By Ted Harrington, Executive Partner, Independent Security Evaluators
Many organizations are cognizant of the fact that security threats can originate from the inside, beginning with their own trusted employees and partners. However, many do not differentiate between the various types of internal adversaries and are unaware that different defense strategies are required to thwart each type. This article will analyze the different types of internal threat actors. It will discuss defenses against each, considering both technology and psychology solutions, and aim to do so in a way that is immediately actionable for organizations of all types.
An organization must first understand how security strategies relate to its threat model. Companies must define their threat model, which effectively articulates assets, adversaries and architecture. Not only must an organization understand which assets are worth protecting, but it must also quantify the compromise of its assets in terms of the downside to the company and the potential upside to the adversary. With its threat model defined, the organization will be best able to articulate most effective defense architecture.
To fully understand internal adversaries, one must first consider external adversaries. Most industries elicit four primary categories: Casual hackers, motivated by notoriety, steal content for boasting rights and recognition by their peers. Hacktivists, groups such as Anonymous, attack to make political statements. Organized crime make business decisions and steal assets for monetary gain. Nation states attack to pursue geopolitical and economic interests.
It is important to remember that external and internal adversaries are not opposites here; the differences lie in conditions of trust and access. Internal adversaries could be extensions of the external adversaries discussed above, but they have the additional trust and access typically granted to insiders. Internal adversaries are broken into three types of actors: accidental, opportunistic, and determined. The defenses against these, through technology and psychology solutions, break down into prevention, deterrence, or mitigation.
The accidental insider harms the company through poor decision making. People create and reuse weak passwords, lack discretion online, and are notoriously susceptible to social engineering attacks; people are an organization’s weakest link. This can lead to a trusted and non-malicious employee unwittingly becoming an accidental insider.
Organizations can best mitigate the damage caused by the accidental insider through prevention. Encryption and multi-factor authentication are two examples of technology solutions effective in minimizing the damage. Training, notably through educating people on how their actions can deliver significant harm, is an effective psychology solution.
The primary characteristic of the opportunistic insider is that asset compromise will only happen if/ when there is no repercussion. Job duties might grant an opportunistic insider access to a valuable asset which he may benefit by compromising, and though he did not initially set out to do harm, an absence of disincentives may compel him to attack.
Organizations can best defend against the opportunistic insider through deterrence. If an opportunistic adversary thinks he will be caught, he is less likely to compromise assets. Logging, monitoring, and digital rights management create a trail that leads back to the adversary and are therefore effective technology solutions. The most effective psychology solution is awareness. It is important to make the distinction between training and awareness: while training seeks to educate employees about their individual actions, awareness seeks to galvanize the group of employees to protect assets together. If an opportunistic adversary thinks she is being observed by her colleagues, she is less likely to compromise assets.
The most dangerous type of internal adversary is the determined insider, one motivated to harm the company from within. Two notable subgroups exist within this category: disgruntled insider and malicious insider. The disgruntled insider has become dissatisfied with the company for reasons such as lack of recognition or moral differences. The malicious insider is an agent for one of the external threats previously mentioned. Since the determined insider is motivated by malice, the aforementioned technology and psychology solutions are ineffective.
Mitigation is the best defense against the determined insider. In this, an organization assumes the posture that the adversary has already compromised an asset and therefore makes it difficult to compromise additional assets. One effective solution against this type of adversary is separation of privileges. Through privilege separation, an organization reduces any particular user’s privilege to the absolute minimum that still enables him to successfully perform his role. This results in weaker roles throughout the majority of the company, and only a few all-powerful admin roles. Limiting the power of most roles decreases the likelihood that the determined insider adversary would be powerful.
The internal threat is a real adversary who can do significant damage to most organizations. By understanding the distinctions between the different types of internal adversaries, organizations can design and implement an effective suite of defenses to counter each type of foe.