Inside the World of Insider Threats, Part I: Motivation

As someone once said in a different context, never let a good crisis go to waste. While we still don’t have definitive proof, there’s good evidence that employees were in...
Michael Buckbee
3 min read
Last updated January 17, 2023

As someone once said in a different context, never let a good crisis go to waste. While we still don’t have definitive proof, there’s good evidence that employees were in some way involved in the Sony meltdown—see Did North Korea Really Attack Sony? from Schneier. The larger point is that the Sony breach opens the door to a public discussion on a specific topic—malicious insiders —one which many companies have been very reluctant to discuss or comment.

Let’s put Sony in the undecided category for now while we wait for more information, and instead focus on lessons from actual verified insider cases.

Great idea, but where do we find these case files?

Thankfully, Carnegie Mellon University’s Computer Emergency Response Team (CERT) has been collecting insider incident data from the US Secret Service and their own consulting practice. Over the years, they’ve amassed a hefty database of 700 well-documented insider incidents that they’ve been actively analyzing as part of their research. One conclusion worth pointing out is that the underlying motivations differ between internal and external attackers. It’s still important to keep in mind, though, that the same IT controls stopping insiders also stop outsiders!

Motivated

Since CMU CERT is a research organization, it has its own unified theories on insider data crime, which you can, if you’d like, read more about in these serious academic papers. However, as anyone who’s ever read any mysteries or watched crime shows knows, it always boils down to a question of means, motive and opportunity in establishing guilt.

Motives are especially interesting to explore in the world of insider data theft—what are the reasons that trusted employees break bad?

The folks at CMU CERT have looked into this question. Of the 700 cases, they analyzed a smaller set of only those that actually went to trial. Based on this subset, they came up with four motivation categories (see the graphic):insider-threat

  • theft for financial gain
  • theft for business advantage (IP theft)
  • IT sabotage
  • and a miscellaneous with various and sometimes unclear motives.

Stealing for money is the most obvious motive ─ though it covers less than half the cases. The CERT team discovered that this type of fraud was more likely done by lower level, non-technical employees, usually in cooperation with outsiders.

These were employees typically with financial problems who were using their authorization level as a data entry operator or customer support rep to modify credit histories, adjust benefits, or create false login credentials— all for a fee.

According to CERT, their activities were eventually spotted through an examination of log activity, particularly system change and file access logs. However, there was often a very long delay between the actual crime and its detection.

Sabotage!

With the Sony breach on everyone’s mind, we know that non-financially motivated theft can be just as devastating as those driven by dollar signs. What’s interesting about the IT sabotage category is that it’s committed as an act of revenge by the proverbial “disgruntled employee”.

The source of the disgruntlement? The CMU CERT researchers note that the triggering event can be “termination, disputes with the employer, new supervisors, transfers or demotions, and dissatisfaction with salary increases or bonuses”.

Not surprisingly, IT sabotage is committed by technically oriented employees—mostly males—who have figured out how to take over someone else’s credentials. Effectively, these are tech savvy dudes who steal the passwords of other users and then throw the virtual monkey wrench into the IT machinery. This might involve writing a script or program to delete massive amounts of data, or even setting up a backdoor account to launch an attack much later.

The saboteurs were ultimately identified through the monitoring of remote access logs, file access logs, database logs, application logs, and email logs. But the CERT folks points out that since these are more sophisticated thieves than the financially motivated data robbers, they’re good at hiding their tracks by deleting or modifying the log files themselves.

Motivation and Environment

There’s more to motivation than I can fit into this post. The CERT team has come up with some provocative ideas about how environmental factors—perceived risk in getting caught, corporate culture—can shape motivation. There may even be precursor events that point to employees who are data thieves in the making.

We’re getting into “Majority Report”-like precrime territory, but there’s evidence to suggest that the insiders test and probe the company defenses long before the actual attack.

We’ll be taking up this and other topics in my next post in this insider threat series.

Image credit: Evaneleven

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

a-practical-software-approach-to-insider-threats
A Practical Software Approach to Insider Threats
Insider data theft presents multiple challenges for traditional IT security. Insiders are employees who are entitled to be in the network unlike hackers. Standard perimeter security measures won’t work. But...
what-is-an-insider-threat?-definition-and-examples
What is an Insider Threat? Definition and Examples
Insider threats are internal risks to cybersecurity and data — learn more about insider threats, indicators, and how to detect them and prevent breaches.
is-your-data-insider-proof?-five-steps-to-keep-your-secrets-safe
Is Your Data Insider-Proof? Five Steps To Keep Your Secrets Safe
This article explains the five steps you can take to see how prepared you are for a nefarious insider or an outside attacker that compromises an insider's account or computer.
is-your-biggest-security-threat-already-inside-your-organization?
Is Your Biggest Security Threat Already Inside Your Organization?
Is your company protected against insider threats? From malicious ex-employees to negligent staff, your biggest cybersecurity concern may already be inside.