The document discusses insider threat and provides a field guide for characterizing and managing insider threat risk. It defines insider threat and different threat agents. It presents a threat-consequence vector matrix that maps various attack types according to the intent (hostile or non-hostile) and type of threat agent. The field guide can help organizations establish a common framework for managing insider threat, prioritize threats based on available resources, and identify threats for mitigation by customizing the model to their unique environment.

1. SESSION ID:SESSION ID:
#RSAC
Tim Casey
A Field Guide to Insider Threat
Helps Manage the Risk
HUM-T10R
Senior Strategic Risk Analyst
Intel Corp.

2. #RSAC
How do you think of insider threat?
2

3. #RSAC
The problem is becoming more complex
3
Logos and trademarks are the property of their respective owners

4. #RSAC
The Field Guide to Insider Threat
Accidental leak
Espionage
Financial fraud
Misuse
Oportun. data theft
Physical theft
Product alteration
Sabotage
Violence
Reckless
Insider
Untrained/
Distracted
Insider
Outward
Sympathizer
Vendor Partner
Irrational
Individual
Thief
Disgruntled
Insider
Activist Terrorist
Organized
Crime
Competitor
Nation
State

5. #RSAC
Characterizing Insider Threat

6. #RSAC
Definitions
Insider Threat is the potential for a
current or former employee, contractor,
or business partner to accidentally or
maliciously misuse their trusted access
to harm the organization’s employees
and customers, assets, or reputation.
A Threat Agent is a representative class
of people who can harm an organization,
intentionally or accidentally, and
identified by their unique characteristics
and behaviors.
6

7. #RSAC
Insider Threat Agents
Non-Hostile
Reckless Insider
Outward
Sympathizer
Untrained/
Distracted Insider
Hostile/Non-Hostile
Partner
Supplier
Hostile
Activist
Competitor
Disgruntled Insider
Irrational Individual
Nation State
Organized Crime
Terrorist
Thief
Non-Hostile Non-Hostile OR Hostile Hostile
7

8. #RSAC
Attack Types
Accidental leak
Espionage
Financial fraud
Misuse
Opportunistic data theft
Physical theft
Product alteration
Sabotage
Violence
8

9. #RSAC
Attack Types
IP & Data Loss
Ooops
Ongoing, targeted
IP extraction
Exiting employees
Accidental leak
Espionage
Financial fraud
Misuse
Opportunistic data theft
Physical theft
Product alteration
Sabotage
Violence
9

10. #RSAC
Threat-Consequence Vector Matrix
Analysis by Intel’s Threat Agent Analysis Group
Intent→ Non-Hostile
Non-Hostile
/Hostile
Hostile
Attack Type↓
Reckless
Insider
Untrained/
Distracted
Insider
Outward
Sympathizer
Vendor Partner
Irrational
Individual
Thief
Disgruntled
Insider
Activist Terrorist
Organized
Crime
Competitor
Nation
State
Accidental leak X X X X X X X
Espionage X X X X X X X X
Financial fraud X X X X X
Misuse X X X X X X X X
Opportunistic data
theft
X X X X X X X X
Physical theft X X X X X X
Product alteration X X X X X X X X X
Sabotage X X X X X X
Violence X X X
10

11. #RSAC
Applying the
Field Guide

12. #RSAC
Demonstrate the scope of the problem
Intent→ Non-Hostile
Non-Hostile
/Hostile
Hostile
Attack Type↓
Reckless
Employee
Untrained/
Distracted
Insider
Outward
Sympathizer
Vendor Partner
Irrational
Individual
Thief
Disgruntled
Insider
Activist Terrorist
Organized
Crime
Competitor
Nation
State
Accidental leak X X X X X X X
Espionage X X X X X X X X
Financial fraud X X X X X
Misuse X X X X X X X X
Opport. data theft X X X X X X X X
Physical theft X X X X X X
Product alteration X X X X X X X X X
Sabotage X X X X X X
Violence X X X
60 separate Insider Threat vectors –
Are you prepared for all of them?
12

