Shostack + Friends Blog

 

Threat Modeling, Insiders and Incentives

Inspired by the recent story of Tesla's insider, I'd like to discuss insider threat as it fits into threat modeling.

There's been a lot of talk over the last week about "updating threat models" in light of the Tesla insider story. (For example.) I'm getting this question a fair bit, and so wanted to talk about insiders in particular, and how to use the news in threat modeling more generally. This also is a great opportunity to think about incentives.

So first: the story is that a Russian gang approached a Tesla employee and offered $1 million to plant malware. So: should you update your threat models?

The first question to ask is "do your threat models already include insiders?" They should. Many people don't like to talk about insiders. They don't want to think that Bob is going to turn against them, and that's natural. But "insiders" can be framed as a focus on the attacker who's used a phishing link to steal credentials, or an attachment to run code inside your soft, gooey interior. If Bob can go wild inside your systems, Yuri can use Bob's account in the same ways.

It's easy for me to say that "they should," and there's also a reality that many defenses against insiders take substantial engineering effort, and if your organization hasn't committed to that, then there can be a real discouraging effect from repeatedly discovering and disregarding these threats.

So when the issue is on the front page of the newspaper, that can be a fine time to revisit what's in your threat models. News stories can motivate management to say 'we don't want to be the next version of that,' and so if you've lacked the drive to address insiders, maybe Tesla can help you get there.

Speaking of getting there: the offer of a million dollars doesn't mean anyone will get paid a million dollars, and even if you do get the money, you're going to be blackmailed out of that, and a lot more. But MICES starts with money for a reason: there are always people in financial distress, and long-term distress makes thinking clearly difficult.

And thinking about that distress is key to helping your employees do the right thing in such situations. Idan Shoham has an interesting post, "Paying insiders to expose the bad guys." He touches on paying more as the bad guys are indicted, arrested, etc., which is sensible. Not everyone wants to engage in dealing with criminals or helping to bring in more specific evidence. Even filing a police report is an important step, and it can be stressful. It's also a strong deterrent to lies: filing a false report is a crime. A small bonus can help people get over that hump. (Incidentally, you're already thinking about insider threats when you consider that your folks might abuse your bonus system. It's easier to think about when the reason Bob's screwing you is obvious.)

Especially in 2020, when everyone is stressed all the time, aligning incentives is a good strategy to include in your answers to "What are we going to do about it?"

Photo by Austin Distel.