A Field Guide to Insider Threat Helps Manage the Risk
Session HUM-T10R
Tim Casey, Senior Strategic Risk Analyst, Intel Corp.
How do you think of insider threat?
The problem is becoming more complex
(Logos and trademarks are the property of their respective owners)
The Field Guide to Insider Threat
Threat agents: Reckless Insider; Untrained/Distracted Insider; Outward Sympathizer; Vendor; Partner; Irrational Individual; Thief; Disgruntled Insider; Activist; Terrorist; Organized Crime; Competitor; Nation State
Attack types: Accidental leak; Espionage; Financial fraud; Misuse; Opportunistic data theft; Physical theft; Product alteration; Sabotage; Violence
Characterizing Insider Threat
Definitions
Insider Threat is the potential for a current or former employee, contractor, or business partner to accidentally or maliciously misuse their trusted access to harm the organization’s employees and customers, assets, or reputation.
A Threat Agent is a representative class of people who can harm an organization, intentionally or accidentally, and who are identified by their unique characteristics and behaviors.
Insider Threat Agents
Non-Hostile: Reckless Insider; Outward Sympathizer; Untrained/Distracted Insider
Hostile/Non-Hostile: Partner; Supplier
Hostile: Activist; Competitor; Disgruntled Insider; Irrational Individual; Nation State; Organized Crime; Terrorist; Thief
Slide callout: New!
Attack Types
Accidental leak; Espionage; Financial fraud; Misuse; Opportunistic data theft; Physical theft; Product alteration; Sabotage; Violence
Slide callouts: Ooops; IP & Data Loss; Ongoing, targeted IP extraction; Exiting employees
Threat-Consequence Vector Matrix
[Matrix figure. Columns, threat agents grouped by intent: Non-Hostile (Reckless Insider, Untrained/Distracted Insider, Outward Sympathizer); Non-Hostile/Hostile (Vendor, Partner); Hostile (Irrational Individual, Thief, Disgruntled Insider, Activist, Terrorist, Organized Crime, Competitor, Nation State). Rows, attack types: Accidental leak, Espionage, Financial fraud, Misuse, Opportunistic data theft, Physical theft, Product alteration, Sabotage, Violence.]
Analysis by Intel’s Threat Agent Analysis Group
Applying the Field Guide
Demonstrate the scope of the problem
[Matrix figure: threat agents grouped by intent (Non-Hostile, Non-Hostile/Hostile, Hostile) across the top; attack types down the side.]
60 separate Insider Threat vectors – Are you prepared for all of them?
Prioritizing Protection to Optimize Resources
Food Manufacturer (example): Accidental leak; Espionage; Financial fraud; Misuse; Opportunistic data theft; Physical theft; Product alteration; Sabotage; Violence
[Matrix figure: threat agents grouped by intent (Non-Hostile, Non-Hostile/Hostile, Hostile) across the top; attack types down the side.]
Prioritizing Protection to Optimize Resources
Food Manufacturer (example): Accidental leak; Espionage; Financial fraud; Misuse; Opportunistic data theft; Physical theft; Violence
Set apart on the slide: Product alteration; Sabotage
[Matrix figure: threat agents grouped by intent (Non-Hostile, Non-Hostile/Hostile, Hostile) across the top; attack types down the side.]
Minimize the Threat
Agents called out: Untrained/Distracted Insider; Irrational Individual
[Matrix figure: threat agents grouped by intent (Non-Hostile, Non-Hostile/Hostile, Hostile) across the top; attack types down the side.]
Provide context for your data
Example incidents: $15M in lawsuits; Lost market lead in key product; 2-day factory downtime; 3% annual shrinkage
[Matrix figure: threat agents grouped by intent (Non-Hostile, Non-Hostile/Hostile, Hostile) across the top; attack types down the side.]
Customize for your threat landscape
The model is open-ended and you can extend & tailor it to your environment.
How the Guide Can Help You
Having a Field Guide helps you manage risk by:
- Establishing a common framework and language for managing insider threat throughout the organization and community
- Prioritizing threats and optimizing the use of limited resources
- Identifying threats for mitigation
A framework to describe and manage your unique threat landscape
Applying the Field Guide in Your Organization
Short term:
- Share the Guide with key stakeholders to inform them of the problem scope and enlist them in your team
- Assess your particular threats and controls against the Field Guide to ensure you are managing your most dangerous insider risks
Medium term:
- Modify the model to reflect your situation and priorities
Long term:
- Use the Guide to regularly re-assess your overall insider threat landscape
Resources
- Intel Field Guide to Insider Threat: http://ow.ly/CLux308vUbP
- Intel Threat Agent Analysis: https://communities.intel.com/docs/DOC-23914 and https://communities.intel.com/docs/DOC-1151
- Improving Healthcare Risk Assessments to Maximize Security Budgets (how to tailor the model for your environment): http://ow.ly/1W2H308vUfx
- CERT Insider Threat Center: https://www.cert.org/insider-threat
We actively engage with fellow travelers utilizing Threat Agent Analysis related to:
- Threat Assessments
- Supplier Management and Supply Chain Risk
- Tools and Visualization
Questions?