How to Identify the Insider Threat

Non-IT and IT Managers Must Collaborate to Prevent Damage
Identifying the insider who could pose a threat to your organization's IT assets must be a team effort among non-technology, IT and information security managers, Carnegie Mellon University's Dawn Cappelli and Mike Hanley say.

Information security managers need the heads up from non-IT executives before they dismiss employees, some of whom might seek payback for their sacking by pilfering data or sabotaging systems, Cappelli says in an interview with Information Security Media Group.

"If no one tells them that they're going to fire this disgruntled admin, then they don't know that they should be watching what this person is doing," she says. "If no one tells them that they are going to be laying off a lot of people, they don't know they need to be watching for potential data exfiltration or sabotage. It's important that there is awareness across the organization."

Researchers from the Computer Emergency Readiness Team program at CMU's Software Engineering Institute have analyzed more than 700 cases to develop behavior models of the insider who could threaten an organization's IT. They have identified four major categories of insider threats: IT sabotage, theft of intellectual property, fraud and espionage.

When insiders steal intellectual property, they usually do so within a 30-day window around their departure from the organization, says Hanley, who coauthored the recently published CERT paper entitled "Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination."

"If I know most insiders steal information using e-mail to exfiltrate the information, I can start narrowing down, and say, 'Well, let's look and we can instrument our logging server that captures that e-mail information or how we can restrict messages that are outbound from our Exchange servers to either detect, prevent or respond to those attacks more efficiently,'" Hanley says.
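The detection idea Hanley describes, a termination list from HR joined against centralized mail-gateway logs so that only the 30-day pre-departure window gets scrutiny, can be reduced to a short correlation script. The block below is an added example written for this page, not code from CERT, ISMG or the interviewees; the pipe-delimited log format, the HR feed, the 1 MiB attachment threshold and the internal-domain list are all assumptions, and the log lines are constructed.

```python
"""Flag outbound e-mail with sizeable attachments sent by employees inside a
30-day window before their termination date.

Added example for illustration only (not CERT's or ISMG's code). The log
format, the HR termination feed, the internal-domain list and the size
threshold are assumptions; the sample lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR feed: username -> termination date (assumed format).
TERMINATIONS = {
    "jdoe": datetime(2011, 3, 15),
    "asmith": datetime(2011, 4, 1),
}

# Constructed mail-gateway log lines (assumed format):
# timestamp|sender|recipient_domain|attachment_bytes
MAIL_LOG = """\
2011-02-20T09:12:00|jdoe|corp.example|0
2011-03-01T18:44:10|jdoe|gmail.com|5242880
2011-03-10T22:05:33|jdoe|gmail.com|31457280
2011-01-02T10:00:00|jdoe|gmail.com|1048576
2011-03-28T11:30:00|asmith|partner.example|2097152
2011-03-30T23:59:59|asmith|gmail.com|52428800
2011-04-05T08:00:00|bwong|gmail.com|10485760
"""

WINDOW = timedelta(days=30)               # the 30-day window from the interview
INTERNAL_DOMAINS = {"corp.example"}       # assumed: mail staying in-house is ignored
BYTES_THRESHOLD = 1 * 1024 * 1024         # assumed: flag attachments of 1 MiB or more


def parse_line(line):
    """Split one constructed log line into (timestamp, sender, domain, bytes)."""
    ts, sender, domain, size = line.split("|")
    return datetime.fromisoformat(ts), sender, domain, int(size)


def find_exfil_candidates(log_text, terminations, window=WINDOW,
                          internal=INTERNAL_DOMAINS, min_bytes=BYTES_THRESHOLD):
    """Return {sender: [(timestamp, domain, bytes), ...]} for outbound mail
    with a large attachment, sent by a departing employee inside the window
    [termination - window, termination]."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, sender, domain, size = parse_line(raw)
        term = terminations.get(sender)
        if term is None:
            continue                      # not on the HR list: no elevated scrutiny
        if not (term - window <= ts <= term):
            continue                      # outside the pre-termination window
        if domain in internal or size < min_bytes:
            continue                      # internal mail or small attachment
        hits[sender].append((ts, domain, size))
    return dict(hits)


def summarize(hits):
    """Collapse hits to {sender: (message_count, total_attachment_bytes)}
    so an analyst sees volume per departing user at a glance."""
    return {user: (len(events), sum(size for _, _, size in events))
            for user, events in hits.items()}


if __name__ == "__main__":
    for user, (count, total) in summarize(
            find_exfil_candidates(MAIL_LOG, TERMINATIONS)).items():
        print(f"{user}: {count} flagged messages, {total} attachment bytes")
```

In practice the join key is the part to get right: the HR feed must arrive before the departure date, not after, which is exactly the notification gap Cappelli describes, and a real deployment would filter on the gateway's own fields (recipient domain class, attachment hash, DLP verdict) rather than a raw byte count.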

In the interview, the CMU researchers discussed:

  • Common characteristics of insiders who threaten an organization's IT.
  • Organizational efforts to identify and catch disgruntled employees before they can do damage.
  • Roles of different leaders within an enterprise to mitigate the insider threat.

Cappelli is technical manager of the Insider Threat Center and the enterprise threat and vulnerability management team at the Software Engineering Institute's CERT program. Before joining CERT in 2001, Cappelli served as director of engineering for the Information Technology Development Center of the Carnegie Mellon Research Institute. Before joining the Software Engineering Institute in 1988, Cappelli worked as a software engineer for Westinghouse Electric Corp., developing nuclear power plant systems.

Hanley is a member of the technical staff in the CERT program, and has been testing and deploying new software, managing incidents and supporting systems across the globe. He holds a master of science in information security policy and management from Carnegie Mellon and a bachelor of arts in economics from Michigan State University.
