Yesterday we featured people hacker and social engineer Jenny Radcliffe on typical signs of an attacker who is trying to get at you from outside of the business.
That person has a considerable disadvantage though – they are not able to access the systems and network that a person inside the business can. The insider threat has never gone away, and Jenny said that in many cases of inside attacks, watching the human behaviour as well as the online behaviour of our people may help raise suspicions and identify suspect behaviour.
So is there typical insider threat behaviour? Jenny said that when someone on the inside has malicious intent, they may not always behave in a typical way and that there might be some ways to potentially spot this.
“Typically, the first thing is you are looking for someone who is easily distracted, restless and yet is at work for long hours, someone who sticks around a lot, but is not necessarily focussed on the job but rather the details of how the organisation operates” she said.
“Similar to the outsider threat on the end of the phone, look for someone who is very nosy and curious. The type of person who you have a long conversation with, yet think ‘I know nothing about them’, but to whom you have given a lot of information, more details than you would normally give or any type of unusual facts, because they are all of possible use.”
Jenny said we should be careful not to generalise when trying to pinpoint unusual behaviour, but that common flags might include: frequent conversations on personal mobiles away from their desks, as well as things like a lack of personal effects in their workspace.
She said: “A blank desk might make me suspicious as genuine people tend to leave clues about themselves around their workspace. Someone being very careful not to do this could be a flag, when taking other behaviours and clues into context.”
Another typical trait is someone who is “interested in everything”, as most jobs are project based and people tend to predominantly focus on their own areas, their own work problems, projects and issues. Someone on the inside who is looking to breach the organisation, or cause trouble in some way is often interested in a wider breadth of information than the majority of people who are more narrowly focussed as a rule. With malintent, certainly at the beginning of the process all information both specific and non-specific is worth having as the details of the attack are being planned.
She said “Often a malicious insider can be confident and chatty and finds the time to talk to everyone, not just about the job, but about the people, the routines and the operational details of the business. When you know what to look for this behaviour stands out, because usually, people are mostly interested in the areas that affect themselves and their jobs, rather than everything and anything about the company.”
The problem is in trying to distinguish between behaviour that looks suspicious, but is genuine, and that which is actually a signal of a threat, and this is a difficult distinction to make.
“The problem is that it is not helpful to be suspicious of everyone all of the time, and much seemingly suspicious behaviour turns out to be genuine enough, when investigated. However, it is the lack of suspicion that most people have, that attackers rely on to ultimately get past.”
We moved on to the person who has “flipped” and turned on the company but is still working in their job and trying to appear “normal.” Jenny said that typically that person is suddenly very disruptive within the organisation, despite trying not to be detected as a threat.
“Their motivation, if they are serious, has now changed from one of getting on with their job and the routine of that, to one of collecting information, of planning how and when to target the company. This change in perspective can manifest in unusual behaviours as they are motivated more by revenge or malice than by wages and work,” she said.
Jenny also said that a genuinely malicious person will spend a lot of time, and “cognitive bandwith” on planning their attack and going over details. Concentration gets more difficult as they try and process the “deception” of normal routines and days, and, as with any lie, it becomes more difficult to act out their normal role, alongside the “truth” of how they really feel.
So you have the focussed distraction of an obsessive with the carefulness of a person covering their tracks and trying to be “ultra-normal.” This is stressful and stress signals often manifest in behaviours associated with our brain processing fight or “flight behaviours”. This could be everything from smoking more and taking more breaks, to a change in normal behaviours and mood.
A talkative person becomes quieter, the laid back person more uptight. The problem, according to Jenny, is that no one set of signals is a given, it depends on the person and the context to a great extent, as to whether a “read” is accurate. There is one thing most insider threats tend to share though, Jenny said. “They don’t want to stand out, and this takes up a lot of brain power.
“This level of deception is a huge task that requires effort, management if you will. Whilst everyone else is on a sort of automatic pilot, your insider threat is, by nature, preoccupied and overloaded. This can, and often does make them careless in unexpected ways, in unexpected behaviours.”
With many insider threats in hindsight, there were patterns of behaviour that were definite red flags, from changed attitude and hours, to the distractedness Jenny mentions from the burden of “the cover story.” If that sort of action is your biggest concern, then this may be the advice that saves you.
Jenny Radcliffe was talking to Dan Raywood