Insider Threat Research

Organizational Security Resilience Management Governing for Enterprise Security
Information Security Assessments and Evaluations OCTAVE^®
Threat Analysis and Modeling Insider Threat

Historical Documents

The CERT Insider Threat Center

Mission
To enable effective insider threat programs

by performing research, modeling, analysis, and outreach to define socio-technical best practices

so that organizations are better able to deter, detect, and respond to evolving insider threats.

A malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.

The CERT Insider Threat Center conducts empirical research and analysis to develop and transition socio-technical solutions to combat insider cyber threats. We have been doing research on this problem since 2001 in partnership with the Department of Defense, the Department of Homeland Security, the U.S. Secret Service, other federal agencies, the intelligence community, private industry, academia, and the vendor community.

The foundation of our work is our database of more than 700 insider threat cases. We use system dynamics modeling to characterize the nature of the insider threat problem, explore dynamic indicators of insider threat risk, and identify and experiment with administrative and technical controls for insider threat mitigation. The CERT insider threat lab provides a foundation to identify, tune, and package technical controls as an extension of our modeling efforts. We have developed an assessment framework based on the fraud, theft of intellectual property, and IT sabotage case data that we have used to help organizations identify their technical and nontechnical vulnerabilities to insider threats as well as executable countermeasures.

The CERT Insider Threat Center is uniquely positioned as a trusted broker to assist the community in the short term and through our ongoing research.

Our work consists of the following:

Case analysis and best practices

Modeling and simulation

Espionage research

Mitigation controls, patterns, and pattern languages

Identifying and detecting early-warning indicators

Developing and conducting assessments and workshops

Insider threat blog

Insider threats in the software development lifecycle

Annual eCrime Watch Survey

Download an information sheet about the CERT Insider Threat Center.

Learn more about our work.

Controls

The CERT insider threat lab creates controls and indicators, derived from our wealth of socio-technical information on insider crimes, to prevent, detect, and respond to insider attacks.

Learn more about our insider threat technical controls, including reports and video demonstrations.

Case Analysis and Best Practices

In 2002, the Insider Threat Study team, composed of U.S. Secret Service (USSS) behavioral psychologists and CERT information security experts, collected approximately 150 insider threat cases that occurred in US critical infrastructure sectors between 1996 and 2002, and examined them from both a technical and a behavioral perspective. A series of four reports has been published as a result of this work: cases in the banking and finance sector, the IT sector, the government sector, and all critical infrastructure sectors.

Learn more about our case studies and best practices work.

Common Sense Guide to Mitigating Insider Threats, a guide to best practices for the prevention and detection of insider threat.

Modeling and Simulation

The CERT Program's insider threat modeling, referred to as MERIT (Management and Education of the Risk of Insider Threat), uses empirical data collected by CERT staff members to convey the "big picture" of the insider threat problem. The MERIT project, funded by Carnegie Mellon's CyLab, employs system dynamics modeling and simulation to convey the complexity of the problem. Learn more about modeling and simulation.

The "Big Picture" of Insider IT Sabotage Across U.S. Critical Infrastructures (pdf)
Technical Report, May 2008
Management and Education of the Risk of Insider Threat (MERIT): System Dynamics Modeling of Computer System Sabotage (pdf)
The MERIT Project

The CERT Program also conducts espionage research, those efforts began with the DoD Personnel Security Research Center (PERSEREC). PERSEREC funded a study to investigate similarities and differences between insider IT sabotage and espionage cases to assess the feasibility of the development of a single analytical framework based on system dynamics modeling.

CyberSecurity Watch Survey

The Insider Threat team has also teamed with the U.S. Secret Service and CSO magazine to conduct, analyze, and publish findings from an annual CyberSecurity Watch Survey from research that was conducted to attempt to identify electronic crime fighting trends and techniques, including best practices and emerging trends.

2011 Press Release (pdf) | Data (pdf)
2010 Summary (pdf)
2007 Summary (pdf)
2006 Summary (pdf)
2005 Detailed Findings (pdf) | Summary of Findings (pdf) | Press Release (pdf)
2004 Summary (pdf)

Insider Threat Blog

The latest post from the Insider Threat team:

Controlling the Malicious Use of USB Media

more...

What's New

Resources

Best Practices

Common Sense Guide to Mitigating Insider Threats, 4th Edition

Insider Threat Services

Insider Threat Workshop (pdf)
Registration Details
Customized Insider Threat Executive Workshop (pdf)
Insider Threat Vulnerability Assessment (pdf)

Controls

all controls...

Reports

Insider Fraud

Theft of Intellectual Property

Justification of a Pattern for Detecting Intellectual Property Theft by Departing Insiders
A Pattern for Increased Monitoring for Intellectual Property Theft by Departing Insiders
Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination (pdf)
A Preliminary Model of Insider Theft of Intellectual Property (pdf)
An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases (pdf)
Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model (pdf)
First International Workshop on Managing Insider Security Threats (MIST 2009) on 15-19 June 2009

Insider IT Sabotage

Chronological Examination of Insider Threat Sabotage: Preliminary Observations (pdf)
presented at the International Workshop on Managing Insider Security Threats (MIST 2012)
The "Big Picture" of Insider IT Sabotage Across U.S. Critical Infrastructures (pdf)
Technical Report, May 2008
Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis (pdf)

Cloud Computing

Insider Threats to Cloud Computing: Directions for New Research Challenges
presented at IEEE COMPSAC 2012
Tutorial: Cloud Computing Security
presented at IEEE COMPSAC 2012

Other

Insider Threat Security Reference Architecture
Deriving Candidate Technical Controls and Indicators of Insider Attack from Socio-Technical Models and Data (pdf)
Combating the Insider Cyber Threat (pdf)
Published in IEEE Security & Privacy

Articles

Presentations

Intriguing Insider Threat Cases � Make Sure this Doesn�t Happen to You!
RSA Conference 2013
The CERT Top 10 List for Winning the Battle Against Insider Threats (pdf)
RSA Conference 2012
Insider Threats: Actual Attacks by Current and Former Software Engineers (pdf)
SEPG Europe 2011
Combat IT Sabotage: Technical Solutions From The CERT Insider Threat Lab (pdf)
RSA Conference February 15, 2011
The Key to Successful Monitoring for Detection of Insider Attacks (pdf)
RSA Conference March 4, 2010

all presentations...

Books

The CERT Guide to Insider Threats

Podcasts and Videos

Contact Us

We welcome your feedback. Contact us at the following email address if you have questions or comments, if you are interested in collaborating with us, or if you would like more information:

Last updated June 5, 2012