Robert Hanssen. Edward Snowden. Ana Montes.
These names should have equal weight when people recall some of our country’s worst insider threat incidents, but for many only two of the three mean something.
For those who don’t recall, Ana Montes was a spy. She joined the U.S. Defense Intelligence Agency (DIA) in September 1985 and was eventually promoted to senior analyst. After a years-long internal mole hunt, she was arrested in her office on September 21, 2001 on suspicion of spying for the Cuban government, and was eventually convicted.
A firm believer that the U.S. had for decades been treating Cubans unfairly, Montes remains unrepentant about her espionage as she continues serving out her 25-year prison sentence.
Montes was smart and knew the limitations of the systems she was using. She knew that if she searched too far outside her duties as an analyst, colleagues and supervisors would question her about it. She knew the DIA would randomly search bags, so she memorized the information she needed to pass along to her handler. She knew how dangerous a paper or electronic trail could be, so she communicated by coded radio messages and wrote notes on water-soluble paper that could easily be destroyed. In other words, Montes was actively concealing her behavior to blend in with the baseline, so much so that she was appointed to lead her own mole hunt.
So how was Montes caught? It all started in late February 1996 when she left work early after receiving an upsetting phone call. Sounds small, right? In isolation it was, but this phone call came directly after the Cuban Air Force shot down two planes operated by the Miami-based anti-Castro organization Brothers to the Rescue in international airspace near the Cuban coast.
Her colleague reported the behavior (see image below, from the DoD’s post-investigation report), along with other concerning incidents from around that time — such as her support for the Center for Defense Information (CDI), which advocated improved U.S. relations with Cuba and which subsequently held the U.S. government partly responsible for the shootdown. However, the colleague’s report didn’t go anywhere.
Could someone catch Montes today? The systems monitoring her were conveying a false sense of security with thresholds she could easily avoid. To catch people like Montes, we have to rethink the systems of thresholds and rules.
We have to ask ourselves, how can the right kinds of information be captured and incorporated into a system that’s looking only at user activity monitoring data? The answer is that we must turn to humans to provide context.
Below is a list of events, taken from the DoD report, that could have been paired with data from conventional computer and network monitoring systems:
- Montes’ nickname at the office translated to “The Outsider,” and she had few social relationships.
- She found reasons to travel to Cuba for work.
- She requested the results of her clearance, to send back to her Cuban handlers.
- She was compassionate, empathetic and sympathetic to Cuba, but very quiet about it.
- Prior to her post-graduate education she was politically inactive, became politically active at Johns Hopkins and then went quiet after graduating.
- She was involved with academic groups, including CDI, that supported Cuba.
With the Haystax for Insider Threat solution, we would have captured all the normal indicators that alert DIA analysts. In addition, we could have given top analysts and investigators (with the appropriate permissions) the ability to capture more qualitative events like those listed above and feed them back, as structured data, into the probabilistic model that underlies our analytics platform.
A broader picture of Montes’ behavioral riskiness would have enabled DIA security analysts to receive alerts in context, surfacing incidents that otherwise wouldn’t seem concerning (such as suspicious-activity reports from colleagues) and generating automated alerts on significant changes in Montes’ risk score.
This would have been the only way the DIA could have caught Montes sooner.
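As an added illustration of the idea above (this is not Haystax’s model, whose parameters the post does not describe), here is a minimal log-odds scoring model in Python in which a human-entered observation such as a colleague’s suspicious-activity report is fed in as the same kind of structured event as a monitoring hit, and an alert fires only when the score moves by more than a set amount. The event types, likelihood ratios, base rate and timeline are all constructed assumptions.

```python
import math
# Constructed likelihood ratios (odds multipliers) per indicator type: illustrative
# assumptions, not Haystax model parameters. Human-entered "report."/"qual."
# observations take the same structured form as machine "monitor." events.
LIKELIHOOD_RATIOS = {
    "monitor.left_early_after_call": 1.5,
    "report.colleague_suspicious_activity": 4.0,
    "qual.sought_travel_to_country_of_interest": 3.0,
    "qual.requested_own_clearance_results": 5.0,
}
PRIOR = 0.001       # constructed base rate of insider risk per analyst
ALERT_DELTA = 0.05  # constructed: alert when the score jumps by 5+ points

class RiskProfile:
    def __init__(self, subject):
        self.subject = subject
        self.log_odds = math.log(PRIOR / (1 - PRIOR))  # start at the base rate
        self.seen = set()  # indicator types already folded into the score

    def score(self):  # posterior probability of insider risk
        return 1.0 / (1.0 + math.exp(-self.log_odds))

    def add_event(self, event_type):
        """Fold one structured event into the posterior; return (old, new, alert)."""
        lr = LIKELIHOOD_RATIOS[event_type]  # unknown event types fail loudly
        old = self.score()
        # Naive-Bayes style: each indicator type counts once, so repeated
        # reports of the same thing do not inflate the score on their own.
        if event_type not in self.seen:
            self.seen.add(event_type)
            self.log_odds += math.log(lr)
        new = self.score()
        return old, new, (new - old) >= ALERT_DELTA

def replay(timeline, subject="analyst-A"):
    """Replay dated events in order; return the profile and the alerts raised."""
    profile, alerts = RiskProfile(subject), []
    for day, event_type in timeline:
        old, new, alert = profile.add_event(event_type)
        if alert:
            alerts.append((day, event_type, round(old, 4), round(new, 4)))
    return profile, alerts

# Constructed timeline loosely following the sequence described in the post.
CONSTRUCTED_TIMELINE = [
    ("1996-02-26", "monitor.left_early_after_call"),
    ("1996-02-27", "report.colleague_suspicious_activity"),
    ("1996-04-02", "qual.sought_travel_to_country_of_interest"),
    ("1996-05-15", "qual.requested_own_clearance_results"),
]
```

Run on the constructed timeline, the colleague’s report alone leaves the score near the base rate, while the later qualitative events push it past the alert delta, which is the contextual effect the post argues for.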
# # #
Hannah Hein is a Federal Project Manager at Haystax.
Note: Find out how Haystax uses probabilistic modeling and a broad array of non-network data sources to discover well-concealed insider threats. Download our free white paper here.