The document discusses insider threat and provides a field guide for characterizing and managing insider threat risk. It defines insider threat and different threat agents. It presents a threat-consequence vector matrix that maps various attack types according to the intent (hostile or non-hostile) and type of threat agent. The field guide can help organizations establish a common framework for managing insider threat, prioritize threats based on available resources, and identify threats for mitigation by customizing the model to their unique environment.
6. #RSAC
Definitions
Insider Threat is the potential for a current or former employee, contractor, or business partner to accidentally or maliciously misuse their trusted access to harm the organization's employees and customers, assets, or reputation.
A Threat Agent is a representative class of people who can harm an organization, intentionally or accidentally, and who are identified by their unique characteristics and behaviors.
6
9. #RSAC
Attack Types
IP & Data Loss
Ooops
Ongoing, targeted IP extraction
Exiting employees
• Accidental leak
• Espionage
• Financial fraud
• Misuse
• Opportunistic data theft
• Physical theft
• Product alteration
• Sabotage
• Violence
10. #RSAC
Threat-Consequence Vector Matrix
Analysis by Intel’s Threat Agent Analysis Group
Intent (column groups, left to right): Non-Hostile | Non-Hostile/Hostile | Hostile
Threat Agent (columns, left to right): Reckless Insider, Untrained/Distracted Insider, Outward Sympathizer, Vendor Partner, Irrational Individual, Thief, Disgruntled Insider, Activist, Terrorist, Organized Crime, Competitor, Nation State
Attack Type (rows); each X marks one threat vector for that attack type and threat agent:
Accidental leak: X X X X X X X
Espionage: X X X X X X X X
Financial fraud: X X X X X
Misuse: X X X X X X X X
Opportunistic data theft: X X X X X X X X
Physical theft: X X X X X X
Product alteration: X X X X X X X X X
Sabotage: X X X X X X
Violence: X X X
12. #RSAC
Demonstrate the scope of the problem
(Threat-Consequence Vector Matrix, as on slide 10)
60 separate Insider Threat vectors – Are you prepared for all of them?
13. #RSAC
Prioritizing Protection to Optimize Resources
Food Manufacturer (example)
• Accidental leak
• Espionage
• Financial fraud
• Misuse
• Opport. data theft
• Physical theft
• Product alteration
• Sabotage
• Violence
(Threat-Consequence Vector Matrix, as on slide 10)
14. #RSAC
Prioritizing Protection to Optimize Resources
Food Manufacturer (example)
• Accidental leak
• Espionage
• Financial fraud
• Misuse
• Opport. data theft
• Physical theft
• Violence
• Product alteration
• Sabotage
(Threat-Consequence Vector Matrix, as on slide 10)
16. #RSAC
Provide context for your data
(Threat-Consequence Vector Matrix, as on slide 10)
Example incidents:
• 2-day factory downtime
• Lost market lead in key product
• $15M in lawsuits
• 3% annual shrinkage
17. #RSAC
Customize for your threat landscape
The model is open-ended and you can extend & tailor it to your environment.
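As an added illustration of the scope, prioritize and customize steps on slides 12 to 17 (not Intel's own data or code), the matrix encoded as a small Python model with a tailoring step. The cell assignments and the food-manufacturer profile are constructed, because this extraction does not preserve which threat agent each X belongs to.

```python
"""Threat-Consequence Vector Matrix as data, plus a tailoring/prioritization step.

Added example, not Intel's own data or code. The cells below are CONSTRUCTED for
illustration (the deck marks 60 cells in total; this extraction does not preserve
which threat agent each X belongs to), so the counts here are for the toy matrix.
"""

# Constructed cells: attack type -> threat agents with an X in that row.
MATRIX = {
    "Accidental leak": {"Reckless Insider", "Untrained/Distracted Insider", "Vendor Partner"},
    "Espionage": {"Competitor", "Nation State", "Disgruntled Insider"},
    "Financial fraud": {"Thief", "Organized Crime", "Disgruntled Insider"},
    "Misuse": {"Reckless Insider", "Outward Sympathizer", "Vendor Partner"},
    "Opportunistic data theft": {"Thief", "Disgruntled Insider", "Vendor Partner"},
    "Physical theft": {"Thief", "Organized Crime"},
    "Product alteration": {"Disgruntled Insider", "Activist", "Terrorist", "Competitor"},
    "Sabotage": {"Disgruntled Insider", "Activist", "Nation State"},
    "Violence": {"Irrational Individual", "Disgruntled Insider", "Terrorist"},
}


def vectors(matrix):
    """Each (attack type, threat agent) pair with an X is one insider threat vector."""
    return [(attack, agent) for attack, agents in matrix.items() for agent in sorted(agents)]


def prioritize(matrix, in_scope_agents, consequence):
    """Tailor the matrix: keep vectors whose agent the organization judges relevant
    and whose attack type it has weighted, ranked by consequence weight (high first),
    then by attack type and agent name so the order is stable."""
    ranked = [(consequence[attack], attack, agent)
              for attack, agent in vectors(matrix)
              if agent in in_scope_agents and attack in consequence]
    return sorted(ranked, key=lambda v: (-v[0], v[1], v[2]))


# Constructed profile in the spirit of the deck's "Food Manufacturer (example)":
# product alteration and violence weigh most; nation-state espionage is out of scope.
FOOD_MANUFACTURER_AGENTS = {"Reckless Insider", "Untrained/Distracted Insider", "Vendor Partner",
                            "Disgruntled Insider", "Activist", "Irrational Individual", "Thief"}
FOOD_MANUFACTURER_CONSEQUENCE = {"Product alteration": 3, "Violence": 3, "Sabotage": 2,
                                 "Accidental leak": 1, "Physical theft": 1}

if __name__ == "__main__":
    print(len(vectors(MATRIX)), "vectors in the constructed matrix")  # 27
    for weight, attack, agent in prioritize(MATRIX, FOOD_MANUFACTURER_AGENTS,
                                            FOOD_MANUFACTURER_CONSEQUENCE):
        print(weight, attack, "<-", agent)
```

Swapping in your own cells, agent scope and consequence weights turns the 60-vector matrix into the shorter, ordered list the deck asks you to build for your environment.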
18. #RSAC
How the Guide Can Help You
Having a Field Guide helps you manage risk by:
• Establishing a common framework and language for managing insider threat throughout the organization and community
• Prioritizing threats and optimizing the use of limited resources
• Identifying threats for mitigation
• Providing a framework to describe and manage your unique threat landscape
19. #RSAC
Applying the Field Guide in Your Organization
Short term
• Share the Guide with key stakeholders to inform them of the problem scope and enlist them in your team
• Assess your particular threats and controls against the Field Guide to ensure you are managing your most dangerous insider risks
Medium term
• Modify the model to reflect your situation and priorities
Long term
• Use the Guide to regularly re-assess your overall insider threat landscape
20. #RSAC
Resources
• Intel Field Guide to Insider Threat: http://ow.ly/CLux308vUbP
• Intel Threat Agent Analysis: https://communities.intel.com/docs/DOC-23914 and https://communities.intel.com/docs/DOC-1151
• Improving Healthcare Risk Assessments to Maximize Security Budgets (how to tailor the model for your environment): http://ow.ly/1W2H308vUfx
• CERT Insider Threat Center: https://www.cert.org/insider-threat
We actively engage with fellow travelers utilizing Threat Agent Analysis related to:
• Threat Assessments
• Supplier Management and Supply Chain Risk
• Tools and Visualization