loader image

Hostile Actors and Insider Threats

Hostile Actors and Insider Threats

As digital footprints have grown, the upcoming generation being the first with no real gaps in their cradle to grave online presence, our attack surface has expanded.

As old border mechanisms have become less relevant in the connected world, it has never been easier to reach a target or disseminate information. Social norms have shifted to and continue to do so with acceptable and unacceptable behavior or activity perhaps harder to narrowly define than during previous decades.

From the impact of the Cambridge Analytica scandal on the restriction of access to information by platforms to the increasing use of covert online identities in espionage, security risk is evolving at an unprecedented rate. PAEI is at the heart of it.

Fingerprints can be retrieved from digital photographs. insurrection can be planned on message boards, populations can be subjected to influence operations through open social media, spies can be tracked through jogging apps...

Hostile actors can deploy cyber attacks through social engineering on a scale never previously thought achievable.

A central challenge for governments and corporations arises from the natural conflict between what someone acting within the confines of law and expected standards can do to protect their interests versus what can be done by an unconstrained adversary or an uncontrolled insider threat operating in the grey zone. Helping you understand threats and helping you mitigate risks is not just a cybersecurity issue and we are here to assist.

The challenge ahead is in meeting hybrid security threats with a hybrid response.

Insider Threats are, by nature, fluid and manifest differently dependent upon their terrain.

At Shopify this recently took the form of support staff stealing PII from customer transactions, resulting in a 1.27% share price drop, whereas at Stradis Healthcare an ex-VP accessed and modified the shipping system, targeting deliveries of PPE to medics during a pandemic.

Whether insider trading at Amazon, or sabotaging Tesla, the impact is almost always financial and reputational harm to the client-victim.

There is, however, no common approach to defining these threats, which is perhaps why they persist.

Large companies such as Verizon focus on “careless” employees and misuse of assets, while cybersecurity specialists focus on privileged users, presumably because their actions are easier to catch by virtue of a smaller pool to scan for patterns of behaviour and suspicious system activity.

What is clear, is that across three well-measured categories (employee or contractor negligence, criminal and malicious insider, and credential theft by hackers) the frequency of incidents continues to increase year on year whomever is generating the statistics. Negligence is most attributed to poor security, such as weak passwords, careless wifi connection, using outdated software, and poor data handling, while malicious insiders across industry sectors focus on sabotage, data theft, and fraud.

The question which cannot be answered through the countless annual reports and digests which now cover insider threats is whether the increase is due to an escalation in the manifestation of threats or whether it arises from better recording – or indeed misclassifications within that recording. The area is immature, highly variable in definition and application, and is caught in the usual ecosystem of industry being created from the existence or growth of a problem.

With the largest portion of internationally recorded insider threat incidents arising from error or negligence as opposed to intent or malice, and statistical measurement being relatively immature or too open to interpretation, at SOCINT we have created a refreshed definition with appropriate classifications to enhance data capture and analysis as follows:

“A malicious insider threat is a person who intentionally exploits their position or privileged access to systems or information for unauthorised purposes or personal gain ; A negligent insider threat is a person with privileged access to systems or information who exposes those systems or information to unauthorised access due to poor security practices or their own careless or reckless actions; An unintended insider threat is a person with privileged access to systems or information who exposes those systems or information to unauthorised access as a result of events beyond their reasonable control.”

This revised definition is accompanied by additional meanings as follows:

An insider is any employee, contractor or connected party, supplier, or other partner working in any authorised capacity whether full-time, part-time, permanent or temporary. A malicious insider may join the organisation with the intent of committing an unauthorised act and such premeditation shall be considered as more serious in nature. An insider threat incident may occur at any point during the employment lifecyle, or after the employment lifecycle as a direct consequence of it. An insider could be triggered by direct exploitation or targeting, financial inducement, a change in personal circumstances including wellbeing, or by any other means. Threat incidents may have internal, local, regional, national, or international impacts and may affect a single office, a single agency, a group of agencies, government, or national security as a whole. A public incident is one which enters the public domain, an operational incident impacts government or agency activities but does not become public knowledge, and a hybrid incident becomes public knowledge and impacts operations.”

Adopting this fuller definition and additional meanings with embedded categorisation will assist in any policy or legislative change proposals, establishing uniform incident recording standards and developing targeted mitigation.

Scenario 1:

X joins HMG as a contractor with the intent of sharing confidential internal emails sent under the project with hostile state embassy staff in exchange for payment. X leaves the contract on day 10. On day 15 X shares the information and a counter-intelligence strand of work outside of the UK is compromised, impacting national security. Details are also published by the hostile state broadcaster’s local outlet, drawing public criticism.

Incident recording:

This is recorded a hybrid incident with international impact affecting national security.

X is a malicious insider triggered by financial inducement.

X joined with the intent.

The primary incident occurred after the employment lifecycle as a direct consequence of it.

Scenario 2:

Y is suddenly taken ill at their place of work and has to be taken to hospital by ambulance, they do not have the capacity to lock their workstation. During the incident, P uses the workstation to search a database for details of a pending enforcement action and passes the ops planning information to a local OCG the department is investigating. P has recently developed a substance abuse problem following marital breakdown and buys from the OCG. No other areas or agencies are affected by the disrupted enforcement and the event is not publicly known but the OCG withdraw from the target location and continue to offend.

Incident recording:

This is an operational incident with local impact affecting a single agency.

Y is an unintended insider.

P is a malicious insider triggered by a change in personal circumstances but did not join with intent.

The incident occurred during the employment lifecycle.

The 2013 CPNI Insider Data Collection Study[1] was not designed to quantify the threat extent but provides insights into personality traits and behaviour drawn from 120 insider threat case studies between 2007 and 2012 – though the incidents had occurred within the period 2002 to 2012.

