Identifying indicators of insider threats: Insider IT sabotage

This paper describes results of a study seeking to identify observable events related to insider sabotage. We collected information from actual insider threat cases, created chronological timelines of the incidents, identified key points in each timeline such as when attack planning began, measured the time between key events, and looked for specific observable events or patterns that insiders held in common that may indicate insider sabotage is imminent or likely. Such indicators could be used by security experts to identify malicious activity at or before the time of attack. Our process included critical steps such as identifying the point of damage to the organization as well as any malicious events prior to zero hour that enabled the attack but did not immediately cause harm. We found that nearly 71% of the cases we studied had either no observable malicious action prior to attack, or had one that occurred less than one day prior to attack. Most of the events observed prior to attack were behavioral, not technical, especially those occurring earlier in the case timelines. Of the observed technical events prior to attack, nearly one third involved installation of software onto the victim organization's IT systems.
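As an added illustration of the timeline method described above (this is not code from the paper and uses no data from its case set): each case is laid out chronologically, the point of damage is marked as zero hour, malicious events before it are treated as enabling precursors, and the warning time plus the behavioral/technical split are aggregated over a few constructed sample cases. The `Event`, `analyze_case` and `summarize` names, and every timestamp and event description, are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    when: datetime
    kind: str                # "behavioral" or "technical"
    malicious: bool          # enabling or harmful act, not a benign workplace event
    zero_hour: bool = False  # the point of damage to the organization
    note: str = ""

def analyze_case(events):
    """Return (warning time before zero hour, malicious precursor events).
    Warning time runs from the earliest malicious precursor; None if there was none."""
    zero = next(e.when for e in events if e.zero_hour)
    precursors = [e for e in events if e.malicious and not e.zero_hour and e.when < zero]
    warning = zero - min(e.when for e in precursors) if precursors else None
    return warning, precursors

def summarize(cases):
    """Count cases with under a day of warning (or none) and split precursors by kind."""
    short_warning = behavioral = technical = 0
    for events in cases.values():
        warning, precursors = analyze_case(events)
        if warning is None or warning < timedelta(days=1):
            short_warning += 1
        behavioral += sum(e.kind == "behavioral" for e in precursors)
        technical += sum(e.kind == "technical" for e in precursors)
    return {"cases": len(cases), "short_warning": short_warning,
            "short_warning_pct": round(100 * short_warning / len(cases), 1),
            "behavioral": behavioral, "technical": technical}

# Constructed sample timelines (not drawn from the study's cases).
T0 = datetime(2024, 3, 1, 9, 0)  # constructed zero hour shared by all sample cases
CASES = {
    "case-A": [
        Event(T0 - timedelta(days=30), "behavioral", True, note="dispute with supervisor"),
        Event(T0 - timedelta(hours=2), "technical", True, note="unauthorized software installed"),
        Event(T0, "technical", True, zero_hour=True, note="point of damage"),
    ],
    "case-B": [  # no observable precursor before the attack
        Event(T0, "technical", True, zero_hour=True, note="point of damage"),
    ],
    "case-C": [
        Event(T0 - timedelta(days=5), "technical", True, note="unauthorized software installed"),
        Event(T0 - timedelta(days=1), "behavioral", False, note="routine review (benign)"),
        Event(T0, "technical", True, zero_hour=True, note="point of damage"),
    ],
}
```

On the three constructed cases, `summarize(CASES)` reports one case with no precursor at all, two behavioral-plus-technical splits of 1 and 2, and a short-warning rate of 33.3%; the benign review in case C is excluded because only malicious events count as precursors.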
