Trusted insiders can harm an enterprise in all kinds of ways, including intellectual property theft, financial fraud, sabotage and even unwittingly allowing external actors to gain network access through account compromise. Among the more damaging acts is insider-assisted espionage, especially of the cyber variety.

Many people think of spying as being primarily between the foreign intelligence services of nation-state governments. One of the best-known examples is that of Robert Hanssen, a Federal Bureau of Investigation (FBI) agent who spied for Soviet and Russian intelligence against the U.S. from 1976 to 2001, and who is currently serving 15 consecutive life sentences without the possibility of parole.

But spying is a prevalent and growing threat in the private sector as well. China in particular reportedly manages what may well be the most systematic and pervasive program of corporate cyber-espionage in the world. It stands accused of stealing data across many sectors, from quantum computing and nanotechnology to agriculture and utilities, and then exploiting the information for military and commercial advantage.

The Cybersecurity and Infrastructure Security Agency (CISA) under the U.S. Department of Homeland Security has published a joint analysis with the National Security Agency (NSA) and FBI warning that China “leverages cyber operations to assert its political and economic development objectives.”

The CISA analysis notes that: “Chinese state-sponsored cyber actors aggressively target U.S. and Allied political, economic, military, educational, and critical infrastructure personnel and organizations to steal sensitive data, emerging and key technology, intellectual property, and personally identifiable information (PII).”

China regularly uses the social media career platform LinkedIn to recruit insiders as spies, and has hacked Marriott, United Airlines, Yahoo, Anthem, Equifax and clandestine dating sites like Ashley Madison to glean compromising travel, health, financial and other highly personal information that can then be used to blackmail individuals into spying.

Nor is China alone in the world of espionage. Iran, for example, has increasingly been targeting the suppliers and manufacturers of industrial control systems used in electric utilities, manufacturing and oil refineries. And Russian intelligence services have reportedly gone after everything from Swedish vehicle makers to American stock exchanges.

These examples illustrate how private industry has become one of the top espionage targets. Making matters worse, the huge increase in telework spawned by the coronavirus pandemic has opened vast new opportunities for foreign spying at every level of the workforce.

Often this espionage leverages the privileged access enjoyed by corporate insiders who attain positions of trust and then are exploited for their access to technology systems and data – either indirectly through coercion, blackmail or bribery, or directly as in the case of a foreign national or American with birth ties to another country.

Regardless of whether they are willing participants or have been forced into their roles, can these insider-spies be identified before they commit damaging acts of espionage?

At CYDERES, a business unit of cybersecurity pioneer Fishtech Group, we believe the answer is yes. Our 24/7 managed service, Insider Threat Detection & Response (ITDR), is optimized to pinpoint any insider behavior that is malicious, negligent or even unwitting. That includes potential spies as well as IP thieves, fraudsters, saboteurs and compromised accountholders.

At the heart of the ITDR service is a model that ‘reasons’ like a team of insider threat experts and uses statistical probability, machine learning and other AI techniques to proactively identify high-risk individuals.

The model analyzes a broad set of data sources, including network security logs, printer and badge records, performance evaluations, travel records and publicly available third-party information to paint a detailed and contextualized picture of insider workforce risk.

In the case of potential spies, ITDR applies data as evidence to the model to identify employees who, for example:

  • Disregard company policies about installing personal software or hardware.
  • Clear their security logs to hide actions taken.
  • Attempt to find, alter or remove monitoring tools.
  • Attempt to gain access to sensitive areas without authorization.
  • Download unusually large files or print long documents.
  • Conduct probing activity on networks.
  • Work odd hours without authorization.
  • Travel to high-threat countries, trade shows or border cities.
  • Exhibit signs of financial stress.
  • Appear to live beyond their means.
  • Openly express anti-U.S. government sentiments or support known U.S. adversaries.

A few of these behaviors on their own can appear innocuous but, when combined with additional network or non-network data and run through the model, they create early indications of insider espionage.
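As an added illustration (not CYDERES or ITDR code, which the post does not describe in detail), the following Python script shows how individually weak indicators like those listed above can be combined into a single risk score over constructed sample events; the likelihood ratios, base rate, indicator names and employee names are all invented assumptions.

```python
# Added illustration, not CYDERES/ITDR code: combine individually weak insider
# indicators with naive-Bayes likelihood ratios. All numbers are invented.
import math
from collections import defaultdict

# Hypothetical likelihood ratio per indicator: how much more often the behaviour
# appears among confirmed insider cases than in the general workforce.
INDICATOR_LR = {
    "log_clearing": 6.0,
    "monitoring_tool_tamper": 8.0,
    "large_download": 3.0,
    "long_print_job": 2.5,
    "off_hours_work": 1.5,
    "high_threat_travel": 3.0,
    "financial_stress": 2.0,
}

# Constructed sample events (employee, indicator), already normalised from the
# different sources a model would read: network logs, printer, badge and HR.
SAMPLE_EVENTS = [
    ("alice", "off_hours_work"),
    ("alice", "long_print_job"),
    ("bob", "off_hours_work"),
    ("bob", "log_clearing"),
    ("bob", "large_download"),
    ("bob", "high_threat_travel"),
    ("carol", "financial_stress"),
]

PRIOR_ODDS = 1 / 1000  # assumed base rate: one insider case per 1000 staff


def score_employees(events, prior_odds=PRIOR_ODDS):
    """Map each employee to a posterior probability of being an insider case.
    Each distinct indicator multiplies the prior odds by its likelihood ratio;
    repeats count once so a noisy source cannot inflate the score."""
    seen = defaultdict(set)
    for who, indicator in events:
        seen[who].add(indicator)
    scores = {}
    for who, indicators in seen.items():
        log_odds = math.log(prior_odds) + sum(math.log(INDICATOR_LR[i]) for i in indicators)
        scores[who] = 1 / (1 + math.exp(-log_odds))  # odds -> probability
    return scores


def high_risk(events, threshold=0.05):
    """Employees at or above the analyst-review threshold, highest score first."""
    scores = score_employees(events)
    return sorted((w for w, p in scores.items() if p >= threshold), key=lambda w: -scores[w])
```

With these invented numbers, two odd-hours and printing events leave alice far below the review threshold, while bob's four combined indicators lift him from a 0.1% base rate to roughly 7.5%, which is the aggregation effect the paragraph above describes.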

ITDR’s model outputs are ingested, validated and triaged through the CYDERES Cloud Native Analytics Platform (CNAP) and the results are delivered to our customers in the form of detailed incident alerts and associated evidence, optionally coupled with recommendations for mitigation actions and policy or procedural changes.

Armed with this intelligence and insight, corporate security analysts and decision-makers can launch investigations, comply with the legal and auditing requirements associated with such activity and implement policy and control changes to bolster their insider risk mitigation programs – giving them a fresh advantage in the face of increasingly sophisticated threats of insider espionage.


#   #   #


Note: This post concludes our five-part series of CYDERES Insider Threat Profiles. Previous posts in the series can be found here:

  • The IP Thief
  • The Compromised Accountholder
  • The Fraudster
  • The Saboteur