Breaking Down the Insider Threat Identification

Threatswitch Team
June 27, 2016

At the heart of any Insider Threat Program is this essential question: How do we identify who is an insider threat or is at risk of becoming one?

An organization can tighten processes, establish policies, put in additional safeguards, enforce separation of duties, etc. But in the end, if a malicious insider is determined, he or she can figure out an organization’s vulnerabilities and exploit them. Preventative measures can only take you so far and if you overdo them, you risk making your current business operations so inefficient that you nullify the benefit of your added security. What organizations really want is a capability that can identify (predict and/or detect) an insider threat.

The application of predictive analytics towards the identification of insider threats is an emerging field of study. No one has claimed a complete solution yet, if such a thing exists at all. Data scientists have attempted to approach the problem at various levels of depth and at different points in the lifecycle of an insider threat:

  • Predicting the likelihood that someone will become an insider threat

One tactic is to construct models that attempt to quantify various environmental “stressors” that behavioral scientists believe can cause a person to engage in insider threat activity. In these types of models, researchers attempt to capture personality factors, behavioral abnormalities, life events, psychological trauma, job issues, financial vulnerability, etc. The assumption here is that potential insider threats can be profiled and display certain measurable behaviors and characteristics that are statistically separable from the larger population of normal employees. This approach takes a wide view of the insider threat problem and attempts to identify potential insider threats before they do anything that is detrimental to the organization whether it is workplace violence, espionage, or sabotage.

  • Predicting the likelihood that a pattern of workplace activity may be a precursor to insider threat

The bulk of the analysis here circles around observable employee behavior and individual user activity while at work. A predictive model is targeted towards identifying normal and abnormal workplace behavior rather than attempting to build a psychological profile. Insider threats are typically defined not by one ill-conceived move or naïve mistake, but rather by a collection of incidents and behaviors that together point to an employee as a potential insider threat. Ask are they deviating from normal behavior in their role? Are they working hours that are out of sync with their team or their regular schedule? Is data monitoring recording a high degree of data movement going through their system? Taken on the whole, these might collectively point to a need to investigate more closely.

  • Predicting the likelihood that a potential insider threat is committing espionage

Some of the more promising research reduces down the problem space towards identifying and analyzing indicators of data exfiltration. Such an insider would go through a sequence of suspicious actions that are precursors to data exfiltration. He/she would explore data stores and systems, analyze these sources for interesting information, collect that information (often using tools on their own machine: excel sheet, notepad, SharePoint), and prepare that information for removal (if they're on a closed network, they may consolidate desired data and piggyback it as a package on top of data extraction for legitimate business purposes). Also, the insider would presumably be very interested in an organization's security infrastructure and would likely probe updates to security software settings and monitoring capabilities.

The difference between the above approaches is really at the level of granularity that researchers decide to tackle the insider threat problem. A true solution would ideally encompass all three avenues in a tiered analytics approach. For example, an Insider Threat Data Exfiltration model’s outputs could feed into an Insider Threat Workplace Activity model whose outputs could feed into the Insider Threat Behavioral Stressors model:


In the end, it is extremely difficult if not impossible to accurately determine the one person who might be a real insider threat amongst a sea of honest employees. The key is to make an assessment to investigate for insider threat based on the employee as a whole, the collection of their actions and behaviors and what incidents may be raising a red flag. Ultimately, making the call is not about effectively determining who is an insider threat, but who is most likely to be one, based on all the information that is available. To really know for sure, an organization should consider setting up an internal “Honeypot” (essentially a trap for a suspected insider threat) that will leave no doubt of someone’s malicious intent. There is budding research on how to setup such a trap but that is a topic for another blog….

Keep Reading

Posts by Topic

Subscribe to our