Stalking the insider threat


Protection from insider threats

Insider threats remain one of the top counterintelligence issues facing the U.S. government as identified by the National Counterintelligence and Security Center.

In November 2012, the White House issued the National Insider Threat Policy and the Minimum Standards for Executive Branch Insider Threat Programs.  The policy aims to “deter cleared employees from becoming insider threats; detect insiders who pose a risk to classified information; and mitigate the risks through administrative, investigative or other response actions.”

But how can insider threats be detected and mitigated? It starts with privileged account management.

Traditional cyberattacks from external adversaries are often much easier to detect than insider threats. Like a “smash and grab” robbery, the perpetrators cause havoc that’s visible or easy to detect. The insider, a trusted user already within an agency’s network, might use his access to view, copy or delete documents over the course of days, weeks, months or years.

Most government workers use their privileged access to increase their professional productivity and support the missions of their agency. Yet the most dangerous of the bad actors can be agency workers assumed to be safe. While cyberattackers might be motivated to cause havoc or to test security integrity, true insiders are those who wish to do their agency or government harm or to benefit personally from their privileged access.

Insider attacks offer a low barrier to entry for adversaries, and they can cause great harm, including longer recovery times and clean-up challenges depending on the data or other content that is altered or shared.

Finding an insider threat

The task of analysis and detection of potential insider threat activity in an increasingly cloud-centric IT world brings a new set of challenges to the U.S. government, which also depends on older systems that lack the same level of security offered by newer platforms or hardware systems.

Threat analysis begins with determining what information is the most valuable to external sources. Within government, that could be information about military personnel, negotiations, legal proceedings, blueprints for weapons systems and other areas that require written approval or a required clearance level for access.

Then security officers must secure potential insiders’ avenues for network access, including enterprise file sync and share services, personal cloud storage, email, USB devices, printers and applications.

Fortifying government networks against insider threats depends on establishing and securing best practices and audits for admins with root-level or application-level configuration access. Security officers can design practices that stagger access to admin-level areas or even cycle responsibilities between several admins. With that access comes the need for privileged account management that:

  • Starts with least privilege
  • Controls and isolates applications
  • Invokes deny-first whitelisting
  • Manages privileged accounts
  • Audits current accounts to uncover unused privileges
  • Rightsizes threat thresholds for access
  • Employs intelligent monitoring/reporting when passwords change
  • Identifies weak passwords
  • Redefines alerts for the levels of threat
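
As an added illustration of two items on that list, auditing current accounts to uncover unused privileges and tiering alerts by threat level when passwords change, the following Python script runs over constructed account records; it is not code from the article or from Thycotic, and the 90-day and 7-day thresholds, the role names and the severity tiers are assumptions.

```python
from datetime import date, timedelta

# Constructed sample records (not real accounts): the privileged roles each
# account holds, when each role was last exercised, and the last password change.
ACCOUNTS = [
    {"user": "jdoe", "pw_changed": date(2023, 5, 30),
     "roles": {"domain_admin": date(2023, 1, 4), "backup_op": date(2023, 6, 1)}},
    {"user": "svc_etl", "pw_changed": date(2022, 11, 2),
     "roles": {"db_owner": date(2023, 6, 10)}},
    {"user": "mlee", "pw_changed": date(2023, 6, 9),
     "roles": {"app_config": date(2022, 12, 15)}},
]

UNUSED_AFTER = timedelta(days=90)   # assumed: a right idle this long is "unused"
PW_WATCH = timedelta(days=7)        # assumed: monitor this long after a password change
HIGH_IMPACT = {"domain_admin", "db_owner"}  # assumed: roles with root-level reach

def audit(accounts, today_iso):
    """Return a list of findings, each with a severity tier, as of today_iso."""
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        unused = [r for r, last in acct["roles"].items() if today - last > UNUSED_AFTER]
        for role in unused:
            findings.append({"user": acct["user"],
                             "issue": f"unused privilege {role}",
                             "severity": "high" if role in HIGH_IMPACT else "medium"})
        if today - acct["pw_changed"] <= PW_WATCH:
            # A fresh password change on a privileged account is routine on its
            # own, but combined with idle rights it earns a higher tier.
            findings.append({"user": acct["user"],
                             "issue": "recent password change",
                             "severity": "high" if unused else "low"})
    return findings

def by_severity(findings):
    """Count findings per tier so alerts can be routed by level."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts

if __name__ == "__main__":
    for f in audit(ACCOUNTS, "2023-06-12"):
        print(f"{f['severity']:6} {f['user']:8} {f['issue']}")
```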

An effective insider threat detection program should also include a series of unscheduled system emergencies of various thresholds to test automated insider threat security processes as well as the workers required to halt a threat. These emergencies can emulate past breaches to ensure that information systems have been adequately remediated, or simulate breach events that are in the news. Emergency events can be monitored to relay performance data, response time, changes in process and failures back to those responsible. An outside group may be helpful in ensuring accurate post-emergency analysis.

Agencies must view insider threats as an active, ongoing danger to the U.S. government. Therefore, agency IT teams need solutions that can address today’s and tomorrow’s threats and teams that can apply those solutions to infrastructure, processes and practices.

About the Author

Joseph Carson is chief security scientist at Thycotic.
