Insider Threat Research: Our Work
Insiders can be current or former employees and contractors who have or had authorized access to their organization's system and networks who are familiar with internal policies, procedures, and technology and can exploit that knowledge to facilitate attacks and even collude with external attackers. Research conducted by CERT since 2001 has focused on gathering data about actual malicious insider acts, including espionage, IT sabotage, fraud, theft of confidential or proprietary information, and potential threats to our nation's critical infrastructures.
CERT's ongoing insider threat research provides comprehensive analysis of the insider threat problem. Specific examples of our work are described below.
Case Analysis and Best Practices
Our research started in partnership with the U.S. Department of Defense (DoD) Personnel Security Research Center (PERSEREC), examining cyber insider threats in the military services and defense agencies. In 2002, the Insider Threat Study, which provided the first comprehensive analysis of the insider threat problem, was initiated jointly by the U.S. Secret Service (USSS) National Threat Assessment Center and CERT. The Insider Threat Study team, composed of USSS behavioral psychologists and CERT information security experts, collected approximately 150 actual insider threat cases that occurred in US critical infrastructure sectors between 1996 and 2002 and examined them from both a technical and a behavioral perspective. A series of reports has been published as a result of this work.
In 2007, Carnegie Mellon University's CyLab funded us to update our case library with more recent cases. We have now collected over 100 additional cases, bringing the total count of cases in our insider threat database to more than 250. We recently began analyzing all of the cases; preliminary findings were presented at the RSA Conference in April 2008.
Carnegie Mellon University's CyLab also funded development of a guide to best practices for the prevention and detection of insider threats. An updated version, which will include findings from all 250 cases, is slated for publication in 2008.
Modeling and Simulation
CERT also uses methods to convey the "big picture" of the insider threat problem: the complex interactions, relative degree of risk, and unintended consequences of policies, practices, technology, insider psychological issues, and organizational culture over time. CERT's MERIT (Management and Education of Risks of Insider Threat) project, funded by Carnegie Mellon's CyLab, employs system dynamics modeling and simulation to convey the complexity of the problem.
The MERIT team, composed of CERT's technical experts and psychologists, uses system dynamics to
- model and analyze the dynamic nature of the insider threat problem
- simulate and graph behavior over time
- produce educational materials based upon the models developed
The team focused initial modeling efforts on insider IT sabotage. CyLab has funded the team to produce two new models: one for insider theft of confidential information and one for insider fraud.
The MERIT project led to two additional areas of work:
- DOD PERSEREC funded the MERIT team to use system dynamics modeling to compare IT sabotage and espionage
- CyLab funded development of an innovative training mechanism for insider threat: a virtual interactive simulation of the MERIT model: MERIT-Interactive
The CERT Insider Threat Team worked jointly with a team at Carnegie Mellon University's Entertainment Technology Center (ETC) to develop a stand-alone tool that can be used for widespread training of managers on insider threat risk mitigation. We used state-of-the-art multimedia technologies to develop a training simulator, which we call MERIT-Interactive, that immerses users in a realistic business setting in which they make decisions about how to prevent, detect, and respond to insider actions and see the impacts of their decisions in terms of key performance metrics. Refer to the Executive Overview for a more detailed description of this project.
Insider Threats in the Software/System Development Life Cycle (SDLC)
Current and former employees and contractors have exploited vulnerabilities in the software/system development life cycle (SDLC) to commit fraud, theft of sensitive information, and IT sabotage. A recent presentation, Insider Threats in the SDLC, given at the SEPG 2007 conference, described numerous cases involving malicious code inserted into production applications, violations of automated critical business processes, sabotage of source code and/or backups, crimes facilitated by ineffective role-based access controls, unauthorized modification of production data by system developers, and much more. You can also learn more by listening to the podcast, Insider Threat and the Software Development Life Cycle.
E-Crime Watch Survey
The Insider Threat Team has also teamed with the U.S. Secret Service and CSO magazine to conduct, analyze, and publish findings from an annual E-Crime Watch survey. In 2004, 2005, and 2006, the survey was conducted to identify electronic crime-fighting trends and techniques, including best practices and emerging trends.