CYDERES Insider Threat Profiles: The IP Thief

What motivates an individual to steal intellectual property from an organization? What types of employees are most likely to commit IP theft? How do they pull it off? And, most importantly, can they be detected and stopped by the security team before something bad happens?

CYDERES, the security-as-a-service division of Fishtech Group, thinks the answer to the last question is yes. But to succeed, the security team must first have a detailed understanding of the Who-What-When-Why-How of IP theft.

An excellent resource for understanding insider threats in all their various forms appeared nearly a decade ago, when researchers at Carnegie Mellon University’s CERT Coordination Center published The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud).

The CERT authors delved deeply into the actions, attitudes and intentions of different kinds of insiders and came up with useful insights that have admirably stood the test of time. Along with the contributions of other experts in the field, these insights have influenced the design of our insider threat mitigation solutions and services.

Below is a summary of CERT’s profile of an IP thief.

  • Who: Insiders who steal IP are usually current employees who are scientists, engineers, software programmers and sales personnel. The widespread perception that system administrators are among the biggest culprits, CERT found, is not supported by the research results.
  • What: These individuals steal information they worked on directly, such as proprietary software and source code; business plans, proposals and strategic plans; customer information; and product information such as designs, formulas and schematics.
  • When: CERT found that most insiders stole at least some information within 30 days of resignation. That time frame actually encompasses a 60-day window: 30 days before leaving and 30 days after having left.
  • Why: The reasons behind stealing IP vary widely. One-third of IP thieves are looking to start their own business. Another 40% are starting a new job at a competing business. Most of the remainder are cases in which foreign governments or organizations compromised or enticed insiders to gain access to technologically or commercially valuable IP. Interestingly, according to CERT, very few insiders steal intellectual property in order to sell it. Rather, they seek business advantage.
  • How: Exfiltration of intellectual property follows one of several tried-and-true pathways, including email, USB drives and removal of physical documents.
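The "When" and "How" findings above translate directly into a detection rule: treat the resignation date as the centre of a 60-day window and review any email, removable-media or print activity that falls inside it. The following is an added example of that correlation, not CERT or CYDERES code; the HR feed, the activity records and the field names are constructed for illustration.

```python
"""Correlate exfiltration-channel activity with a resignation date.

Added example (not CYDERES or CERT code). The HR resignation date defines a
window of +/- 30 days per user; any activity on an exfil pathway CERT lists
(email, USB drive, printed documents) inside that window is flagged and
summarised per user. All records and field names below are constructed.
"""
from datetime import datetime, timedelta

# Constructed HR feed: user -> date notice of resignation was given.
RESIGNATIONS = {
    "jdoe": datetime(2021, 6, 1),
    "asmith": datetime(2021, 7, 15),
}

# Constructed activity telemetry, one dict per event.
ACTIVITY = [
    {"ts": "2021-05-20T09:12:00", "user": "jdoe", "channel": "email",
     "detail": "3 attachments, 48 MB, to jdoe.personal@example.net"},
    {"ts": "2021-06-03T18:40:00", "user": "jdoe", "channel": "usb",
     "detail": "wrote 2.1 GB to removable volume E:"},
    {"ts": "2021-06-20T11:05:00", "user": "jdoe", "channel": "print",
     "detail": "printed design_spec_v7.pdf (212 pages)"},
    {"ts": "2021-08-02T10:00:00", "user": "jdoe", "channel": "usb",
     "detail": "wrote 300 MB"},                        # 62 days after notice: outside window
    {"ts": "2021-07-14T08:30:00", "user": "asmith", "channel": "web",
     "detail": "GET https://intranet.example.com/"},   # not an exfil channel
    {"ts": "2021-07-16T22:15:00", "user": "asmith", "channel": "email",
     "detail": "customer_list.xlsx to external recipient"},
    {"ts": "2021-07-01T09:00:00", "user": "bwong", "channel": "usb",
     "detail": "wrote 5 GB"},                          # no resignation on file
]

# The pathways CERT names: email, USB drives, removal of physical documents.
EXFIL_CHANNELS = {"email", "usb", "print"}


def in_departure_window(event_ts, resigned_on, window_days=30):
    """True if event_ts lies within +/- window_days of the resignation date."""
    return abs(event_ts - resigned_on) <= timedelta(days=window_days)


def flag_departure_window_events(resignations, activity, window_days=30):
    """Return exfil-channel events inside a user's departure window.

    Each flagged event carries days_from_resignation (negative = before the
    notice was given) so an analyst can see on which side of the notice the
    activity happened.
    """
    flagged = []
    for ev in activity:
        resigned_on = resignations.get(ev["user"])
        if resigned_on is None or ev["channel"] not in EXFIL_CHANNELS:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        if in_departure_window(ts, resigned_on, window_days):
            offset = (ts.date() - resigned_on.date()).days
            flagged.append({**ev, "days_from_resignation": offset})
    return flagged


def risk_by_user(flagged):
    """Count flagged events per user and record which channels were used."""
    summary = {}
    for ev in flagged:
        s = summary.setdefault(ev["user"], {"events": 0, "channels": set()})
        s["events"] += 1
        s["channels"].add(ev["channel"])
    return summary


if __name__ == "__main__":
    hits = flag_departure_window_events(RESIGNATIONS, ACTIVITY)
    for h in hits:
        print(f"{h['user']:7} {h['ts']} {h['channel']:5} "
              f"({h['days_from_resignation']:+d} days) {h['detail']}")
    print(risk_by_user(hits))
```

Note that the window is applied to both sides of the notice date: the email sent twelve days before jdoe resigned is flagged alongside the USB write and the print job that followed, while the USB write two months later and the activity of users with no resignation on file are left for other detections.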

For companies worried they may have an IP theft problem but hesitant to launch their own insider threat program, CYDERES provides a range of capabilities through our first-of-its-kind Insider Threat Detection & Response (ITDR) managed service.

ITDR analyzes an organization’s existing trove of user and network telemetry to find clues that an employee is behaving in a potentially adverse manner. It then uses operationally proven AI-based modeling techniques to filter out the excess noise from the data to identify the riskiest players, including IP thieves.

Buried in that telemetry is a wealth of intelligence on the insider’s circumstances and actions, which are an ideal proxy for gauging intent. The probabilistic model underlying our ITDR analytics turns each data point into a model concept and then builds a Bayesian inference network (image below) that captures the relationships between each concept as well as the relative strengths (low/medium/high) and polarities (true/false) between them.

In simple terms, ITDR feeds diverse data sources into the model: indicators of impactful personal or professional events plus a record of day-to-day actions such as accessing the web or sending an email. The model’s output is then used to assess and prioritize the risk posed by an individual.

There are separate model indicators for behavioral characteristics, network and device activity and more. For the risk modeling component addressing the ‘IP Theft’ use case, the strong indicators relate to financial stress or impending threats to continued employment.

Medium-strength indicators can range from unwillingness to comply with established rules and procedures to anti-malware alerts. Low-strength indicators include an active social media presence or database content changes.
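To make the idea of strengths and polarities concrete, here is an added example of the simplest possible Bayesian network, one in which each indicator is treated as independent evidence and combined by Bayesian updating. It is not the CYDERES ITDR model: the likelihood ratios attached to each strength level, the prior base rate and the three sample users are all assumptions chosen for illustration. The indicator names and their strengths follow the text above.

```python
"""Combine indicators of different strength into one risk posterior.

Added example, not the CYDERES ITDR model. Each indicator is a concept with
a strength (low/medium/high) and a polarity (True = observed, False = checked
and absent); the concepts are combined by Bayesian updating into a posterior
probability of IP-theft intent (a naive-Bayes network). The likelihood
ratios, the prior and the sample users are assumptions for illustration.
"""
from math import prod

# Assumed likelihood ratios: how much more often the indicator is seen for a
# malicious insider than for a benign one. A 'false' polarity applies a
# ratio below 1, so a checked-and-absent indicator lowers risk slightly.
STRENGTH_LR = {"high": 8.0, "medium": 3.0, "low": 1.5}
ABSENT_LR = {"high": 0.6, "medium": 0.8, "low": 0.95}

# Indicators for the IP-theft use case, with the strengths the text assigns.
INDICATORS = {
    "financial_stress":        "high",
    "employment_threat":       "high",
    "policy_noncompliance":    "medium",
    "antimalware_alert":       "medium",
    "active_social_media":     "low",
    "database_content_change": "low",
}

PRIOR = 0.02  # assumed base rate of malicious intent in the population


def posterior_risk(observed, prior=PRIOR):
    """Update prior odds with one likelihood ratio per evaluated indicator.

    observed maps indicator -> polarity. Indicators absent from the mapping
    were not evaluated and contribute nothing (ratio 1).
    """
    odds = prior / (1 - prior)
    ratios = []
    for name, polarity in observed.items():
        strength = INDICATORS[name]
        ratios.append(STRENGTH_LR[strength] if polarity else ABSENT_LR[strength])
    odds *= prod(ratios)
    return odds / (1 + odds)


def rank_users(users):
    """Return (user, posterior) pairs, riskiest first."""
    scored = [(u, posterior_risk(obs)) for u, obs in users.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed observations for three users.
USERS = {
    "jdoe":   {"employment_threat": True, "policy_noncompliance": True,
               "active_social_media": True},
    "asmith": {"financial_stress": False, "employment_threat": False,
               "antimalware_alert": True, "database_content_change": True},
    "bwong":  {"active_social_media": True, "database_content_change": True},
}

if __name__ == "__main__":
    for user, p in rank_users(USERS):
        print(f"{user:7} posterior risk {p:.3f}")
```

The ranking shows why polarity matters as much as strength: asmith has a medium-strength anti-malware alert, but both strong indicators were checked and found absent, so asmith ends up below bwong, whose two low-strength indicators were never offset by any negative evidence.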

Our CYDERES Cloud Native Analytics Platform (CNAP) ingests the model results, and a CYDERES analyst validates and triages them. Organizations receive the outcome as detailed incident alerts together with the related evidence needed to launch an investigation, meet the legal and audit requirements that accompany such activity and improve future risk mitigation through policy and control changes.

Because it is a managed service, ITDR can be implemented far more quickly than conventional insider threat mitigation solutions, meaning organizations can start mitigating the risk posed by their employees and contractors much sooner.

The Commission on the Theft of American Intellectual Property estimates that annual costs from the loss of IP range from $225 billion to $600 billion. And the 2021 edition of Verizon’s widely respected Data Breach Investigations Report (DBIR) says that around 22% of such incidents are attributable to an assist from or the unilateral act of a trusted insider.

Industry sectors most often targeted, according to a separate CERT blog post, are information technology (35 percent of cases), banking and finance (13 percent) and chemicals (12 percent). But few sectors have escaped the attention of IP thieves.

Given those stakes, mitigating even one act of IP theft could pay huge dividends to an organization, not just financially but also legally, operationally and reputationally.


#   #   #


Note: Future posts in this series will examine other types of insider threat actors, such as The Fraudster and The Saboteur. To learn more about how ITDR can help your organization rapidly deploy an insider threat capability, download our fact sheet here.

2021 Insider Threat Lessons Learned

National Insider Threat Awareness Month, which wraps up today, has given the cybersecurity community an opportunity to reflect on how the threat landscape has evolved in the past 12 months – and what lessons about detection, deterrence and mitigation can be learned from those changes.

As we did a year ago, let’s examine three of the key lessons.

Lesson #1: Threats Are Quickly Evolving

Disregarding the nearly 50 percent of insider events that can be ascribed to negligent and careless insiders, there are still plenty of malicious actors out there preparing the next insider attack. And they’ve been coming up with novel ways to succeed. Why bother hacking your way into an organization when, for example, you can simply bribe an insider to do it for you? That’s what recent reports say ransomware gangs have been attempting, offering a generous share of ransom payments to the insider who ‘unlocks the back door.’ Most organizations are not yet equipped to detect this and other emerging cyber-attack vectors.

Lesson #2: Vulnerabilities Have Increased

After Covid-19 arrived in early 2020, remote work took firm hold – especially among knowledge workers across a wide swath of industry sectors. With it came a dizzying array of new cybersecurity attack vectors. Along with the more plentiful ‘conventional’ external threat actors, insiders now have better odds of breaching network defenses and stealing intellectual property and sensitive data from the privacy of their own homes. Meanwhile, security teams are scrambling to secure new devices and monitor workers outside the traditional perimeter. Their latest unenviable risk management challenge: the double whammy of a rapidly evolving threat (see Lesson #1) and drastically increased vulnerabilities.

Lesson #3: Don’t Wait to Launch Your Program

Launching an insider threat mitigation program can be a long and complex affair. Detection systems must be selected and deployed, data sources must be connected and staff and management need training in governance and operations. The required commitment in dollars and labor hours before concrete results are obtained can discourage all but the most committed leaders from green-lighting such a program. That said, incidents involving insider threats increased by 47 percent between 2018 and 2020, and no one is predicting the pace will slow. Considering that statistic, coupled with the high cost of cleaning up the mess left behind by an insider attack, the best time to launch an insider threat program was yesterday.

Fortunately, the CYDERES Insider Threat Detection & Response (ITDR) managed service is empowering organizations to launch or mature their insider threat program very quickly, delivering immediate visibility and results. Learn more in our latest video:

Insider Threats Are Evolving - Fast

Ransomware gangs continue to find creative new ways of exploiting weaknesses in corporate networks. Now they’ve added a dangerous twist that is sure to make the insider threat problem noticeably worse.

In this latest move, gangs like LockBit are actively recruiting corporate insiders to help them breach and encrypt networks in return for what can amount to million-dollar payouts.

According to a recent article in BleepingComputer, ransomware gangs have traditionally consisted of a core group of developers, who maintain the ransomware and payment sites, and recruited affiliates who breach victims’ networks and encrypt devices, with the affiliate usually receiving 70 to 80 percent of the ransom paid. But LockBit and its counterparts are now “trying to remove the middle-man” by messaging trusted insiders directly rather than using affiliates. The article’s author speculates that while it may seem “counterintuitive to recruit an insider for a network [that’s] already been breached… this message is likely targeting external IT consultants who may see the message while responding to an attack.”

Separately, Brian Krebs of Krebs on Security reports on one gang that offers insiders payouts of 40 percent of the ransom payment. The gangs “seem to have done away with the affiliate model in favor of just buying illicit access to corporate networks,” he adds.

This latest recruitment drive does two things: 1) It increases the pool of likely threats by turning otherwise hesitant insiders into enthusiastic ones; and 2) It significantly heightens the risk that an organization will suffer a major (as opposed to minor) data breach, since the recruits will be seeking the largest possible payout for the unique risk they are taking.

Insider recruitment for pay is the latest in a growing list of use cases for which Fishtech Group business unit CYDERES has designed its new Insider Threat Detection and Response (ITDR) managed service (pictured below).

ITDR, which uses models and other AI-based analytics to process user and network telemetry for early indications of insider intent, is optimized for three specific use cases:

  • Data Exfiltration/Sabotage: Detection of excessive file deletions or movements, unusual e-mail activities and consumer web application uploads is critical to preventing the exfiltration or sabotage of data – one of the more prevalent insider threat events. ITDR detects unauthorized or suspicious data access and activity and makes key correlations on file actions and transfers, focusing on ‘crown-jewel’ data in the cloud, apps, databases, file-shares and disks.
  • Departing Employees: Individuals who plan to leave the organization or learn they are about to be off-boarded pose a substantial risk to corporate systems and data. ITDR focuses on detecting network and application access patterns that indicate job searches, outreach to competitors and data exfil intent. Response capabilities include proactive alerts on these activities plus changes in behavior and productivity, and forensic reports for use during post-termination reviews.
  • Account Compromise: With the right tools, it’s possible to pinpoint behaviors that indicate a potential takeover of credentials by third-party actors via negligent or malicious insiders, at speed and at scale. By detecting unusual login volumes, logins from high-risk locations, or geographically or temporally impossible login sequences, ITDR excels at alerting investigative teams to instances of potential account compromise – before a data exfil attempt happens.
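Two of the account-compromise signals named in the last use case, impossible login sequences and unusual login volume, can be computed from nothing more than an authentication log with geolocated source addresses. The block below is an added example of both detections; it is not CYDERES code. The log format, the coordinates, the speed ceiling and the volume threshold are constructed for illustration; in practice the coordinates come from an IP geolocation lookup and the thresholds are tuned per organization.

```python
"""Account-compromise signals from authentication logs.

Added example, not CYDERES code. Implements two detections:
  1. impossible travel: the great-circle speed implied between consecutive
     successful logins for one account exceeds a plausible ceiling;
  2. login volume spikes: one account authenticates more times in an hour
     than an assumed threshold (failures included, to catch guessing).
The log records, coordinates and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed auth events: (ISO timestamp, user, source IP, (lat, lon), outcome).
AUTH_LOG = [
    ("2021-09-01T08:00:00", "jdoe", "203.0.113.10", (38.90, -77.04), "success"),   # Washington
    ("2021-09-01T09:30:00", "jdoe", "198.51.100.7", (51.51, -0.13), "success"),    # London, 90 min later
    ("2021-09-01T08:05:00", "asmith", "203.0.113.22", (38.90, -77.04), "success"),
    ("2021-09-01T12:10:00", "asmith", "203.0.113.22", (38.90, -77.04), "success"),
    ("2021-09-01T14:00:00", "svc_backup", "192.0.2.5", (51.51, -0.13), "failure"),  # failure: ignored for travel
] + [
    # 45 authentications by one account inside a single hour.
    (f"2021-09-01T22:{m:02d}:00", "bwong", "192.0.2.77", (38.90, -77.04), "success")
    for m in range(45)
]

MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling, roughly airliner cruise speed
MAX_LOGINS_PER_HOUR = 20    # assumed per-account volume threshold


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive successful logins whose implied speed exceeds max_kmh.

    Returns tuples (user, from_ip, to_ip, km, hours, kmh). Logins from the
    same location are skipped; a location change with zero elapsed time is
    reported with infinite speed.
    """
    per_user = defaultdict(list)
    for ts, user, ip, coord, outcome in events:
        if outcome == "success":
            per_user[user].append((datetime.fromisoformat(ts), ip, coord))
    alerts = []
    for user, logins in per_user.items():
        logins.sort()
        for (t1, ip1, c1), (t2, ip2, c2) in zip(logins, logins[1:]):
            km = haversine_km(c1, c2)
            if km == 0:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            kmh = float("inf") if hours == 0 else km / hours
            if kmh > max_kmh:
                alerts.append((user, ip1, ip2, round(km), round(hours, 2), kmh))
    return alerts


def login_volume_spikes(events, threshold=MAX_LOGINS_PER_HOUR):
    """Flag (user, hour_bucket, count) where one account exceeds threshold."""
    counts = defaultdict(int)
    for ts, user, _ip, _coord, _outcome in events:
        bucket = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")
        counts[(user, bucket)] += 1
    return [(u, b, n) for (u, b), n in sorted(counts.items()) if n > threshold]


if __name__ == "__main__":
    for user, ip1, ip2, km, hours, kmh in impossible_travel(AUTH_LOG):
        print(f"impossible travel: {user} {ip1} -> {ip2}, {km} km in {hours} h ({kmh:.0f} km/h)")
    for user, bucket, n in login_volume_spikes(AUTH_LOG):
        print(f"volume spike: {user} {n} logins in hour {bucket}")
```

Only successful logins feed the travel check, because a failed attempt from a distant address says nothing about where the legitimate user is; the volume check deliberately counts failures too, since a burst of failures followed by a success is the classic credential-guessing pattern. Shared VPN egress points and corporate proxies are the usual source of false positives for the travel rule, so an allow-list of known egress addresses normally sits in front of it.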

One could argue that by offering trusted insiders a piece of the action, the LockBits of the world are touching on all three of those use cases.

Whatever the event type, it’s been clear for some time that the insider threat landscape is evolving rapidly. Organizations will need to evolve with it. And even as they address their adversaries’ current innovations, they also should count on even more insidious exploits in the future.

#      #      #

Note: Tune in to our recent ITDR introductory webinar to learn more about the powerful capabilities this managed service can deliver to your organization. Or simply reach out here to schedule a live ITDR demo.