MITRE’s Inside-R Protect goes deep into the behavior side of insider threats

Insider threat and risk management programs are the Achilles heel of every corporate and information security program, as many a CISO can attest to. The MITRE Inside-R Protect program is the organization’s latest initiative to assist both public and private sector efforts in addressing the insider threat. The Inside-R program’s bar for success is high. The focus of Inside-R is on evolving analytic capabilities focused on the behavior of the insider. To that end, MITRE invites the participation of government and private organizations to provide their historical insider incident data to the organization’s corpora of information from which findings are derived.

MITRE Insider-R Protect focuses on behavior, not technology

While at a nascent stage, the focus on human behavior across a wide swath of historical cases has long been sought and needed by corporate counterespionage programs.

I spoke with Dr. Deanna Caputo, MITRE’s chief scientist for behavioral sciences and cybersecurity, who emphasizes how the focus of the Insider-R is on the individual’s behavior and is non-technical. Indeed, the invitation to industry and government to provide their raw investigative records no doubt will cause some to raise an eyebrow or two. To this end, she comments on how the program’s laboratory creation was funded by the financial sector and is an isolated, air-gapped environment. Furthermore, such is the respect to the sensitivity of the data provided from participating partners, there isn’t a backup of the labs data. If the building burns, it is a start-over scenario.

Caputo notes that participation of entities of all sizes is desired, be it an entity with five cases or one with 5,000 cases which were investigated, regardless of sector.

The bar must be raised for insider threat risk

“First, there is a lack of data-driven, behavior-based, and rigorous scientific evidence to understand these escalating risks. Second, there is an over-reliance on frameworks and security controls focused on addressing external cyber threats. And third, insights are being made from a small pool of case studies that lack sufficient detail. We feel that these challenges must be addressed immediately as a component of our mission to solve problems for a safer world. We needed to raise the bar,” says Caputo.

Who may participate in Inside-R?

At this time, only companies and government entities associated with countries comprising the membership of the Five Eyes (FVEY) may participate: United States, United Kingdom, Australia, Canada, and New Zealand. The FVEY countries intelligence cooperation is broad and is not limited to signals intelligence (SIGINT). It also includes human intelligence (HUMINT), geospatial intelligence (GEOINT), and electronics intelligence (ELINT).

In addition, any qualified private entity wishing to participate and obtain a capabilities brief will be required to undergo a “screening process” conducted by MITRE.

Coupling the MITRE-R Protect program with the MITRE Engenuity’s Center for Informed Defense and their tactics, techniques, and procedures (TTP) used by insiders makes eminent sense. However, Jon Baker, director of research and development at the Center for Informed Defense, admonishes not to “focus on the TTPs of the last major insider threat case to hit the news.”

Clearly trust in MITRE’s ability to protect one’s data is paramount and each CISO should contact MITRE to determine their own level of comfort prior to participation. Afterall, one will be sharing insider incident raw investigative notes and data to be amalgamated into MITRE-R Protect. Insider threat risk management companies will want to engage with MITRE. To date, DTEX Systems has embraced the evolution of the program’s capability, while others have appeared to have adopted a wait-and-see position.

Broad participation needed to analyze insider risk

The reality is, for MITRE to be successful and to provide meaningful information back to participants, broad participation will be required. The more entities that participate, the richer the information and the more refined the analytic results. 

As an individual who has been on both sides of the covert information acquisition process, I attest to the value of understanding the behavior of the individual to be of paramount importance. Many fall back on the acronym MICE – money, ideology, compromise, and ego — as the four areas in which to invest in counterespionage/insider threat programs. MICE over-simplifies the engagement and exacerbates the theory that employees are not trustworthy.

That said, following the TTPs of the latest incident is indeed the equivalent of watching your neighbor’s cows bolt down the road and you’re thankful your cows are safely in the barn. Where value exists is exactly where this new initiative’s sweet spot resides: within the raw data, the investigative notes, the court records, and the interviews of all concerned.

CISOs whose insider threat programs do not have a behavioral component are shorting themselves. As they may be assured the unscrupulous competitor, the criminal entity, and the nation-state are studying the behavior of individuals in their targeting matrix looking for windows of opportunity.