Pyramid of Adversary Profiling (POAP) Against Insider Threats

The Pyramid of Adversary Profiling (POAP) framework can be a powerful tool for understanding and mitigating the risk posed by insider threats.

Insider threats are particularly dangerous because the adversary is already inside the organization, has access to sensitive data, and often knows the organization's systems, processes, and weaknesses. These threats can come from employees, contractors, partners, or anyone with authorized access to the organization's network and resources.

POAP provides a more comprehensive, dynamic approach to identifying and preventing insider threats by profiling the adversary’s identity, motivations, tactics, targets, and timing. This profiling allows organizations to go beyond just detecting malicious behaviors to understanding why an insider might cause harm, making it easier to defend against these threats before they escalate.


Why POAP is Effective Against Insider Threats

Insider threats are more difficult to detect than external threats because the attacker already has legitimate access to the organization's resources. Their activities often appear normal or benign, making them hard to distinguish from authorized behavior. Using the Pyramid of Adversary Profiling (POAP) against insider threats allows organizations to look beyond the surface-level activities and understand the deeper motivations and patterns that might indicate malicious intent.

Unlike traditional threat models that focus primarily on tactics or technical signatures, POAP gives a holistic view of the insider adversary, allowing organizations to identify behaviors, patterns, and risks associated with insider threats before they manifest in malicious acts.


How POAP Works Against Insider Threats

POAP is based on five key layers: Who, Why, What, How, and When. Each layer helps to profile the insider adversary from a more dynamic, multi-dimensional perspective. Here's how POAP applies to insider threats:

1️⃣ Who: Adversary Identity

  • The Who layer focuses on identifying the insider adversary, who may be an employee, a contractor, or any other individual who has been granted access to sensitive information.

  • Insider threats are typically divided into two categories:

    • Malicious Insiders: Individuals who intentionally exploit their access for personal gain, sabotage, or revenge.

    • Unintentional Insiders: Employees or contractors who accidentally leak information or cause harm through negligence.

  • Understanding the identity of the individual, including their role within the organization, can help determine whether they are a potential insider threat.

  • Example: A disgruntled employee with access to sensitive financial information or proprietary business data might pose a higher risk as a malicious insider.

  • Defensive Measure: By profiling the identity of the person (and their access level), security teams can prioritize monitoring and audits for those with privileged access or potential risk factors, such as employees with recent performance issues, access to valuable data, or sudden changes in behavior.

2️⃣ Why: Motivation & Intent

  • The Why layer seeks to understand the motivation and intent behind the insider threat. Motivations vary widely and are most often personal, financial, or professional.

    • Malicious insiders may be driven by revenge, greed, or personal grievances.

    • Unintentional insiders may make mistakes due to carelessness, lack of awareness, or insufficient security training.

  • Common motivations include:

    • Financial Gain: A worker stealing intellectual property or sensitive business data to sell to competitors or cybercriminals.

    • Revenge or Retaliation: An employee who feels wronged by the organization may sabotage critical systems or leak confidential data.

    • Negligence: An employee who unwittingly exposes sensitive data by falling for phishing attacks or mishandling data.

  • Example: An employee who was recently passed over for a promotion may decide to steal proprietary business data as an act of revenge.

  • Defensive Measure: By understanding the motivations of insiders, organizations can better identify individuals who might be at risk of becoming threats. Regularly assessing employee satisfaction, conducting exit interviews, and monitoring for signs of disgruntlement can help detect potential malicious intent before it escalates.

3️⃣ What: Targeted Assets

  • The What layer identifies the assets that the insider threat may target. Insider threats often focus on the organization’s intellectual property, confidential data, trade secrets, or customer information.

  • In the case of a malicious insider, this may include proprietary software code, internal communications, financial records, or sensitive personal information. These assets hold significant value to the organization, and any compromise can result in data breaches, financial losses, or reputational damage.

  • Example: An insider with access to a company’s customer database might steal sensitive customer information to sell on the dark web or to competitors.

  • Defensive Measure: Protecting targeted assets involves applying access controls to sensitive data, ensuring that employees only have access to information they need for their roles. Implementing data classification and encryption protocols can also safeguard valuable assets.

4️⃣ How: Execution Methods

  • The How layer focuses on the methods the insider might use to execute their malicious actions. Insider threats can take various forms, such as:

    • Data Exfiltration: Malicious insiders may use USB drives, cloud storage, or email to transfer sensitive information outside the organization.

    • Sabotage: An insider may delete critical files, disrupt operations, or damage systems to cause harm to the organization.

    • Social Engineering: An insider may manipulate others in the organization to inadvertently aid in the exfiltration of sensitive data or compromise security protocols.

  • Example: A disgruntled employee may email sensitive files to their personal account or upload them to an external cloud storage service.

  • Defensive Measure: Monitoring for unusual file access patterns, large data transfers, or unauthorized device connections can help detect insider activities. Deploying Data Loss Prevention (DLP) tools and user behavior analytics (UBA) can also prevent data exfiltration by flagging abnormal behavior.

5️⃣ When: Attack Timing

  • The When layer identifies the timing of the insider threat. Insider attacks are often difficult to predict, but they may occur during specific periods of vulnerability, such as:

    • High-stress periods like organizational changes, layoffs, or financial reporting periods.

    • Post-resignation or termination periods when an insider may act out of retaliation.

    • Before or during an employee’s exit from the company, when they might try to steal data or sabotage systems before leaving.

  • Example: An employee who has just submitted their resignation might begin downloading company files or sending them to external accounts.

  • Defensive Measure: Monitoring for abnormal activities around high-risk periods, such as employee departures or periods of organizational change, can help detect potential insider threats. Restricting access to sensitive information during an employee’s notice period and conducting thorough exit interviews are also critical steps in mitigating risk.


Example: Using POAP to Defend Against Insider Threats

Scenario: Defense Against Insider Threat in a Financial Institution

A financial institution is concerned about the possibility of an insider threat and is using the Pyramid of Adversary Profiling (POAP) framework to profile potential risks.

Step 1: Who – Adversary Identity

  • A junior employee in the IT department with access to sensitive financial data, such as customer bank accounts and trading information, is identified as a potential threat due to their recent dissatisfaction with their role and performance review.

Step 2: Why – Motivation & Intent

  • The employee appears to be motivated by financial gain and personal grievances. They feel underpaid and overlooked for a promotion and may use their access to confidential data to sell it to competitors or third parties.

Step 3: What – Targeted Assets

  • The employee targets sensitive customer financial data, including account numbers, transaction histories, and trading positions, with the intent to sell this information to rival firms or cybercriminals.

Step 4: How – Execution Methods

  • The employee uses a USB drive to copy sensitive financial documents and attempts to upload them to a personal cloud storage service. This method is detected by Data Loss Prevention (DLP) software, which flags the unusual transfer of data.

Step 5: When – Attack Timing

  • The attack occurs during a period of personal stress for the employee, just before their planned resignation. The institution has already implemented controls to monitor and restrict access to critical systems and data during this time.
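As an added example (not part of the original article and not any POAP tooling), the following Python sketch scores constructed audit events against the five layers described above, tying the How and When defensive measures to the financial-institution scenario. The Insider fields, asset tags, channel names, point weights, alert threshold and sample data are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Insider:
    """Constructed HR context for one insider (hypothetical fields, not a real HR schema)."""
    privileged: bool                           # Who: access to sensitive systems
    negative_review: bool                      # Why: recent grievance signal
    resignation_date: "date | None" = None     # When: set once notice is given

SENSITIVE_TAGS = {"customer_pii", "trading", "financial_records"}  # What layer
EXFIL_CHANNELS = {"usb", "cloud_upload", "personal_email"}         # How layer
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024
NOTICE_WINDOW_DAYS = 30

def poap_score(insider, event, today):
    """Walk the five POAP layers for one audit event; return (score, reasons)."""
    in_notice = (insider.resignation_date is not None
                 and 0 <= (insider.resignation_date - today).days <= NOTICE_WINDOW_DAYS)
    checks = [
        (insider.privileged, 1, "who:privileged"),
        (insider.negative_review, 1, "why:grievance"),
        (event["asset_tag"] in SENSITIVE_TAGS, 2, "what:" + event["asset_tag"]),
        (event["channel"] in EXFIL_CHANNELS, 2, "how:" + event["channel"]),
        (event["bytes"] >= LARGE_TRANSFER_BYTES, 1, "how:large_transfer"),
        (in_notice, 2, "when:notice_period"),
    ]
    score = sum(pts for ok, pts, _ in checks if ok)
    reasons = [tag for ok, _, tag in checks if ok]
    return score, reasons

def flag_events(insiders, events, today, threshold=6):
    """Return (user, score, reasons) for each event at or above the alert threshold."""
    alerts = []
    for ev in events:
        score, reasons = poap_score(insiders[ev["user"]], ev, today)
        if score >= threshold:
            alerts.append((ev["user"], score, reasons))
    return alerts

# Constructed sample data: departing IT employee copies trading data to USB; colleague shares a memo.
TODAY = date(2024, 6, 14)
INSIDERS = {
    "jdoe": Insider(privileged=True, negative_review=True, resignation_date=date(2024, 6, 28)),
    "asmith": Insider(privileged=False, negative_review=False),
}
EVENTS = [
    {"user": "jdoe", "asset_tag": "trading", "channel": "usb", "bytes": 120 * 1024 * 1024},
    {"user": "asmith", "asset_tag": "internal_memo", "channel": "sharepoint", "bytes": 4096},
]
```

The same USB copy scored outside the notice window loses the When layer's two points, which is the kind of context a plain DLP rule on its own does not carry.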
