A Field Guide To Insider Threat Helps Manage The Risk: Tim Casey


#RSAC

SESSION ID: HUM-T10R

A Field Guide to Insider Threat Helps Manage the Risk

Tim Casey
Senior Strategic Risk Analyst
Intel Corp.

How do you think of insider threat?


The problem is becoming more complex

Logos and trademarks are the property of their respective owners


The Field Guide to Insider Threat

Threat agents (columns): Untrained/Distracted Insider, Reckless Insider, Outward Sympathizer, Vendor, Partner, Irrational Individual, Thief, Disgruntled Insider, Activist, Terrorist, Organized Crime, Competitor, Nation State

Attack types (rows):
• Accidental leak
• Espionage
• Financial fraud
• Misuse
• Opportunistic data theft
• Physical theft
• Product alteration
• Sabotage
• Violence

Characterizing Insider Threat



Definitions

Insider Threat is the potential for a current or former employee, contractor, or business partner to accidentally or maliciously misuse their trusted access to harm the organization’s employees and customers, assets, or reputation.

A Threat Agent is a representative class of people who can harm an organization, intentionally or accidentally, and identified by their unique characteristics and behaviors.

Insider Threat Agents

Non-Hostile:
• Reckless Insider
• Outward Sympathizer
• Untrained/Distracted Insider

Non-Hostile OR Hostile:
• Partner
• Supplier

Hostile:
• Activist
• Competitor
• Disgruntled Insider
• Irrational Individual
• Nation State
• Organized Crime
• Terrorist
• Thief


Attack Types

Accidental leak
Espionage
Financial fraud
Misuse
Opportunistic data theft
Physical theft
Product alteration
Sabotage
Violence

Attack Types

Accidental leak Ooops


Espionage Ongoing, targeted IP & Data Loss
Financial fraud IP extraction

Misuse
Opportunistic data theft Exiting employees
Physical theft
Product alteration
Sabotage
Violence

Threat-Consequence Vector Matrix


Threat agents (columns), grouped by intent:
• Non-Hostile: Untrained/Distracted Insider, Reckless Insider, Outward Sympathizer
• Non-Hostile/Hostile: Vendor, Partner
• Hostile: Irrational Individual, Thief, Disgruntled Insider, Activist, Terrorist, Organized Crime, Competitor, Nation State

Attack types (rows), with the number of threat agents marked X in each row:
• Accidental leak: 7
• Espionage: 8
• Financial fraud: 5
• Misuse: 8
• Opportunistic data theft: 8
• Physical theft: 6
• Product alteration: 9
• Sabotage: 6
• Violence: 3

Analysis by Intel’s Threat Agent Analysis Group


Applying the Field Guide

Demonstrate the scope of the problem


[Threat-Consequence Vector Matrix: attack types (rows) against threat agents (columns, grouped by intent)]

60 separate Insider Threat vectors – Are you prepared for all of them?

Prioritizing Protection to Optimize Resources

Food Manufacturer (example)

• Accidental leak
• Espionage
• Financial fraud
• Misuse
• Opportunistic data theft
• Physical theft
• Product alteration
• Sabotage
• Violence

[Threat-Consequence Vector Matrix: attack types (rows) against threat agents (columns, grouped by intent)]



Minimize the Threat

[Threat-Consequence Vector Matrix: attack types (rows) against threat agents (columns, grouped by intent)]


Provide context for your data


Example incidents (callouts on the matrix):
• $15M in lawsuits
• Lost market lead in key product
• 3% annual shrinkage
• 2-day factory downtime

[Threat-Consequence Vector Matrix: attack types (rows) against threat agents (columns, grouped by intent)]


Customize for your threat landscape

The model is open-ended and you can extend & tailor it to your environment

How the Guide Can Help You

Having a Field Guide helps you manage risk by:

• Establishing a common framework and language for managing insider threat throughout the organization and community
• Prioritizing threats and optimizing the use of limited resources
• Identifying threats for mitigation
• Providing a framework to describe and manage your unique threat landscape


Applying the Field Guide in Your Organization

Short term
• Share the Guide with key stakeholders to inform them of the problem scope and enlist them in your team
• Assess your particular threats and controls against the Field Guide to ensure you are managing your most dangerous insider risks

Medium term
• Modify the model to reflect your situation and priorities

Long term
• Use the Guide to regularly re-assess your overall insider threat landscape


Resources
• Intel Field Guide to Insider Threat: http://ow.ly/CLux308vUbP
• Intel Threat Agent Analysis: https://communities.intel.com/docs/DOC-23914 and https://communities.intel.com/docs/DOC-1151
• Improving Healthcare Risk Assessments to Maximize Security Budgets (how to tailor the model for your environment): http://ow.ly/1W2H308vUfx
• CERT Insider Threat Center: https://www.cert.org/insider-threat

We actively engage with fellow travelers utilizing Threat Agent Analysis related to:
• Threat Assessments
• Supplier Management and Supply Chain Risk
• Tools and Visualization


Questions?
