Insider Threat: Tackling the Complex Challenges of the Enemy Within

The insider threat is a simple term for a mammoth and complex problem. It ranges from national security through theft of corporate intellectual property to malicious harm and accidental incompetence. 

Here we concentrate on the malicious insider threat. This involves foreign agents, legitimate but malcontent staff, criminally-bribed employees, and more. Just as these threats are diverse, so are the possible solutions.

National security

National security can suffer from both malcontents and foreign agents. Edward Snowden is the iconic example of a malcontent insider leaking documents that harmed national security. He is now a Russian citizen and charged in the US with offenses against the Espionage Act. He was probably not a traditional spy or foreign agent but a malcontent insider. He was apparently transiting Russia on his way to Cuba / Ecuador when he was marooned at Moscow airport after the US revoked his passport – and was allowed to stay because he could not leave (and it gave Russia propaganda opportunities).

His motivation seems to have been a belief that secret global NSA (and GCHQ) surveillance practices should not remain secret. He stole thousands of classified documents and passed them to journalists. This motivation is partially vindicated by the reaction of Europe – it led to the formulation and enactment of GDPR, which has become the underlying blueprint for many global privacy regulations.

However, Snowden’s motivation is irrelevant here: the NSA failed to recognize and prevent the insider threat posed by a contractor working for the NSA.

Monetary theft

On August 8, 2024, the Justice Department disclosed its disruption of a North Korean IT worker fraud scheme. It announced the arrest of a Nashville, Tennessee man (Matthew Knoot) for facilitating the employment of NK IT workers (probably physically located in China) to work remotely for US firms. The firms thought they were remotely employing a US citizen, and sent him (actually Knoot) a company laptop. Knoot installed remote desktop (RDP) software on it so that the NK personnel could work through it remotely.

The Justice Department announcement suggests the purpose is primarily financial, with the workers’ pay being transferred to North Korea and siphoned into the nation’s weapons program. A subsequent report from Mandiant shows this example is only part of a large problem. 

“We have observed the operators leverage front companies to disguise their true identities; additionally, U.S. government indictments show that non-North Korean individuals, known as ‘facilitators’, play a crucial role in enabling these IT workers in their efforts to seek and maintain employment,” explains Mandiant. “These individuals provide essential services that include, but are not limited to, laundering money and/or cryptocurrency, receiving and hosting company laptops at their residences, using stolen identities for employment verification, and accessing international financial systems.”


The report points to an earlier example of one facilitator impacting more than 300 US companies and earning at least $6.8 million – most of it probably fueling NK weapons development.

Mandiant defines the motives behind this fraudulent employment as being ‘financial gain’ and maintaining long term access ‘for potential future financial exploitation’. It also notes, but hasn’t definitively observed, the possibility of espionage or disruptive activity.

KnowBe4 is one example of a victim of a fake hire arranged through a facilitator. The firm dispatched a company workstation. But it immediately detected anomalous activity which included “various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software.” Within 25 minutes of the first alert, KnowBe4 contained the device. “No access was gained or compromised on KnowBe4 systems,” confirmed chief executive Stu Sjouwerman.

Commercial IP theft

The demise of Nortel in 2009, a company that had once accounted for more than one-third of the valuation of all the companies listed on the Toronto Stock Exchange, is a complex issue. Nevertheless, there is a correlation between its downfall and the rise of China’s Huawei selling similar but cheaper products. According to Brian Shields, Nortel had been hacked.

This hack was also complex, ostensibly involving access to executive email accounts (traditional hacking) and the employment of Chinese PhD students (insiders). A Global News report published on August 25, 2020, quotes an unnamed expert commenting on Nortel’s “usage of Chinese PhD students hired by Nortel to steal research”.

The report continues, “Many of these allegations are consistent with a February 2020 U.S. Department of Justice indictment that alleges Huawei was involved in a decades-long conspiracy to steal technology from numerous victim companies in efforts to grow its market share, the expert said.”

It is impossible to verify all these suggestions, but the alleged activity is consistent with adversarial nations using insiders to effect IP theft for economic gain. These days, this is potentially easier to achieve via cyberattacks, but the apparent ease by which North Korean IT workers can infiltrate important and large corporations would suggest that it continues.

However, theft of intellectual property for commercial gain is not limited to international activity. In 2004, twins Cameron and Tyler Winklevoss sued Mark Zuckerberg, accusing him of fraud, copyright infringement and misappropriation of trade secrets after he had worked on their ConnectU social networking project and then used that work to help develop Facebook. Zuckerberg denied the accusations, but nevertheless reportedly (by ComputerWorld) agreed to pay the twins $65 million in 2008.

This agreement was meant to be confidential and was not confirmed. Nevertheless, it provides insight into the lucrative potential of taking IP from one employer to another. We can assume it is not an uncommon occurrence, and most cases are settled quietly out of court. In some instances, it will be for direct monetary gain, but in other cases it will be an act of revenge over believed mistreatment by the employer.

The motivations for malicious or potentially malicious activity are various. Sometimes the precise motivation isn’t clear. On October 2, 2024, Swedish TV4 revealed that an employee with ‘a central and safety-sensitive role as a technical expert at the Swedish nuclear technology company’ Studsvik simultaneously worked with the Chinese Communist Party’s United Front. That’s a red flag in more than one sense of the term.

There are only two methods for preventing intentional harm from malicious insiders: don’t employ people likely to cause harm; or detect and prevent their bad intent before harm can be done while they are employed. The first tool is background checking, while the second is becoming focused on sentiment analysis (aka, but less socially acceptable, ‘psycholinguistic analysis’) together with old-fashioned network anomaly detection. Neither is foolproof, and both need to be implemented as part of a wider employment process.

Background checking before employment

There are many specialist background checking firms. These companies collect data from as many public sources as possible and can, for example, rapidly determine whether a US candidate has a criminal history. Background checks through third party specialist firms can provide valuable information that can aid employment choices.

But they should not be used alone. A US firm would have difficulty in collecting the personal history of an EU resident applying for a remote position. And it would be almost impossible to detect a foreign identity that has been constructed via the full resources of an adversarial foreign nation. AI can be used to create a fictional character or alter the appearance of an existing character. False but corroborating social media accounts can be created to provide background. Full employment histories and personal references can be generated from university to jobs – all in or from foreign firms that cannot be confirmed. US firms would have difficulty in verifying such candidates. And all of this will become easier with rapidly improving gen-AI until even criminal gangs will be able to create false identities for real people.

Third-party background checking can only go so far. It must be supported by old-fashioned and experienced interview techniques. Omri Weinberg, co-founder and CRO at DoControl, explains his methodology: “We’re primarily concerned with two types of bad actors. First, there are those looking to use the company’s data for nefarious purposes. These individuals typically have the skills to do the job and then some – they’re often overqualified. They pose a severe threat because they can potentially access and exploit sensitive data or systems.”

Omri Weinberg, co-founder and CRO at DoControl

The second type includes those who oversell their skills and are actually under or way underqualified. “While they might not have malicious intent, they can still cause significant damage through incompetence or by introducing vulnerabilities due to their lack of expertise. For the overqualified potential bad actors, we’re wary of candidates whose skills far exceed the role’s requirements without a clear explanation. For the underqualified group, we look for discrepancies between claimed skills and actual experience or knowledge during interviews.”

This means it is important to probe the candidate during the interview to gauge his or her true skill level. “It’s essential that the person evaluating the hire has the technical expertise to make these determinations,” he added.

Stephen Kowski, Field CTO at SlashNext, also uses in-house and third party screening for new hires. “Thorough background checks are always conducted for all potential hires,” he explained. “A combination of in-house vetting and specialized third-party agencies is used to ensure comprehensive screening. This multi-layered approach helps identify potential risks and verify credentials more effectively.”

He notes the additional complexities of recruiting remote foreign workers. “Data protection regulations like GDPR can complicate cross-border background checks. Some countries have strict laws limiting the types of information that can be collected or shared about individuals. Navigating these legal complexities requires careful consideration and often specialized legal expertise.”

Stephen Kowski, Field CTO at SlashNext

In the final analysis, he concludes: “If any doubts persist or critical information cannot be verified, the safer option would be to pass on the candidate.”

We have no way of knowing how often third party background checks and/or interview techniques succeed in screening out potentially harmful recruitment; but we do know it isn’t always successful. Just as risk management teaches us to expect a malicious compromise and have security layers in place to provide rapid response, so must we learn how to detect and respond to a malicious (or careless) insider who is already employed.

Detection during employment

The two ways to detect an employee who has dubious intent are through what they do and what they think. The former has similarities to detecting an intrusion; that is, network anomaly detection. Note that KnowBe4 detected a North Korean remote employee ‘through various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software’. But also note, if the employee has been with the company for a long time, and has reached a senior position, he or she may be better able to disguise or hide misbehavior.
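The three indicators KnowBe4 cited (session history manipulation, transfer of potentially harmful files, execution of unauthorized software) lend themselves to simple rule-based detection on endpoint audit events. The following is an added example, not KnowBe4's or anyone else's production logic; the log lines, the allow-list and the indicator patterns are all constructed, and it also measures the first-alert-to-containment interval the article highlights.

```python
import re
from datetime import datetime

# Constructed endpoint audit log (not real KnowBe4 telemetry):
# "<ISO timestamp> <user> <event> <detail>", one event per line.
SAMPLE_LOG = """\
2024-07-15T21:55:10Z dev-contractor process_start /usr/bin/code
2024-07-15T21:58:42Z dev-contractor shell_cmd history -c
2024-07-15T21:59:05Z dev-contractor shell_cmd unset HISTFILE
2024-07-15T22:01:20Z dev-contractor shell_cmd cat /etc/hostname
2024-07-15T22:03:11Z dev-contractor file_transfer /tmp/loader.exe
2024-07-15T22:07:30Z dev-contractor process_start /tmp/loader.exe
2024-07-15T22:09:00Z dev-contractor process_start /usr/bin/git
2024-07-15T22:21:15Z soc-analyst containment isolate_host
"""

# Assumed allow-list of binaries approved for this developer role.
ALLOWED_BINARIES = {"/usr/bin/code", "/usr/bin/git", "/usr/bin/python3"}
# Commands that clear or disable shell history (the "session history" indicator).
HISTORY_TAMPER = re.compile(r"history -c|unset HISTFILE|HISTSIZE=0|>\s*\S*_history\b")
# Extensions treated as potentially harmful when dropped through the remote session.
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".sh")

def classify(event, detail):
    """Map one audit event to an insider-threat indicator category, or None."""
    if event == "shell_cmd" and HISTORY_TAMPER.search(detail):
        return "history_manipulation"
    if event == "file_transfer" and detail.lower().endswith(EXEC_EXT):
        return "harmful_file_transfer"
    if event == "process_start" and detail not in ALLOWED_BINARIES:
        return "unauthorized_execution"
    return None

def analyze(log_text):
    """Return the alerts, the distinct indicator categories seen, and the minutes
    from the first alert to the containment event (None if never contained)."""
    alerts, first_alert, contained_at = [], None, None
    for line in log_text.splitlines():
        ts, user, event, detail = line.split(maxsplit=3)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if event == "containment":
            contained_at = when
            continue
        category = classify(event, detail)
        if category:
            alerts.append((ts, user, category, detail))
            first_alert = first_alert or when
    minutes = None
    if first_alert and contained_at:
        minutes = (contained_at - first_alert).total_seconds() / 60
    return {"alerts": alerts, "categories": {a[2] for a in alerts},
            "minutes_to_containment": minutes}
```

Seeing all three categories on one host within minutes is a much stronger signal than any single rule, which is what should drive the containment decision rather than one isolated hit.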

The second method is through monitoring the mood of individuals – effectively ‘sentiment’ analysis that can come from the science of psycholinguistic analysis. This may appear intrusive when conducted by technology, but is little different from leaders monitoring their staff for signs of burnout so they can help the employee. Why not do the same to help the company through technology?

The process is known as ‘sentiment analysis’. We do it automatically and often subconsciously whenever we talk to someone – we want / need to know the mood of that person. Moods evolve rapidly, but the descent into discontent evolves gradually and is often revealed slowly through written communication.
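The distinction drawn above, a fast-changing mood versus a gradual descent into discontent, is what a trend check over per-employee sentiment scores needs to capture. The example below is added here and is not from the article or any vendor; the weekly scores are constructed, and the thresholds are assumptions to be tuned with HR and Legal input.

```python
from statistics import mean

# Constructed weekly sentiment scores in [-1, 1] per employee (not real data).
# In practice these come from a sentiment model run over written channels
# under an agreed, disclosed monitoring policy.
WEEKLY_SCORES = {
    "alice": [0.4, 0.5, 0.3, -0.6, 0.4, 0.5, 0.3, 0.4],   # one bad week, then recovery
    "bob":   [0.5, 0.4, 0.3, 0.2, 0.1, 0.0, -0.1, -0.2],  # steady slide into discontent
    "carol": [0.2, 0.3, 0.2, 0.3, 0.2, 0.3, 0.2, 0.3],    # stable
}

def slope(values):
    """Least-squares slope of the scores against week index 0..n-1."""
    n = len(values)
    xs = range(n)
    x_bar, y_bar = mean(xs), mean(values)
    num = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, values))
    den = sum((x - x_bar) ** 2 for x in xs)
    return num / den

def classify_trend(values, window=3, slope_threshold=-0.05, dip_threshold=-0.5):
    """Return 'gradual_decline', 'transient_dip' or 'stable'.

    A gradual decline needs both a negative trend across the whole series and a
    recent average clearly below the starting average. A single low week with a
    flat overall trend is a transient dip: worth a manager's attention, not an
    insider-threat escalation. Thresholds are assumed values, not calibrated ones.
    """
    if len(values) < 2 * window:
        raise ValueError("need at least two windows of data")
    s = slope(values)
    early, late = mean(values[:window]), mean(values[-window:])
    if s <= slope_threshold and late < early - 0.2:
        return "gradual_decline"
    if min(values) <= dip_threshold:
        return "transient_dip"
    return "stable"

def screen(scores=WEEKLY_SCORES):
    """Classify every employee's series; only 'gradual_decline' would be reviewed."""
    return {name: classify_trend(series) for name, series in scores.items()}
```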

Government perceptions

EO13587, issued by President Obama, established a government insider threat program run by the National Insider Threat Task Force (NITTF). The purpose is to protect classified information from unauthorized disclosure (think Snowden and Chelsea Manning), but the process is applicable to all industries. In its own words, “The primary mission of the NITTF is to develop a government-wide insider threat program for deterring, detecting, and mitigating insider threats.”

The NITTF is run from the Office of the Director of National Intelligence. Its program is not a sentiment analysis tool, but its guidance is packed with advice on how to recognize evolving insider threats.

Academic perceptions

The Carnegie Mellon Software Engineering Institute gave a presentation discussing their work on text analytics to uncover insider threats. It’s a hugely complex area. The technology exists to provide sentiment analysis, but it must be used with care. The presenters stress that any text analysis used to discover sentiment must be part of an organization-wide approach including HR and Legal. Privacy legislation and norms must be considered. If it appears that an organization is surreptitiously spying on its employees, that will automatically generate bad sentiment and be counterproductive.

“These are folks we’ve already entered into trust relationships with, and in the average case, we want to support, protect these folks, support folks who are experiencing and demonstrating concerning behaviors and activity that, in our research, we’ve seen precede the harmful acts that malicious insiders have gone on to carry out against the organization,” say the presenters. The primary purpose of sentiment analysis should not be to catch insiders, but to prevent the cause of insider threats.

The future

We will see a rapid advance in the technologies and tools that can be used to this end through the continuing advances of gen-AI. In January 2024, Sean Trott published a paper showing that GPT-4 can be used to elicit judgments for various psycholinguistic norms.

The science involved is already being used – primarily to discover sentiment in social media. As the individual insider threat continues to grow, it is only natural that commercial organizations will develop tools that uncover sentiment within specific companies. The biggest constraints are privacy laws – but laws are flexible. They have been repeatedly bent to allow data scraping by, for example, OpenAI. The time will come when the full power of gen-AI and machine learning can be applied – must be applied – to internal employee sentiment analysis.

When that time comes, companies will be well-advised to plan carefully and tread softly.

Related: Mandiant Offers Clues to Spotting North Korean Fake IT Workers

Related: Triple Threat: Insecure Economy, Cybercrime Recruitment and Insider Threats

Related: Most NASA Systems at Risk From Insider Threats: Audit

Related: New CISA Tool Helps Organizations Assess Insider Threat Risks
