CISA Expanding Insider Threat Toolbox
Officials with the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security expect in the coming days or weeks to provide multiple new resources to help organizations prepare for, mitigate and respond to insider threats against critical infrastructure.
The new tools include a guide for establishing an insider threat management team, guidance on the progressive stages an insider might follow, a standard template for reporting insider threat incidents within an organization and a train-the-trainer program for workshops related to critical infrastructure protection. The resources are being developed under CISA’s Insider Threat Mitigation program, which provides an array of support tools for organizations considered a part of the nation’s critical infrastructure.
For example, the program developed the Insider Risk Mitigation Program Evaluation Assessment Instrument with Carnegie Mellon University and released it more than a year ago. The mitigation tool is a 17-page interactive PDF that asks more than 100 questions. When the user answers the questions, the tool generates a numeric gauge of the organization’s vulnerability to an insider incident. It also provides recommendations for establishing or enhancing an insider threat mitigation program based on the user’s score. The tool has been downloaded more than 3,000 times.
Insider threats come from current or former employees, contractors, or business partners and associates who have, or have had, access to an organization’s network systems, data or premises and who use that access, either deliberately or unwittingly, to cause harm. Threats range from cyber attacks or inadvertent mishaps to workplace violence, including active shooters.
One of the most infamous insider cyber attacks occurred in 2013 when Edward Snowden, a computer intelligence consultant contracted to work for the National Security Agency, leaked highly classified information before fleeing to Russia. More recently, a former Microsoft employee was sentenced in August of 2018 after pleading guilty to conspiracy to commit money laundering in connection with the spread of ransomware known as Reveton. The ransomware would display a splash screen on the victim’s computer, falsely claiming that a law enforcement agency had found illegal material on the computer, and would demand payment of a fictional fine to regain access.
CISA briefing slides provided to SIGNAL Media indicate that out of 42 computer system sabotage incidents against critical infrastructure targets, 58% of perpetrators expressed negative feelings, grievances and/or interest in causing harm. And 31% of the time, others had information about the insider’s plans, intentions or activities.
CISA data indicates that insider incidents involving workplace violence affect as many as 2 million people annually. In 2019, 18,370 assaults occurred in the workplace, and 458 of those were homicides.
Insider assaults impose financial costs as well. “Average out-of-court settlement costs are $500,000, and the average jury award for an insider threat incident is $3 million,” William “Shannon” Brown, chief of the Security Planning Branch within CISA’s Infrastructure Security Division, reported. Additionally, in the wake of a workplace assault, organization productivity can drop by 50% and employee turnover can increase by up to 40%.
CISA’s Insider Threat Mitigation program aims to help individuals, organizations and communities create or improve their insider threat programs. “What that makes us responsible for is public-facing and publicly delivered training, resources, materials and products,” said Brown, who also leads the Insider Threat Mitigation effort. “We have various tools out there that are used by field personnel and delivered as services to CISA stakeholders. We also have our dot gov presence, our web presence, where we have products and resources that are hanging on CISA.gov.”
Program officials are currently working on the new tools, including an insider threat reporting template. “I have rarely met a security professional who did not want a checklist to do something. This particular insider threat reporting template is exactly that. It’s a starter kit,” Brown said. “It’s certainly not anybody’s north star for it, but it is a two-part tool that, much like an incident report, gives you a one-page document to write down or enter information into an insider threat report, maybe a concerning behavior.”
A second piece, he added, “is used by an organization to document an insider threat incident and keep a log of all of the organizational actions that were taken due to the incident,” which industry officials have been asking for.
The template could be available soon. “I don’t want to make any promises I can’t keep, but hopefully, we’ll have that available by February or March of 2023,” Brown suggested.
