Insider Threat Controls
The CERT Insider Threat Center continues to see the same commercial tools, techniques, and procedures to combat insider threat that we've seen for the past decade. Why? One answer is that malicious activity by insiders looks very much like their authorized day-to-day online activity. As a result, many insider threat detection tools produce so many false positives that the tools are unusable.
After studying the patterns in the different types of insider crimes, we created the CERT insider threat lab to test existing technical solutions and begin to create new ones. To learn more, explore the CERT research on how to use controls and indicators, derived from our wealth of socio-technical information on insider crimes, to prevent, detect, and respond to insider attacks.
Detecting and Preventing Data Exfiltration Through Encrypted Web Sessions via Traffic Inspection
This technical note describes how organizations can detect and prevent data exfiltration over encrypted web sessions on their networks. By using an SSL proxy and various novel methods for inspecting files that are sent through the web sessions, small-to-medium-sized organizations can make it more difficult for an insider to utilize HTTP/S as a data exfiltration channel.
Using a SIEM Signature to Detect Potential Precursors to IT Sabotage (pdf)
This paper describes the development and proposed application of a Security Information and Event Management (SIEM) signature to detect possible malicious insider activity leading to IT sabotage. In the absence of a uniform, standardized event logging format, this paper presents the signature in two of the most visible public formats, Common Event Framework (CEF) and Common Event Expression (CEE). Because of the limitations of these formats, the SIEM described in this paper employs an operational version of the proposed signature in an ArcSight environment.
Insider Threat Control Demonstration: IT Sabotage - Outsider Collusion
Using Centralized Logging to Detect Data Exfiltration Near Insider Termination (pdf)
Since 2001, the CERTŪ Insider Threat Center has built an extensive library and comprehensive database containing more than 600 cases of crimes committed against organizations by insiders. A significant class of insider crimes, insider theft of intellectual property, involves highly
damaging attacks against organizations that result in significant tangible losses in the form of stolen business plans, customer lists, and other proprietary information. The Insider Threat Center's behavioral modeling of insiders who steal intellectual property shows that many insiders who stole their organization's intellectual property stole at least some of it within 30 days of their termination. This technical note presents an example of an insider threat pattern based on this insight. It then presents an example implementation of this pattern on an enterprise-class system using the centralized log storage and indexing engine Splunk to detect malicious insider behavior on a network.
We welcome your feedback. Contact us at the following email address if
you have questions or comments, if you are interested in collaborating
with us, or if you would like more information: