Conversations Around Insider and Organizational Threat

Luke Osterritter

losterritter@cmu.edu

Center for Computational Analysis of Social and Organizational Systems http://www.casos.cs.cmu.edu/

11 June 2020

What is an “Insider Threat”?

  • Malicious Insider

– a current or former employee, contractor, or business partner who meets the following criteria:

  • has or had authorized access to an organization’s network, system, or data

  • has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems

  • Can also be inadvertent (non-malicious)

Source: The CERT Insider Threat Center

Conversations around Insider Threat

  • Why look at public conversation? Unlikely to find any insider threats…

  • …but, there may be actors trying to shape the conversation to their own ends – corporations, nation states, etc.

  • Understanding the conversation will lead to informed research

  • Research question: Can dynamic network analysis be used to discover the nature of public conversations around insider threat and related organizational threats?

Hashtag Collection

Category      Hashtags
General       #insiderthreat #insiderattack #cyberespionage #dataloss
Corporate     #industrialespionage #tradesecrets #embezzlement #embezzling
Nation-state  #militarysecrets #spy #spying #spies

Table 1. Set of hashtags used for tweet collection by conversation category

Collection Method

  • Use Python package twarc to retrieve tweets from Twitter Search API based on hashtag query

  • Tweets collected between March 27th and April 15th 2020 (data has some gaps)

  • Import Twitter JSON data into ORA – ORA handles creating derived networks and basic stats.

  • Use ORA for reporting and visualization

Data Description

  • 5 nodesets: Agent, Hashtag, Location, Tweet, URL
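
As an added example (not from the original slides), the following Python shows how line-oriented tweet JSON of the kind collected above maps onto Agent and Hashtag nodes, a hashtag co-occurrence network, and per-category tweet counts using the Table 1 hashtags. It assumes the Twitter v1.1 tweet shape (`user.screen_name`, `entities.hashtags[].text`); the sample tweets, screen names, and function names are constructed for illustration, and the code does not reproduce ORA's import.

```python
import json
from collections import Counter
from itertools import combinations

# Table 1 hashtags by conversation category (lower-cased, '#' stripped).
CATEGORIES = {
    "General": {"insiderthreat", "insiderattack", "cyberespionage", "dataloss"},
    "Corporate": {"industrialespionage", "tradesecrets", "embezzlement", "embezzling"},
    "Nation-state": {"militarysecrets", "spy", "spying", "spies"},
}

def _tweet(user, *tags):
    # Constructed sample record in the assumed Twitter v1.1 shape.
    return json.dumps({"user": {"screen_name": user},
                       "entities": {"hashtags": [{"text": t} for t in tags]}})

# Constructed sample data: one JSON tweet per line.
SAMPLE_JSONL = "\n".join([
    _tweet("vendor_a", "InsiderThreat", "DataLoss"),
    _tweet("newsbot", "insiderthreat", "cyberespionage", "spy"),
    _tweet("gamer1", "spy", "TF2"),
    _tweet("vendor_a", "insiderthreat", "dataloss"),
    _tweet("lawblog", "tradesecrets", "industrialespionage"),
])

def build_networks(jsonl):
    """Return (agent x hashtag, hashtag co-occurrence, tweets per category) counters."""
    agent_x_hashtag, cooccurrence, per_category = Counter(), Counter(), Counter()
    for line in filter(str.strip, jsonl.splitlines()):
        tweet = json.loads(line)
        # Case-fold and de-duplicate so #Spy and #spy become one Hashtag node.
        tags = sorted({h["text"].lower()
                       for h in tweet.get("entities", {}).get("hashtags", [])})
        for cat, members in CATEGORIES.items():
            if members.intersection(tags):
                per_category[cat] += 1
        for tag in tags:
            agent_x_hashtag[(tweet["user"]["screen_name"], tag)] += 1
        cooccurrence.update(combinations(tags, 2))  # undirected, sorted pairs
    return agent_x_hashtag, cooccurrence, per_category

def out_of_scope_neighbors(cooccurrence, tag):
    """Hashtags seen alongside `tag` that belong to no Table 1 category."""
    known = set().union(*CATEGORIES.values())
    linked = {o for pair in cooccurrence if tag in pair for o in pair if o != tag}
    return sorted(linked - known)

if __name__ == "__main__":
    agents, cooc, cats = build_networks(SAMPLE_JSONL)
    print(dict(cats), cooc.most_common(3), out_of_scope_neighbors(cooc, "spy"))
```

Listing the uncategorized neighbors of a broad collection tag such as #spy is a quick way to see how much of a category's volume is unrelated discourse before interpreting centrality measures.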

ALL CATEGORIES

Inside Threat Tweets

Overall – Super Spreaders

Overall – Super Friends

Overall Takeaways

  • Difficult to find anything of note in the whole collection

  • “Spy” hashtag has a lot of out-of-scope discourse

– Movie and TV
– Video games (Team Fortress 2)
– Novels, books, stories, etc.
– ES Futures vs SPY (refuse to look deeper into this)

“GENERAL” GROUPING

Inside Threat Tweets

Insider Threat - General – Super Spreaders

Insider Threat - General – Super Friends

High degree centrality suspended user

Bot or not?

“CORPORATE” GROUPING

Inside Threat Tweets

Insider Threat - Corporate – Super Spreaders

Insider Threat - Corporate – Super Friends

“NATION-STATE” GROUPING

Inside Threat Tweets

Insider Threat - Nation – Super Spreaders

Insider Threat - Nation – Super Friends

Findings

  • Much of the conversation around insider threat comes from news aggregators and companies marketing services

  • …but, there is more to do!

Next Steps

  • Bot analysis

  • NetMapper

  • Network comparison (corporate vs nation-state vs general)

  • Get list of disabled users in data collected

Future Work

  • Explore other hashtags (APT28, APT29, APT41, etc.)

  • Possibly cross-reference with other social media (Facebook, YouTube) Maltego?

Questions for future thought

  • What other insights would be useful to show?

– Other analyses from ORA Twitter report?
– Other network visualizations?

  • What would we want to know about this conversation?

– Possibly: Geographic or group attribution of conversation drivers – how to divine this?
– What companies are present here?

  • Best practices for analyzing a conversation?

– Overall methods to go from large set of Twitter data to meaningful insights

ORA Walkthrough

* Can choose to anonymize tweeter names if needed for real data

‘Derived Networks’ tab - you can choose non-default networks if desired. At this point, click ‘Finish’ to import your data

Select ‘Hashtag x Hashtag – Co-occurrence’ network, then choose ‘Visualize this Network’

* Leave defaults for initial exploration

Report will save to local machine and open in default web browser

Explore Data Statistic, Super Friends report, and Super Spreaders report