Why Should You Manage Insider Threats Differently than APTs?

3 min read
(May 2, 2024)
Why Should You Manage Insider Threats Differently than APTs?

This article is available in audio format, click play above to listen to the article. 

Insider threat is inherently a human challenge. Effective insider threat/risk programs deter, detect, and mitigate insider risk by combining human, organizational, cyber, and physical sensors and approaches. However, some organizations have developed programs that focus nearly entirely on the cyber components of managing insider risks. This practice often leads to disappointment and wasted investment when the program is less effective, as it prioritizes cyber components over all other sensors and approaches. 

The activities of external adversaries who use compromised accounts to act as masqueraders or impersonators do not look the same as activities by actual employees within the organization, as demonstrated repeatedly with user activity monitoring (UAM) data and research over the last 16 years at MITRE. This does not eliminate the ability of external adversaries to create insider threats by deploying an individual as an employee in your organization, or by influencing the employees in your workforce. To make best use of your limited and valuable insider threat resources (particularly your analysts), the MITRE Insider Threat Research & Solutions team recommends that you focus on leveraging more than just cyber data sources.  

Who Should You Want on Your Team? 

Speaking of insider threat analysts, (whom we really enjoy working with!), we are seeing what was once a decreasing trend but is now an increasing trend of insider threat/risk programs hiring SOC analysts instead of all-source insider threat analysts. This is a demonstrated problem because malicious insiders do not act like Advanced Persistent Threats (APTs), and insider risk analysis involves more than just cyber data. Thus, SOC analysts (those collectively trained to do SOC analyses) can struggle with insider risk analysis. We have all met the amazing SOC analyst who can see both sides well and do both, but they are a rare gem. If you have one of those, please take good care of them so you can keep them. There are practical ways to transition someone from being an SOC analyst to an insider threat analyst role that includes correlation and analysis of data from cyber, physical, human, and organizational sensors.  

For example, cyber APT hunting by SOC analysts leverages a variety of kill chains, movement paths, etc. that insider threat analysts do not have. Just this year, we examined whether employees with malicious intent (general and cyber professionals) used different sequences (e.g., specific order of behaviors) of cyber search, collection, and removal activities than employees with benign intent. A small set of PRI sequences were identified with low false positive rates. These sequences are likely to be rare. The practical research with real employees calls into question the need for insider risk detection solutions and analysts to focus on sequences of actions because those work for APTs. There will likely be more return-on-investment with a focus on specific non-sequential combinations of risky behavior.  

Which New Threat Indicators Should You Pay Attention To? 

Recently MITRE’s Insider Threat Research & Solutions team analyzed the first research data of 150 real employees searching, collecting, and exfiltrating sensitive internal information from an organization’s live production network with malicious intentions. Three new analyses will arm insider risk programs with evidence for informed decisions on proactive insider risk endpoint detection capabilities. If you are interested in hearing all about the last indictors, make sure you catch MITRE’s RSA Session (ANI-W02) Data-Driven Cyber Indicators of Malicious Insider Threat at 9:40am next Wednesday, May 8th under the Analytics & Intelligence track. 

The team also is building a first-of-its-kind insider threat framework that will connect cyber-physical elements with psycho-social pieces—individual and organizational factors. With the framework, we can develop better potential risk indicators and assess gaps in sensors, and then we can advise the commercial community to produce solutions that fill targeted gaps instead of collecting excess information. Ideally, it will bolster the global community’s ability to identify risks before they become threats. Organizations are welcome to contribute data for the framework. The benefits for those who share data early is that they will get to see more of the findings sooner, learn more about themselves earlier, and have an impact on the way that the framework is shaped.