Reality Leah Winner and the Age of Insider Threats

Prosecutors allege that 25-year-old federal contractor Reality Leah Winner printed a top-secret NSA document detailing the ongoing investigation into Russian election hacking last November and mailed it to The Intercept. This raises a series of questions when it comes to protecting sensitive information from insider threats.

First, should Winner have been granted access to documents related to the Russian hacking investigation in the first place? Were there any processes in place at Pluribus to periodically review access controls and revoke access to documents and emails that employees don’t need?

According to the released affidavit, Winner had only been employee of Pluribus International Corporation since February 2017, but reportedly gained top-secret security clearance in 2013. While her access was legitimate, there is no indication that the leaked document was relevant to her job. In fact, in the affidavit, Winner admits to not having a “need to know.”

The Epidemic of Open Access

This leads to a much broader question about access control: should every employee or contractor with top-secret clearance have access to everything? Likewise, should the CEO of a company have access to every sensitive file and email in her company? Most security pros would argue no. It’s certainly a violation of the rule of least privilege.

Excessive access can be linked to increased risks from insider threats, and the problem is only getting worse. In a recent Ponemon Institute study 62% of end users said they have access to company data they probably shouldn’t see and 76% of IT pros said they’d experienced data loss or theft in the past two years.

The open access epidemic can result in even more damage when accounts are compromised. Even if Winner hadn’t intentionally leaked the document to the media, had her account been compromised by an outside attacker, that information would be vulnerable.

One has to wonder whether Pluribus has a clear picture of it’s most sensitive information. Many organizations have lost the handle on where their most sensitive information lives, who has access to it, and who might be abusing their access — in the 2017 Varonis Data Risk Report, we found that 47% of organizations have at least 1,000 sensitive files open to every employee.

Detecting Insider Threats by Combining Metadata

What’s more, there seems to have been a failure in insider threat detection. It was only when the news outlet contacted an unnamed intelligence agency that federal investigators began their audit to determine who had accessed the leaked document. Was it consistent with Winner’s normal data access behaviors to access files relating to the Russian election hacking investigation? Even though she had legitimate access, there may have been abnormalities in her data access patterns that could have sounded an insider abuse alarm.

Lastly, and perhaps one of the most interesting facets of the story, is how The Intercept accidentally outed Winner by posting a copy of the leaked document which contained tracking metadata. Winner accessed the data and then printed it. Investigators knew it was printed because of invisible micro dots on the page, so they could trace it to a specific printer and date. That narrowed it down to six users, one of which had email contact with The Intercept.

It was a combination of different types of forensic metadata that identified Winner as the leaker. Just knowing the printer and date wouldn’t have been enough on its own without it being correlated with email behavior, but together Winner could be conclusively identified.

Want to learn more about insider threats and techniques to mitigation them? Troy Hunt produced an hour-long video course called The Enemy Within. It’s 100% free. Click here to enroll.

If you want to get a handle on insider threats within your organization, Varonis can help.