Insider Threat

Cybersecurity measures are often focused on threats from outside an organization, rather than threats posed by untrustworthy individuals within it. However, insider threats are the source of many losses across critical infrastructure industries. An insider threat can be defined as the potential damage to the interests of an organization by a person or persons regarded, inaccurately, as loyally working for or on behalf of the organization, or who inadvertently commit security breaches.

To address the growing concern of insider threats, this project seeks advanced R&D solutions that provide needed capabilities in six areas:

  1. Collect and Analyze (monitoring)
  2. Detect (provide incentives and data)
  3. Deter (prevention)
  4. Protect (maintain operations and economics)
  5. Predict (anticipate threats and attacks)
  6. React (reduce opportunity, capability, and motivation and morale for the insider)

The beneficiaries of this research range from the national security bodies operating the most sensitive or classified systems, to homeland security officials who need to share sensitive-but-unclassified/controlled unclassified information (CUI) and to healthcare, finance, and many other sectors where sensitive and valuable information is managed. In many systems, such as those operating critical infrastructures, the integrity, availability, and total system survivability are of the highest priority and can be compromised by insiders.

Current Insider Threat Efforts

Monitoring Database Management System (DBMS) Activity for Detecting Data Exfiltration by Insiders: A malicious insider who has the proper credentials to access organizational databases may, over time, send data outside the organization’s network through a variety of channels, such as email, file transfer, or web uploads. Existing security tools for detecting cyber attacks focus on protecting the boundary between the organization and the outside world. While such tools may be effective in protecting an organization from external attacks, they are less suitable if the data is being transmitted from inside the organization to the outside by an insider who has the proper credentials to access, retrieve, and transmit data. While data exists throughout the organization, the most harm is done by exfiltration of those massive amounts of data that reside in an organizational database management system (DBMS). By studying the patterns of interaction between users and a DBMS, it is possible to detect anomalous activity that is indicative of early signs of exfiltration. An anomaly and misuse detection system that operates at the data source (i.e., the DBMS) prevents data from leaving the source even before it escapes into an organizational network where it is very hard to track.
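The pattern-of-interaction approach above, as an added illustration that is not DHS S&T code: each user's historical DBMS audit records form a baseline of the tables they touch and the row volumes they retrieve, and a new query is scored against that baseline. The audit log format, user names and the 3-sigma threshold are all constructed assumptions.

```python
# Added example (not DHS S&T code): flag anomalous DBMS read activity per user.
# Input is a constructed audit log in the form "timestamp user table rows_returned".
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical records, assumed benign, used as each user's baseline.
BASELINE_LOG = """\
2024-01-02T09:01 alice customers 120
2024-01-02T10:15 alice customers 95
2024-01-03T09:05 alice orders 300
2024-01-03T11:40 alice customers 110
2024-01-04T09:10 alice orders 280
2024-01-02T09:30 bob payroll 40
2024-01-03T09:35 bob payroll 45
2024-01-04T09:31 bob payroll 38
2024-01-05T09:33 bob payroll 42
"""

def parse_log(text):
    """Yield (user, table, rows) from 'ts user table rows' lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, user, table, rows = line.split()
        yield user, table, int(rows)

def build_profile(records):
    """Per-user profile: tables touched and row counts returned."""
    prof = defaultdict(lambda: {"tables": set(), "rows": []})
    for user, table, rows in records:
        prof[user]["tables"].add(table)
        prof[user]["rows"].append(rows)
    return prof

def score_query(profile, user, table, rows, z_threshold=3.0):
    """Return reasons a query deviates from the user's baseline (empty = normal)."""
    reasons = []
    p = profile.get(user)
    if p is None:
        return ["unknown user"]
    if table not in p["tables"]:
        reasons.append(f"first access to table {table}")
    mu, sigma = mean(p["rows"]), pstdev(p["rows"])
    # Floor sigma at 10% of the mean so a flat baseline does not flag tiny jumps.
    if rows > mu + z_threshold * max(sigma, mu * 0.1):
        reasons.append(f"row volume {rows} vs baseline mean {mu:.0f}")
    return reasons

PROFILE = build_profile(parse_log(BASELINE_LOG))
```

A real deployment would read the DBMS's own audit log and refresh the baseline on a rolling window, but the scoring idea (new tables plus volume outliers) is the same.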

Investigative Process Support: DHS S&T is conducting a review of closed insider threat cases, researching their indicators and investigative processes to identify trends and analysis that can support future insider threat investigations.

Insider Threat Research Corpus: DHS S&T is developing a corpus of generated synthetic data based on insider threat scenarios to enable a broader group of researchers to more easily test their tools. Generating data is time-consuming, so free access to generated test data will encourage insider threat research by removing some of the burden associated with testing.

Lightweight Media Forensics for Insider Threat Detection: This effort is developing novel methods and capabilities to detect insider threats through disk-level storage behavior (e.g., file types, sensitive data, strings) and how an individual's behavior diverges from their own prior behavior and/or that of their organizational peers. Current approaches rely on rules and signatures and look for patterns matching previous insider attacks. Analyzing disk-level storage behavior with a lightweight media forensics agent will provide a more in-depth look at user behavior for insider threat indicators and proactively identify potential insider threats.
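The "diverges from prior behavior and/or peers" idea above, as an added example that is not the DHS S&T agent: a host's file-type histogram is compared against the same user's earlier snapshot and against the peers' established baseline using Jensen-Shannon divergence. The user names, file counts and 0.1 threshold are constructed assumptions.

```python
# Added example (not the DHS S&T agent): score how a host's file-type mix
# diverges from the same user's prior snapshot and from peers, using
# Jensen-Shannon divergence. All counts below are constructed sample data.
from math import log2

# Constructed snapshots: {extension: file count} per user, prior vs current period.
PRIOR = {
    "alice": {"docx": 200, "xlsx": 150, "pdf": 100, "zip": 5},
    "bob":   {"docx": 180, "xlsx": 160, "pdf": 90,  "zip": 8},
    "carol": {"docx": 210, "xlsx": 140, "pdf": 110, "zip": 6},
}
CURRENT = {
    "alice": {"docx": 205, "xlsx": 155, "pdf": 100, "zip": 5},
    "bob":   {"docx": 30,  "xlsx": 40,  "pdf": 20,  "zip": 900},
    "carol": {"docx": 215, "xlsx": 145, "pdf": 112, "zip": 7},
}

def normalize(counts, keys):
    """Turn a count histogram into a probability vector over `keys`."""
    total = sum(counts.get(k, 0) for k in keys) or 1
    return [counts.get(k, 0) / total for k in keys]

def kl(p, q):
    return sum(pi * log2(pi / qi) for pi, qi in zip(p, q) if pi > 0 and qi > 0)

def js_divergence(p, q):
    """Jensen-Shannon divergence in bits; symmetric and bounded in [0, 1]."""
    m = [(pi + qi) / 2 for pi, qi in zip(p, q)]
    return 0.5 * kl(p, m) + 0.5 * kl(q, m)

def peer_profile(snapshots, user, keys):
    """Aggregate every other user's counts into one peer histogram."""
    agg = {}
    for u, counts in snapshots.items():
        if u != user:
            for k in keys:
                agg[k] = agg.get(k, 0) + counts.get(k, 0)
    return normalize(agg, keys)

def divergence_scores(user, prior=PRIOR, current=CURRENT):
    """Return (self_divergence, peer_divergence) for the user's current snapshot."""
    keys = sorted({k for snap in (prior, current) for c in snap.values() for k in c})
    now = normalize(current[user], keys)
    self_d = js_divergence(now, normalize(prior[user], keys))
    # Peers' prior-period baseline is the reference, so one anomalous peer does not skew it.
    peer_d = js_divergence(now, peer_profile(prior, user, keys))
    return self_d, peer_d

def flag(user, threshold=0.1):
    """Threshold is an assumed tuning value, not one from the DHS effort."""
    return any(d > threshold for d in divergence_scores(user))
```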

Previous Insider Threat Efforts

Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector: In coordination with the United States Secret Service and Carnegie Mellon University Software Engineering Institute, S&T completed a study of malicious cyber activity in the banking and finance sector, building on previous work accomplished in this area. This study updates the initial study in the banking and finance sector (Insider Threat Study: Illicit Activity in the Banking and Finance Sector, August 2004) to provide analysis of more recent cases. It also extends the coverage to include a comparison of internal and external attackers from a technical security controls perspective. In addition, results from this analysis will support law enforcement in cybercrime investigations by enabling them to more easily differentiate methods used by internal and external attackers. The final report for this project may be found at: http://resources.sei.cmu.edu/asset_files/SpecialReport/2012_003_001_28137.pdf (PDF, 76 pages, 690 KB)

Project Documentation

Insider Threat Fact Sheet

Contact

Program Manager: Megan Mahle

Email: SandT-Cyber-Liaison@hq.dhs.gov
