Home

Dartmouth Crest
The I3P is managed
by Dartmouth College


Contact Us
Home > Research Initiatives >

i3p

How to Protect Digital Assets from Malicious Insiders
by Mark Maybury
The MITRE Corporation

Malicious insiders, who have legitimate access to an organization's network, pose a serious threat to an organization. Malicious insider behavior, unlike that of external foes, cannot be detected using traditional intrusion detection methods and can have serious consequences. In this brief article, we outline some basic measures that can help early and effective detection and prevention of some insider threats.

markWhat is the Threat?
According to the 2007 Electronic Crimes Watch Survey, half of the computer security executives experienced an e-crime in the past year and 34 percent believed that insiders caused the most damage. One complex fraud case involving a financial institution reportedly resulted in the loss of $700 million.

What is an Insider?
An insider is anyone who has approved access, privilege, or knowledge of information systems, information services and missions. A malicious insider is one motivated to adversely impact an organization's mission by taking action that compromises information confidentiality, integrity, and/or availability. Analysis of the demographics and behaviors of malicious insiders conducted by I3P researchers at the MITRE Corporation reveals that they are driven by diverse motivations (e.g., financial enrichment, emotional thrill, desire for revenge, ideological beliefs). This analysis has also allowed us to create an outline of strategies and fundamental measures an organization can take to reduce the risk posed by malicious insiders and to decrease the time from defection to detection.

What can an organization do to prevent and/or mitigate the consequences of an internal breach?

  • Make employees the first line of defense. Educate your managers and co-workers, who are likely to be the first to recognize anomalous behavior, about security and encourage their constant awareness and vigilance. Deactivate accounts as soon as employees leave the company and don't be afraid to adjust account privileges when trust becomes an issue (e.g., probation for performance). Treat employees fairly, not only because it's the right thing to do but because satisfied workers are less likely to be disgruntled. Recognize that insiders are not just your employees but can be anyone who has insider knowledge and/or privileges, including your suppliers and subcontractors.
  • Be attentive. Pay attention to your employees' behavior. Signs of vulnerability, such as drug or alcohol abuse, financial difficulties, gambling, illegal activities, poor mental health or hostile behavior, should trigger concern. Be on the lookout for warning signs among employees such as the acquisition of unexpected wealth, unusual foreign travel, irregular work hours or unexpected absences.
  • Know your network. Establish a baseline for normal content, traffic and behavior on your network. What online activities are allowed/expected as a function of an employee's roles or responsibilities? One approach is to link specific roles and responsibilities (e.g., secretary, administrator, manager) to system activities such as printing, searching, transferring files, and so on.
  • Prioritize your assets. If you try to protect everything, you will protect nothing. Understand what information, services, or systems are mission critical or have high value and direct most of your security efforts there.
  • Divide responsibilities. Divide responsibilities among employees so that no single individual has ultimate authority over the network and can hold it hostage. At the same time, be sure to carefully monitor system administrators and other highly privileged users.
  • Grant least privilege. Employees tend to accumulate privileges over time because few are ever taken away even as a person's responsibilities shift. Periodically review and update user privileges so that employees have only enough privileges to perform their current jobs.
  • Introduce forensics to your network. Identify and monitor key elements of your network, such as firewalls or boundary points, critical servers and key databases. Keep logs of key events (e.g., connections, large data transfers, privilege escalation) and monitor and audit those logs on a regular basis.
  • Actively defend your network. Take proactive measures to deter attacks; don't wait until a breach occurs. Deploy a variety of sensors to better detect anomalies (e.g., badge readers for physical plant access, critical server sensors, inappropriate search detectors, detectors of inappropriate/illegal content or programs such as password cracker, internal connections, encrypted data streams). Deploy honeypots to attract malicious insiders to targets that would be off limits for policy abiding insiders.
  • Prepare for recovery. Create or review continuity of operations plans, deploy a sound backup plan and store critical backup files offsite.

What is the I3P?
The Institute for Information Infrastructure Protection (I3P) is a 27-member consortium of universities, federally-funded laboratories and research institutions that is managed by Dartmouth College. In addition to guiding and supporting research, the I3P is committed to finding solutions to infrastructure vulnerabilities, facilitating technology transfer and forging collaborative alliances with key stakeholders.

What is the I3P Insider Threat Project?
The I3P team has undertaken a multi-year, multi-institutional analysis of insider threat, one that encompasses not just technical challenges but also takes into account various ethical, legal and economic considerations. The team's work is not only yielding knowledge but also tools for detecting, monitoring and preventing insider attacks.

For More Information:
Any questions related to this document should be directed to Dr. Mark Maybury of the MITRE Corporation. He can be reached at maybury AT mitre DOT org.

For more information about the I3P Insider Threat project, please contact Scott Dynes, I3P Director for Research at scott.dynes@dartmouth.edu
or Shari Lawrence Pfleeger, Project Leader at pfleeger@RAND.ORG.

 

References
1. Anderson, Robert H.; Bozek, Thomas; Longstaff, Tom; Meitzler, Wayne; Skroch, Michael; and Van Wyk, Ken. August, 2000. Research on Mitigating the Insider Threat to Information Systems - #2. Workshop Proceedings. http://www.rand.org/publications/CF/CF163.
2. 2007 E-Crimes Watch Survey. www.cert.org/archive/pdf/ecrimesummary07.pdf
3. CERT Insider threat site. http://www.cert.org/insider_threat
4. Jones, Anita K. (chair). November 1-2, 2001. White Paper: Cyber-Security and the Insider Threat to Classified Information. Computer Science and Telecommunications Board, National Research Council. http://www7.nationalacademies.org/CSTB/whitepaper_insiderthreat.html
5. Matzner, Sara and Tom Hetherington. Summer 2004. Detecting Early Indications of a Malicious Insider", IA Newsletter, 7(2): 42-45.
6. Maloof, M. and Stephens, G. 2007. ELICIT: A System for Detecting Insiders who violate need-to-know. RAID 2007. LNCS 4637, 146-166. http://www.cs.georgetown.edu/~maloof/pubs/maloof-raid07.pdf.
7. Maybury, M., Chase, P., Cheikes, B., Brackney, D., Matzner, S., Hetherington, T., Wood, B., Sibley, C., Marin, J., Longstaff, T., Spitzner, L., Haile, J., Copeland, J. and Lewandowski, S. 2005. Analysis and Detection of Malicious Insiders. In 2005 International Conference on Intelligence Analysis, Sheraton Premiere, McLean, VA. http://www.mitre.org/work/tech_papers/tech_papers_05/05_0207/05_0207.pdf
8. Webster, William H. (chair). March 2002. A Review of FBI Security Programs Commission for Review of FBI Security Programs. U.S. Department of Justice. http://www.usdoj.gov/05publications/websterreport.pdf

Last Updated: 7/27/09