Official website of the Department of Homeland Security

Homeland Security

Insider Threat

Cybersecurity measures are often focused on threats from outside an organization rather than on threats posed by untrustworthy individuals within it. However, insider threats are the source of significant losses across many critical infrastructure industries. An insider threat can be defined as the potential damage to the interests of an organization by a person or persons regarded, inaccurately, as loyally working for or on behalf of the organization, or who inadvertently commit security breaches.
Capability Areas

To address the growing concern of insider threats, this project seeks more advanced R&D solutions to provide needed capabilities to address six areas:

  1. Collect and Analyze (monitoring)
  2. Detect (provide incentives and data)
  3. Deter (prevention)
  4. Protect (maintain operations and economics)
  5. Predict (anticipate threats and attacks)
  6. React (reduce opportunity, capability, and motivation and morale for the insider)

The beneficiaries of this research range from the national security bodies operating the most sensitive or classified systems, to homeland security officials who need to share sensitive-but-unclassified/controlled unclassified information (CUI) and to healthcare, finance, and many other sectors where sensitive and valuable information is managed. In many systems, such as those operating critical infrastructures, the integrity, availability, and total system survivability are of the highest priority and can be compromised by insiders.

Current Insider Threat Efforts

Monitoring Database Management System (DBMS) Activity for Detecting Data Exfiltration by Insiders: A malicious insider who has the proper credentials to access organizational databases may, over time, send data outside the organization’s network through a variety of channels, such as email, file transfer, or web uploads. Existing security tools for detecting cyber attacks focus on protecting the boundary between the organization and the outside world. While such tools may be effective in protecting an organization from external attacks, they are less suitable if the data is being transmitted from inside the organization to the outside by an insider who has the proper credentials to access, retrieve, and transmit data. While data exists throughout the organization, the most harm is done by exfiltration of those massive amounts of data that reside in an organizational database management system (DBMS). By studying the patterns of interaction between users and a DBMS, it is possible to detect anomalous activity that is indicative of early signs of exfiltration. An anomaly and misuse detection system that operates at the data source (i.e., the DBMS) prevents data from leaving the source even before it escapes into an organizational network where it is very hard to track.
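The paragraph above describes detecting exfiltration at the data source by learning how each user normally interacts with the DBMS and flagging deviations. The following is an added illustration written for this page, not code from DHS, SEI, or the project described: it builds a per-user baseline (tables normally touched, typical rows returned per query) from constructed audit records and scores new records against it. The log format, the business-hours window, and the z-score threshold are assumptions; a real deployment would read the DBMS audit log or a query proxy and tune the thresholds to observed traffic.

```python
"""
Added example: baseline-and-deviation detection over DBMS audit records,
illustrating the idea of watching user-to-DBMS interaction patterns for
early signs of exfiltration. Illustrative code for this page only; the
record format and thresholds below are assumptions.
"""
import statistics
from collections import defaultdict

# Constructed sample audit records (not real data). Fields: timestamp, user,
# statement type, table, rows returned. The first block is the training
# window used to build baselines; the second block is new activity to score.
AUDIT_LOG = """\
2024-03-01T09:02:11 alice SELECT customers 18
2024-03-01T09:15:40 alice SELECT customers 22
2024-03-01T10:01:05 alice SELECT orders 35
2024-03-01T11:30:00 alice SELECT customers 15
2024-03-01T13:45:12 alice SELECT orders 40
2024-03-01T09:10:00 bob SELECT invoices 120
2024-03-01T10:20:00 bob SELECT invoices 98
2024-03-01T14:00:00 bob SELECT invoices 110
2024-03-01T15:30:00 bob SELECT invoices 105
2024-03-01T16:10:00 bob SELECT invoices 130
"""

NEW_EVENTS = """\
2024-03-02T09:05:00 alice SELECT customers 20
2024-03-02T21:47:31 alice SELECT customers 48000
2024-03-02T22:03:12 alice SELECT payroll 9100
2024-03-02T10:00:00 bob SELECT invoices 115
"""


def parse(text):
    """Parse whitespace-separated audit lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, stmt, table, rows = line.split()
        events.append({"ts": ts, "user": user, "stmt": stmt,
                       "table": table, "rows": int(rows)})
    return events


def build_baseline(events):
    """Per-user profile: tables normally accessed, plus row-count mean/stdev."""
    per_user = defaultdict(lambda: {"tables": set(), "rows": []})
    for e in events:
        prof = per_user[e["user"]]
        prof["tables"].add(e["table"])
        prof["rows"].append(e["rows"])
    baseline = {}
    for user, prof in per_user.items():
        mean = statistics.fmean(prof["rows"])
        # A constant series has stdev 0; floor it so the z-score stays finite.
        stdev = max(statistics.pstdev(prof["rows"]), 1.0)
        baseline[user] = {"tables": prof["tables"], "mean": mean, "stdev": stdev}
    return baseline


def score_events(events, baseline, z_threshold=3.0):
    """Return (event, reasons) pairs for events that deviate from the baseline."""
    alerts = []
    for e in events:
        reasons = []
        prof = baseline.get(e["user"])
        if prof is None:
            reasons.append("no baseline for user")
        else:
            z = (e["rows"] - prof["mean"]) / prof["stdev"]
            if z > z_threshold:
                reasons.append(f"row volume z={z:.1f} exceeds {z_threshold}")
            if e["table"] not in prof["tables"]:
                reasons.append(f"table {e['table']} never accessed before")
        hour = int(e["ts"][11:13])
        if hour < 7 or hour >= 20:  # assumed business hours 07:00-20:00
            reasons.append("outside business hours")
        if reasons:
            alerts.append((e, reasons))
    return alerts


def detect(training_text=AUDIT_LOG, new_text=NEW_EVENTS):
    """Build baselines from the training window and score the new events."""
    return score_events(parse(new_text), build_baseline(parse(training_text)))


if __name__ == "__main__":
    for event, reasons in detect():
        print(event["ts"], event["user"], event["table"], event["rows"],
              "->", "; ".join(reasons))
```

On the constructed records, alice's routine daytime query passes, while her two late-night queries are flagged for row volume far above her baseline, and the second additionally for touching a table she has never accessed; bob's activity stays within his profile. Scoring at the DBMS rather than at the network edge is what lets the volume and table signals be observed before the data has left the source.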

Previous Insider Threat Efforts

Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector: A study of malicious cyber activity in the banking and finance sector, building on previous work accomplished in this area. This study updates the initial study in the banking and finance sector (Insider Threat Study: Illicit Activity in the Banking and Finance Sector, August 2004) to provide analysis of more recent cases. It also extends the coverage to include a comparison of internal and external attackers from a technical security controls perspective. In addition, results from this analysis will support law enforcement in cybercrime investigations by enabling them to more easily differentiate methods used by internal and external attackers. The final report for this project may be found at: http://resources.sei.cmu.edu/asset_files/SpecialReport/2012_003_001_28137.pdf

Contact

Program Manager: Megan Mahle

Email: SandT-Cyber-Liaison@hq.dhs.gov


