Aug 14, 2024

Black Hat 2024: Why Knowing Your Users is the Ultimate Defense


Proactive insider risk management is the name of the game, and DTEX Systems’ Blurred Lines event at Black Hat made that clear. Those in attendance no doubt left Black Hat 2024 with a pronounced sense of the need to stay ahead of the adversaries targeting their organizations.

The standing-room-only audience consisted of front-line security and technology personnel, both leadership and practitioners. Attendees were treated to a lively, informative and largely interactive discussion on the “Convergence of Internal and External Threats,” as DTEX Systems CEO Marshall Heilman hosted the discussion with Chris Corde, head of security products at Google Cloud; Jeff Reed, chief product officer at Vectra; and Steve Stone, head of Zero Labs at Rubrik.

Monitor behavior, present tangible data, deliver outcomes

Heilman began the conversation with a striking statistic from the 2024 Insider Risk Investigations Report: 77% of malicious insiders attempt to conceal their activities to evade detection. He then posed a crucial question to the panel – how critical is it to monitor user behavior and account activity in identifying and mitigating malicious actions?

Corde emphasized the importance of predictive visibility and having an unfiltered lens into user behavior. Reed underscored that visibility is fundamental, remarking that “users do different things all the time,” a theme familiar to DTEX blog readers. Stone found it “crazy” that visibility remains a talking point in 2024, highlighting how far we still have to go in addressing this challenge.

Stone further elaborated, pointing out that the seeding of individuals into workforces is nothing new. To combat this, it’s essential to understand both the person and the persona, with HR playing a critical role. The panel referenced recent cases of North Korean IT workers infiltrating companies via “laptop farming,” where criminal intermediaries supply stolen or borrowed identities to these ostensibly legitimate employees.

“The threat landscape is broader now,” Corde observed. Stone added that while identity management has largely addressed mainstream threats, what remains are the outliers – nation-state actors. Corde concluded the discussion on behavior with a call to vendors: “present understandable data, deliver outcomes.”

Defining “insider”

The next question drilled into the core of insider risk management: What is an insider? Heilman asked the panel, “What defines an insider?” and highlighted the need for behavioral analysis in identifying recruited insiders. He shared a previous case he was involved with, where an individual’s behavior was largely uneventful—until it wasn’t. The ability to detect deviations from normal patterns was and remains key to identifying threats. This principle is evident in notorious espionage cases like those of Ana Belen Montes, Aldrich Ames, and Robert Hanssen, who all managed to stay under the radar for years by sticking to their “swim lanes.”

Stone’s admonition that we “must know the baseline of users” deserves emphasis. The sentiment is becoming mainstream within the U.S. Department of Defense, which explained at the DoDIIS Worldwide Conference in December 2023 that it was creating “day in the life” user baselines to more easily and effectively flag risky behavior or situations. Stone continued that one must also observe privileges and know what users’ actual privileges are, noting that China’s strategic infiltration of companies and universities poses a significant threat. Such access may give an insider the ability to push corrupt code out the door, delete backups, or purloin valuable assets. Drawing on his prior government service, he remarked that not everything must move quickly and that “make a bottleneck” is a great defensive measure. Tighten the rules as the national security community does, where two- and four-person rules are in effect: multiple individuals must be engaged before an action is taken. Yes, it is manual, a bottleneck indeed, but it is an effective deterrent and prevention for malicious behavior.
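As an added illustration, not code from the panel, DTEX or the DoD, the following Python sketch shows what a “day in the life” baseline and a deviation check can look like in practice. The log lines, user names and hosts are constructed for the example, and the thresholds (one hour of slack around working hours, three standard deviations on volume, two concurrent deviations before alerting) are assumptions chosen to make Reed’s point that a single oddity is not an incident.

```python
"""Per-user behavioural baseline and deviation scoring over constructed log lines.

Added example; the data, hosts and thresholds below are assumptions, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample activity (ISO timestamp, user, host, action, bytes). Not real data.
BASELINE_LOG = """\
2024-07-01T09:12:00 alice fileshare-01 read 120000
2024-07-01T10:30:00 alice fileshare-01 read 95000
2024-07-02T09:45:00 alice fileshare-01 read 110000
2024-07-02T14:05:00 alice wiki-01 read 20000
2024-07-03T11:20:00 alice fileshare-01 read 130000
2024-07-03T16:40:00 alice fileshare-01 write 15000
2024-07-01T08:50:00 bob build-01 read 500000
2024-07-01T09:10:00 bob build-01 write 450000
2024-07-02T09:00:00 bob build-01 read 520000
2024-07-02T18:30:00 bob build-01 read 480000
2024-07-03T09:30:00 bob git-01 read 60000
"""

# Constructed events to triage against the learned baselines.
NEW_LOG = """\
2024-07-08T10:00:00 alice wiki-01 read 30000
2024-07-08T02:10:00 alice fileshare-01 read 2000000
2024-07-08T12:00:00 bob hr-db-01 read 1000
"""


def parse_log(text):
    """Parse whitespace-separated lines: timestamp user host action bytes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action, "bytes": int(nbytes)})
    return events


def build_baselines(events):
    """One 'day in the life' profile per user: hosts touched, hour window, volume stats."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    baselines = {}
    for user, evs in per_user.items():
        hours = [e["ts"].hour for e in evs]
        volumes = [e["bytes"] for e in evs]
        baselines[user] = {
            "hosts": {e["host"] for e in evs},
            "hour_min": min(hours),
            "hour_max": max(hours),
            "bytes_mean": statistics.mean(volumes),
            # stdev needs two samples; a user seen once gets no volume tolerance
            "bytes_stdev": statistics.stdev(volumes) if len(volumes) > 1 else 0.0,
        }
    return baselines


def score_event(event, baselines, hour_slack=1, sigma=3.0):
    """Return the list of ways this event departs from its user's baseline."""
    base = baselines.get(event["user"])
    if base is None:
        return ["unknown_user"]
    reasons = []
    if event["host"] not in base["hosts"]:
        reasons.append("new_host")
    hour = event["ts"].hour
    if hour < base["hour_min"] - hour_slack or hour > base["hour_max"] + hour_slack:
        reasons.append("off_hours")
    if event["bytes"] > base["bytes_mean"] + sigma * base["bytes_stdev"]:
        reasons.append("volume")
    return reasons


def triage(new_log, baselines, threshold=2):
    """Score each new event; only a pile-up of deviations (or an unknown user) alerts."""
    results = []
    for e in parse_log(new_log):
        reasons = score_event(e, baselines)
        alert = len(reasons) >= threshold or "unknown_user" in reasons
        results.append({"user": e["user"], "ts": e["ts"].isoformat(),
                        "reasons": reasons, "alert": alert})
    return results


if __name__ == "__main__":
    baselines = build_baselines(parse_log(BASELINE_LOG))
    for row in triage(NEW_LOG, baselines):
        print(row)
```

In the constructed run, Alice reading a wiki page at 10:00 produces no deviations, Bob touching a host he has never used produces one (logged, not alerted), and Alice pulling two megabytes from the fileshare at 02:10 stacks an off-hours and a volume deviation and is the only event that alerts. Real deployments would baseline over far longer windows and many more features, but the shape is the same: learn the person, then reason about the departure.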

Key takeaways

It is often said that the best defense is a good offense, and that holds for insider risk management. The timeliness of the Blurred Lines panel can’t be overstated. The takeaway is clear: insider risk management relies on knowing the person and their behavior, and on being able to signal when a risk may be in the offing. That is not to say that every anomaly is an issue; as Reed noted, users do odd things all the time. What it does say is that when a behavior, or a signal of concerning behavior, percolates to the forefront, the risk should be addressed.

This meshed with the sentiment that ran through the rest of the conference, where resource constraints, nation-state activity, visibility into user behavior and the use of artificial intelligence were recurring topics.

The ever-important human element

Cybersecurity tools are not a panacea for insider risk management, and neither is artificial intelligence. The U.S. National Counterintelligence and Security Center’s May 2024 Enterprise Threat Bulletin, “Bystander Engagement,” speaks to the critical need for employees to engage when they observe a risk. Bystander engagement brings the human factor into the mix: in the aforementioned cases of Montes, Hanssen, and Ames, there were observable and reportable behaviors long before any of them was identified as a spy.

While AI and other technologies offer machine-speed solutions to mitigate risks and assist analysts, there is still much foundational work to be done. The first step is for organizations to adjust their outlook and integrate insider risk management into their overall security and business strategy.
