Finding The Hidden InfoSec Story

Wolf in Sheep’s Clothing

A woodcut of "The wolf in sheep's clothing"

For a hacker, sometimes the easiest way “in” to an organisation is to actually go “in.” Some businesses, such as call centres or those who use many contract workers, or those with complex and extended supply chains, or those who use high numbers of “seasonal staff” are especially vulnerable to insider threats because it is simply the easiest way for a hacker to access your data/premises/people.

Even more annoying and worrying is the idea that, as security professionals, you are doing your job so well that moving inside is the best option for an attacker, after all in the fable the wolf only tries the very risky move of wearing the sheep’s fleece INSIDE the flock, because the shepherds have been so damn vigilant.

Irritating that when you do your job well enough to stop external attacks, the attackers are prompted, in effect by your efficiency, to up their game. Indeed, it might be the simplest option anyway! Why bother hitting ever-stronger firewalls or flogging your guts out trying to crack passwords when you can simply fake a CV, apply for the job and be GIVEN enough access to the organisation to grab what you need? (With less effort and whilst enjoying a pension plan, subsidised coffee and a monthly salary.)

There are of course different types of insider threat. From the organised and patiently deliberate “fake employee” whose sole purpose is to be hired, collect the data/gain access, and then disappear; to the employee who has turned rogue for whatever reason and has decided to cause disruption or steal something. Then there are those with a perceived moral purpose in exposing company details or operations in some way. They don a psychological disguise and act the part of a “normal” employee whilst plotting against the flock they mingle with, and that corporate “fleece” can be very convincing if an attacker is in possession of three things: confidence, presence of mind and focus.

To be successful, it is important for any “wolf” to show confidence in what they are about. Successful insiders need to look and act the part, and there is no place for insecurity or doubt when looking to breach an organisation from the inside. The wolf in the fable became the sheep, believed he was the sheep, and it was only when the danger of discovery had passed and he was long away from detection did he return to his real wolf identity and “devour the lamb.”

This is unfortunate for those of us looking to detect insider threats as a professional, motivated practitioner may not look out of place, or be remotely hesitant, and therefore suspicious, in what they are doing. They will brazen out challenges and look like they are in exactly the right place at the right time. They really WILL blend in.

In the same vein, brazening out a challenge requires the presence of mind also mentioned. Good insider threats have the ability to think on their feet and will be ready with a smooth explanation or excuse in situations where the game is almost up, and they are in danger of being detected. In situations when a colleague questions behaviour or suspects a problem., the words will tumble as softly as a sheepskin rug with associated convincing fluff and warmth. All the charm and charisma of the psychopath informs the performance of the best insider threats, although if you know what to look for this smoothness of response is in itself a flag of deceit.

The final trait is Focus. Whatever breed of insider you are, your mind is on your nefarious objectives rather than the legitimate job you are tasked with. So threats working on the inside have the focus of someone “on a mission” but it is not the mission those around them would expect, so their appetite for conversation outside of what interests them is limited. General small talk, deviation to broader topics such as social events or long-term projects, and additional tasks or activities won’t be on their mind. They may play along with the broader life of the organisation, but they will lack the genuine interest of the legitimate employee and will get back to their real area of focus as soon as possible.

To those of us tasked with keeping people secure these characteristics should be alarming. They are difficult to detect and easy to misdiagnose. Behavioural clues to identifying insider threats are subtle, and without careful training knowledge of them can lead to an unhealthy paranoia about literally EVERYONE we work with.   The reassurance is that very few insider threats are as good as they need to be to escape detection. But this is countered by the problem that most organisations fail to observe the “baseline’ behaviour of their people and so have not a clue what is “normal” for them.   They don’t calibrate behaviour, don’t know what to look for or care enough to be observant until it is too late, to identify the changes that could indicate a breach.

Sherlock Holmes said “you see Watson, but you do not observe” and never is this more true than when failing to notice the behaviour of a wolf in the midst of your “flock.”

The “wolf in sheep’s clothing” is one of the better known Aesop’s fables for a good reason. It is a threat that we can all identify with because everyone is able to understand how that breach happened, and that in its simplicity lies it’s brilliant.. It is also popular because it is so frightening, we can see how we ourselves would not suspect, would not necessarily question someone on the inside. We have all seen media reports of the quiet colleague who turned out to be a murderer, a spy, a competitor. We all know it can happen, and can easily imagine how it would play out in our own organisations.   More than that, we probably have at least one colleague who, in all seriousness we suspect of something. Can’t put your finger on exactly what, but they are the person that when you say “you know who we mean” ALL of your colleagues nod in agreement and with a shared sense of suffering and subterfuge.

The fearsome truth is that if they stand out then they are probably not the threat at all, and are likely just the colleague that stands out because they are different in some way. However, they are dangerous because they provide the distraction needed for the real “wolves” to sneak in, undetected, smooth and rocking the “corporate fleece.”

Author: Jenny Radcliffe

Share This Post On