For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.
The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (2012) by Dawn M. Cappelli, Andrew P. Moore, and Randall F. Trzeciak
When the Edward Snowden case hit the press in summer 2013, I was working as the CISO of a mid-sized government contractor organization. At the time, my senior leadership rightly asked if our own insider threat program would have detected Snowden’s activities before he released classified information to the public. I had to admit that the honest answer was no. Because of Snowden’s system administrator position, he was a trusted employee (contractor). He had the keys to the city, or at least some of them.
We may have had better luck catching Bradley Manning. According to Bill Simpich at Reader Supported News (RSN), Manning released some 700,000 documents to the public. That volume of ex-filtrated documents may have been noticed by my automated monitoring system or would have been stopped by my preventative controls (not allowing access to the CD system on classified machines), but Snowden released only a handful of documents (with the promise of more later). My monitoring system would not have noticed that kind of precision, and because he was a system administrator, he most likely had permission to turn off my preventive controls that stopped USB use.
It was because of these developments that I picked up The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) by Dawn Cappelli, Andrew Moore, and Randall Trzeciak. I wanted to see if there was something else that could be done.
What is clear from reading the book is that there is no technical solution that truly mitigates insider threat risks, which is something many of my colleagues at Palo Alto Networks have also written about. Technology can aid in discovery – and in our case, can safely enable applications without slowing down business productivity. But the tech itself is only a part of an organization’s discovery process. For any insider threat program to be successful, leadership must coordinate across three lines of business activity: policy, training, and information technology (IT) discovery.
Book Organization
The CERT book itself is a bit odd. It is written in an academic style that is not as direct as other technical security books that I have come across. The authors scatter layers of the same information through the chapters. Specifically, they talk about the 16 mitigating controls in at least three locations at various levels of detail. Lists of Indicators of precursor behavior are all over the place and are not consistently presented. To me, the thing they do get right is that they are very explicit about what the risks are and what you can do to counter the risks.
There is good information here. Cappelli and her co-authors recommend specific administrative, technical, and physical controls that they have found useful in detecting and mitigating the insider threat. What’s also helpful is that they define three types of insider threats:
- Insider IT sabotage: Incidents in which the insider uses IT to direct specific harm at an organization or an individual.
- Insider fraud: Incidents in which an insider uses IT for the unauthorized modification, addition, or deletion of an organization’s data (not programs or systems) for personal gain, or the IT theft of information that leads to an identity crime.
- Insider theft of intellectual property: Incidents in which an insider uses IT to steal proprietary information from an organization.
They make a weak case that certain mitigations, controls and certain precursor behavior go with specific types of insider threats, but they do not show that the data is conclusive. Nevertheless, insider threat programs must look for all potential precursor behavior and apply the correct mitigation control against it.
16 Mitigation Practices
The authors say it right away: “If you learn only one thing from this book, let it be this: Insider threats cannot be prevented and detected with technology.”
There is no magic bullet here. The mitigations this book describes are the same mitigations that any group of CISOs standing around a white board for an hour might come up with. What makes the book valuable is that it is backed up with real data. After analyzing some 700 cases, the authors can make reasonable assertions about what might work. The epiphany for me was that the bulk of the recommendations do not fall within the technical realm. More than half fall into the administrative side, which may be why detecting the insider threat is so hard.
For any insider threat program to work, it must rely on humans communicating clearly across business boundaries, from the executive leadership team down to the employee users regarding policy, from the internal business units to the external trusted business partners about acceptable use, from the managers observing employee behavior and reporting anomalies to human resources, and from the IT department gathering evidence for leadership to make a decision. My colleague, Danelle Au, recently discussed why CISOs have to be the executives that ensure these communications are happening cross-functionally on a regular basis.
The authors describe 16 strategic goals to help prevent an insider threat attack and suggest a number of tactical controls for an organization to put in place to make that strategic goal successful. These include everything from considering insiders and business partners when performing enterprise-wide risk assessments, to a clearly documented and consistently enforced set of policies and controls.
I’ve also seen success in techniques such as periodic security awareness training for all employees, anticipating and managing negative workplace issues, and many more suggested by the authors.
What To Focus On
Assessing my organization’s ability to detect and prevent insider threat activity similar to actions performed by Snowden and Manning was sobering. With the controls I had in place in my previous role, I most likely would not have been successful. The CERT Guide book outlines specific mitigating controls to consider for preventing this kind of activity in the future.
Although the book is frustratingly academic, the specific assertions about what to put in place are backed by more than 700 case studies. It is the authoritative source about what works and what does not for this threat. What I learned from reading this book is that there is no technical solution that truly mitigates insider threat risks. For any insider threat program to be successful, leadership must coordinate across the entire business in terms of policy, training and implementation to ensure four tactical goals:
- Train employees and managers to watch for the signs of potential insider threat behavior.
- Provide mechanisms across the organization to report and review the activity.
- Establish and maintain the apparatus to monitor for potential abuse.
- Mitigate the risk before any damage is done.
The key to the entire program is the human element, and that is why defending against the insider threat is hard.