Page 1

The 10 Commandments of Insider Threat Management
Counterintelligence Practices Updated for the Digital Age

Cary Williams | Principal Consultant

©2017 LEIDOS. ALL RIGHTS RESERVED. Cleared by ITC (KB) 2/22/17 PIRA #DIS201702006

The wording LEIDOS used throughout is a registered trademark in the U.S. Patent and Trademark Office owned by Leidos, Inc.

Page 2

I have Defender DNA. Whether it be counterintelligence for the CIA or commercial clients, early childhood lessons in responsible stewardship have developed in me a strong commitment to preserve the things we value.

Page 3

Insider Threat Definitions

Acts of commission or omission by an insider who intentionally or unintentionally compromises or potentially compromises DoD’s ability to accomplish its mission. These acts include, but are not limited to, espionage, unauthorized disclosure of information, and any other activity resulting in the loss or degradation of departmental resources or capabilities. — Defense Security Service

The threat that an insider will use their authorized access, wittingly or unwittingly, to do harm to the security of the U.S. This threat can include damage to the U.S. through espionage, terrorism, unauthorized disclosure of information, or through the loss or degradation of Departmental resources or capabilities. — Department of Justice

An insider threat is generally defined as a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization's information or information systems. — Software Engineering Institute (SEI) Computer Emergency Response Team (CERT)

The likelihood, risk, or potential that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the national security of the United States. Insider threats may include harm to contractor or program information, to the extent that the information impacts the contractor or agency's obligations to protect classified national security information. — National Industrial Security Program Operating Manual (NISPOM)


Page 7

Background & Context

Counterintelligence (CI) Foundation
− Predates proliferation of modern information technology (IT) systems
  • War Story: Commo Center investigation ~1989
  • REDWOP “Barium Pill” application
− Different approach than prevailing IT product solutions to Insider Threat
  • CIIT not ITCI

Page 8

Background & Context

Presentation: The 10 Commandments of Counterintelligence

James (Jim) Olson
− Distinguished 25-year veteran of CIA’s Directorate of Operations
− Former Chief of CIA’s Counterintelligence Center (CIC)
− Currently Senior Lecturer at Texas A&M Bush School of Government and Public Service

Jim Olson Photo Source: http://bush.tamu.edu/faculty/jolson/

Page 9

The “Commandments”

Page 10

I. Be Offensive

Proactivity is essential
− Differentiator with other security disciplines

Original Context: DA Operations
− War Story: IO Neutralization
  • Ethnic service member
  • Did not assimilate well; marginal job performance
  • Possible relatives in denied area
  • Worked with operational plans
  • Contrived “accidental” contact
  • Queries for assistance to locate relatives

Vince Lombardi: “The best defense is a good offense.”
Photo Source: http://quote.javatpoint.com/author/vince-lombardi

Page 11

I. Be Offensive

Relevance to Insider Threat
− Threat evolves, human element remains constant
  • Focus on the actor, not the instrument
  • War Story: Vehicle surveillance
− Identify potential risk indicators before they otherwise manifest
− Non-technical behaviors essential
  • Sole reliance on technical monitoring inadequate
  • Challenges of unstructured data

Page 12

III. Own The Street

To preempt, you need awareness

Original Context: Necessity of physical surveillance
− War Story: Bus surveillance op
  • Heightened terrorist threat
  • Targeting of Americans
  • DoD school buses
    › Predictable places/times
    › International school
  • Rehearsal witnessed
    › Final pre-attack cycle stage

Page 13

III. Own The Street

Relevance to Insider Threat: Vigilance over the digital highway
− Activities indicative of malfeasance
  • Intent, or lack thereof, dictates risk treatment
  • 2016 Spotlight Report: Inadvertent (71%) and unwitting (68%) breaches
− Transparency sets expectations
  • Monitoring tools disclosure
− Enforcement is key
  • Resultant deterrence

Abe Lincoln: “Laws without enforcement are just good advice.”

Page 14

V. Do Not Ignore Analysis

Original Context: Connect the proverbial “dots”
− A “small” detail may be the most important
− Myriad collection means
  • Surveillance reports, black bag jobs, access agents, technical collections, etc.
− Must be collated / analyzed
  • Can be archived, sans analysis, for future reference

Page 15

V. Do Not Ignore Analysis

Relevance to Insider Threat: Analysis is key
− Data streams must be collated / analyzed
  • Otherwise why bother?
  • “Due diligence” & “due care”
− War Story: PRI (potential risk indicator) aggregation
  • Privileged user (sysadmin)
  • Security incidents
  • Divorce / associated debt
  • Sensitive program volunteer
  • Failed polygraph
  • Drug use / infidelity admission
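The PRI aggregation war story above, together with the earlier point that the human actor rather than the instrument is the constant, comes down to one analytic step: join the indicators from every stream on the person and score the aggregate, because no single feed sees enough to act on. The following is an added example of that step; it is not code from the deck or from Leidos, and the source names, indicator categories, weights, window, threshold and every record in RAW_EVENTS are constructed for illustration.

```python
"""Aggregate potential risk indicators (PRIs) per subject across data streams.
Added example, not code from the deck; sources, categories, weights, window,
threshold and every RAW_EVENTS record are constructed for illustration."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed feed, one weak signal per line: date|subject|source|category:detail
# Technical streams (iam, siem) sit beside non-technical ones (hr, finance,
# polygraph, security office); the person is the join key, not the tool.
RAW_EVENTS = """\
2016-09-01|u1042|iam|privileged_role:sysadmin
2016-10-12|u1042|siem|security_incident:policy_violation
2016-11-03|u1042|hr|life_event:divorce
2016-11-20|u1042|finance|financial_stress:debt_increase
2016-12-05|u1042|programs|program_volunteer:sensitive
2017-01-15|u1042|polygraph|polygraph:failed
2017-01-18|u1042|security|admission:drug_use
2016-10-02|u2210|siem|security_incident:policy_violation
2016-11-15|u2210|hr|life_event:divorce
2016-06-01|u3305|iam|privileged_role:sysadmin
2015-01-10|u3305|hr|life_event:divorce
"""
# Likelihood weight per indicator category (constructed values).
WEIGHTS = {"security_incident": 2, "life_event": 1, "financial_stress": 2,
           "program_volunteer": 1, "polygraph": 3, "admission": 3}
# Privileged access is not evidence of intent; it raises the impact of whatever
# else is present, so it multiplies the score instead of adding to it.
IMPACT = {"sysadmin": 2.0}
AS_OF = date(2017, 2, 1)  # analysis date used by run_example()
WINDOW_DAYS = 365         # indicators older than this no longer count
THRESHOLD = 8             # aggregate score at which a subject is referred


@dataclass
class Event:
    observed: date
    subject: str
    source: str
    category: str
    detail: str


def parse_events(text: str) -> list[Event]:
    """Parse the pipe-delimited feed, skipping blank lines and '#' comments."""
    events = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        observed, subject, source, indicator = line.split("|", 3)
        category, _, detail = indicator.partition(":")
        events.append(Event(date.fromisoformat(observed), subject, source,
                            category, detail))
    return events


def aggregate(events: list[Event], as_of: date, window_days: int = WINDOW_DAYS,
              threshold: int = THRESHOLD) -> dict[str, dict]:
    """Collate in-window events per subject and score the aggregate.
    "per_source" is what each stream would conclude on its own, so the analyst
    can see why no single feed would have raised the case."""
    cutoff = as_of - timedelta(days=window_days)
    by_subject: dict[str, list[Event]] = defaultdict(list)
    for ev in events:
        if cutoff <= ev.observed <= as_of:
            by_subject[ev.subject].append(ev)
    report = {}
    for subject, evs in by_subject.items():
        # A category counts once per subject (and once per source), so a chatty
        # feed re-reporting the same incident cannot inflate the score.
        source_cats: dict[str, set[str]] = defaultdict(set)
        for ev in evs:
            source_cats[ev.source].add(ev.category)
        likelihood = sum(WEIGHTS.get(c, 0) for c in {ev.category for ev in evs})
        impact = max((IMPACT.get(ev.detail, 1.0) for ev in evs
                      if ev.category == "privileged_role"), default=1.0)
        score = likelihood * impact
        report[subject] = {
            "score": score,
            "per_source": {s: sum(WEIGHTS.get(c, 0) for c in cats)
                           for s, cats in source_cats.items()},
            "indicators": sorted(f"{ev.observed} {ev.source}: {ev.category}="
                                 f"{ev.detail}" for ev in evs),
            "flagged": score >= threshold,
        }
    return report


def run_example() -> dict[str, dict]:
    """Score the constructed feed as of AS_OF and return the full report."""
    return aggregate(parse_events(RAW_EVENTS), AS_OF)


if __name__ == "__main__":
    for subject, row in sorted(run_example().items(), key=lambda kv: -kv[1]["score"]):
        flag = "REFER" if row["flagged"] else "ok"
        print(subject, row["score"], flag, row["per_source"], *row["indicators"], sep="\n  ")
```

Run it and u1042 is the only subject referred for review: each of its streams alone scores at most 3 against a threshold of 8, while the aggregate, multiplied by the sysadmin impact factor, reaches 24. Deduplicating by category keeps a chatty SIEM from inflating the score, and the rolling window is why u3305's years-old life event no longer counts. A score like this is a triage aid for the analyst, not an adjudication; the deck's own caveat that intent dictates risk treatment still applies.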

Page 16

Next Step

Evaluate your risk
Design a program against identified areas of priority
Solicit buy-in for successful implementation

Page 17

Thank you. Questions and Discussion