13. #RSAC
Prioritizing Protection to Optimize Resources
• Accidental leak
• Espionage
• Financial fraud
• Misuse
• Opport. data theft
• Physical theft
• Product alteration
• Sabotage
• Violence
Intent→ Non-Hostile
Non-Hostile
/Hostile
Hostile
Attack Type↓
Reckless
Insider
Untraind
Distractd
Insider
Outward
Sympathiz
er
Vendor Partner
Irrational
Individual
Thief
Disgruntled
Insider
Activist Terrorist
Organized
Crime
Competitor
Nation
State
Accidental leak X X X X X X X
Espionage X X X X X X X X
Financial fraud X X X X X
Misuse X X X X X X X X
Opportunistic data
theft
X X X X X X X X
Physical theft X X X X X X
Product alteration X X X X X X X X X
Sabotage X X X X X X
Violence X X X
Food Manufacturer (example)
13

14. #RSAC
Prioritizing Protection to Optimize Resources
Intent→ Non-Hostile
Non-Hostile
/Hostile
Hostile
Attack Type↓
Reckless
Insider
Untraind
Distractd
Insider
Outward
Sympathiz
er
Vendor Partner
Irrational
Individual
Thief
Disgruntled
Insider
Activist Terrorist
Organized
Crime
Competitor
Nation
State
Accidental leak X X X X X X X
Espionage X X X X X X X X
Financial fraud X X X X X
Misuse X X X X X X X X
Opportunistic data
theft
X X X X X X X X
Physical theft X X X X X X
Product alteration X X X X X X X X X
Sabotage X X X X X X
Violence X X X
Food Manufacturer (example)
• Accidental leak
• Espionage
• Financial fraud
• Misuse
• Opport. data theft
• Physical theft
• Violence
• Product alteration
• Sabotage
14

15. #RSAC
Intent→ Non-Hostile
Non-Hostile
/Hostile
Hostile
Attack Type↓
Reckless
Insider
Untrained/
Distracted
Insider
Outward
Sympathizer
Vendor Partner
Irrational
Individual
Thief
Disgruntled
Insider
Activist Terrorist
Organized
Crime
Competitor
Nation
State
Accidental leak X X X X X X X
Espionage X X X X X X X X
Financial fraud X X X X X
Misuse X X X X X X X X
Opportunistic data
theft
X X X X X X X X
Physical theft X X X X X X
Product alteration X X X X X X X X X
Sabotage X X X X X X
Violence X X X
Minimize the Threat
15

16. #RSAC
Intent→ Non-Hostile
Non-Hostile
/Hostile
Hostile
Attack Type↓
Reckless
Insider
Untrained/
Distracted
Insider
Outward
Sympathizer
Vendor Partner
Irrational
Individual
Thief
Disgruntled
Insider
Activist Terrorist
Organized
Crime
Competitor
Nation
State
Accidental leak X X X X X X X
Espionage X X X X X X X X
Financial fraud X X X X X
Misuse X X X X X X X X
Opportun. data theft X X X X X X X X
Physical theft X X X X X X
Product alteration X X X X X X X X X
Sabotage X X X X X X
Violence X X X
Provide context for your data
2-day factory
downtime
Lost market lead
in key product
$15M in lawsuits
3% annual shrinkage
16
Example incidents

17. #RSAC
Customize for your threat landscape
The model is open-ended and you can
extend & tailor it to your environment
17

18. #RSAC
How the Guide Can Help You
Having a Field Guide helps you manage risk by:
Establishing a common framework and language for
managing insider threat throughout the organization
and community
Prioritizing threats and optimizing the use of limited
resources
Identifying threats for mitigation
A framework to describe and manage your unique
threat landscape
18

19. #RSAC
Applying the Field Guide in Your Organization
Short term
Share the Guide with key stakeholders to inform them of
the problem scope and enlist them in your team
Assess your particular threats and controls against the Field
Guide to ensure you are managing your most dangerous
insider risks
Medium term
Modify the model to reflect your situation and priorities
Long term
Use the Guide to regularly re-assess your overall insider
threat landscape
19

20. #RSAC
Resources
Intel Field Guide to Insider Threat: http://ow.ly/CLux308vUbP
Intel Threat Agent Analysis:
https://communities.intel.com/docs/DOC-23914
https://communities.intel.com/docs/DOC-1151
Improving Healthcare Risk Assessments to Maximize Security
Budgets (how to tailor the model for your environment):
http://ow.ly/1W2H308vUfx
CERT Insider Threat Center: https://www.cert.org/insider-threat
We actively engage with fellow travelers utilizing Threat Agent Analysis related to:
 Threat Assessments
 Supplier Management and Supply Chain Risk
 Tools and Visualization
20

21. #RSAC
Questions?