Inside the World of Insider Threats, Part I: Motivation

Michael Buckbee
3 min read
Published January 20, 2015
Last updated January 17, 2023

As someone once said in a different context, never let a good crisis go to waste. While we still don't have definitive proof, there's good evidence that employees were in some way involved in the Sony meltdown (see Did North Korea Really Attack Sony? from Schneier). The larger point is that the Sony breach opens the door to a public discussion of a specific topic, malicious insiders, which many companies have been very reluctant to discuss or comment on.

Let’s put Sony in the undecided category for now while we wait for more information, and instead focus on lessons from actual verified insider cases.

Great idea, but where do we find these case files?

Thankfully, Carnegie Mellon University’s Computer Emergency Response Team (CERT) has been collecting insider incident data from the US Secret Service and their own consulting practice. Over the years, they’ve amassed a hefty database of 700 well-documented insider incidents that they’ve been actively analyzing as part of their research. One conclusion worth pointing out is that the underlying motivations differ between internal and external attackers. It’s still important to keep in mind, though, that the same IT controls stopping insiders also stop outsiders!

Motivated

Since CMU CERT is a research organization, it has its own unified theories on insider data crime, which you can, if you’d like, read more about in these serious academic papers. However, as anyone who’s ever read any mysteries or watched crime shows knows, it always boils down to a question of means, motive and opportunity in establishing guilt.

Motives are especially interesting to explore in the world of insider data theft—what are the reasons that trusted employees break bad?

The folks at CMU CERT have looked into this question. Of the 700 cases, they analyzed a smaller subset: only those that actually went to trial. Based on this subset, they came up with four motivation categories (see the graphic):

  • theft for financial gain
  • theft for business advantage (IP theft)
  • IT sabotage
  • a miscellaneous category with various and sometimes unclear motives.

Stealing for money is the most obvious motive, though it covers less than half the cases. The CERT team discovered that this type of fraud was more likely done by lower level, non-technical employees, usually in cooperation with outsiders.

These were employees typically with financial problems who were using their authorization level as a data entry operator or customer support rep to modify credit histories, adjust benefits, or create false login credentials— all for a fee.

According to CERT, their activities were eventually spotted through an examination of log activity, particularly system change and file access logs. However, there was often a very long delay between the actual crime and its detection.

Sabotage!

With the Sony breach on everyone's mind, we know that non-financially motivated attacks can be just as devastating as those driven by dollar signs. What's interesting about the IT sabotage category is that it's committed as an act of revenge by the proverbial "disgruntled employee".

The source of the disgruntlement? The CMU CERT researchers note that the triggering event can be “termination, disputes with the employer, new supervisors, transfers or demotions, and dissatisfaction with salary increases or bonuses”.

Not surprisingly, IT sabotage is committed by technically oriented employees—mostly males—who have figured out how to take over someone else’s credentials. Effectively, these are tech savvy dudes who steal the passwords of other users and then throw the virtual monkey wrench into the IT machinery. This might involve writing a script or program to delete massive amounts of data, or even setting up a backdoor account to launch an attack much later.

The saboteurs were ultimately identified through the monitoring of remote access logs, file access logs, database logs, application logs, and email logs. But the CERT folks point out that since these are more sophisticated thieves than the financially motivated data robbers, they're good at hiding their tracks by deleting or modifying the log files themselves. That is the practical argument for forwarding audit records off the host they are generated on: an attacker with stolen credentials can edit a local log, but not one that has already left the machine.
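As an added illustration (this code is not from the original post, from Varonis, or from CERT), the Python script below runs four detections over a constructed audit log, one for each pattern the CERT findings above describe: new credentials created by an account that is not an administrator (the "false login credentials" of the fraud cases), a burst of deletions under a single account (a saboteur's script running under stolen credentials), a gap in the log's sequence numbers (records removed to hide tracks), and repeated access-denied events against several distinct resources in a short window (an insider probing defenses). The pipe-delimited log format, the field names, every actor, role and path, and the thresholds are all assumptions made for the example.

```python
"""Detection logic for the insider patterns CERT describes. The log format and
every record below are constructed for this example (hypothetical schema),
not a real product's audit format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log. Fields: seq|timestamp|actor|actor_role|action|target.
# Sequence numbers 9-11 are deliberately missing to simulate deleted records.
SAMPLE_LOG = """\
1|2015-01-12T09:00:01|jsmith|support|file_read|/crm/cust_4471
2|2015-01-12T09:00:07|jsmith|support|file_read|/crm/cust_4472
3|2015-01-12T09:02:15|jsmith|support|create_user|temp_audit2
4|2015-01-12T09:03:40|admin01|admin|create_user|contractor_l
5|2015-01-12T11:15:00|dlee|engineer|access_denied|/finance/payroll.xlsx
6|2015-01-12T11:15:09|dlee|engineer|access_denied|/finance/bonuses.xlsx
7|2015-01-12T11:15:20|dlee|engineer|access_denied|/hr/terminations.docx
8|2015-01-12T11:15:31|dlee|engineer|access_denied|/exec/board_minutes.pdf
12|2015-01-13T02:00:00|svc_backup|service|file_delete|/shares/proj/a.doc
13|2015-01-13T02:00:01|svc_backup|service|file_delete|/shares/proj/b.doc
14|2015-01-13T02:00:01|svc_backup|service|file_delete|/shares/proj/c.doc
15|2015-01-13T02:00:02|svc_backup|service|file_delete|/shares/proj/d.doc
16|2015-01-13T02:00:02|svc_backup|service|file_delete|/shares/proj/e.doc
17|2015-01-13T02:00:03|svc_backup|service|file_delete|/shares/proj/f.doc
18|2015-01-13T02:00:03|svc_backup|service|file_delete|/shares/proj/g.doc
"""


def parse_log(text):
    """Turn the pipe-delimited text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, ts, actor, role, action, target = line.split("|")
        records.append({"seq": int(seq), "ts": datetime.fromisoformat(ts),
                        "actor": actor, "role": role, "action": action,
                        "target": target})
    return records


def credential_creation_by_nonadmins(records, admin_roles=("admin",)):
    """Account creation by anyone whose role is not an admin role."""
    return [r for r in records
            if r["action"] == "create_user" and r["role"] not in admin_roles]


def deletion_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Actors deleting more than `threshold` objects inside `window`
    (sliding window over each actor's sorted deletion timestamps)."""
    by_actor = defaultdict(list)
    for r in records:
        if r["action"] == "file_delete":
            by_actor[r["actor"]].append(r["ts"])
    hits = {}
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                hits[actor] = max(hits.get(actor, 0), count)
    return hits


def sequence_gaps(records):
    """Missing sequence numbers in a forwarded log: records removed after
    the fact leave a hole the forwarder's copy still shows."""
    seqs = sorted(r["seq"] for r in records)
    return [(prev, cur) for prev, cur in zip(seqs, seqs[1:]) if cur != prev + 1]


def probing_actors(records, min_distinct=3, window=timedelta(minutes=10)):
    """Actors with access-denied events on `min_distinct` or more different
    resources within `window`: testing what they can reach."""
    denied = defaultdict(list)
    for r in records:
        if r["action"] == "access_denied":
            denied[r["actor"]].append((r["ts"], r["target"]))
    flagged = []
    for actor, events in denied.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {tgt for ts, tgt in events[i:] if ts - t0 <= window}
            if len(targets) >= min_distinct:
                flagged.append(actor)
                break
    return flagged


def run_detections(text):
    records = parse_log(text)
    return {
        "false_credentials": [(r["seq"], r["actor"], r["target"])
                              for r in credential_creation_by_nonadmins(records)],
        "deletion_bursts": deletion_bursts(records),
        "log_gaps": sequence_gaps(records),
        "probing": probing_actors(records),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

On the sample log this flags jsmith's create_user event (a support role creating a login), svc_backup's seven deletions in three seconds, the hole between sequence numbers 8 and 12, and dlee's four denied requests across four different resources in about half a minute. The sequence-gap check only works if the records being checked are the copy that left the host; a saboteur editing the local file can renumber it.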

Motivation and Environment

There’s more to motivation than I can fit into this post. The CERT team has come up with some provocative ideas about how environmental factors—perceived risk in getting caught, corporate culture—can shape motivation. There may even be precursor events that point to employees who are data thieves in the making.

We're getting into "Minority Report"-like precrime territory, but there's evidence to suggest that insiders test and probe the company's defenses long before the actual attack.

We’ll be taking up this and other topics in my next post in this insider threat series.

Image credit: Evaneleven

