspect to consider — some employee monitoring, and subsequent consequences from what is discovered, may intersect with laws on discrimination. Do mental health conditions that may or may not lead to an insider attack fall under disability protections, for example? These are highly sensitive questions and there are no easy answers.
“While surveillance can have a place, it must be used judiciously to avoid unnecessary intrusion into employees’ personal lives,” Koo suggests. “Instead, organizations should adopt a more nuanced approach. They can create ‘teachable moments’ by using security incidents as opportunities for education and awareness, rather than immediately assuming malicious intent. Fostering a culture of security and trust within the workforce is paramount.”