Attending BlackHat is something that most security professionals look forward to. It’s an opportunity to meet similar folks on both sides of the security aisle, have a drink, share stories and compare notes.
FBI at Black Hat
One presentation really stood out for me at this year’s conference: the insider threat talk by the FBI’s former CISO, Patrick Reidy. In it, Reidy describes the FBI’s approach to combating insider threats. What struck me was how closely the FBI’s analysis matches what Imperva has been saying for the past year; even the conclusions of the FBI’s own research line up with ours.
I used to look at all insider threat cases in more or less the same way. I always assumed that at one point, there would be an attempt to capture credentials or hack/use a system admin/privileged account in order to gain access to data. While CERT (CMU) would definitely agree with me on this point (see next paragraph), the FBI’s conclusions tell a different story. This makes me believe that there is a fundamental difference in cybercrime that occurs in government and non-government targets.
Interesting Findings
While CERT at CMU found that about 90% of IT sabotage cases involved system administrators, in the FBI’s cases only 0.8% of the insiders were system admins, and only 1.5% of all incidents involved the use of a privileged system administrator account.
These numbers point to a significant difference in who the at-risk privileged users are in government versus non-government organizations. The share of insider incidents originating with system admins is very high everywhere except in government. This makes sense: because employees in agencies such as the FBI must routinely have access to privileged and sensitive information, the insider in a government organization could be anyone.
Are you malicious?
One other interesting fact from Reidy’s presentation was the difficulty in uncovering malicious insiders. During the presentation, he talked about a major problem in detecting users in an organization that start out with no malicious intent, but turn in time to the dark side for money or other ulterior purposes.
I agree. It is close to impossible to monitor each employee’s connections and private affairs outside the organization, or to keep a finger on the pulse of things like personal finances and friendships, in order to gauge whether a potential problem should be flagged. This leaves ample opportunity for someone to become an insider threat or engage in espionage.
(Source: Patrick Reidy, Combating the Insider Threat at the FBI: Real World Lessons Learned – BlackHat USA 2013)
5 Lessons Learned
Reidy summarizes key lessons learned in his research with some calls to action for organizations:
1. Insider threats are not hackers
- Frame and define the threat correctly and focus on the insider threat kill chain
2. Insider threat is not a technical or “cyber security” issue alone
- Adopt a multidisciplinary “whole threat” approach
3. A good insider threat program should focus on deterrence, not detection
- Create an environment that discourages insiders by crowd sourcing security and interacting with users
4. Avoid the data overload problem
- Gather HR data and data egress/ingress logs
5. Detection of insider threats has to use behavior-based techniques
- Base detection on each user’s personal cyber baseline
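As an added illustration of lesson 5 (and of the egress logs called for in lesson 4), here is a small per-user baselining detector in Python. It is example code written for this post, not the FBI’s tooling or Imperva’s product; the log format, the user names, the byte counts, the baseline cut-off and the thresholds are all constructed assumptions. It trains one baseline per user from that user’s own history (typical egress volume and the hours at which they are active) and flags later events that break that personal pattern. A single org-wide byte limit is computed beside it to show why a global threshold either floods on a high-volume sysadmin or misses a low-volume user’s spike.

```python
"""Per-user behavioural baseline over egress logs (added example; not the
FBI's or Imperva's code). Assumed log line: "<ISO-8601 ts> <user> <bytes out>"."""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log (not real data). alice normally sends ~1 MB a day;
# bob, a sysadmin pushing backups, ~60 MB. On 8 July alice sends 48 MB at
# 02:13, while bob does his usual 59 MB at 09:00.
SAMPLE_LOG = """\
2013-07-01T09:00:00Z alice 1200000
2013-07-02T09:00:00Z alice 950000
2013-07-03T09:00:00Z alice 1100000
2013-07-04T09:00:00Z alice 1050000
2013-07-05T09:00:00Z alice 990000
2013-07-01T09:00:00Z bob 60000000
2013-07-02T09:00:00Z bob 55000000
2013-07-03T09:00:00Z bob 62000000
2013-07-04T09:00:00Z bob 58000000
2013-07-05T09:00:00Z bob 61000000
2013-07-08T02:13:00Z alice 48000000
2013-07-08T09:00:00Z bob 59000000
"""
# Assumed split: events before this instant train baselines, later ones are scored.
BASELINE_END = datetime(2013, 7, 6, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    bytes_out: int


@dataclass(frozen=True)
class Baseline:
    mean: float        # this user's typical egress volume per event
    stdev: float       # spread of that volume, floored (see build_baselines)
    hours: frozenset   # hours of day at which this user has been seen active


def parse_log(text):
    """Parse the assumed format into Event records, skipping blank/comment lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, nbytes = line.split()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(ts, user, int(nbytes)))
    return events


def build_baselines(events, baseline_end, min_events=3):
    """One baseline per user, built only from that user's own history."""
    history = defaultdict(list)
    for e in events:
        if e.ts < baseline_end:
            history[e.user].append(e)
    baselines = {}
    for user, evs in history.items():
        if len(evs) < min_events:
            continue  # too little history; score_events reports such users
        vols = [e.bytes_out for e in evs]
        mean = statistics.mean(vols)
        # Floor the spread so a perfectly regular history cannot turn any
        # deviation into an infinite z-score.
        stdev = max(statistics.stdev(vols), 0.05 * mean, 1.0)
        baselines[user] = Baseline(mean, stdev, frozenset(e.ts.hour for e in evs))
    return baselines


def score_events(events, baselines, baseline_end, z_threshold=4.0):
    """(event, reason) for post-baseline events that break the user's own pattern."""
    alerts = []
    for e in events:
        if e.ts < baseline_end:
            continue
        b = baselines.get(e.user)
        if b is None:
            alerts.append((e, "no baseline for user"))
            continue
        reasons = []
        z = (e.bytes_out - b.mean) / b.stdev
        if z > z_threshold:
            reasons.append(f"egress z={z:.1f} against personal mean {b.mean:.0f} B")
        if e.ts.hour not in b.hours:
            reasons.append(f"active at {e.ts.hour:02d}h, never seen in baseline")
        if reasons:
            alerts.append((e, "; ".join(reasons)))
    return alerts


def global_threshold_alerts(events, baseline_end, limit_bytes):
    """The naive alternative: one org-wide byte limit for everybody."""
    return [e for e in events if e.ts >= baseline_end and e.bytes_out > limit_bytes]


def detect(text=SAMPLE_LOG, baseline_end=BASELINE_END, z_threshold=4.0):
    events = parse_log(text)
    baselines = build_baselines(events, baseline_end)
    return score_events(events, baselines, baseline_end, z_threshold)


if __name__ == "__main__":
    for e, why in detect():
        print(f"ALERT {e.ts.isoformat()} {e.user}: {why}")
    evs = parse_log(SAMPLE_LOG)
    for limit in (70_000_000, 40_000_000):
        hits = [e.user for e in global_threshold_alerts(evs, BASELINE_END, limit)]
        print(f"org-wide limit {limit} B fires on: {hits}")
```

On the constructed data the per-user baseline raises exactly one alert, on alice (volume roughly 480 standard deviations above her own mean, at an hour she has never been active), and stays quiet on bob’s routine 59 MB. An org-wide limit high enough not to fire on bob (70 MB) never sees alice’s 48 MB at all, and one low enough to catch her (40 MB) also fires on bob’s ordinary backup, which is the data overload problem lesson 4 warns about.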