Insiders have been known to collude with others, both coworkers (i.e., other insiders) and outsiders. In our previous post on insider collusion and its impact, we explored 395 insider incidents of collusion and found that insiders working with outsider-accomplices had a greater financial impact on their organization than those working with other insiders. When an insider works alone, or when an insider works with others within their organization, User Activity Monitoring (UAM) / User and Entity Behavior Analytics (UEBA) tools have the ability to identify one or multiple insiders as engaging in anomalous or suspicious activity. When insiders are working together, further analysis can correlate that suspicious activity and provide insight into where data may have moved. But what insight do organizations have when an insider reaches out to others to commit a malicious act? In this post, we explore a subset of these insider-outsider collusion incidents that involve an insider's significant other (i.e., current or former partners or spouses).
These individuals, while not employees of an organization, may have more access to an organization's assets (e.g., facilities or employees) or be viewed with more trust than a typical 'outsider' by virtue of their association with an employee. It follows, then, that these outsiders have the potential to cause more damage. The goal in reviewing these incidents and sharing real examples from the CERT National Insider Threat Center (NITC) Insider Incident Corpus is to understand the complexity of circumstances that surround some insider threat incidents.
At least 28 incidents of an insider colluding with a significant other have been identified within the NITC Insider Incident Corpus. These incidents represent approximately 7% of insider incidents involving collusion. The incidents took place between 2000 and 2016, so it is likely that there are additional incidents that have not yet been recorded. Twenty-three (82%) involved fraud and five (18%) involved theft of intellectual property. Three of the fraud incidents also involved the insider working with a coworker in addition to a significant other, as did three of the theft of intellectual property incidents.
In 11 of the aforementioned incidents (39%), insiders were recruited by their significant other to commit malicious acts. The primary motivating factor was financial gain for the significant other.
Unlike other incidents where an insider is working with another outsider, like a friend or other relative, these incidents occasionally involve physical abuse and intimidation by the significant other.
Additionally, five insiders were indirectly motivated to commit malicious acts because of stressors or circumstances related to a spouse or significant other. In at least three incidents, an insider committed fraud after the spouse experienced job loss. In at least two other incidents, insiders had spouses who were unable to work and cited the resulting financial stress.
Beyond explicit collusion and scheming between spouses, insiders have been known to use their spouses' names or assets as a form of concealment.
Organizations may want to consider preventative or corrective measures that address scenarios like those discussed above. From a detection standpoint, establishing anonymous reporting mechanisms for coworkers to alert an organization to the insider threat posed by (or perhaps even the potential pressures imposed on) an individual may also be valuable in these scenarios. These circumstances underscore the need for continuous monitoring to account for insiders' new or developing conflicts of interest or relationships with suspicious individuals.
For other recommendations for your insider threat program, please refer to the CERT Division's Common Sense Guide to Insider Threats - 5th Edition, which bases its recommendations on an analysis of over 1,000 incidents in the CERT Insider Threat Incident Corpus.