Insider threats are a problem as old as time. So, why are we still not so great at dealing with them?
Or, more to the point, why does the security industry's methodology for identifying insiders seem so much less developed than the frameworks it has built for other areas of security?
So, when MITRE’s Chief Scientist for Insider Threats Capabilities Dr. Deanna Caputo spoke about the launch of a new framework for insider threats in a
Speaking to Dr. Caputo, the first point that stuck out was that this new framework was not replacing a previous one. It was the first of its kind to address a growing concern.
Insider threats have been on the rise for a while. In 2023, the Verizon Data Breach Investigations Report (DBIR) found that insiders were responsible for 19% of incidents.
But long before this report, in 2018, the team at MITRE received a request from a large financial organization to start compiling data about insider threats and to create a framework that would help defenders do a better job of catching them.
Dr. Caputo notes that there is plenty of research out there on insider threats, focused primarily on the technical or psychological components of the issue. But much of what we know about incidents is based on anecdotal cases and is not really data-driven.
“We have great sensoring, meaning we can see everything you do on your computer,” she says, noting the expanding set of risk-detection tools now being adopted by security teams. “But that doesn't mean we know what the risk or even the threat looks like. So we're finding them but kind of tripping over them when it’s too late. Instead, we want to find them before the big harm has been done. And the data is out there.”
Unfortunately though, this data was not being collected and analyzed in a single project where it could be operationalized. This is where Dr. Caputo and her team understood that they could play a role in creating a framework that would look at the full range of risk factors and actions to provide security teams with a better approach to tackling the problem.
After some delays from Covid, late last year Dr. Caputo’s team restarted their outreach to the industry to have them confidentially send in their confirmed insider threat incidents for them to study. This included both cases of malicious actors as well as those unintentional actions which could be classified as errors on the part of insiders.
While collecting data for problem-solving is generally a good thing, the question of who exactly this framework is meant to serve was a bit puzzling.
After all, we already have MITRE’s ATT&CK and D3FEND frameworks. So why are they making another one?
Dr. Caputo answers that as the insider threat space matures, there is a need for a framework that organizations can use as a benchmark for how they are dealing with the challenges.
“Executives are expecting them to see things but the problem is that the signs are not obvious enough,” she says.
There is also a considerable need for direction when it comes to how to prioritize indicators in assessing insider threats.
She points to the fact that many organizations now have a dedicated person whose role is specifically to handle insider threats as a positive development. This matters because the job cannot be left to individuals from infosec, the SOC, or HR alone, she says, while noting that it is still a team sport.
The idea is instead to have someone who sees the whole picture across every component of the threat and can really connect the dots.
And that requires taking an approach that takes all the factors into account and questions some of our old assumptions about what an insider threat looks like.
Along with the attempt to become a central repository for insider threat data, Dr. Caputo says that her team is looking to make this research different by collecting both the technical cyber data as well as many of the more human psychological factors.
Catching insider threats is a fairly difficult endeavor. She makes the point that the risk is not necessarily identifiable from any one action, or even from a single instance of rule-breaking.
Moreover, unlike a ransomware attack or terrorism, there is no “boom” moment where we know that the attack has occurred.
A smart malicious actor will keep their head down and do what they need to in order to steal information over the long run without getting caught. If we are only looking at specific actions through our own silos of visibility, then we are probably going to miss significant signals.
Part of the work means reassessing misconceptions.
“We spend too much time on bad things happening in people's lives and we don't account for the risk that good things cause,” says Dr. Caputo. “Humans are never perfect and our judgment is degraded by a lot of things like lack of sleep, fatigue, stress, but stress is good and bad. So the stress of getting married, the stress of buying a house, the stress of having small children all have an equal impact on your decision making. Even though they're very happy things.”
“I think programs are slowly starting to see that we're not just waiting for bad things that happen to our employees,” she says, explaining that, “We need just to account for their whole being, which might mean that good things are overwhelming them. And that sounds so odd. But it's true. It's not that something really bad happened and they decided to do bad things. It's just not that simple.”
There is also the matter of perspective. Dr. Caputo uses the example of financial factors in insider threat activity.
“It’s not about debt,” she says. “The number of insiders for small amounts of money is more about how much that money matters to them. It centers more on how much your debt matters to you and how much do you feel you need to have. Think about financial strain and stress when assessing who is likely to be recruited.”
The challenge here though is in how to identify the likely recruits and their associated indicators. “We’ll find more about how to identify it in the framework,” she says.
The good news, says Dr. Caputo, is that organizations are getting better at some aspects of the fight against insider threats.
Funding for investing both in people and tools appears to be improving, says Dr. Caputo. While there is room for improvement in dealing with issues like false positives and knowing which indicators are the right ones, she says that organizations are doing much better at having more sensors out there for visibility and to collect relevant information.
Alongside the positive movement that we are seeing, there is always an opportunity to improve.
Dr. Caputo takes a human-centric approach and offers a couple of tips to consider.
“There’s the misconception that if an employee makes a mistake, that's negligence, but that's not right,” says Dr. Caputo. “If we keep talking about them being negligent, all of our human sensors are going to stop caring, or trying.”
If we want our employees to be part of a “human firewall” that helps by identifying issues and making the effort to do things right, then avoid treating them like anything less than human adults who will make mistakes here and there.
“You have to expect errors and mistakes, genuine human mistakes,” she says.
“We get outsmarted a lot and our adversaries are constantly changing their human social engineering,” says Dr. Caputo, who has begun referring to new methods of tricking humans as “zero-day social engineering” because the term resonates with her technical colleagues.
Just as you would not shame a technical person for not catching a classic zero-day vulnerability, we need to cut our teams some slack when a clever attacker uses an innovative and new idea to get past our defenses.
Turning a misconception on its head, Dr. Caputo is a firm believer that your people are your strongest defense.
Technology will only get us so far. Think about the phishing emails that make it past the filter as a prime example. When one does, how are we empowering our people to identify it and send it on to security?
The same concept holds true for insider threats. Technology will help us pick up tons of valuable signals like exfiltration or accessing sensitive data, but it is often the human referrals of suspicious activity that will help us to fill in the whole picture and identify a threat.
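The point about silos of visibility and about human referrals feeding the same picture as the technical sensors can be made concrete in code. The following is an added illustration, not code from the article or from MITRE's framework: it correlates weak signals from several constructed sources (file access, DLP, an HR referral, badge data) per user over a sliding window, and escalates only when the combined weight is high and several independent sources agree. The event format, source names, weights, window and thresholds are all assumptions made up for this example.

```python
"""Correlating weak insider-risk signals across silos (added example).

Event records, source names, weights and thresholds below are constructed for
illustration; a real program would tune them against its own data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. For u1042 each silo alone sees only one weak
# signal; u2077 triggers repeated alerts, but all from a single silo.
EVENTS = [
    {"ts": "2024-03-04T09:12:00", "user": "u1042", "source": "file_access",
     "signal": "sensitive_share_read", "weight": 1},
    {"ts": "2024-03-05T18:40:00", "user": "u1042", "source": "dlp",
     "signal": "bulk_copy_removable_media", "weight": 2},
    {"ts": "2024-03-06T08:05:00", "user": "u1042", "source": "hr_referral",
     "signal": "colleague_concern_reported", "weight": 2},
    {"ts": "2024-03-06T22:15:00", "user": "u1042", "source": "badge",
     "signal": "after_hours_entry", "weight": 1},
    {"ts": "2024-03-04T10:00:00", "user": "u2077", "source": "dlp",
     "signal": "bulk_copy_removable_media", "weight": 2},
    {"ts": "2024-03-05T10:00:00", "user": "u2077", "source": "dlp",
     "signal": "bulk_copy_removable_media", "weight": 2},
    {"ts": "2024-03-06T10:00:00", "user": "u2077", "source": "dlp",
     "signal": "bulk_copy_removable_media", "weight": 2},
]

WINDOW = timedelta(days=7)   # correlation window (constructed)
SCORE_THRESHOLD = 5          # combined weight needed to act (constructed)
MIN_SOURCES = 3              # independent silos that must agree (constructed)


def _parse(events):
    """Attach a datetime to each event and sort chronologically."""
    parsed = [dict(e, when=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(parsed, key=lambda e: e["when"])


def silo_view(events, source):
    """What a single silo sees on its own: per-user weight sum of its events."""
    totals = defaultdict(int)
    for e in events:
        if e["source"] == source:
            totals[e["user"]] += e["weight"]
    return dict(totals)


def correlate(events, window=WINDOW, threshold=SCORE_THRESHOLD,
              min_sources=MIN_SOURCES):
    """Per user, score the highest-weight sliding window across all silos.

    decision is 'escalate' when the combined weight reaches the threshold AND
    at least min_sources independent silos contributed; 'review' when the
    weight is high but comes from fewer silos (repeat alerts from one sensor
    usually mean noise or a tuning problem, not corroboration); else 'none'.
    """
    by_user = defaultdict(list)
    for e in _parse(events):
        by_user[e["user"]].append(e)

    results = {}
    for user, evs in by_user.items():
        best = {"score": 0, "sources": set(), "signals": []}
        for end in evs:  # every event is a candidate window end
            in_window = [e for e in evs
                         if end["when"] - window < e["when"] <= end["when"]]
            score = sum(e["weight"] for e in in_window)
            if score > best["score"]:
                best = {"score": score,
                        "sources": {e["source"] for e in in_window},
                        "signals": [e["signal"] for e in in_window]}
        if best["score"] >= threshold and len(best["sources"]) >= min_sources:
            decision = "escalate"
        elif best["score"] >= threshold:
            decision = "review"
        else:
            decision = "none"
        results[user] = dict(best, decision=decision)
    return results


if __name__ == "__main__":
    for user, r in correlate(EVENTS).items():
        print(user, r["decision"], r["score"], sorted(r["sources"]))
    print("dlp silo alone:", silo_view(EVENTS, "dlp"))
```

Run on the constructed events, the DLP silo alone rates u2077 (6) far above u1042 (2), which is the inverse of what the cross-silo view concludes: u1042 is escalated because four independent sources, including a colleague's referral, line up within the window, while u2077's repeated single-sensor alerts are routed to review rather than treated as a corroborated case. The `hr_referral` source is the hook by which a human report enters the same pipeline as the technical sensors.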
At this point, there is no set date for the framework's release. Dr. Caputo hopes that it might be available at the end of 2024, but says that it is a slow process.
For now, the focus is on collecting quality data, relying on the early adopters to help them get to some findings. It will need time to improve as more organizations join them and share their data.
Dr. Caputo hopes that more organizations will take part in the effort. “No amount of data is too little to participate in this,” she says, adding that, “This can’t be done without help from the community.”
The benefit for those who share data is that they will see more of the findings sooner, learn more about themselves earlier, and have an impact on the way the framework is shaped.
Insider threat leaders can advocate for sharing their data with MITRE, noting that pooling efforts across vendors and customers advances the community's understanding of insider threat issues.
“This gives a way to make more data-driven decisions,” she says. “Don’t underestimate the willingness to have different departments participate because they will see gains as well.”