The Book on Insider Threats Authors Discuss Organizations' Top Internal Risks

For years, people have been concerned about malicious insider threats. But an emerging trend to pay attention to is the malicious outsider taking advantage of an inadvertent insider, says Dawn Cappelli of Carnegie Mellon University.

Cappelli, along with Randy Trzeciak, both leaders with the CERT Program at Carnegie Mellon's Software Engineering Institute, recently wrote the book, "The CERT Guide to Insider Threats," which focuses on the top internal risks at organizations.

And out of their research came the emerging trend of the inadvertent insider. "A few years ago we started realizing that inadvertent insider threats were becoming a problem, but those were mainly cases where people forgot a laptop somewhere that had confidential information it, or data leakage problems," Cappelli says in an interview with Information Security Media Group's Tom Field [transcript below].

The challenge Cappelli now sees is the outsider using inadvertent insiders to get inside networks. "That's a new strategic direction that my team is now working on," she says.

"It's going to be important for organizations to recognize ... the unintentional, and try to determine if there are controls that can be effective both against the intentional insider in an organization as well as the unintentional insider," says Trzeciak.

In an exclusive interview on the insider threat, Cappelli and Trzeciak discuss:

  • The evolution of the insider threat;
  • Key trends to watch in 2012;
  • Advice on how organizations can protect themselves.

Cappelli, CISSP, is Technical Manager of the Insider Threat Center and the Enterprise Threat and Vulnerability Management team in the CERT Program at Carnegie Mellon University's Software Engineering Institute. Her team's mission is to assist organizations in improving their security posture and incident response capability by researching technical threat areas; developing information security assessment methods and techniques; and providing information, solutions and training for preventing, detecting, and responding to illicit activity. Her team members are domain experts in insider threat and incident response, and team capabilities include threat analysis and modeling; development of security metrics and assessment methodologies; and creation and delivery of training, courses, and workshops. Dawn has 30 years of experience in software engineering, including programming, technical project management, information security, and research. She is often an invited speaker at national and international venues, is an adjunct professor in Carnegie Mellon's Heinz College of Public Policy and Management and is currently Vice-Chair for the CERT Computer Security Incident Handler Certification Advisory Board.

Trzeciak is currently a senior member of the technical staff at CERT. He is the technical team lead of the Insider Threat Research team; a team focusing on insider threat research; threat analysis and modeling; assessments; and training. Randy has over 20 years experience in software engineering; database design, development, and maintenance; project management; and information security. Before joining Carnegie Mellon University, Randy worked for Software Technology Incorporated, in Alexandria VA, as a consultant to the Naval Research Laboratory (NRL). He also is an adjunct professor at Carnegie Mellon's Heinz College, Graduate School of Information Systems and Management. Randy holds an MS in Management from the University of Maryland and a BS in Management Information Systems and a BA in Business Administration from Geneva College.

TOM FIELD: To get started, why don't you each introduce yourself, starting with you Dawn. Tell us a little bit about your current work and then we'll talk about the book.

DAWN CAPPELLI: I'm the technical manager of the Enterprise Threat and Vulnerability Management team in the CERT program, which is part of the Software Engineering Institute at Carnegie Mellon University. Part of my team is to serve insider threat centers, so for the past ten years my team has been researching insider threats.

FIELD: Randy, perhaps you could tell us a little bit about yourself.

RANDY TRZECIAK: I'm a technical team lead for the Insider Threat Research Group within the Insider Threat Center. I've been working with Dawn for the past six-plus years on the insider threat problem and, again, from a standpoint of trying to identify what organizations can do to better prevent, detect or respond to insider activity in their organizations.

CAPPELLI: I would also like to add that Andy Moore is also an author of the book. He's not with us today.

CERT Guide to Insider Threats

FIELD: Well the bad news for organizations globally is that the insider threat is probably more acute now than it has been ever, but the good news is you do have this new book out, "The CERT Guide to Insider Threats." Dawn, could you tell us a little bit about the book?

CAPPELLI: We've been working in this area for so long. After ten years of work, we felt like it was a good time to try and take all of the work that we have done and pull it into one place. Our work has really exploded over the last few years and we're going in many different directions and so we thought it was a good time to kind of pull all of the foundational work that we had done into one place, because we have a lot of reports out there, podcasts, blogs, but you know people don't have time for that. They don't have time to keep up on everything new that's coming up. So we thought we would pull it all together into one place to make it easy for people.

