Could Mohammad al-Shamrani have been detected before his recent attack on Naval Air Station Pensacola? Insider risk expert Val LeTellier thinks so.
The attacker, a Saudi Air Force officer, killed three U.S. Navy sailors and injured eight others before being shot dead by police in the December 5 attack.
In a detailed December 17 post on ClearanceJobs.com, LeTellier notes that al-Shamrani “exhibited readily observable anomalous behavior” on at least six different occasions during the weeks and months preceding the shooting.
The failure to detect al-Shamrani, despite the early indications and warning signs, was due in LeTellier’s view to four factors:
1) Insider threat early warning programs often lack the attention, expertise, funding, incentive programs, information-sharing processes and programmatic approaches necessary to be successful.
2) Organizational cultures often undercut the effectiveness of early warning programs through denial, privacy concerns, lack of accountability and a cognitive bias toward technical cybersecurity.
3) Faulty assumptions such as ‘it won’t happen here,’ ‘red flags are reported and responded to’ and ‘people will do the right thing’ undermine the process.
4) There is ‘social shirking,’ meaning no one wants to be a tattletale, many avoid conflict and some pass the buck through inaction.
But early detection of even the most serious insider threats is entirely possible, says LeTellier. This is due to “the simple fact that insider attacks are generally not impulsive in nature. Regardless of motivation, the insider plans for months or even years before action. And no matter how hard the attacker tries to cover their tracks, they leave evidence during the slow progression from idea to action. The evidence is observable changes in attitude and behavior, which are discernible and detectable when you know what to look for.”
He goes on to describe the insider’s “kill chain,” the path an individual takes as he or she devolves into an insider threat. The six stages of LeTellier’s kill chain start with “temperament” and end with “attack.” The details are well worth a read.
LeTellier’s antidote to the insider threat detection failures of the past few decades involves a combination of whole-person and whole-threat approaches. By ‘whole-person’ he means “contextual and psychosocial, using personality, environment and precipitating events to identify insider risk.”
His ‘whole-threat’ element “addresses the common root causes that result in different attack forms (data theft, fraud, sabotage, violence). It leverages common sense and objectivity to understand the trusted insider personalities relevant to the organization, the precipitating events that can turn those personalities to malicious action and the corresponding tripwires that require action.”
This is the exact formula Haystax relied on five years ago when designing our Insider Threat Mitigation Suite for government and private-sector organizations. The Haystax analytics platform is based on a probabilistic model of behaviors and external stressors indicating or counter-indicating trustworthiness. That’s the whole-person piece.
Data can be applied to the model as evidence, and that evidence covers indicators of every kind of threat posed by insiders, whether the behavior behind it is malicious, inadvertent or willfully negligent. That’s the whole-threat piece.
Our analytics work in very much the same way that LeTellier describes the detection process: “[R]elatively slight changes in attitude and behavior are predictive, showing how an insider will react to greater stress. In essence, minor events will showcase a natural reaction, allowing one to predict reactions to major events. By knowing that specific personalities are negatively affected by specific events, one can identify ‘tripwires’ for more significant problems.”
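The "probabilistic model with data applied as evidence" idea in the three paragraphs above can be made concrete with a small log-odds accumulator. This is an added illustration written for this post, not Haystax's analytics, LeTellier's method or any real product's scoring logic; the indicator names, their likelihoods, the 1% prior, the 0.5 tripwire and the sample timeline are all constructed assumptions.

```python
"""Illustrative naive-Bayes evidence accumulator for insider-risk scoring.

Added example for this post, not the Haystax model. Indicator names,
likelihoods, the prior and the sample timeline are constructed for illustration.
"""
import math

# Hypothetical indicators: name -> (P(seen | elevated risk), P(seen | baseline)).
# A ratio above 1 indicates risk; a ratio below 1 counter-indicates it, which is
# how evidence pointing toward trustworthiness lowers the score.
INDICATORS = {
    "hostile_remarks_reported":      (0.60, 0.05),  # LR 12.0
    "expressed_grievance_online":    (0.50, 0.10),  # LR  5.0
    "after_hours_access_spike":      (0.35, 0.10),  # LR  3.5
    "financial_stress_event":        (0.40, 0.15),  # LR  2.67
    "sought_counseling_voluntarily": (0.10, 0.25),  # LR  0.4  (counter-indicator)
    "positive_peer_review":          (0.30, 0.60),  # LR  0.5  (counter-indicator)
}


def log_likelihood_ratio(indicator):
    """Weight of evidence for one observed indicator (natural log of its LR)."""
    p_risk, p_base = INDICATORS[indicator]  # KeyError on an unknown indicator
    return math.log(p_risk / p_base)


def risk_posterior(prior, observed):
    """P(elevated risk | observed indicators) under a naive independence assumption.

    Evidence is combined in log-odds space so many weak signals add up and
    counter-indicators subtract: a simplified form of the 'indicating or
    counter-indicating trustworthiness' accumulation the post describes.
    """
    if not 0.0 < prior < 1.0:
        raise ValueError("prior must be strictly between 0 and 1")
    log_odds = math.log(prior / (1.0 - prior))
    for indicator in observed:
        log_odds += log_likelihood_ratio(indicator)
    return 1.0 / (1.0 + math.exp(-log_odds))


def first_tripwire(prior, timeline, threshold):
    """Walk a chronological (date, indicator) timeline and return the date on
    which the posterior first reaches `threshold`, or None if it never does."""
    seen = []
    for date, indicator in timeline:
        seen.append(indicator)
        if risk_posterior(prior, seen) >= threshold:
            return date
    return None


# Constructed sample timeline (not real events): one counter-indicator early,
# then a slow progression of minor signals, none decisive on its own.
SAMPLE_TIMELINE = [
    ("2019-06-03", "positive_peer_review"),
    ("2019-08-14", "financial_stress_event"),
    ("2019-09-22", "expressed_grievance_online"),
    ("2019-10-30", "hostile_remarks_reported"),
    ("2019-11-18", "after_hours_access_spike"),
]

if __name__ == "__main__":
    prior = 0.01  # assumed base rate of elevated risk in the population
    running = []
    for date, indicator in SAMPLE_TIMELINE:
        running.append(indicator)
        print(f"{date} {indicator:<30} P(risk)={risk_posterior(prior, running):.3f}")
    print("tripwire (0.5) crossed on:", first_tripwire(prior, SAMPLE_TIMELINE, 0.5))
```

Two things a practitioner should take from running it: the early positive peer review pulls the score below the prior, and none of the later events crosses the 0.5 tripwire alone; only the accumulation does. The naive independence assumption is the main caveat: correlated indicators (a grievance posted online and the same grievance voiced in the office) double-count unless the likelihoods are calibrated against real base rates.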
LeTellier, who served in various intelligence and security roles in the U.S. government, provides a detailed breakdown of five distinct insider attack types and outlines a 14-step best-practices framework for insider threat mitigation. (The attack types resemble the profiles listed in the Verizon Insider Threat Report that we covered in April of this year.)
In conclusion, LeTellier notes that insider threat mitigation programs have to leverage “every bit of information available” in order to be effective. It is the whole-person and whole-threat approach that alone “considers the totality of factors and precipitating events that result in [an] attack.”
# # #
Note: In an industry survey conducted earlier this year, Haystax discovered numerous shortfalls in how organizations are approaching insider threat mitigation. Find out what we learned by clicking here.