
Ex-FBI security officer: You can’t predict threats like Snowden, but you can deter them

Former FBI Chief Information Security Officer Patrick Reidy had a few laughs at the State Department’s expense during his Black Hat presentation on Wednesday, but he wasn’t foolish enough to come out and say that his agency would have detected an insider threat like Edward Snowden. In fact, depending on how Snowden’s behavior patterns and personal traits lined up with other known threats, spotting his plans might have been impossible.

Someone who knows he’s getting a pink slip on Monday printing off a bunch of stuff on Friday evening? “That’s what we at the FBI call a clue,” Reidy joked. But someone taking a few files here and there, all while technically remaining within his access permissions? That’s like finding a needle in, well, a stack of needles.

Too often, Reidy said, “We take one problem — [like] Snowden — and just generalize it everywhere.”

In the statistical sense of the word, he explained, “predicting really rare events may actually be impossible.” A better bet might be taking an employee-centric approach: analyzing behavior at an individual level and trying to deter them from becoming disillusioned in the first place.

A needle in a stack of needles

According to research the FBI conducted on the topic of insider espionage, spotting such behavior is so difficult because there is so little and such unhelpful data to work with. Reidy and his team crunched the numbers and they just couldn’t find the red flags that predict an insider threat without also identifying lots of false positives.

This isn’t the NSA trying to spot a U.S. citizen calling Yemen at 3 a.m., hanging up, and getting a call back two minutes later from a different number. There’s a big difference between identifying unauthorized access that often signifies an attack, or analyzing enough network traffic to recognize a nefarious signature, and trying to figure out when someone doing something he’s authorized to do is acting on an ulterior motive.

In the case of the FBI, for example, about 2 percent of its employees are responsible for about 80 percent of the data movement. That hardly produces a standard bell curve. Good luck spotting the outliers in the remaining 98 percent.

VOTE: Hero or villain. That’s Booz Allen Hamilton across the hall. You can guess its answer.

In some ways, Reidy’s talk dovetailed nicely with another Black Hat talk, this one about trying to predict the susceptibility of Twitter users to social bots. The researchers who gave it were trying to figure out if they could identify the characteristics (e.g., personality, followers, Klout score, etc.) of people who’d be more likely to engage with a bot and less likely to report it for spam.

They found that some signals were stronger than others, but mainly they found that it’s difficult to predict with great accuracy who’ll engage in the behavior you’re targeting when the vast majority of people won’t. Only 20 percent of the participants in their study interacted with bots at all, and only 13 percent actually replied. Absent some clearly distinguishing characteristics — some strong signals in the noise — it’s a lot easier to predict that someone isn’t who you’re looking for.

Think like a credit card company

This is why Reidy says the FBI now focuses on analyzing individuals’ behavior rather than aggregate behavior. It creates a baseline for each employee and can then more easily detect changes that might signal a problem. Think about how credit card companies analyze behavior to combat fraud: there are certain universal red flags, but often you’ll get a call when something perfectly normal for someone else doesn’t fit your usual spending patterns.

[Image: kill chain]

Although, Reidy said, even this isn’t enough. That’s why the agency looks at the whole situation, combining everything it knows about individual employees in order to paint a complete picture. Activity logs, HR profile, salary, psychographic profile — it all comes together to suggest whether any changes are worth looking into.

In fact, he added, if organizations have a limited budget to spend on trying to detect insider threats, they should put it into capturing and combining HR data and individual behavior data. It’s not big data, it’s the right data.
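The three ideas above (a heavy-tailed distribution where a few users move most of the data, a per-employee baseline instead of a global rule, and HR context layered on top of the behavioral signal) can be shown on a toy log. The following is an added example written for this post, not code from Reidy’s talk or any FBI system; the log lines, user names, thresholds and the `HR_CONTEXT` table are all constructed, and the median/MAD baseline is one simple choice of statistic, not the method the FBI described.

```python
# Added example (constructed data): per-user behavioural baselining versus one
# organisation-wide threshold, then enrichment with HR context.
import statistics
from collections import defaultdict

# Constructed daily log: bytes copied to removable media, one line per user per day.
# "bulkadmin" is a legitimate heavy mover (the small group behind most data
# movement); "analyst7" is normally quiet and spikes on day 7; "clerk2" is steady.
SAMPLE_LOG = """\
day=1 user=bulkadmin bytes=5200000000
day=1 user=analyst7 bytes=20000000
day=1 user=clerk2 bytes=10000000
day=2 user=bulkadmin bytes=4900000000
day=2 user=analyst7 bytes=25000000
day=2 user=clerk2 bytes=12000000
day=3 user=bulkadmin bytes=5500000000
day=3 user=analyst7 bytes=18000000
day=3 user=clerk2 bytes=9000000
day=4 user=bulkadmin bytes=5000000000
day=4 user=analyst7 bytes=22000000
day=4 user=clerk2 bytes=11000000
day=5 user=bulkadmin bytes=4800000000
day=5 user=analyst7 bytes=21000000
day=5 user=clerk2 bytes=10000000
day=6 user=bulkadmin bytes=5300000000
day=6 user=analyst7 bytes=19000000
day=6 user=clerk2 bytes=13000000
day=7 user=bulkadmin bytes=5100000000
day=7 user=analyst7 bytes=600000000
day=7 user=clerk2 bytes=12000000
"""

# Constructed HR context (hypothetical field name); in practice this is joined
# from the HR system rather than hard-coded.
HR_CONTEXT = {"analyst7": {"resignation_notice": True}}


def parse_log(text):
    """Return {user: {day: bytes}} from 'day=N user=X bytes=B' lines."""
    records = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        records[fields["user"]][int(fields["day"])] = int(fields["bytes"])
    return records


def global_threshold_alerts(records, threshold_bytes):
    """Naive rule: flag every user-day above a single organisation-wide limit.
    On heavy-tailed data this floods on the legitimate heavy movers and misses
    a quiet user's spike that stays under the limit."""
    return {(user, day) for user, days in records.items()
            for day, b in days.items() if b > threshold_bytes}


def per_user_alerts(records, baseline_days=6, k=3.0):
    """Flag days that deviate from the user's own history.
    Baseline = median and median absolute deviation (MAD) of the user's first
    `baseline_days` days; a later day is flagged if it exceeds median + k*MAD."""
    alerts = []
    for user, days in records.items():
        ordered = sorted(days)
        baseline = [days[d] for d in ordered[:baseline_days]]
        med = statistics.median(baseline)
        mad = statistics.median(abs(v - med) for v in baseline)
        limit = med + k * max(mad, 1)  # floor keeps a perfectly flat baseline usable
        for d in ordered[baseline_days:]:
            if days[d] > limit:
                alerts.append({"user": user, "day": d, "bytes": days[d], "limit": limit})
    return alerts


def prioritize(alerts, hr_context):
    """Combine behavioural alerts with HR context: same activity, different
    priority depending on what else is known about the person."""
    ranked = []
    for a in alerts:
        hr = hr_context.get(a["user"], {})
        severity = "high" if hr.get("resignation_notice") else "review"
        ranked.append({**a, "severity": severity})
    return sorted(ranked, key=lambda a: a["severity"] != "high")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("global 1 GB rule:", sorted(global_threshold_alerts(recs, 1_000_000_000)))
    print("per-user baseline:", prioritize(per_user_alerts(recs), HR_CONTEXT))
```

Running it, the 1 GB global rule flags all seven of bulkadmin’s days and never sees analyst7’s 600 MB spike, while the per-user baseline flags only analyst7 on day 7 and, once the HR table is joined in, ranks that alert high.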

[Image: holistic FBI]

The best offense is a good defense

Of course, you don’t have to detect insider threats at all if you can stop them from materializing in the first place. Of the 65 insider threat cases the FBI analyzed, Reidy said only about 5 percent came in “bad” — like Snowden, who reportedly took a job at Booz Allen Hamilton to access NSA documents — while the rest turned bad.

How do you stop that from happening? On the one hand, Reidy said, the FBI uses positive social engineering to create a more-pleasant work experience. Rather than dictating what people can and can’t do, or treating employees like children (14,000 FBI agents carry guns to work, he joked, but it can’t trust people to carry USB drives?), it just targets the behaviors it doesn’t like as they’re happening. Go ahead and use Facebook, for example, but don’t post sensitive information there.

Thanks to popups on employees’ computer screens warning them they’re doing something potentially dangerous but still giving them the opportunity to continue, certain risky behaviors (e.g., removing files to external drives) decreased significantly in just a year. Given timely guidance, Reidy said, people will make the right decisions.

[Image: FBI behavior]

But companies and organizations still need to protect their data. That means identifying the most sensitive data and the systems it’s on and setting permissions accordingly, Reidy said. It also means knowing your enemies or competitors and, just as important, which of your employees they’d be most likely to target.

Whether you’re in government or private industry, Reidy warned, it’s a “hostile marketplace” where someone will always be out to compromise your people and your data. “In 5 to 10 years, people who take insider threats seriously will be around,” he said. “Those who don’t, won’t.”

5 Responses to “Ex-FBI security officer: You can’t predict threats like Snowden, but you can deter them”

  1. Greg Basham

    Great presentation by the FBI but it gets an F for me for missing the issue with Snowden. If half of what is alleged to be his internet posting footprint is true as some suggest, this tells me that the process being used to identify recruits for the role he played is flawed. It’s not about someone failing to do the proper job at all. It merits checking pre-hire.

    Certainly Booz Allen didn’t fail in their processes as their audits have more than adequately shown. I suspect that the checks in place were all done just as they were supposed to be done but for this role more might be needed. Too often I see employers worrying about cost of pre-hire processes yet ignore the high cost of a bad hire that starts shortly after the bad hire starts their job.

    For a post like the Snowdens hold there needs to be a more comprehensive check that includes their internet footprint similar to what would be done and is done for high profile positions. The alleged Snowden posts on forums would certainly tell me that there is a judgment problem with this person based solely on the content.

    Not sure if they use any psychometric tests as part of the process but I’d not rule these out as a piece of the process.

    Having advocated for a broader set of checks I want to also make clear that everything needs to be within the law and I am not all of a sudden suggesting employers blunder into social media checking in the absence of a clear set of rules and policies including the handling of the results by a senior person. Nothing is dumber than information in the hands of lower level people who misuse information and create law suits that prospective employees typically and rightfully win.

    I believe that any type of check must pass a relevancy test. When I read of laid off bus drivers from a down economy not getting hired as a driver as he fails a credit test, it disgusts me.

    However in posts that handle sensitive information you need people with sound judgment and internet posts show that.

    • Just recruit people with no consciences

      The best test is a morality/conscience kind of test. In the recruitment exercise you assault the morals/conscience of that person with things that would be otherwise despicable to average Americans. Things that may be done, have been done or are being done that inspire the whistleblower in normal people. Particularly things that border on freedom. With the relevant equipment and psychologists, you can pick people with no morals or consciences where it is called not to make use of them.

      You have your recruit!!

      • freedom_rocks

        Thanks for responding to the above post. While we are all entitled to our views, the post above shows the statist MSM hive mindset. You are absolutely right in your assertion to hire people with no conscience or ability to think off the reservation. With all the movies, TV shows, MSM news, and propaganda some Americans buy into the domestic and international policies. We live in a police state, are not free, and the amerika empire continues to grow.

        Also a lot of what Snowden shared was nothing new as many other whistleblowers broke news about the same things in the past 10+ years. It’s sad to see the double standard treatment of how some Americans (I never mean all Americans, more are waking up) view Snowden vs. Manning who is another hero and should be released from prison. The war crimes he exposed are so shameful and not representative of what this country stood for in the beginning. Plus if you really asked everyday people in your neighborhood if they would commit those acts themselves or stand for those acts I’m pretty sure they would say no, and are good standup people wanting to live in peace with other human beings.