CPNI identified the five primary threats as:

“unauthorised disclosure of sensitive information; process corruption; facilitation of third party access to an organisation’s assets; physical sabotage; and electronic or IT sabotage,” and stated the most frequent types of insider activity identified were “unauthorised disclosure of sensitive information (47%) and process corruption (42%).”

Permanent male staff were significantly more likely to be identified as insider threats, with more than half of cases being identified in the first year of the employment relationship, and 60% of all cases arising from staff with less than five years of service. The number of premeditated insiders was low, at 6%, and one third of the cases were found to be influenced by multiple motivating factors. The two largest recorded motivations were financial gain (47% of cases) and ideology (20%) of cases. Financial gain was most closely linked to corruption while the release of sensitive information was most closely linked to cases motivated by a ideology and a “need for recognition.”

CPNI state a clear link was identified between insider incidents and poor management, poor auditing, poor training, poor security practices, poor communication between departments, and inadequate governance.

Due to the timelapse between incidents and the study, and a reliance on recollection-based evidence gathered in interviews, the weight of the conclusions is lower than desirable and evidence of some subjective assumption or opinion and bias is visible within the incident descriptive texts, e.g. “over-inflated sense of his own value and contribution to the organisation,” and within the personality trait descriptors, e.g. “Superficial (e.g. lacks a sense of identity and is hard to get to know.”

There are also a significant number of parallels between the CPNI descriptions of insider threats and organisational weaknesses, and the extensive range of studies and publications relating to whistleblowers - whose actions are subject to the protections of the Public Interest Disclosure Act.

While redefining insider threats, it was necessary for us to draw a distinction between a threat to an organisation’s leadership or culture caused by the exposure of its own malpractice and a threat to an organisation by an insider exploiting or exposing privileged information for other reasons. In reality, this is almost always going to be uncovered in the course of investigation and requires enhancement of investigative standards and practices across client operations part of a change package.

We recommend that serious organisations adapt or adopt the Core Investigative Doctrine from the policing environment, in particular given it arose from several Commissions into investigative standards which identified gaps, failings, and bias in long-established processes.

Turning to the characteristics of malicious insiders, the 2015 Association of Digital Forensics Security and Law study entitled Identifying Common Characteristics of Malicious Insiders (Liang, Nan and Biros, 2015)[2] reiterates that the term “insider threat” receives significant international attention but is “deprived of sound empirical investigation.” The study itself was focused on developing a method of text mining to develop understanding of insider threats but is of interest for other reasons.

The study is helpful in further rationalising what shapes an insider’s actions, based upon years of prior academic research, drawn out in summary as follows:

Organisation – Culture and hierarchy, security rules and culture, and policy.

Individual – Motivations, calculation, circumstances, beliefs, wellbeing.

Environment – Opportunity, social norms, ethical framework.

System – Access, vulnerability, monitoring, integration, and prediction.

The study additionally highlights twelve core psychological indicators associated with insider threats, suggested by Greitzer & Frincke (2010):

Disgruntlement - Employee observed to be dissatisfied in current position.

Accepting Feedback - The employee is observed to have a difficult time accepting criticism.

Anger Management Issues - The employee often allows anger to get pent up inside.

Disengagement - The employee keeps to self, is detached, withdrawn and tends not to interact with individuals or groups; avoid meetings.

Disregard for authority - The employee disregards rules, authority or policies.

Performance - The employee has received a corrective action based on poor performance.

Stress - The employee appears to be under physical, mental or emotional strain or tension that he or she has difficulty handling.

Confrontational Behavior - Employee exhibits argumentative or aggressive behavior or is involved in bullying or intimidation.

Personal Issues - Employee has difficulty keeping personal issues separate from work.

Self-Centeredness - The employee disregards needs or wishes of others, concerned primarily with own interests and welfare.

Lack of Dependability - Employee is unable to keep commitments or promises; unworthy of trust.

Absenteeism - Employee has exhibited chronic unexplained absenteeism.

Combined with system measures (access and audit logs, anomalous usage flags), removing the more emotional traits cited in the CPNI report and substituting them with the 12 core psychological indicators - embedded in vetting reference questions, well-design psychological questionnaires, and self/line-manager scored appraisal frameworks – there is a significant opportunity for clients to enhance data capture through the lifecycle of employment which will facilitate more detailed study of insider threats and the development of efficient predictive models to mitigate them before manifestation.

Our work in this field allows us to understand the insider threat landscape continues to evolve while understanding and action in place across sectors remains static at a point in time which is no longer relevant.

From implementation of ethical, automated PAEI vetting and risk management, to investigative training and policy development, we can help clients get to grips with insider threats and mitigate the impact of external influence at the point of recruitment and throughout the employment life cycle.

To discuss what can be done to help your organisation reduce its exposure to insider threats, contact us today.

[1] CPNI Insider Data Collection Study, 2013
[2] Identifying Common Characteristics of Malicious Insiders
[3] Thousands of attempts to view porn and harmful content at Cabinet Office last year


Related Articles

The Long Walk

Hostile Actors and Insider Threats https://socint.org.uk/wp-content/uploads/Anna%20-%20Insider%20Threats(Final).mp4 As digital footprints have grown, the upcoming generation being the first with no real gaps in their cradle to…

Losing Narratives

Narrative isn’t a toy, you see. Yet it’s played with all too often by people who don’t understand it. Narrative is a weapon in the hybrid warfare arsenal and has tendency of backfiring if not handled with care.


This psychology not only continues to redefine our shared values, incorporating disinformation into our talking points and group behaviours, but profits the whole sector which both feeds upon and drives it. This is Disinfonomics.