A Field Guide To Insider Threat Helps Manage The Risk: Tim Casey
Tim Casey
Senior Strategic Risk Analyst
Intel Corp.
#RSAC
Threat agents: Untrained/Distracted Insider, Reckless Insider, Outward Sympathizer, Vendor, Partner, Irrational Individual, Thief, Disgruntled Insider, Activist, Terrorist, Organized Crime, Competitor, Nation State
Attack types: Accidental leak, Espionage, Financial fraud, Misuse, Opportunistic data theft, Physical theft, Product alteration, Sabotage, Violence
Definitions
Non-Hostile: Reckless Insider, Outward Sympathizer, Untrained/Distracted Insider
Non-Hostile OR Hostile: Partner, Supplier
Hostile: Activist, Competitor, Disgruntled Insider, Irrational Individual, Nation State, Organized Crime, Terrorist, Thief
Attack Types
Accidental leak
Espionage
Financial fraud
Misuse
Opportunistic data theft
Physical theft
Product alteration
Sabotage
Violence
Attack Types
Misuse
Opportunistic data theft Exiting employees
Physical theft
Product alteration
Sabotage
Violence
Applying the Field Guide
Threat agents: Untrained/Distracted Insider, Reckless Insider, Outward Sympathizer, Vendor, Partner, Irrational Individual, Thief, Disgruntled Insider, Activist, Terrorist, Organized Crime, Competitor, Nation State
Attack Type↓
Misuse X X X X X X X X
Opportunistic data theft X X X X X X X X
Physical theft X X X X X X
Product alteration X X X X X X X X X
Sabotage X X X X X X
Violence X X X
Intent→ Non-Hostile, Non-Hostile/Hostile, Hostile
Threat agents: Untrained/Distracted Insider, Reckless Insider, Outward Sympathizer, Vendor, Partner, Irrational Individual, Thief, Disgruntled Insider, Activist, Terrorist, Organized Crime, Competitor, Nation State
Attack Type↓
Accidental leak X X X X X X X
Espionage X X X X X X X X
Financial fraud X X X X X
Misuse X X X X X X X X
Opportunistic data theft X X X X X X X X
Physical theft X X X X X X
Product alteration X X X X X X X X X
Sabotage X X X X X X
Violence X X X
3% annual shrinkage
2-day factory downtime
Short term
Share the Guide with key stakeholders to inform them of the problem scope and enlist them in your team
Assess your particular threats and controls against the Field Guide to ensure you are managing your most dangerous insider risks
Medium term
Modify the model to reflect your situation and priorities
Long term
Use the Guide to regularly re-assess your overall insider threat landscape
Resources
Intel Field Guide to Insider Threat: http://ow.ly/CLux308vUbP
Intel Threat Agent Analysis:
https://communities.intel.com/docs/DOC-23914
https://communities.intel.com/docs/DOC-1151
Improving Healthcare Risk Assessments to Maximize Security Budgets (how to tailor the model for your environment): http://ow.ly/1W2H308vUfx
CERT Insider Threat Center: https://www.cert.org/insider-threat
We actively engage with fellow travelers utilizing Threat Agent Analysis related to:
Threat Assessments
Supplier Management and Supply Chain Risk
Tools and Visualization
Questions?