Brian Keith Managing Partner of Surveillance Reconnaissance Intelligence Group
The most stunning security failures of the last century have been and continue to be perpetrated by trusted insiders. According to FBI estimates, economic espionage – theft of trade secrets, intellectual property and proprietary information – costs US companies upwards of $400 billion annually. Theft on that order of magnitude dulls our nation’s economic edge and diminishes our competitive advantage. Back in July, my colleague Brian Zegers wrote a piece titled Anatomy of a Complex Attack, in which he explained how insiders are one of the key components of the complex attack. Insiders carry out acts of Terrorism, Espionage, Sabotage and Subversion. Therefore, prevention of complex attacks hinges on our ability to detect, define and neutralize insider threats and insider threat networks.
What’s an insider?
Insiders are people with authorized access who use their access to harm an organization. Insiders are spies, inserted or recruited by your adversaries to conduct a wide range of illicit activities. They could be anyone within your organization from executives on down to contractors, vendors or suppliers.
Why should I care?
Given their access and knowledge of your company’s inner workings, insiders are poised to inflict incalculable damage. Their actions may compromise strategies, thwart security, reveal trade secrets, diminish customer confidence, sabotage relationships and tarnish your reputation. The outcome can be devastating to you, your employees, customers, investors, partners and suppliers. Insiders’ efforts may also erase hard-won competitive advantages or disrupt your operations, resulting in missed opportunities, a loss of revenue, lower profit margins, higher insurance premiums, and increased remediation and security costs, to name a few. Predictably, the risk grows exponentially the longer insiders are in place.
Understand the threats first:
Understanding your enemy (the threat) is of vital importance. As Sun Tzu wrote, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” He went on to state, “If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.” That’s nothing more than a coin flip, 50/50. No person, company, or government, regardless of the size of its budget, can adequately protect itself without understanding the threats first. Alarmingly, many companies make critically important decisions regarding their strategy and, more specifically, their security with little to no understanding of the threats they face. Ask yourself these questions if you have any doubts about your own organization:
Who are the threats? (specifically)
What is their aim? (what they are trying to achieve; their goal, end state, mission)
When, Where, Why and How will they attack?
If you’re unable to answer these questions with certainty, know two things:
You’re not alone
You need to reexamine your approach to threat assessments
At SRIG, we have spoken with dozens of companies that have claimed, “We get intelligence from (insert governmental organization here)” or “We’ve got it covered.” Neither statement was true. There were also those who believed that employing a few intelligence analysts to monitor social media, read the newspaper, subscribe to Stratfor and watch CNN would provide them with intelligence. They were mistaken. At best, what they had was information; it certainly wasn’t intelligence.
Case in point: a company with which we had previously spoken recently discovered that it had been the victim of industrial/economic espionage carried out by a trusted insider. Its statement to us was, “We’ve got it handled” and “Don’t call us, we’ll call you.” Over the preceding three years this same firm had suffered multiple breaches carried out by other insiders, bearing out Sun Tzu’s warning, “If you know neither the enemy nor yourself, you will succumb in every battle.”
How do I get to know the threats?
You need intelligence. Intelligence is information that has been collected, collated, corroborated and analyzed. Intelligence is required to answer the Who, What, Where, When, Why and How that define your adversaries. By contrast, information provides neither answers nor clarity but rather raises more questions. Information is plentiful but not terribly valuable, whereas intelligence is rare and high-value. Today, organizations are adrift on an ocean of information, awash with vast quantities of data.
Lacking critical, time-sensitive intelligence, people are left to guess and gamble with their decisions or, worse, to take no action at all. Intelligence narrows the gap between possibility and certainty, makes choices clear and enables decisiveness. Analysts cannot detect and define insider threats if all they have is open-source information. If the threats can’t be detected or defined, they can’t be stopped. Intelligence is the only way to truly know the threats, neutralize them and deter further attacks.
Why won’t conventional security work against the Insider?
Why won’t my existing security work against the Insider?
Here are a few reasons to ponder:
Neither insiders nor complex attacks adhere to convention; they are unconventional
Complex attacks are difficult to detect because they are clandestine, layered operations involving multiple operational and intelligence cycles, which are a crucial part of an adversary’s targeting process. These operations are multi-pronged, simultaneously crossing the physical, cyber and human domains
Their initial objective is to discover, expose and exploit organizational vulnerabilities through the use of multi-disciplined collection methods such as Reconnaissance & Surveillance (R&S), insiders, Computer Network Operations (CNO) and a variety of technical surveillance methods; adversaries will then precisely target the gaps they find
Insiders blend in while gathering in-depth knowledge and developing key relationships to gain broader access
Insiders avoid detection for years or even decades because they have been instructed in the use of intelligence tradecraft to disguise their activities
Insiders with authorized access, like Edward Snowden, know what the organizational tripwires are and how to best avoid or defeat them
Unconventional threats are always on offense, evolving and adapting faster than countermeasures can be developed or deployed. Basing the development and deployment of countermeasures on historical data is backwards and ineffective
An organization always on defense can’t be proactive. It is caught in a vicious cycle of defending against threats of which it is unaware or which it doesn’t understand, reacting when its conventional defenses fail, and then conducting post-event investigations and clean-up duties
Occasionally companies discover an insider. However, those are generally the dumb ones and the cut-outs. Cut-outs serve as insulating buffers, allowing an adversary’s core operations to continue unimpeded. Once the cut-out is discovered, arrested and fired, everyone returns to business as usual without knowing whether they’ve rid themselves of the real insider(s)
Today’s linear conventional approaches only perpetuate the “always on defense” reactive cycle. Therefore, the right approach is cyclical: one in which intelligence drives offensive and defensive operations which, in turn, drive intelligence, and so on, ad infinitum. In Part III, I’ll discuss how to break that cycle and answer the question:
What can I do about it?