A couple of upcoming resources derive from the program’s existing Insider Threat Mitigation Guide, which Brown describes as “133 pages of awesome” and in which he has, in the last couple of years, found “every answer that I have looked for concerning establishing a program for mitigating insider threat.” The CISA team decided it would be useful to develop separate standalone products for a few of the key sections in the document, including guidance on how to establish an insider threat mitigation team and another informing organizations about the progression toward an insider threat.
Brown recommends a mitigation team include professionals from a variety of backgrounds both inside and outside the organization—security, law enforcement, legal, organizational leadership, human resources and medical personnel, for example, as well as union representatives if a union is involved.
“This group of individuals can look at a reported concerning behavior and make a value judgment, make an informed decision on what the next step should be to either get the individual back on track or to mitigate anything which might occur,” Brown explained, adding that it should be available this month.
Also this month, the program could release an infographic showing the progression toward an insider threat, similar to an existing video, Pathway to Violence. It will depict the stages a person goes through as they become an actual threat. The infographic is designed to help organizations understand how to identify insider threats so they can be mitigated or prevented. It highlights the common progression path of a disgruntled individual as they move toward an insider threat incident, from initial grievance to ideation to incident completion.
Brown praised critical infrastructure organizations for taking seriously the insider threat and the need to form mitigation teams. “They really do understand how America works. They understand the specific services that the United States needs to get by day to day, whether it’s healthcare or gasoline at the pump, or getting money out of an ATM,” he asserted. “I feel very strongly that critical infrastructure in and of itself definitely understands that there is a need for insider threat mitigation, whether it’s a specific, formally established program or educating employees on it.”
Still, he sees room for improvement. “We should be doing a lot more of it. I’m not tossing out disparaging comments about insider threat programs. Organizations do perform this function, but where an insider threat apparatus will operate within an organization depends on the organization’s culture,” he noted.
An organization with 300,000 employees may have a robust security program, Brown explained, while others may have programs led by a single human resources manager. “It can show up in a variety of places in different organizations from security enterprises all the way up to simply being a collateral function for human resources.”
CISA provided briefing slides describing a use case involving a successful insider threat program. Without providing identifying information, the slides indicate an employee of a manufacturing facility was offered $1 million by a foreign connection to allow access to a company network and support the introduction of malware for a denial-of-service attack.
The employee reported the incident to the organization’s security team and then worked with law enforcement, ultimately leading to an arrest.
CISA slides also point to a case in February of 2022 in which the former director of metallurgy at Bradken Inc. was sentenced to 30 months in prison and a $50,000 fine for falsifying test results that measure the strength and toughness of steel that the company sold for installation in U.S. Navy ships.
In addition, Brown’s team expects to expand its training efforts with a train-the-trainer program. The team conducted 10 workshops last year on insider threats and the security of mass gatherings. Regional personnel also conducted a number of similar workshops for critical infrastructure stakeholders.
Now CISA intends to provide additional insider threat education to those who will be conducting the workshops for stakeholders. “We’ve already done the first one. Call it a beta test version of it. That has been completed,” Brown reported. “We’re working on it to get it completed probably this quarter, and we will deliver that to field personnel who are going to be charged with delivering the insider threat workshop to stakeholders.”
The workshops can be conducted in person or virtually and can include anywhere from about 30 to about 140 attendees. Brown notes that person-to-person training seems most effective even when delivered virtually.
For organizations establishing a formal insider threat program, Brown suggests the following initial steps: identify critical assets in need of protection; establish a reporting process; and create an ability to assess and respond to any threat. “A program should have an established reporting mechanism, and it should have an established ability to assess and then respond to any threat, whether it’s an insider threat, a physical threat or a cyber threat. Security is ineffective unless you have those very basic tenets.”
U.S. Critical Infrastructure Sectors
- Commercial facilities that attract large crowds
- Critical Manufacturing, such as primary metals, machinery, electrical and transportation equipment
- Defense Industrial Base
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Information Technology
- Nuclear Reactors, Materials and Waste
- Transportation Systems
- Water and Wastewater