Military Embedded Systems

Managing the insider cyber risk in military organizations

Story

August 05, 2024

User activity monitoring (UAM) serves as a vital technology in mitigating the insider risk posed by employees at military agencies. By tracking and analyzing their digital footprint, organizations can identify, contextualize, and remediate suspicious behavior that may indicate data exfiltration or malicious intent. UAM enables real-time monitoring of user actions, including file access, email communication, and application usage, and, by placing those actions in behavioral context, helps analysts gauge the intent behind them. That visibility lets security teams promptly detect unauthorized activity, including during the period when an employee is leaving or changing roles.

On March 4, 2024, Jack Teixeira, a member of the Massachusetts Air National Guard, pleaded guilty to six counts of willful retention and transmission of classified information relating to national defense. Teixeira, who had held a top secret security clearance since 2021, shared hundreds of pages of highly classified military documents – ranging from sensitive information about the war in Ukraine to details on Iran’s nuclear program – on the social media platform Discord. He now faces 16 years in prison.

While external threats from hackers to malware remain a top concern for the military, the Teixeira leak – one of the most serious in the past decade – offers a stark reminder of the risk presented by insiders, particularly considering the massive data lakes created during the past four decades of digitization.

Teixeira’s methodology was relatively straightforward: He uploaded photographs he had taken of classified documents, or transcribed their contents. While Teixeira’s actions were front-page news, the insider threats that rarely make the papers remain a top concern for many organizations. Research shows that more than 70% of executives identify accidental internal staff errors as one of the top threats facing their companies. For the military especially, proactively preventing employees from exploiting their access privileges is an urgent matter.

Moving beyond perimeter-based approaches

As agencies amass more and more data, perimeter-based approaches to protecting sensitive information are insufficient. Data loss prevention (DLP) tools, for instance, inspect content only at the point of egress, such as email, web uploads, or removable media. But there are countless indicators of malicious behavior that traditional DLP tools fail to identify or monitor. Data-security companies can tell stories about catching insiders trying to walk out the door with a substantial amount of data that DLP would have missed. While no technology can stop someone from taking photographs of documents as Teixeira did, his actions were likely accompanied by other risk indicators that flew under the radar.

User activity monitoring (UAM) entails tracking and analyzing the digital footprint of employees in real time to identify data exfiltration or malicious intent. Instead of building boundaries, moats, and bridges, military agencies need a brain of sorts that can understand employee behavior holistically. UAM serves as this brain by interpreting and contextualizing both machine-to-machine and human-to-machine interactions. By monitoring user actions – such as file access, email communication, and application usage – military agencies can efficiently identify suspicious or anomalous behavior while also gauging motivation and intent.

Organizations that use UAM tools report significantly shorter timelines to close insider risk investigations. When UAM is augmented by behavioral analytics, agencies can achieve an even clearer picture of insider risk. Behavioral analytics enables agencies to understand an employee’s baseline behaviors and assign the person a risk score, which can be updated in real time as employee behavior changes. These scores help agencies quickly and effectively respond to changes in behavior that could indicate a looming insider threat.

Following the breadcrumbs

While agencies tend to be laser-focused on protecting classified networks, the clues to malicious intent often lie on unclassified ones. It can be useful to think of indicators of risk in three broad categories: personal predispositions, stressors, and the concerning behaviors themselves. Of course, it is incumbent on every organization to ensure the collection and analysis of breadcrumbs is in accordance with all applicable data privacy laws, company policies, and civil liberties protections.

In a military context especially, agencies have access to a tremendous amount of data about their employees. Police records, travel records, credit reports, and human-resources issues could all hold clues to a given employee’s personal predisposition and stressors. The clues may be even more subtle, though, such as the employee’s tone in email and chat.

Concerning behaviors, meanwhile, may include making travel arrangements, browsing job websites, or searching for resume tips. More standard risky behaviors include working unusual hours, stockpiling large amounts of data, using email to send data, manipulating security controls, or attempting to access restricted data. Edward Snowden, the former NSA intelligence contractor and whistleblower, for one, downloaded large amounts of data at an agency outpost that lacked modern cybersecurity controls. In the military especially, monitoring print queues is as important as monitoring online activity. (Figure 1.)

[Figure 1 ǀ Mitigating cyber-related risk in the military means monitoring many user behaviors, including data use, travel patterns, and print activity.]

Being able to make sense of the breadcrumbs spread across systems is the key to proactively mitigating insider risk in the military. The only way to scale real-time monitoring is with a system that can automatically flag questionable actions and proactively respond to potential risk. Without automation and the proper aggregation, agencies will be bombarded by alerts and unable to see the big picture. Risk levels can be evaluated by identifying who has access to information, how sensitive that information is, what behaviors are taking place, and how those details can be tied together. It’s not just about creating an audit trail; it’s about having a comprehensive understanding of a user’s behavior and emotional state.
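The two mechanisms described above and in the "behavioral analytics" paragraph earlier, a per-user baseline that turns raw activity into deviations, and aggregation of several weak indicators into one risk score per user rather than one alert per event, are illustrated below. This is an added example and not code from the article or from Everfox; the event format, the indicator list, the weights, the sensitivity multipliers and the job-site watchlist are all assumptions chosen for the illustration, and the log events are constructed.

```python
"""Behavioral baselining and per-user risk aggregation over constructed UAM events.

Added illustration, not the article's or Everfox's code. Event fields, indicator
weights, thresholds and the job-site watchlist are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed sensitivity multipliers: the same behaviour on secret data scores higher.
SENSITIVITY = {"unclassified": 1, "confidential": 2, "secret": 3}
JOB_HOSTS = {"jobs.example", "careers.example"}  # assumed watchlist of job sites

# Constructed sample events: (ISO timestamp, user, action, attributes).
# Days 2024-03-01..03-04 are the baseline; 2024-03-05 is the day being scored.
SAMPLE_EVENTS = [
    # alice: steady daytime reads during the baseline period
    ("2024-03-01T09:30:00", "alice", "file_read", {"bytes": 500_000, "label": "secret"}),
    ("2024-03-02T10:05:00", "alice", "file_read", {"bytes": 600_000, "label": "secret"}),
    ("2024-03-03T11:15:00", "alice", "file_read", {"bytes": 550_000, "label": "secret"}),
    ("2024-03-04T14:40:00", "alice", "file_read", {"bytes": 500_000, "label": "confidential"}),
    # alice on the scoring day: bulk after-hours access, printing, denials, job browsing
    ("2024-03-05T23:10:00", "alice", "file_read", {"bytes": 9_000_000, "label": "secret"}),
    ("2024-03-05T23:25:00", "alice", "file_print", {"bytes": 2_000_000, "label": "secret"}),
    ("2024-03-05T23:40:00", "alice", "file_read", {"bytes": 0, "label": "secret", "result": "denied"}),
    ("2024-03-05T23:41:00", "alice", "file_read", {"bytes": 0, "label": "secret", "result": "denied"}),
    ("2024-03-05T12:00:00", "alice", "browse", {"host": "jobs.example"}),
    # bob: similar baseline, ordinary scoring day
    ("2024-03-01T09:00:00", "bob", "file_read", {"bytes": 300_000, "label": "confidential"}),
    ("2024-03-02T09:00:00", "bob", "file_read", {"bytes": 320_000, "label": "confidential"}),
    ("2024-03-03T09:00:00", "bob", "file_read", {"bytes": 280_000, "label": "confidential"}),
    ("2024-03-04T09:00:00", "bob", "file_read", {"bytes": 310_000, "label": "confidential"}),
    ("2024-03-05T10:00:00", "bob", "file_read", {"bytes": 330_000, "label": "confidential"}),
    ("2024-03-05T16:00:00", "bob", "file_print", {"bytes": 50_000, "label": "unclassified"}),
]


def _day(ts):
    return ts[:10]


def _hour(ts):
    return datetime.fromisoformat(ts).hour


def daily_read_bytes(events, user):
    """Bytes successfully read per calendar day for one user (denied reads excluded)."""
    per_day = defaultdict(int)
    for ts, u, action, attrs in events:
        if u == user and action == "file_read" and attrs.get("result", "allowed") == "allowed":
            per_day[_day(ts)] += attrs["bytes"]
    return per_day


def baseline(events, user, day):
    """Mean and standard deviation of the user's daily read volume on days before `day`."""
    history = [v for d, v in daily_read_bytes(events, user).items() if d < day]
    if not history:
        return 0.0, 0.0
    return mean(history), pstdev(history)


def score_user(events, user, day):
    """Aggregate several indicators into one risk score for `user` on `day`.

    Returns (score, indicators). The weights are assumed for illustration; bulk
    access and printing are scaled by SENSITIVITY so the data's classification
    matters as much as the behaviour itself.
    """
    indicators = {}
    todays = [(ts, a, attrs) for ts, u, a, attrs in events if u == user and _day(ts) == day]
    mu, sigma = baseline(events, user, day)
    today_bytes = daily_read_bytes(events, user).get(day, 0)
    # Bulk access: today's volume far above the user's own baseline. The floor of
    # 10% of the mean stops a very stable baseline from flagging trivial deviations.
    if mu and today_bytes > mu + 3 * max(sigma, 0.1 * mu):
        labels = [attrs.get("label", "unclassified") for _, a, attrs in todays if a == "file_read"]
        indicators["bulk_access"] = 4 * SENSITIVITY[max(labels, key=SENSITIVITY.get)]
    # Off-hours activity: counted once per day, not once per event, to avoid alert floods.
    if any(_hour(ts) >= 22 or _hour(ts) < 6 for ts, _, _ in todays):
        indicators["off_hours"] = 2
    # Printing anything above unclassified.
    sens_print = sum(SENSITIVITY[attrs["label"]] for _, a, attrs in todays
                     if a == "file_print" and SENSITIVITY[attrs["label"]] >= 2)
    if sens_print:
        indicators["sensitive_print"] = sens_print
    # Repeated attempts to reach restricted data.
    if sum(1 for _, _, attrs in todays if attrs.get("result") == "denied") >= 2:
        indicators["access_denied"] = 3
    # Browsing a job site: a weak stressor indicator on its own.
    if any(a == "browse" and attrs.get("host") in JOB_HOSTS for _, a, attrs in todays):
        indicators["job_search"] = 1
    return sum(indicators.values()), indicators


def rank_users(events, day):
    """One record per user for the day, highest risk first."""
    users = sorted({u for _, u, _, _ in events})
    ranked = [(u, *score_user(events, u, day)) for u in users]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for user, score, indicators in rank_users(SAMPLE_EVENTS, "2024-03-05"):
        print(f"{user}: score={score} indicators={indicators}")
```

Run stand-alone, the script ranks alice well above bob: her read volume on the scoring day is more than ten times her own four-day baseline, and that deviation combines with after-hours activity, a printed secret document, repeated access denials and a job-site visit into a single record an analyst can act on, whereas bob's routine day produces no indicators at all. The point is not the particular weights, which any real program would tune and would have to reconcile with privacy policy, but that scoring against the user's own normal and summing per user is what keeps the analyst from drowning in per-event alerts.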

Not just detecting – protecting employees as well

One of the biggest misconceptions about UAM is that it amounts to an agency spying on its employees. But it’s not someone looking over their shoulder all day. Instead, UAM is about quantifying risk to keep the organization and its employees safe. In one instance, an insider-risk program prevented a U.S. Coast Guard lieutenant from carrying out an act of domestic terror. Other insider-risk programs are focused on preventing suicides.

The ongoing capture of data to provide an accurate, complete picture of insider risk is beneficial to employees as well, as it can help clear their name if a bad actor gains access to their account and begins acting nefariously. Once again, the goal is not to monitor every action an employee takes, but to identify big-picture trends that indicate malicious intent. (Figure 2.)

[Figure 2 ǀ User activity monitoring (UAM) is aimed at providing a complete picture of insider risk and identifying trends that may indicate malicious intent.]

The bottom line

In the military, employees often get walked out the door quite quickly when something goes wrong. Agencies must have cybersecurity technology in place to move at the same speed. While choosing to steal sensitive data may seem like a brash decision, research shows it is rarely impulsive. Instead, it is usually preceded by numerous indicators of risk – indicators that will get overlooked with a perimeter-based approach to security.

Insider risk is already top of mind for military agencies; last year, the United States Military Academy (West Point) even launched an open access journal dedicated specifically to the topic. Departing employees, who are often disgruntled, pose an even greater risk. Through user activity monitoring and behavior analytics, agencies have tools to ensure they have a comprehensive, contextual understanding of employee behavior across networks – enabling them to proactively prevent current and departing employees from exploiting their access privileges and leaking sensitive information that could put a mission at risk.

Chris Blanchette is director of solutions architecture at Everfox, formerly Forcepoint Federal. He previously held several other positions at Forcepoint and served as an IT Master Chief for the U.S. Navy. He holds a bachelor of science degree in organizational leadership from the University of Charleston (West Virginia).

Everfox • https://www.everfox.com/
