Developing an insider threat program takes time. Typically the insider threat manager and security team first review their organization’s systems and processes holistically. They look across all possible threat vectors to identify weaknesses — creating or refining security protocols as needed, and tightening processes where necessary. Having the right plans in place to combat insider threats is a good first step, but fairly early in the process it’s important to put down the pen and paper and actually test whether the plan you’ve drawn up will work.
Design your first test to validate the key assumptions you’ve made by gathering the right players in the same room and conducting a tabletop exercise. Don’t take anything for granted; you might be surprised by how your current processes perform in practice compared with how they were envisioned. For example, you may assume your process for removing former employees from the network runs automatically on their last day on the job, but you might find in practice that, due to system or human error, former employees retain access to the network for days or weeks after their departure.
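The offboarding assumption above is exactly the kind of thing a tabletop exercise should check against real data rather than take on faith. As an added example (not from the original article), the following Python script reconciles a constructed HR last-day list with a constructed directory export and reports every account still enabled after its owner’s departure, how long it has lingered, and whether it was used after the last day; the field names and the grace-period parameter are assumptions for illustration.

```python
from datetime import date

# Constructed sample data (not from any real system): HR offboarding records
# and a directory export of account status, as two CSV-style strings.
HR_TERMINATIONS = """\
user,last_day
alice,2024-03-01
bob,2024-03-08
carol,2024-03-15
"""

DIRECTORY_EXPORT = """\
user,enabled,last_logon
alice,false,2024-02-29
bob,true,2024-03-20
carol,true,2024-03-14
dave,true,2024-03-21
"""


def parse_csv(text):
    """Minimal CSV parser for the constructed inputs above (no quoting)."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, row.split(","))) for row in lines[1:]]


def lingering_accounts(hr_text, dir_text, as_of_iso, grace_days=0):
    """Return former employees whose account is still enabled past last_day.

    Each finding records how many days the account has lingered and whether
    it was used after the last day: the evidence a tabletop team needs to
    decide whether the gap is a process failure or a tooling failure.
    grace_days (assumed parameter) suppresses gaps shorter than the allowed
    deprovisioning window so the report shows real misses, not noise.
    """
    as_of = date.fromisoformat(as_of_iso)
    hr = {r["user"]: date.fromisoformat(r["last_day"]) for r in parse_csv(hr_text)}
    findings = []
    for acct in parse_csv(dir_text):
        last_day = hr.get(acct["user"])
        if last_day is None or acct["enabled"] != "true":
            continue  # current employee, or already disabled as intended
        lag = (as_of - last_day).days
        if lag <= grace_days:
            continue
        last_logon = date.fromisoformat(acct["last_logon"])
        findings.append({
            "user": acct["user"],
            "days_lingering": lag,
            "used_after_departure": last_logon > last_day,
        })
    return sorted(findings, key=lambda f: -f["days_lingering"])
```

Run with the constructed data as of 2024-03-22 and it flags bob (enabled 14 days after his last day and logged on afterwards) and carol (7 days); feed it your real HR and directory exports to measure the actual lag the tabletop should simulate.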
Take the following steps to conduct your initial tabletop exercise:
- Design one or two well-thought-out scenarios. Include a few limited variations if time permits.
Pro Tip: Balance creativity with data when designing your scenarios. Take a look at the data you have available internally and externally on what the greatest threats are to your organization. Include scenarios that represent the greatest threat, but use creativity to add some spice to the scenario. For example, if a disgruntled employee leaking sensitive data is your biggest concern, inject some humor by pulling up an embarrassing picture of the CEO to represent “sensitive data”. It’s important you get the most out of the simulation by making it stimulating.
- Document your process. Gather all the data you can before the exercise. A process map should be at the center of the exercise.
Pro Tip: Ideally you should capture data on how long your current processes take so you can simulate accurate timelines for response.
- Set aside adequate time.
Pro Tip: A daylong tabletop exercise is enough for most organizations. If you can’t lose that much productivity from your workforce, spread the simulation out over two or three days in shorter chunks. Investing the time to stress test your model could help you catch an error in your insider threat program design that could expose you to millions of dollars in risk down the road if left undetected.
- Be inclusive: gather all the key stakeholders in the same room.
Pro Tip: Don’t be afraid to extend the invite to your front line employees. While not the decision makers, these individuals often hold the key first-hand knowledge of how your processes actually perform in action. Your eccentric mailroom lackey you hide when important guests come around may be the only one at your organization who knows what a suspicious package really looks like.
- Perform comprehensive knowledge capture.
Pro Tip: Use big sheets of paper and sticky notes to build living artifacts you can refer back to in the future. If you have the resources available, audio record the exercise. There are many effective methods to capture the knowledge shared at the exercise, but whatever you do, be sure you capture all the lessons learned, because the insights you glean from each test will help you in future stress tests.
Continuous Stress Testing
Much like running through a fire drill, testing the potential vulnerabilities and fault tolerance of your organization’s insider threat program should not be thought of as a one-and-done run-through of the plan. Instead your entire insider threat program — all security components, policies and procedures — should be stress tested on an ongoing, continuous basis. Each stress test should be better than the last, because once you begin operating you’ll have more data to update your process maps as well as anecdotes from the front lines. Stress testing should also take into account marketplace changes — the changing nature of threats, evolving compliance requirements and new technologies — as well as organizational changes, including personnel on-boarding and termination policies.
Testing should be an inherent part of the design, planning, development, creation and review process of every insider threat program. An organization must conduct stress testing as an iterative process — not a box to check in the final steps of developing an insider threat program. Each phase should be tested as the program is being developed, and the insider threat model as a whole should be stress tested for its holistic effectiveness and its ability to be implemented.
When developing and stress testing insider threat programs and their components, it’s a smarter, more agile approach to conceive and test using shorter time frames. In this rapidly changing market, it is difficult to plan several years out. There are too many variables that are evolving that can affect insider threat vulnerabilities. Instead, insider threat teams should look 12 to 18 months out, at most, at how insider threat programs may respond to changes in the organization and the industry.
Stress testing requires IT security teams to be proactive in their efforts to understand their market and their organization’s particular role in it. They should be aware of the situations that are likely to give rise to increased insider threat possibilities, and the potential technological, procedural, and simple human errors that contribute to insiders maliciously accessing your organization’s critical information.
Simulated Environment Testing (Dress Rehearsal)
The recurring test you should perform on your developing and established insider threat program is a simulated environment exercise. A few methods you might want to follow:
- Repeat the tabletop exercise as designed previously.
A tabletop exercise has advantages. It is controlled, cheap, and easy to conduct. However, it is limited in how much stress it can actually apply to your system design.
- Conduct war game or live testing.
This method involves using your actual systems and processes. While conducted like a tabletop exercise, the difference with a live test is that you actually carry out each step in the process exactly as you would if the scenario were really happening. When the process tells you to send an email, send an email. If it tells you to look at a particular piece of data in a particular format, mock up the data as close to a real-world example as possible.
Pro tips for war games and live tests:
- Conduct the game over time in order to simulate real world response times.
- Station stakeholders in the actual location they will or do operate from (if possible).
- Throw in twists that put the team under pressure. For example, you might start a scenario off as a routine alert seen every day then abruptly change it to be an imminent threat. This will allow you to identify weak points by pushing the system to a point of breaking.
- Outsource penetration testing.
External experts bring considerable value to the table. They will be able to review your insider threat program with fresh eyes, and potentially see the flaws in the plan, vulnerabilities or weaknesses, just as a bad actor would. Penetration testing experts have seen first-hand what tactics have successfully infiltrated organizations and why they worked. They can put that knowledge and specialized expertise to work to strengthen your organization’s insider threat program.
Pro Tip: It’s worth considering offering bonuses to your penetration testers in order to incentivize them to bring their A-game for identifying any vulnerability within your organization’s insider threat program.
- Conduct unannounced live testing.
How will your analytical team perform when they don’t know the scenario is simulated? Conduct this test in the same manner you would a live test, but only announce it to leadership.
Pro Tip: Proceed with caution employing this method. Be sure to notify any action takers or recipients of information from your program that a false referral is on the way. Be sure to bring in your legal team to make sure you don’t cross any boundaries.
For each of these stress test methods, it is recommended to carry the simulation from “cradle to grave”. This involves beginning with a normal, pre-attack environment, and assessing the efficacy of the insider threat plan through detection, containment, resolution and prosecution.
Avoid These Common Mistakes
Now that you know how to conduct stress tests, avoid these common pitfalls:
- Avoid relying on outdated scenarios. It’s important to conceive new scenarios; don’t just use historical examples of insider threat tactics.
- Test as often as your resources will allow. Not testing frequently enough is a common mistake; regular testing is how you identify where processes need to be refined to take into account changes in your organization and the market.
- Make sure your controlled environment for testing is sealed and airtight. Best practice dictates that tests should always be done in a contained environment, so you can learn from mistakes while mitigating the risks inherent in live testing.
Why is stress testing so important? The short answer is that organizations need stress testing to challenge assumptions. It’s the only way for insider threat teams to test the validity of their assumptions and identify where they need to make adjustments. The stakes are high. Don’t be an organization whose insider threat program rests on untested assumptions — the potential impact on your business is too great to gamble on. Take a holistic, iterative approach to stress testing your insider threat program and your organization will be better positioned to mitigate threats in the long run.