About Insider Threat Research: A History of Our Work
Insiders can be current or former employees and contractors who have or had authorized access to their organization's system and networks; who are familiar with internal policies, procedures, and technology; and who can exploit that knowledge to facilitate attacks and even collude with external attackers. Since 2001, insider threat research conducted by the CERT Division has focused on gathering data about actual malicious insider acts, including espionage, IT sabotage, fraud, theft of confidential or proprietary information, and potential threats to our nation's critical infrastructures.
Our ongoing insider threat research provides comprehensive analysis of the insider threat problem. Specific examples of our work are described below.
Case Analysis and Best Practices
Our research started in partnership with the U.S. Department of Defense (DoD) Personnel Security Research Center (PERSEREC), examining cyber insider threats in the military services and defense agencies. In 2002 the Insider Threat Study, which provided the first comprehensive analysis of the insider threat problem, was initiated jointly by the U.S. Secret Service (USSS) National Threat Assessment Center and the CERT Division. The Insider Threat Study team, comprising USSS behavioral psychologists and CERT information security experts, collected approximately 150 actual insider threat cases that occurred in U.S. critical infrastructure sectors between 1996 and 2002, and examined them from both a technical and a behavioral perspective. A series of reports has been published as a result of this work.
Since 2002, we've collected more cases and added them to the CERT Insider Threat Database. In 2007, Carnegie Mellon University's CyLab funded us to update our case library. The database now contains more than 700 cases. In 2008, we started analyzing all the cases; preliminary findings were presented at the RSA Conference in April of that year.
Carnegie Mellon University's Cylab also funded development of a guide to best practices for prevention and detection of insider threat. An updated version was published in 2012.
Modeling and Simulation
The CERT Division also uses methods to convey the "big picture" of the insider threat problem—the complex interactions, relative degree of risk, and unintended consequences of policies, practices, technology, insider psychological issues, and organizational culture over time. Our MERIT (Management and Education of Risks of Insider Threat) project, funded by Carnegie Mellon's CyLab, employs system dynamics modeling and simulation to convey this complexity.
The MERIT team, composed of CERT technical experts and psychologists, uses system dynamics to
- model and analyze the dynamic nature of the insider threat problem
- simulate and graph behavior over time
- produce educational materials based on the models developed
The team focused initial modeling efforts on insider IT sabotage. CyLab has funded the team to produce two new models: one for insider theft of confidential information and one for insider fraud.
The MERIT project led to two additional areas of work:
- DOD PERSEREC funded the MERIT team to use system dynamics modeling to compare IT sabotage and espionage.
- CyLab funded development of an innovative training mechanism for insider threat: a virtual interactive simulation of the MERIT model, MERIT-Interactive.
Insider Threats in the Software/System Development Life Cycle (SDLC)
Current and former employees and contractors have exploited vulnerabilities in the software/system development life cycle (SDLC) to commit fraud, theft of sensitive information, and IT sabotage. Our presentation, Insider Threats in the SDLC, presented at the SEPG 2007 conference, discusses numerous cases involving malicious code inserted into production applications, violations of automated critical business processes, sabotage of source code and/or backups, crimes facilitated by ineffective role-based-access controls, unauthorized modification of production data by system developers, and much more. You can also learn more by listening to the podcast titled Insider Threat and the Software Development Life Cycle.
E-Crime Watch Survey
The Insider Threat Team also collaborates with the U.S. Secret Service and CSO Magazine to conduct, analyze, and publish findings from an annual Cybersecurity Watch Survey. Research has been conducted since 2004 to attempt to identify electronic crime fighting trends and techniques, including best practices and emerging trends.