Conspiratorial Behavior Detection
While the ways in which malicious insiders can damage your organization are myriad, many of them share an important characteristic: participants know that they are doing something that they shouldn’t, and are taking steps to avoid having others find out. The good news is that such efforts at secrecy themselves leave traces. Cataphora has pioneered a variety of techniques for picking up on this.
Often, guilty parties will try to communicate without their co-workers being able to understand. They may switch to unrecorded channels, such as phone calls or face-to-face meetings. In these cases, we can often find requests to change the venue via a channel that is recorded, such as an email that says “Let’s discuss this over lunch.” In some cases, the parties will switch to a foreign language they share that is not understood by the majority of the organization. Cataphora’s text analysis software can detect which language is spoken, and can even detect where within a document a shift occurs from, say, English to German.
In both the examples above, any given data point is likely to be harmless. Perfectly benign employees meet in person or switch to their first language all the time. What is important is the pattern. Individuals with a secret to keep typically change their behavior from what it previously was. They also act differently from their non-involved peers. By combining detection of switches in language and channel with analysis of workflows and organizational structure, our software makes these differences more apparent.
It is often also true that an employee who becomes aware of an investigation, or just has second thoughts, will attempt to delete incriminating communications. However, some portion of these deletions is usually detectable. Even when backups are not maintained, missing items show up as unresolved nodes in Discussions™ and as gaps in periodic sequences. Also, other participants in the conversation are unlikely to destroy the same items, leading to messages for which an actor is a participant but not an owner. As before, any one data point by itself shows nothing: we all delete emails, instant messages, and stand-alone documents frequently. What is important is the pattern. Cataphora has a number of ways of characterizing deleted versus retained portions of an actor’s data for comparison. Were certain periodically occurring events preferentially targeted? What about documents characterized by particular textblocks, or topics? The properties of the data that isn’t there can be quite telling.
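The "participant but not an owner" signal and the per-topic comparison of deleted versus retained items can be sketched as follows. This is an added example, not Cataphora's software: the record layout, function names, thresholds and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample corpus: (message id, sender, recipients, topic).
MESSAGES = [
    ("m1", "alice", {"bob"}, "status"),
    ("m2", "bob", {"alice"}, "status"),
    ("m3", "alice", {"carol"}, "pricing"),
    ("m4", "carol", {"alice"}, "pricing"),
    ("m5", "alice", {"carol"}, "pricing"),
    ("m6", "bob", {"alice", "carol"}, "lunch"),
    ("m7", "alice", {"bob"}, "status"),
    ("m8", "carol", {"alice", "bob"}, "status"),
]
# Constructed mailboxes: message ids each custodian still holds.
MAILBOXES = {
    "alice": {"m1", "m2", "m6", "m8"},
    "bob": {"m1", "m2", "m6", "m7", "m8"},
    "carol": {"m3", "m4", "m5", "m6", "m8"},
}

def participant_not_owner(actor, messages, mailboxes):
    """Ids the actor sent or received, no longer holds, but another custodian does."""
    missing = set()
    for mid, sender, recipients, _topic in messages:
        if actor != sender and actor not in recipients:
            continue
        held_elsewhere = any(mid in box for who, box in mailboxes.items() if who != actor)
        if mid not in mailboxes.get(actor, set()) and held_elsewhere:
            missing.add(mid)
    return missing

def deletion_profile(actor, messages, mailboxes):
    """Per-topic (missing, total) counts over messages the actor took part in."""
    missing = participant_not_owner(actor, messages, mailboxes)
    profile = defaultdict(lambda: [0, 0])
    for mid, sender, recipients, topic in messages:
        if actor == sender or actor in recipients:
            profile[topic][1] += 1
            profile[topic][0] += mid in missing
    return {t: tuple(c) for t, c in profile.items()}

def targeted_topics(actor, messages, mailboxes, ratio=2.0, min_missing=2):
    """Topics whose missing rate is at least `ratio` times the actor's overall rate."""
    profile = deletion_profile(actor, messages, mailboxes)
    total = sum(n for _, n in profile.values())
    overall = sum(m for m, _ in profile.values()) / total if total else 0.0
    return sorted(t for t, (m, n) in profile.items()
                  if m >= min_missing and m / n >= ratio * overall)
```

A single missing message (here `m7`) does not flag a topic; only the concentration of missing items in one topic relative to the actor's overall rate does.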