How to Identify the Insider Threat

Exploiting a 30-Day Window of Opportunity

By , January 17, 2012.

Security managers need the heads up from non-IT executives before they dismiss employees, some of whom might seek payback for their sacking by pilfering data or sabotaging systems, Carnegie Mellon University's Dawn Cappelli and Mike Hanley say.

"If no one tells them that they're going to fire this disgruntled admin, then they don't know that they should be watching what this person is doing," Cappelli says in an interview with Information Security Media Group. "If no one tells them that they are going to be laying off a lot of people, they don't know they need to be watching for potential data exfiltration or sabotage. It's important that there is awareness across the organization."

Researchers from the CERT program at CMU's Software Engineering Institute have analyzed more than 700 cases to develop behavior models of the insider who could threaten an organization's IT. They have identified four major categories of insider threats: IT sabotage, theft of intellectual property, fraud and espionage.

When insiders steal intellectual property, they usually act within a 30-day window, says Hanley, who coauthored the recently published CERT paper entitled "Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination."

"If I know most insiders steal information using e-mail to exfiltrate the information, I can start narrowing down, and say, 'Well, let's look and we can instrument our logging server that captures that e-mail information or how we can restrict messages that are outbound from our Exchange servers to either detect, prevent or respond to those attacks more efficiently,'" Hanley says.
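As an added illustration of the centralized-logging approach Hanley describes (this is not code from the CERT paper or from ISMG), the script below correlates a constructed HR termination list with constructed mail-server log lines and flags outbound, attachment-bearing messages to non-corporate domains sent within the 30-day window before a user's termination date. The log format, the corporate domain and the field names are assumptions.

```python
"""Flag outbound e-mail sent in the 30 days before an employee's termination."""
from collections import defaultdict
from datetime import date, timedelta

WINDOW = timedelta(days=30)      # the 30-day window the CERT research describes
CORP_DOMAIN = "example.com"      # assumed corporate mail domain

# Constructed sample: HR feed of termination dates, keyed by username.
TERMINATIONS = {"jdoe": date(2012, 1, 31), "asmith": date(2012, 3, 15)}

# Constructed sample: simplified mail-server log, one message per line:
# date|sender|recipient|attachment_bytes
MAIL_LOG = """\
2012-01-05|jdoe@example.com|jdoe@webmail.example.net|4500000
2012-01-20|jdoe@example.com|partner@vendor.example.org|120000
2011-11-15|jdoe@example.com|jdoe@webmail.example.net|9000000
2012-01-12|asmith@example.com|team@example.com|300000
2012-02-20|asmith@example.com|asmith@home.example.net|7000000
2012-01-10|bjones@example.com|bjones@home.example.net|8000000
"""


def parse_log(text):
    """Parse the assumed pipe-delimited log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, sender, rcpt, size = line.split("|")
        events.append({"date": date.fromisoformat(day), "sender": sender.lower(),
                       "rcpt": rcpt.lower(), "bytes": int(size)})
    return events


def flag_pre_termination_exfil(events, terminations, window=WINDOW, corp=CORP_DOMAIN):
    """Return events that are: sent by a user with a known termination date,
    addressed outside the corporate domain, carrying an attachment, and dated
    within `window` before (and including) that termination date."""
    flagged = []
    for ev in events:
        user, _, sender_dom = ev["sender"].partition("@")
        term = terminations.get(user)
        if term is None or sender_dom != corp:
            continue                      # not an employee on the HR list
        if ev["rcpt"].rsplit("@", 1)[-1] == corp or ev["bytes"] == 0:
            continue                      # internal mail or no attachment
        if term - window <= ev["date"] <= term:
            flagged.append(ev)
    return flagged


def bytes_per_user(flagged):
    """Total attachment bytes per flagged user, for analyst triage."""
    totals = defaultdict(int)
    for ev in flagged:
        totals[ev["sender"].partition("@")[0]] += ev["bytes"]
    return dict(totals)
```

Termination dates here are known in advance, which is exactly the heads-up from HR that Cappelli says security teams need; without it the correlation cannot run until after the fact.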

In the interview, the CMU researchers discussed:

  • Common characteristics of insiders who threaten an organization's IT.
  • Organizational efforts to identify and catch disgruntled employees before they can do damage.
  • Roles of different leaders within an enterprise to mitigate the insider threat.

Cappelli is technical manager of the Insider Threat Center and the enterprise threat and vulnerability management team at the Software Engineering Institute's CERT program. Previously, Cappelli served as director of engineering for the Information Technology Development Center of the Carnegie Mellon Research Institute. Earlier in her career, Cappelli worked as a software engineer for Westinghouse Electric Corp., developing nuclear power plant systems.

Hanley is a member of the technical staff in the CERT program, and has been testing and deploying new software, managing incidents and supporting systems across the globe. He holds a master of science in information security policy and management from Carnegie Mellon and a bachelor of arts in economics from Michigan State University.

Follow Eric Chabrow on Twitter: @GovInfoSecurity
