Insider Threat Profile Case Study: [The Ambitious Leader] Lawyers and Furniture Bandits

By Tyler Lalicker, Principal Detection Engineer, Data Science

Today’s case is another Ambitious Leader type, previously covered here. As a quick refresher, the Ambitious Leader is a motivated individual with a high level of access to sensitive resources. They use that access to recruit others into a group, and the group leverages its combined access to benefit its members at the organization’s expense. This case includes multiple instances of theft, including cleaning out the office furniture!


Threat Profile: Ambitious Leader

Impact Area: Data theft

Severity: Critical

Description: Insider with high level of access who recruits others to pursue their own interests at the expense of the organization.


Case Study

Today’s case study involves four attorneys, including a husband (the Ambitious Leader) and his wife, who together comprised the core staff of a branch of a law office in Delaware. The parent law firm recruited the Ambitious Leader with an agreement that if he opened a branch office for them, they’d find his wife a role as well. She ended up being hired to work in the same office. As is common in cases involving Ambitious Leaders, the victim organization relied heavily on the individual.

During his employment, the Ambitious Leader expanded the business and grew the staff of this particular office. About three months before his exit, he began to collude with several other employees of the branch to collect materials that were critical to the firm’s continued operations. The group led by the Ambitious Leader copied this business-critical data outside the organization, covering their tracks along the way by deleting any related communications. At the end of the year, the bulk of the group suddenly quit, giving only three days’ notice. Several days later, they announced that they were joining a competing firm. When management of the victim company came to the branch office, they found it completely vacated, furniture included. The team had moved everything into a rented storage unit and sent the bill for the move to the victim organization’s finance department. In the end, the victim organization had to shut down the entire branch and close the office.

Personal predispositions

There are several observations that can be made from public interviews with the Ambitious Leader. In one interview, he spoke in grandiose terms about his role as an attorney. As a bankruptcy lawyer he was responsible for picking apart failing companies and selling the pieces off to the highest bidders. He describes himself as a hero, comparing his actions to those of a first responder saving companies in a bad situation. While this could simply be personal branding for business purposes, it could also be indicative of a toxic personality disorder or social skills issues. The victim organization later claimed that the Ambitious Leader was responsible for a hostile work environment at the law office, further supporting this possibility.

Behavioral risk indicators: Personality or social skills issues

Concerning actions

The team of lawyers all quit simultaneously during the winter holidays, with the exception of one of them staying slightly longer, and all of them gave only a three-day resignation notice. They did this during a period where most people in the parent organization were on vacation, so that little could be done to mitigate damage or continue operations.

Behavioral risk indicators: Group resignation event

Organizational response

The parent organization was incredibly reliant on the Ambitious Leader right from the start. They had reached out to him directly and made a generous employment offer: If he opened a branch office, they’d do him a favor and find his wife a role at the firm as well. She ended up being hired in the same office.

Technical indicators: Organizational over-reliance

Entity risk

The conspirators in this case all had full access to locally important data such as case files, correspondence, and details of relationships with important customers. In addition to local office materials, they also had access to corporate resources, including corporate-branded template documents.

Technical indicators: Sensitive corporate data access; sensitive customer data access

Recruitment

The Ambitious Leader used the firm’s email to instruct an intern to collect sensitive documents and place them in an external cloud storage account for later access from outside the firm. He also managed to recruit the branch’s team of attorneys to exit with him. Before his exit, the Ambitious Leader added many people on LinkedIn from the organization they were moving to, providing a visible potential indicator of his intent to jump ship.

Technical indicators: Increased activity on job/employment sites; potential for a user activity monitoring (UAM) tool to identify communications data anomalies

Persistence

Multiple attorneys added their personal emails to case communications so they would retain access to important information after their departure. One of the conspirators stayed several days after the rest of the team transitioned to the new organization, collecting and moving more sensitive data via email.

Technical indicators: Unsanctioned email forwarding

Evasion

In total, 288 pounds of paper files were shredded. The four departing lawyers “double-deleted” emails to obfuscate their communications. A paralegal colluding with the insiders also changed the electronic filing service password just before their exit.

Technical indicators: Document destruction; email double-deletion

Collection and staging

The group copied files, including correspondence and client records, in order to retain them in their new jobs. The conspirators used a variety of cloud storage services to collect the information they planned to take with them to their new organization.

Technical indicators: Spike in cloud storage use; sensitive data copying

Impact

All office furniture was moved to an offsite storage unit, and the bill for the work was sent to the victim organization.

The conspirators copied sensitive data to USB drives, emailed documents to personal email accounts, and uploaded data to iCloud. The paralegal emailed records from their work email to their personal email six days before leaving. Another conspirator sent pleadings, correspondence, and internal firm records to a personal Gmail account. The team successfully stole the data they needed to retain their client list at the new organization, while impairing the victim organization’s ability to retain those same clients. As a consequence, the victim law firm was forced to close the branch, since the loss of information and staff left it unable to serve customers. In addition, it was unable to collect over $1M in fees and expenses because of the group’s actions.

Before they exited the organization, the team at the branch office racked up bills for everything from destroying files to paying a moving company to remove the corporate furniture. They even got the victim organization to pay thousands of dollars for advertising the Ambitious Leader to clients. Finally, multiple conspirators gave money to each other using the account that was set up for charitable giving.

Technical indicators: Spike in removable media writes; spike in outbound email traffic; spike in emails to personal email addresses; spike in outbound data to cloud storage
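The indicators listed for the Impact and Collection and staging sections are all volume spikes per user, and the distinguishing feature of this profile is that several users in one office spike together in the days before a group exit. The following is an added detection sketch, not code from the case or the author, run over constructed sample telemetry; the channel names, org-unit mapping and thresholds are assumptions.

```python
"""Added detection example for the indicators above (not from the case or the
author). Constructed telemetry: (user, day_index, channel, count) rows, where
channel is one of the page's exfiltration indicators."""
from collections import defaultdict
from statistics import median

# Constructed sample data, not real telemetry.
EVENTS = [
    ("alice", 3, "email_personal", 1), ("alice", 10, "email_personal", 2),
    ("alice", 28, "email_personal", 40), ("alice", 29, "cloud_upload", 120),
    ("bob", 5, "usb_write", 1), ("bob", 29, "usb_write", 35),
    ("carol", 12, "cloud_upload", 2), ("carol", 30, "cloud_upload", 80),
    ("dave", 4, "usb_write", 1), ("dave", 15, "usb_write", 30),
]
# Assumed org-unit mapping; the group signal is scoped per unit.
USER_UNIT = {"alice": "branch-de", "bob": "branch-de",
             "carol": "branch-de", "dave": "hq"}

def spikes(events, baseline_days=14, factor=5, min_count=10):
    """Return (user, channel, day, count) rows where a day's count exceeds
    `factor` times that user's median over the prior `baseline_days` (floored
    at 1, so a quiet baseline still needs real volume) and is >= `min_count`."""
    per_key = defaultdict(lambda: defaultdict(int))
    for user, day, channel, n in events:
        per_key[(user, channel)][day] += n
    flagged = []
    for (user, channel), per_day in per_key.items():
        for day in sorted(per_day):
            prior = [per_day.get(d, 0) for d in range(day - baseline_days, day)]
            if per_day[day] >= min_count and per_day[day] > factor * max(median(prior), 1):
                flagged.append((user, channel, day, per_day[day]))
    return flagged

def group_alerts(flagged, window=7, min_users=2):
    """Escalate when at least `min_users` in one org unit spike within `window`
    days: the coordinated-exit pattern of the Ambitious Leader, not a lone user."""
    by_unit = defaultdict(list)
    for user, _channel, day, _n in flagged:
        by_unit[USER_UNIT.get(user, "unknown")].append((day, user))
    alerts = []
    for unit, hits in by_unit.items():
        best = (0, None, set())
        for start, _ in hits:
            users = {u for d, u in hits if start <= d < start + window}
            if len(users) > best[0]:
                best = (len(users), start, users)
        if best[0] >= min_users:
            alerts.append((unit, best[1], sorted(best[2])))
    return alerts
```

With the sample data, dave’s lone USB spike at HQ stays a per-user flag, while the three branch users spiking within the same week produce one escalated group alert.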

Summary

This case highlights many consistent practices that differentiate the Ambitious Leader from the Entitled Independent, a case study we will cover. The Ambitious Leader shows a history of concerning workplace behavior combined with personal or social skills issues. Their performance is viewed positively within the organization, so they are given a great deal of autonomy. The Ambitious Leader in this case had even represented his branch as poised for significant growth in the coming quarters at his final board meeting, while secretly planning his exit at the time. They do not act alone; they recruit a team to carry out the malicious activity. Here he recruited his wife, other attorneys, and a paralegal to take part in the plot. The team made a concerted effort to evade detection and obfuscate their actions, double-deleting communications and destroying documents, all the while lying to the victim organization about their intent to jump ship. Ambitious Leaders represent a large risk to an organization because of their potential negative impact, so paying attention to the specific indicators of the Ambitious Leader threat profile can help insider risk teams better detect them and mitigate the risk.