FIELD: Well it sounds easier, I'm sure, than it really was. Randy, why don't you tell us a bit about how this book came together?

TRZECIAK: Our team talked about writing an insider threat book for a number of years. We've been very busy over the course of the past ten years with describing the insider threat problem, tried to identify controls for the insider threat problem. In the early stages of our insider threat research, our team was led by Dawn and it was primarily Dawn, Andy and Randy on the team and we're excited with how our work has grown over the course of the past ten years, and it just seemed like at the ten-year point it was a good point for us to pull the ten years of work into one consolidated source of information. Again, as Dawn said, we have lots of information on our website, but it's just a great way to pull all of those years of research into one consolidated piece of information.

Book's Objectives

FIELD: Randy, what would you say the book's objectives are? And I like how you frame this as sort of the culmination of a decade in this work. What do you hope to accomplish with this book?

TRZECIAK: That's a great question. Again, looking back over the course of the past ten years, we're very pleased with how well the work has been accepted. I think we believe that our work is beginning to make an impact in addressing insider threats in organizations, but what we constantly struggle with is how we can reach that larger audience with raising awareness to the insider threat problem and offering solutions to that potential problem.

I think what we hope to accomplish with this book is to allow us to reach a wider audience, to create one place where practitioners can find actual guidance to addressing insider threats in their organizations, but also this book was written for a broad audience. Consistent with our message, we believe that the most effective way to address insider threat is not solely by technical controls alone. Again, we believe that information technology, information security, is an important piece of addressing the problem, but also it should include human resources, physical security, legal, data owners, management, that it needs to be enterprise-wide reaching out across the organization to address insider threats posed by insiders in the organization.

Evolving Insider Threat

FIELD: I'm sitting here thinking about the past decade and how technology has exploded. We've seen social media. We've seen mobility. Dawn, through all of these innovations and others that you have studied, how has the insider threat evolved in the decade that you've been working on it?

CAPPELLI: Well, it's very interesting. Our work has always been based on real cases. When we started this work in 2001, we started collecting every single case we could find. We went back to 1996. At about the 2005 mark, we started looking at those cases and looking at the patterns. How do these cases evolve over time? Because we figure these people come to work everyday. They do what they do everyday. They use authorized access to commit this crime and so there has to be some way for the organization to realize, "I think we might have a pending problem here," so that they can stop the problem before the crime is committed. We created these models and we found very distinct patterns in these crimes, and that's what we've used in all of our work ever since to create solutions. The interesting thing is we still collect cases, and what we find is the technical methods change. People no longer use CDs or disks so much as using USB drives. And as you said, now people have mobile devices and wireless technology, but the basic patterns in the cases don't change. That's why we thought it was a good time to write the book, because all of our work to date has really been looking at the crime from a holistic point-of-view. What's the story? As a manager, you need to be able to see that you may have a problem evolving and that's what we focused on.

Now our work is looking more at very technical solutions, and so we thought this is a good time to stop and write the book. This book should really remain relevant for years, because it's been relevant. We haven't seen those patterns change over the ten years. The technologies and the technical methods will change, and that's where our work will continue to evolve in the future.

Inadvertent Insider

FIELD: Dawn, if I could follow up on that, one of the things we hear about a lot is the inadvertent insider threat. In your experience looking at these cases for over a decade, how many do you see break down as what we would call the malicious threat versus the inadvertent threat, and does technology change that breakdown even?

CAPPELLI: That's a very interesting question. In the past years, people have been more concerned about malicious insider threats. A few years ago we started realizing that inadvertent insider threats were becoming a problem, but those were mainly cases where people forgot a laptop somewhere that had confidential information on it, or data leakage problems where, "Oops, I accidentally sent an e-mail with Social Security numbers in it." A few years ago, the inadvertent started rising up on the radar, but over the past year or two it has really changed quite a bit where external threats are now using inadvertent insiders to get inside networks. That's a new strategic direction that my team is now working on. We're now starting research into these inadvertent insider threats. We think that's a very serious concern.

FIELD: Randy, I would like to talk with you a little bit about trends that we should be looking out for in 2012. What are the key ones that are on your radar right now?

