Wilson said the insider has two goals – get credentials and data.
“The challenge is how to minimize the attack surface, alert to a breach, and preferably, stop the activity before it can occur,” he said. “This can only be achieved by understanding what the insider threat is and their motivation, by applying suitable measures to alert to and stop the nefarious activity in the first place.”
Authorities have yet to uncover a motive for Martin's alleged misdeeds, the Times said. “We're struggling to figure him out,” the report quoted an anonymous official as saying.
Also unknown is whether Martin is responsible for the NSA codes leaked by a group going by the name of the Shadow Brokers. In August, the group posted a message on GitHub, since removed, stating it would auction off a variety of “cyber weapons” obtained by hacking another shadowy organization called Equation Group, which Kaspersky Lab has linked to a variety of malware types, including Stuxnet and Flame, which are associated with attacks supposedly launched by the United States.
The Shadow Brokers recently lamented the low level of interest in bidding for stolen NSA hacking tools online.
Divining attacks, quickly mitigating incidents, determining motivation and figuring out attribution are difficult.
“More often than not, the insider attack is only realized long after the event as borne out by the fact this breach occurred two years ago,” Julien Bellanger, co-founder and CEO of Prevoty, said in comments emailed to SCMagazine.com. “No level of security clearance can account for privilege and motivation. Therefore the only way to address this is to consider least level of access best practices for privileged credentials and minimizing permissive and accessible access to data.”