As a special feature of our blog—special guest postings by experts, clients, and other professionals—please enjoy this blog entry from Charlie Platt, a director at iDiscovery Solutions and a Certified Ethical Hacker. He advises clients on data analytics, digital forensics, and cybersecurity.
At the airport recently, while waiting to board and flipping through an issue of United States Cybersecurity Magazine, I noticed an article about detecting insider threats. It was loosely based on a list of behaviors it claimed were ideal indicators for detecting insider threats. I thought, “Wow, this is great! I know plenty of clients who could benefit from this information.” Insider threats are difficult to detect, and I was excited by the opportunity to get new insight, but I became more and more distraught as I read on. The longer I read, the more I saw myself, and many of my cyber-colleagues, being described by the author’s so-called threat indicators. How could we, the good guys, be mistaken for threats?
I read through the list again, and for each point, I asked, “Is this a reliable indicator of a real threat, or a false positive?” I’ve provided the entire list below with my thoughts on each item.
Remotely Accesses the Network While on Vacation, Sick or at Odd Hours
Would a threat actor access the network at odd times? Certainly possible, but an honest, dedicated employee might also check in while on vacation or out sick. I have spent many sick days at home reading through documents. So have my colleagues. Last vacation, I spent evenings after the kids were in bed logged into the network working on a report due shortly after my return. This triggers both “odd times” and “while on vacation,” yet the activities clearly benefited my employer.
Works Odd Hours Without Authorization
This is fairly similar to the prior indicator, so I will focus on the added caveat “without authorization.” I am assuming we are talking about exempt employees here, where extra work does not impact pay or add additional cost to the company. Dedicated employees work when it’s required, which can be at unexpected and unusual times. Work schedules in today’s world are all about flexibility and self-determined priorities. We entrust our employees to make good decisions on our behalf, get work done and accomplish goals. Now we are going to be suspicious when they do so without asking first? That used to be called self-motivated and able to work independently, and it was considered a good quality for employees to exhibit.
Notable Enthusiasm for Overtime, Weekend or Unusual Work Schedules
This essentially says that if you are enthusiastic and ambitious about your career, if you want to be successful and volunteer when needed, you are a threat and need to be watched. Will interest in how your company works outside of your immediate duties also be considered suspect?
Interest in Matters Outside of the Scope of Their Duties
Well, it’s not like I didn’t know it was coming, but that doesn’t make it any less confounding. Don’t we want employees to take an interest in the company, grow into new positions and take on more authority? From decades of performance reviews, I can’t tell you how often I’ve been told I will be promoted when I’m doing the job at the level above me.
Unnecessarily Copies Material
I agree this one could go either way. A lot of data access and movement to local devices can be a true indicator of theft of IP and exfiltration, and it should be monitored. Despite that, it may also indicate an employee who is researching projects and building a local knowledge base for valid company use.
I personally have extensive local (encrypted) stores of data from past projects that I use regularly for reference and as templates on current projects. A software developer who doesn’t have a “library” of code for reuse, or a consultant who doesn’t keep prior reports for future reference? They may exist, but I haven’t met one.
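To make the false-positive problem concrete, here is an added Python example that is not part of Charlie Platt's post. It applies the magazine's checklist literally (any off-hours access, any copy to a local device) to a handful of constructed log lines, and then applies a per-user baseline instead, so that a consultant who habitually works evenings and keeps local reference copies is only flagged when the behavior departs from that user's own pattern. The user names, timestamps and copy volumes are all made up for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real system):
# "ISO timestamp,user,action,megabytes" with megabytes 0 for logins.
# HISTORY is prior activity used to learn each user's normal pattern;
# RECENT is the batch under review.
HISTORY = [
    "2024-02-05T21:05,cplatt,login,0",   # habitual evening worker
    "2024-02-05T21:40,cplatt,copy,45",   # keeps local reference copies
    "2024-02-12T22:10,cplatt,login,0",
    "2024-02-19T21:15,cplatt,copy,50",
    "2024-02-06T09:02,jdoe,login,0",     # strictly 9-to-5 user
    "2024-02-06T14:30,jdoe,copy,5",
    "2024-02-13T09:10,jdoe,login,0",
    "2024-02-20T16:45,jdoe,copy,4",
]
RECENT = [
    "2024-03-12T21:30,cplatt,login,0",   # same evening habit as always
    "2024-03-12T21:50,cplatt,copy,60",   # same modest copy volume
    "2024-03-14T02:10,jdoe,login,0",     # never seen at this hour before
    "2024-03-14T02:25,jdoe,copy,900",    # far above this user's norm
]

BUSINESS_HOURS = range(8, 18)  # naive rule: 08:00-17:59, Monday to Friday


def parse(lines):
    """Turn the constructed log lines into (datetime, user, action, MB) tuples."""
    events = []
    for line in lines:
        ts, user, action, mb = line.split(",")
        events.append((datetime.fromisoformat(ts), user, action, int(mb)))
    return events


def naive_flags(events):
    """Apply the checklist literally: every off-hours access and every copy
    to a local device is suspicious, no matter who does it."""
    flags = []
    for ts, user, action, mb in events:
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            flags.append((user, "off-hours access"))
        if action == "copy":
            flags.append((user, "copies material"))
    return flags


def build_baseline(history):
    """Per-user profile: the hours they normally work and their largest
    single copy so far."""
    hours = defaultdict(set)
    max_copy = defaultdict(int)
    for ts, user, action, mb in history:
        hours[user].add(ts.hour)
        if action == "copy":
            max_copy[user] = max(max_copy[user], mb)
    return hours, max_copy


def baseline_flags(history, events, copy_factor=3):
    """Flag only departures from the user's own established pattern:
    an hour they have never been active at, or a copy more than
    copy_factor times their previous largest."""
    hours, max_copy = build_baseline(history)
    flags = []
    for ts, user, action, mb in events:
        if ts.hour not in hours[user]:
            flags.append((user, "unusual hour for this user"))
        if action == "copy" and mb > copy_factor * max(max_copy[user], 1):
            flags.append((user, "copy volume far above this user's norm"))
    return flags


def count_by_user(flags):
    """Summarise a flag list as {user: number of alerts}."""
    counts = defaultdict(int)
    for user, _reason in flags:
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    history, recent = parse(HISTORY), parse(RECENT)
    print("checklist rules:", count_by_user(naive_flags(recent)))
    print("per-user baseline:", count_by_user(baseline_flags(history, recent)))
```

Run as written, the checklist rules raise three alerts on each user, so the dedicated evening worker and the genuinely anomalous account look identical in the queue. The baseline rules raise nothing on the first user and three alerts on the second, which is the distinction an analyst actually needs. The thresholds (exact hour match, three times the prior maximum) are deliberately simple; a production detection would use a longer history window and a tolerance around the learned hours.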
Ultimately, there is a larger problem at play here. This list is based on an industrial-age mentality, but we are fighting an information-age war. And we’re failing. We need to start thinking about cyber with an information-age mentality. Our employees are highly educated, invested and dedicated to the success of our organizations. We want to encourage this behavior, not inhibit it.