OSINT for Insider Threats
By Rebecca Lindley
Here’s the first of a series of articles where we look at why OSINT should be used to tackle many of the challenges that businesses face. In this article we’ll focus on using OSINT for insider threat investigations.
‘Insider threat’ describes a broad range of business risks that involve an ‘insider’ – an employee, contractor or other similar party – who has access to an organisation’s assets, systems and processes, and who undermines the business by misusing those assets.
Examples of malicious insider activity can include:
- Data breaches
- Theft and sale of company data
- State-sponsored commercial espionage
All of these activities have the potential to significantly impact the reputation and financial wellbeing of a company. Naturally, the variety of methods and perpetrators involved means that there’s no one-size-fits-all solution to the investigation of insider threats.
For example, cyber threats alone present a huge challenge: in a 2020 survey, such incidents were found to have increased by 47% over the previous two years. Numerous solutions already exist for this type of threat, but they only form a small part of the picture.
Fewer solutions exist, however, for combatting other kinds of insider activity – such as the theft of company data – that could be addressed by leveraging Open Source Intelligence (OSINT). Below, we’ll discuss some examples of where freely available online information can be hugely beneficial.
Where does OSINT fit in?
Although insider threat comes in different forms, it generally requires a level of conspiracy – the insider must have a connection with somebody external to the business. This individual will typically be able to exploit the information the insider has access to. Connections like this can often be identified using open source intelligence – both before and after an incident occurs.
A thorough risk-based approach to screening is very important for suppliers, contractors and partners – as well as employees. It’s far better to prevent a problem altogether than to have to investigate one. OSINT can be hugely valuable in the screening process because it’s freely available. Failing to make effective use of it, and therefore missing something important, could open you up to criticism. Has the individual being screened been involved in activity that could damage your reputation? Do they have undeclared interests in other organisations? Do they have close social relationships with competitors? OSINT should help you to answer these questions and, in doing so, avoid potential threats.
When you have a suspect
If you suspect a particular employee of hostile activity, open source information can link them to co-conspirators. Perhaps the subject of an internal investigation is on the board of a company that could profit from insider information? Or perhaps a close friend or family member works for a supplier? OSINT can be invaluable in helping you to understand these connections and provide evidence of wrongdoing.
Where there is no obvious ‘insider’, your task can be more difficult. You may need to look at connections between larger groups of individuals or companies. Manual work on this scale is time-consuming and ineffective – it can be difficult to identify the connections you’re looking for amongst large volumes of data. But your investigative outcomes can be improved significantly by automating repetitive investigative processes and analysing the information to reveal key connections, using software like Videris.
Open source intelligence is an essential part of investigating insider threats because it’s a highly effective way of identifying connections between people and organisations. Better still, you can use OSINT to minimise the risks of an incident occurring, for example through the effective vetting of employees. When insider incidents do occur, open source information can provide critical intelligence that supports a complex investigation. In some circumstances it can even form critical evidence in a formal legal process.