SAN FRANCISCO: In 2001 the FBI discovered that one of its own agents had been spying for foreign intelligence services for 22 years. The shock of the Robert Hanssen case led the FBI to build and evolve a sophisticated program for finding insider threats.
Speaking at the RSA Security conference, Patrick Ready, chief information security officer at the FBI, provided a packed session room with real-world lessons on how to detect and thwart insider threats. He started the discussion with a candid observation.
"Insider threats are not hackers," he said. "People like to think of insider threats as hackers but in reality, you're dealing with authorized users, doing authorized things for malicious purposes."
The WikiLeaks incident in which U.S. Army soldier Bradley Manning leaked information to Julian Assange has led to a renewed discussion on the nature of insider threats, Ready noted.
Ready said that in over 20 years of cases, he has never dealt with insiders running hacking tools or escalating their privileges to get what they want to steal.
"These are authorized users," he said. "They have no need for hacking tools."
The impact of insider threats is non-trivial, Ready stressed. In his view, companies that have good insider threat detection programs will be in business in 10 years – while those that don't, will not.
Ready detailed the insider threat kill chain as a process by which an individual goes from being good to bad. It starts with recruitment by an adversary or competitor, followed by the insider doing search and reconnaissance for the data they want to take. The next step is the acquisition and collection of data followed, by the exfiltration of the data.
"The whole time, they are trying to hide themselves," Ready said. "This is not a smash-and-grab operation; they want to stay in place."
Defense Against Insider Attacks
The goal of any insider threat mitigation effort is to deter, detect and ultimately disrupt the activity. The key element in reducing risk is knowing the people in your organization, Ready stressed.
"I'm not talking about user accounts and system access here," he said. "You want to know what risk factors they have that might be a risk to your organization."
Ready added that the more you know about the people in your organization, the more you will know about the potential threat and how to defend against it.
It's also important to know who the enemy is, whether it is a foreign nation or an industry competitor. Knowing who the enemy is allows an organization to consider why they might be infiltrated and what information might be at risk.
Deterrence, Not Detection
A key lesson the FBI has learned over the years, Ready said, is that it is more effective to focus on deterrence not detection.
"We can't possibly find every single threat," Ready said. "We just need to create an environment where it's not easy to be an insider threat."
Part of that deterrence can be the use of crowdsourcing and positive social engineering. Ready suggested organizations should consider providing tools and capabilities to end users to make them part of the partnership to deter insider threats.
Ready also noted a simple example of deterrence that has helped the FBI with data loss. The FBI now provides users with a warning screen about the risk of data loss whenever a USB data key is plugged into a device.
When it comes to detection, Ready stressed that insiders are not always outliers.
"You're not looking for a needle in a hay stack," Ready said. "You are looking for something that should be there. We're looking for a needle in a stack of needles."
Technology Not the Answer
When it comes to technology solutions for identifying insider threats, Ready said that traditional IT defenses like IPS (intrusion prevention systems), firewalls and anti-virus won't help. An emphasis on people and organizational risk factor is the key.
"Beware the silver bullet," Ready said. "There is no big button that says, 'click here to catch spy.'"