Based on reports in recent news, some forms of insider threat get a lot of attention. Just about everyone has heard of examples of damage caused by a disgruntled employee, workplace violence, or theft of intellectual property. But the insider threat is much broader than those common examples. At Intel, we have been studying this problem and have documented our findings in a white paper we call the Insider Threat Field Guide. In this field guide, we discuss 13 distinct insider threat agent types and the insider events each is most likely to cause, providing a comprehensive approach to identifying the most likely insider threat vectors. We are sharing this guide so other companies can improve their security stance too.
For example, one threat agent type we identified is the "outward sympathizer." As far as we can tell, this threat agent has not been described elsewhere in the industry: we were unable to find any published analysis of this type of insider threat. We define an outward sympathizer as a person who knowingly misuses the enterprise's systems to attack others in support of a cause external to the enterprise.
As we developed the field guide, we characterized the outward sympathizer threat as follows:
- An insider of any status who acts in a manner harmful to the enterprise when reacting to external triggering events.
- Harm may occur incidentally (nonhostile) or intentionally (hostile) and may take any form, including violence.
- Actions are most likely reactive and emotional, episodic rather than ongoing.
- Triggering events can be of any scale, from personal to worldwide, and related to any cause.
- Collusion is more likely to occur if the triggering event has wide applicability within the worker population, such as a regional conflict.
- The probability of attack is directly proportional to the impact and intensity of the triggering event, and inversely proportional to the general morale and the security awareness of the employee population.
The outward sympathizer is a complex threat agent and triggering events can vary widely. Perhaps there is conflict in a country in which family resides, or an environmental issue that the insider feels strongly about. It can be difficult to predict what will trigger an outward sympathizer attack because the reason for the attack may be entirely unique to the sympathizer and not obvious to others.
Outward sympathizer activity can occur at three escalating levels. Even the most benign level could potentially have devastating consequences for the enterprise.
- Level 1 - Insider misuses company resources (nonhostile). In this scenario, the insider inappropriately uses company resources to independently support a cause, but the company itself is not attacked. For example, the insider is upset about something, so he or she downloads hacker tools onto company servers and uses them to attack someone else. There is no intent to harm the enterprise; in fact, the insider probably hopes the company never finds out and may assume that the corporate firewall or NAT hides his or her identity from the target. In practice the attack traffic leaves from the enterprise's own address space, so the attacked entity may conclude that the enterprise itself is attacking them and may retaliate against the enterprise, not the individual, in many ways.
- Level 2 - Insider inappropriately discloses company information to directly support an external cause. The information may be posted publicly to embarrass the company, or may be directed to an activist organization to support its intelligence gathering. The actor may be a planted agent.
- Level 3 - Insider directly attacks the company from the inside or enables an attack from the outside. The attack can take any form, including data theft, destruction of hardware or facilities, or internal violence or sabotage. The actor is most likely a disgruntled insider but may be a planted agent. Note that at this level, the line blurs between outward sympathizer and disgruntled insider. The important difference is that outward sympathizers are not triggered to action by something that happened to them personally; they are upset about something external to the enterprise.
Enterprises should include outward sympathizers in their own insider threat models and plan for mitigation. Because this type of threat agent presents differently from most other threat agents, particularly at the nonhostile level, it can be hard to detect; in fact, some of their methods may not be traceable back to the individual. The unique aspects of the outward sympathizer are motivation and timing, so the most effective mitigations will target those.
Research by CERT and others suggests that strong tone-from-the-top security messaging is an effective behavioral deterrent, especially for non-professional threat actors. In addition, we use the following techniques to help minimize the likelihood of outward sympathizer events:
- Providing specific examples during annual security training
- Training managers to detect and appropriately handle warning signs
- In conflict regions, ensuring managers and HR communicate quickly and regularly about personal safety and any available corporate support
The technical methods used by outward sympathizers are not unique as a class and follow classic attack patterns. Technical controls are therefore general environmental controls rather than ones specific to this actor. In particular, although it is common to monitor networks for incoming attacks, it is much less common to monitor egress traffic for attacks that originate inside the network, which is exactly where a Level 1 event shows up. Other effective technical controls include the following:
- Limiting access to least privilege
- Checking the internal environment for hacking tools such as Low Orbit Ion Cannon (LOIC)
- Watching for misuse such as outgoing distributed denial-of-service (DDoS) attacks
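The egress-monitoring item above is the one most organizations skip, so here is an added example of what it can look like in practice. This is illustrative code written for this page, not Intel IT's tooling: it runs a simple flood heuristic over constructed NetFlow-style records, flagging an internal host that opens many dense flows to a single external destination in a short window, which is the egress pattern a LOIC-style flooder run from inside the network produces. The record layout, the RFC 1918 definition of "internal", the thresholds, and the sample flows are all assumptions made for the illustration.

```python
"""Egress flood heuristic over NetFlow-style records.

Added example for this page (not Intel's tooling): alert when one internal
host sends many high-rate flows to one external destination. Record layout,
thresholds and sample data are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Address space treated as "inside" the enterprise (assumed: RFC 1918).
# Defined explicitly rather than via IPv4Address.is_private, because that
# property also matches the RFC 5737 documentation ranges used for the
# external hosts in the sample below.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export: start_epoch,src_ip,dst_ip,dst_port,proto,packets,bytes
# 10.1.4.23 hammers 203.0.113.50 with eight dense flows in seven seconds;
# 10.1.4.40 is ordinary browsing. The last two rows are east-west and
# inbound traffic and must be ignored by an egress check.
SAMPLE_FLOWS = """\
1700000000,10.1.4.23,203.0.113.50,80,tcp,1500,90000
1700000001,10.1.4.23,203.0.113.50,80,tcp,1480,88800
1700000002,10.1.4.23,203.0.113.50,80,tcp,1520,91200
1700000003,10.1.4.23,203.0.113.50,80,tcp,1490,89400
1700000004,10.1.4.23,203.0.113.50,80,tcp,1510,90600
1700000005,10.1.4.23,203.0.113.50,80,tcp,1505,90300
1700000006,10.1.4.23,203.0.113.50,443,tcp,1495,89700
1700000007,10.1.4.23,203.0.113.50,80,udp,2000,120000
1700000000,10.1.4.40,198.51.100.20,443,tcp,42,38000
1700000003,10.1.4.40,198.51.100.21,443,tcp,55,61000
1700000006,10.1.4.40,203.0.113.50,80,tcp,30,20000
1700000002,10.1.4.23,10.1.9.7,445,tcp,900,600000
1700000004,198.51.100.99,10.1.4.23,22,tcp,3000,180000
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    packets: int
    nbytes: int


@dataclass
class FloodAlert:
    src: str
    dst: str
    flows: int
    packets: int
    pps: float
    ports: frozenset


def parse_flows(text):
    """Parse the constructed CSV layout into Flow records, skipping blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, packets, nbytes = line.split(",")
        flows.append(Flow(int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(dport), proto, int(packets), int(nbytes)))
    return flows


def is_internal(ip):
    """True if the address falls in the assumed corporate (RFC 1918) ranges."""
    ip = ipaddress.ip_address(ip) if isinstance(ip, str) else ip
    return any(ip in net for net in INTERNAL_NETS)


def detect_outbound_floods(flows, min_flows=5, min_pps=200.0):
    """Group inside->outside flows by (src, dst) and alert when a pair shows
    both many flows and a sustained packet rate over the observed span.
    Requiring both cuts noise from a single large legitimate transfer
    (high pps, one flow) and from chatty low-volume clients (many flows, low pps)."""
    by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            by_pair[(f.src, f.dst)].append(f)
    alerts = []
    for (src, dst), group in by_pair.items():
        packets = sum(f.packets for f in group)
        span = max(max(f.ts for f in group) - min(f.ts for f in group), 1)
        pps = packets / span
        if len(group) >= min_flows and pps >= min_pps:
            alerts.append(FloodAlert(str(src), str(dst), len(group), packets,
                                     round(pps, 1), frozenset(f.dport for f in group)))
    return sorted(alerts, key=lambda a: a.pps, reverse=True)


if __name__ == "__main__":
    for a in detect_outbound_floods(parse_flows(SAMPLE_FLOWS)):
        print(f"{a.src} -> {a.dst}: {a.flows} flows, {a.packets} pkts, "
              f"{a.pps} pps, dst ports {sorted(a.ports)}")
```

On the sample data only 10.1.4.23 -> 203.0.113.50 is flagged (8 flows, 12500 packets, about 1786 packets per second); the browsing host, the internal SMB transfer and the inbound SSH session are all left alone. Real deployments would feed this from the flow exporter or egress firewall, tune the thresholds per segment, and join the alert to DHCP/identity logs so the event can be attributed to a person, which is the part of a Level 1 investigation that is otherwise hard.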
Intel IT’s Insider Threat Field Guide—including our understanding of the outward sympathizer threat agent—is an innovative way of looking at the full scope of insider threats. I believe other security professionals can use the field guide to identify and prioritize insider threats, communicate the risk of these threats, and optimize the use of information security resources to develop an effective defense strategy. I encourage you to share your feedback on the field guide by leaving a comment below. In addition, if you are looking for more information about our other security solutions, check out the 2015-2016 Intel IT Annual Performance Report. We hope you will join the conversation!