The FBI nabbed 51-year-old Harold T. Martin III, who worked for Booz Allen Hamilton, after an FBI search of his home and car uncovered an abundance of highly classified documents, which Martin was not authorised to have.
The Times quoted an August complaint that had Martin saying “he knew what he had done was wrong and that he should not have done it because he knew it was unauthorised.”
“Insider threat is the most realistic and largest threat to corporate data. No intrusion detection or perimeter security measure can account for this,” Mark Wilson, director of product development for STEALTHbits Technologies, said in comments emailed to SCMagazine.com. “An internal bad actor with motivation and the correct credentials can and will infiltrate an organisation's Crown Jewels - sensitive data. Why? Because it has monetary value.”
Wilson said the insider has two goals – get credentials and data.
“The challenge is how to minimise the attack surface, alert to a breach, and preferably, stop the activity before it can occur,” he said. “This can only be achieved by understanding what the insider threat is and their motivation, by applying suitable measures to alert to and stop the nefarious activity in the first place.”
Authorities have yet to uncover a motive for Martin's alleged misdeeds, the Times said. “We're struggling to figure him out,” the report quoted an anonymous official as saying.
Also unknown is whether Martin is responsible for the NSA code leaked by a group going by the name of the Shadow Brokers. In August, the group posted a message on Github, since removed, stating it would auction off a variety of “cyber weapons” obtained by hacking another shadowy organisation called Equation Group, which Kaspersky Lab has linked to a variety of malware types, including Stuxnet and Flame, which are associated with attacks supposedly launched by the United States.
The Shadow Brokers recently lamented the low level of interest in bidding for stolen NSA hacking tools online.
Divining attacks, quickly mitigating incidents, determining motivation and figuring out attribution are all difficult.
“More often than not, the insider attack is only realised long after the event as borne out by the fact this breach occurred two years ago,” Julien Bellanger, co-founder and CEO of Prevoty, said in comments emailed to SC. “No level of security clearance can account for privilege and motivation. Therefore the only way to address this is to consider least level of access best practices for privileged credentials and minimising permissive and accessible access to data.”