SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

This is the first part of a two-part series that explores open source, free, or low-cost solutions to help you get the technical portion of your insider threat program started. As defined by opensource.com, open source software is "software with source code that anyone can inspect, modify, and enhance." Free tools are available at no cost, but the source code is "closed," meaning that it cannot be examined or modified.

Much attention has been paid to understanding the impacts of an insider threat incident. In examining recorded cases, trends begin to emerge over time just as with any other data set. However, despite these malicious insiders using technical means to cause harm, there is still a human component that should be considered. Who, collectively, are these malicious insiders that caused harm? What do we know about them? This blog post is the first of a four-part series about understanding insider threats.

On May 18, 2016, the DoD published Change 2 to DoD 5220.22-M, "National Industrial Security Operating Manual (NISPOM)," which requires contractors to establish and maintain an insider threat program to detect, deter, and mitigate insider threats. The intent of this blog post is to summarize the changes required by Change 2 and the impact it will have on contracting organizations.

Collusion among malicious insiders can produce a larger attack surface in terms of access to organizational assets. In theory, multiple actors could perform reconnaissance from within the "need-to-know" aspect of their job responsibilities to commit fraud or theft of intellectual property. Consequently, these malicious actors could then evade detection, presenting a real threat to an organization. In this blog post, I explore the concept of collusion among malicious insiders.

Effective cross-department collaboration usually requires a common standard language for communication. Until recently, the insider threat community has suffered from a lack of standardization when expressing potential insider threat risk indicators. The CERT Division's research into insider threat detection, prevention, and mitigation methods steered the design process for a newly proposed ontology for communicating insider threat indicators. Such an ontology allows organizations to share threat detection intelligence. In this post, I briefly describe our recently released report, An Insider Threat Indicator Ontology.

Disgruntled employees can be a significant risk to any organization because they can have administrative privileges and access to systems that are necessary for the daily operation of the organization. These disgruntled employees can be identified and monitored, but without knowing what types of outcomes disgruntled insiders might accomplish, monitoring can become strenuous and overbearing.

Hi, I'm Richard Bavis, Insider Threat Graduate Intern at the CERT Insider Threat Center. In this blog post, I will discuss the top three outcomes of an attack conducted by a disgruntled insider to provide you with better insight into situations that could lead to an attack. By looking at these situations and outcomes, you and your organization will be able to better handle the possible threats of a disgruntled employee.

The intent of this blog series was to describe a framework that you could use as you build an insider threat program (InTP) in your organization. We hope you found it a useful resource and recommend that you refer back to it as you progress through the Initiation, Planning, Operations, Reporting, and Maintenance phases of building your InTP.

Hi, this is Randy Trzeciak, Technical Manager of the CERT Insider Threat Center in the CERT Division of the Software Engineering Institute. It is my privilege to write this final installment of the InTP blog series.