Lesson 3 Part2.pdf

Uploaded by CooperativeJacksonville

Nanyang Technological University

Full Transcript

So because there are different types of indicators, these indicators can be categorised into the following: virtual, non-virtual and contextual indicators. So we can group the indicators from the previous slides into our non-virtual and virtual indicator types. So non-virtual data includes information about an individual's role in an organisation, performance ratings, compliance with corporate policies, work habits such as the times of day they start and stop working, the people they typically interact with and their physical movement throughout the office. And again, it may be because of poor performance, leaving the organisation, receiving a formal HR warning or a failed background check, as we mentioned earlier.

So virtual indicators are data that refers to the digital trails that employees leave when they log on and off the corporate network, access systems, download documents, send emails and use the web. So it might be that they are going to sites that are not permitted by policy, or they may be leaving during their lunch hour and nobody knows where they're going or what they're doing. And these things also include unusual access, logging in outside of work hours, escalation of privileges, connecting unapproved devices, particularly work-from-home devices, and moving large amounts of data, as we mentioned earlier.

So the contextual indicators are information that we know was not due to actions by the employee, and these can include things like system access roles, their role within the organisation, their geographical location in the organisation and their length of tenure, or how long they've been with the company. Now, contextual indicators can provide the additional insight into why a user has conducted the activity seen in other insider threat indicators.

And it's by using a combination of these three types of indicators that we can get a much, much better insight into what occurred during an incident, or even help us predict potential insider threats through anomaly detection. There are a number of products and solutions out there that you can buy that look for particular keywords. So for example, if someone is open to work on LinkedIn or if they are talking with a recruiter, there are systems that will actually pick up this information to let you know that they may be a flight risk, or that they may be a potential insider threat risk as well.

So insider threat incidents that occur are not always due to malicious intent by a user. The top three causes of insider threat incidents, percentage-wise, are: 55% attributable to negligence, 25% to malicious intent and 20% to credential theft. There are also three types of intent with insider threats, and they can be malicious, accidental or complacency. So malicious, as we know, could be that they're intending to cause harm to the organisation; complacent is due to just a lack of care or effort to adhere to organisational policies or procedures; and then accidental, they're unintentional, they occurred unexpectedly or by chance. Now, commonly insider threats are usually caused by complacency due to ignoring company policies, or accidental actions by the user. Malicious insider threats are much, much more difficult to detect, especially if the person is a technically adept user who is familiar with the systems and the security controls and finds it easy to hide their actions from detection.

So I'm going to talk about some case studies here about how these indicators manifest. So when we look at things like downloading and obfuscating files, there was an individual by the name of Abraham Lemma. He was a US government contractor who was arrested on espionage charges. He was of Ethiopian descent but held a US passport, and he was charged with providing national defense information to aid a foreign government, conspiracy to deliver national defense information to aid a foreign government, and willful retention of national defense information. Now, Lemma allegedly copied classified information from intelligence reports and deleted the classification markings on them. He then removed the information, which was classified as secret and top secret, from secure facilities at the Department of State. This material that he took related to a specific country or geographic region, and he accessed, copied, removed, and retained this information without authorization. Among the information that he allegedly sent to his contact were satellite imagery, intel on rebel group activity, and other information regarding US military activity in the foreign country and region in question. According to the charging documents, he used an encrypted application to transmit classified national defense information to a foreign government official.

Now, it's very difficult to find a lot of case examples on insider threat, and a lot of them do stem from the USA, primarily because that is where a lot of this data is recorded. In time, Asia and other regions will have a lot of this information, but for now, most of the examples of major insider threats will come out of the USA, but they are applicable to all regions and sectors.
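The combination of the three indicator types for anomaly detection that the lecture describes, as an added example in Python (not from the lecture or any product it mentions): virtual indicators are derived from log events, non-virtual ones come from HR facts, and contextual attributes weight the result rather than flag it. The events, HR facts, thresholds and weights are all constructed and assumed.

```python
from datetime import datetime

# Constructed sample data (not from the lecture): contextual attributes and
# non-virtual HR facts for one account, plus virtual events pulled from logs.
CONTEXT = {"role": "contractor", "tenure_months": 4, "work_hours": (8, 18),
           "approved_devices": {"LAPTOP-01"}}
NON_VIRTUAL = {"hr_warning": True, "resignation_notice": False}
EVENTS = [
    {"ts": "2024-03-04T09:12:00", "type": "login", "device": "LAPTOP-01"},
    {"ts": "2024-03-04T22:41:00", "type": "login", "device": "LAPTOP-01"},
    {"ts": "2024-03-04T23:05:00", "type": "download", "bytes": 6_000_000_000},
    {"ts": "2024-03-05T10:30:00", "type": "device_connect", "device": "USB-0F3A"},
]
BULK_BYTES = 1_000_000_000   # assumed threshold for "large amounts of data"
ESCALATE_AT = 4.0            # assumed score at which an analyst reviews the account

def virtual_indicators(events, context):
    """Virtual indicators: derived from the digital trail in the logs."""
    start, end = context["work_hours"]
    fired = set()
    for ev in events:
        hour = datetime.fromisoformat(ev["ts"]).hour
        if ev["type"] == "login" and not start <= hour < end:
            fired.add("login_outside_hours")
        if ev["type"] == "download" and ev.get("bytes", 0) >= BULK_BYTES:
            fired.add("bulk_data_movement")
        if ev["type"] == "device_connect" and ev["device"] not in context["approved_devices"]:
            fired.add("unapproved_device")
    return fired

def non_virtual_indicators(hr_facts):
    """Non-virtual indicators: HR/management facts, not log events."""
    return {name for name, present in hr_facts.items() if present}
def contextual_weight(context):
    """Contextual indicators explain and weight behaviour: short tenure or a contractor/admin role makes the same events more significant."""
    weight = 1.0
    if context["tenure_months"] < 6:
        weight += 0.5
    if context["role"] in {"contractor", "admin"}:
        weight += 0.5
    return weight

def assess(events, context, hr_facts):
    """Combine all three indicator types into one review decision."""
    v, nv = virtual_indicators(events, context), non_virtual_indicators(hr_facts)
    score = (len(v) + len(nv)) * contextual_weight(context)
    return {"virtual": sorted(v), "non_virtual": sorted(nv), "score": score,
            "escalate": score >= ESCALATE_AT}

if __name__ == "__main__":
    print(assess(EVENTS, CONTEXT, NON_VIRTUAL))
```

The in-hours login is not flagged on its own; it is the off-hours login plus the bulk download and unknown device, weighted by the short-tenure contractor context and the open HR warning, that push the account over the review threshold.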