TRZECIAK: If I'm looking forward to 2012, we need to look back across 2011. If we do look back across 2011, there were a high number of very high-profile incidents involving insiders. Now we certainly believe that this has led to an awareness of the insider threat posed to organizations. If you think specifically and notice the executive order that was released by the White House to establish an insider threat force, this is an important step to develop a government-wide program for insider threats detection and prevention. So certainly raising awareness - We believe the number of incidents in the past will lead to actionable steps needed to be taken by organizations to address insider threats within the government and obviously outside the government as well. But if we look towards our impact in 2012 and we hope to play a key role, certainly we're getting more and more requests from outside organizations for insider threat vulnerability assessments. Again, raising awareness to the problem, we can come into organizations and provide assessments to them. Also, we're getting more requests from tool vendors to help us, to allow us to help them better configure their tools to address insider threats within organizations.

If we look at 2012 in terms of the actionable steps needed to be taken by organizations, certainly, as Dawn mentioned, it's going to be important for organizations to recognize the intentional insider threats but also the unintentional, and try to determine if there are controls that can be effective both against the intentional insider in an organization as well as the unintentional insider to an organization impacting the confidentiality, availability or integrity of your critical assets.

Insider Motives

FIELD: Randy, just a quick follow-up to that. A year ago, we all were talking about WikiLeaks and the release of confidential information by insiders that wanted this information to get out. There were some very well publicized episodes. Did that become a trend similar to the hacktivism that we saw where people thought that by releasing confidential information they were serving a greater good?

TRZECIAK: We really don't know the motivations behind any particular insider, especially the case that you mentioned. We don't know the specific motives behind those. But in terms of the way the data was extracted from a network, we can take a look at the technologies that were used. We can take a look at the technical controls that may have prevented or detected that particular activity. And really what the organization should focus on is preventing critical information from leaving a network through unauthorized means to the organization, and really that's what we're trying to focus on in an organization. How can we prevent data from leaving a network that's not authorized to leave a particular network? That's what we're really trying to focus on and really don't necessarily comment on any motives of why it leaves. We're focused on the prevention and detection of data being exfiltrated from an organization's network.

CAPPELLI: I would just like to say that you're right. The threat landscape in 2011 really was very interesting and that's another area that my team is going to begin working on, looking at the different threat vectors and threat actors, and what's that threat landscape, so we can help organizations looks at what's likely to be coming their way. Who are the threat actors? Who are they likely to be targeting? How are they targeting them? What is it that triggers an attack? So you're very right that there were some interesting cases out there last year and we're starting some new areas of work to look at those.

FIELD: Dawn, also among the cases we saw, for instance the RSA security breach where through social engineering fraudsters were able to use phishing to get insiders to accidentally and inadvertently open themselves up to malware, do you look at the phishing victim or the social engineering victim as an insider threat in these cases?

CAPPELLI: When we talk about the inadvertent insider threat, that's one of the things that we want to look at. We want to look at all of those cases where an outsider got into a network through an insider inadvertently and we want to look and see what the patterns are in those cases. Some of these phishing and spear-phishing e-mails are so crafty that simply relying on security awareness training is just not effective. They're just too good. What we want to do is look at all of those types of cases and look and see if there are any patterns that we can use to develop technical counter measures for those types of attacks.

FIELD: That sounds like book sequel to me.

CAPPELLI: Well we certainly hope so and hopefully it won't be ten years.

Advice for Organizations

FIELD: Dawn, a final question for you. We've talked about an awful lot here in terms of the evolution of the threat, trends to watch in 2012 and certainly you're consulting with many organizations today. If you could boil it down, what advice would you give to organizations on how they can best protect themselves against the insider threat?

CAPPELLI: Well interestingly enough, I just put together a presentation for the RSA Conference where it's called, "The CERT Top Ten List for Winning the Battle Against Insider Threat." I hate to give away the punch line, but the number one step that I think needs to be taken is that organizations need to have an insider threat program. We do many assessments, not just insider threat assessments, but different types of security assessments for organizations, and we find many times if we ask who's responsible for detecting insider threats, they don't know. There really is no one who's responsible and that's a serious problem. You can't wait until you think you might have a disgruntled insider before you start worrying about, "What are we going to do to make sure they don't attack us?" People need to start thinking about it now.

Around the Network