Threat Vector 10.5.23
Ep 6 | 10.5.23

Inside the Mind of an Insider Threat: Unmasking Motivations with Chris Tillett
David Moulton: Welcome to "Threat Vector," a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. [ Music ] Unit 42 is a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, director of Thought Leadership for Unit 42. [ Music ] In today's episode, I'm going to talk with Chris Tillett. Chris is a senior research engineer at Palo Alto and a member of the advisory board for Titaniam Labs. Chris, your bio on LinkedIn is really short. It says, "Author, speaker, technologist, and failure expert." Before we get into today's topic on insider threat, I want you to talk to me a little bit about what you mean by failure expert.

Chris Tillett: Yeah, that's a title I've earned through pain and experience. I had to really learn by doing. And I have a natural curiosity, so by me looking at something and going, well, I wonder if we did this, how would that impact the network? Or if we did that, how would that impact the systems? It helped me learn and fail fast.

David Moulton: I love it. You've got to be fearless to be able to go into something knowing that the odds could be stacked against you. But no risk, no reward. What is insider threat and why has that become such a growing concern in today's cybersecurity landscape?

Chris Tillett: Insider threats are probably the most difficult thing to address because, in reality, they start in a person's figurative heart. To catch the early traces of it is extremely difficult. There are just some people that are wired to find the loopholes in an organization. When we look at what an insider threat is, in reality, it's anyone who has access to our systems, our data, our information that could use that for their own gain, or the gain for somebody else.

David Moulton: So tell our audience the common motivations or factors that you've seen that lead individuals to become insider threats. And then how understanding those motivations helps in identifying and mitigating those risks.

Chris Tillett: Yeah. So I have -- I call it the 10-80-10 rule. I talked earlier of -- there are people that are just wired to find the holes in your organization. That's about 10% of your employees. Sometimes that's data theft. Sometimes that could actually be money theft. That's also why you put controls in place. Typically, those controls are going to catch people where it starts with a dollar or two, and then eventually they get more and more bold and then they trip a control later on. The other 10% of people, on the opposite end of that spectrum, are people that we never have to worry about. They will never steal from the organization. As a matter of fact, they won't even borrow a pencil and take it home. It's just not how they're wired and they refuse to do it. To me, those two sides are very easy. You have the ones that are just going to get bold and eventually screw up. And then you've got others that you never have to worry about. The hard part is the 80% in the middle. And the reason why is many of them will never become insider threats, ever. But all it takes is a change in their circumstances, a change in the organization, and all of a sudden, the thoughts creep in. That seed of motivation. The 80% are the hardest to find.

David Moulton: So what are some of those key indicators or behavioral patterns that organizations should be aware of when trying to identify those insiders in their workforce?

Chris Tillett: It's crucial for the management to know their employees and for the SOC to be in communication with that management and track normal across an organization. Having something that does behavioral tracking is absolutely crucial. What is insider threat for HR? What is insider threat for accounting? For IT? When we're using digital assets, we're creating a profile of what is normal. If we're not able to track that, then when a user deviates from that normal, we're not going to catch those beginning indicators. CISOs need to leverage the business units.

David Moulton: Having that baseline on behavior immediately is one of the most important things an organization should do, but that's just my opinion.

Chris Tillett: It's absolutely true, David. And so looking at that baseline in comparison not only to themselves but to their organization and their peers is going to be truly enlightening to the SOC. Being able to evaluate an individual against their peer groups is going to be crucial to see whether or not they're really deviating from their norm. [ Music ]

David Moulton: Chris, thanks for joining me today on "Threat Vector." We'll be back on the CyberWire Daily in two weeks. Until then, stay secure, stay vigilant. Goodbye for now.