Designing Insider Threat Programs
Insider threat is the threat to organization's critical assets posed by trusted individuals - including employees, contractors, and business partners - authorized to use the organization's information technology systems. Insider threat programs within an organization help to manage the risks due to these threats through specific prevention, detection, and response practices and technologies. The National Industrial Security Program Operating Manual (NISPOM), which provides baseline standards for the protection of classified information, is considering proposed changes that would require contractors that engage with federal agencies, which process or access classified information, to establish insider threat programs.
The proposed changes to the NISPOM were preceded by Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information. Signed by President Obama in September 2011, Executive Order 13587 requires federal agencies that operate or access classified computer networks to implement insider threat detection and prevention programs.
Since the passage of Executive Order 13587, the following key resources have been developed:
- The National Insider Threat Task Force developed minimum standards for implementing insider threat programs. These standards include a set of questions to help organizations conduct insider threat self-assessments.
- The Intelligence and National Security Alliance conducted research to determine the capabilities of existing insider threat programs
- The Intelligence Community Analyst-Private Sector Partnership Program developed a roadmap for insider threat programs.
CERT's insider threat program training and certificate programs are based on the above resources as well as CERT's own Insider Threat Workshop, common sense guidelines for mitigating insider threats, and in-depth experience and insights from helping organizations establish computer security incident response teams. As described in this blog post, researchers from the Insider Threat Center at the Carnegie Mellon University Software Engineering Institute are also developing an approach based on organizational patterns to help agencies and contractors systematically improve the capability of insider threat programs to protect against and mitigate attacks.
A Pattern-based Approach to Insider Threat
This post is the latest installment in an ongoing series describing our research to create and validate an insider threat mitigation pattern language to help organizations prevent, detect, and respond to insider threats. As described in a previous post, our research is based upon our database of more than 700 insider threat cases and interviews with the United States Secret Service, victims' organizations, and convicted felons. From that database, we identified 26 patterns that capture reusable solutions to recurring problems associated with insider threat. Insider threat mitigation patterns are organizational patterns that involve the full scope of enterprise architecture concerns, including people, processes, technology, and facilities. This broad scope is necessary because insiders often have authorized access--both online and physical--to organizational systems. Our approach acknowledges inter-relationships between organizational structures, such as policy, training, and employee and policy agreements, and draws upon those inter-relationships to describe the patterns themselves.
The following is a high-level outline of a pattern for disabling access after an insider leaves an organization for other employment, an older version of which was published at the 2013 PLOP Workshop:
Title: Eliminate Methods of Access after Departure
Intent: To avoid insider theft of information or sabotage of information technology after departure
Context: An insider is departing an organization for employment elsewhere and you have a comprehensive record of access paths the insider has for accessing the organization's systems
Problem: Insiders who depart an organization under problematic circumstances may become angry to the point of wanting to steal information from the organization or compromise the integrity of the organization's information or information systems. Active access paths into the organization's systems after departure provide the opportunity to do that.
Solution: Disable accounts that you know about upon departure, and prepare to monitor suspicious remote access after departure for signs of unauthorized access attempts
Related Patterns: Monitor Activity after Departure
For organizations and agencies establishing insider threat programs, our approach specifies
- what processes are important and stresses the need for consistent enforcement
- what policies are important
- how those processes and policies are implemented both by humans and technology
- what technology is needed to support all of that
There will undoubtedly be great variation in insider threat programs, depending on the risks faced by individual organizations. We therefore use capability development scenarios to designate paths through the mitigation pattern language with the goal of mitigating a specific insider threat behavior. The mitigation pattern outlined above will be used in a capability development scenario described below. Such capability development scenarios serve to guide insider threat program designers as they try to ensure their programs are resilient against insider threats to their critical assets.
An Example Capability Development Scenario
In a forthcoming report on this topic, we will outline several capability development scenarios (CDSs). One scenario involves mitigating theft of intellectual property when an employee resigns or is fired from the organization:
Through our analysis of our insider threat database, we observed that 70 percent of insiders who stole intellectual property from an employer did so within 60 days of their termination from an organization. This CDS urges that both parties must agree at employee hiring regarding the ownership of intellectual property as well as the consequences if the agreement is breached. Upon termination, whether voluntary or forced, the organization should disable insider's accesses. During the exit interview, the organization must review existing agreements regarding IP.
The CDS advocates that an employer monitor insider actions 60 days prior to termination and for 60 days after termination. Suspicious behaviors including uncharacteristically large downloads of intellectual property should be handled either by the human resources or legal departments or a combination of both.
As specified by the associated path through the mitigation pattern language, this CDS advocates that organizations
- Screen Employees
- Agree on IP Ownership
- Periodically Raise Security Awareness
- Log Employee Actions
- Increase Monitoring Due to an Employee's Pending Departure
- Reconfirm Employee Agreements on Departure
- Eliminate Methods of Access after Departure
- Monitor Activity after Departure
In summary, mitigating theft of IP at departure involves ensuring that the organization increases their monitoring of any insider with access to critical assets for specific suspicious behaviors when the insider resigns or is terminated. In addition, the insider must agree to and be reminded that they can't take organization-owned IP with them.
Future Work in Insider Threat
Continuing our efforts to help federal agencies and contractors develop insider threat programs, per executive order 13587, we are now seeking active government partners to apply and refine our approach. We also are continuing our research into fundamental patterns of insider threat mitigation to make sure that they remain well grounded and validated scientifically.
Looking ahead, we plan next to investigate insider social networks and the role they play in contributing to insider threat. In particular, we plan to examine how those social networks change over time to determine whether we can distinguish the social networks of malicious and non-malicious insiders. As part of this research, we are collaborating with Dr. Kathleen Carley, a professor at Carnegie Mellon University's Institute for Software Research in the School of Computer Science.
We welcome your feedback on our work in the comments section below.
To read the about insider threat mitigation patterns published at PLoP, please visit https://www.hillside.net/plop/2013/papers/Group4/plop13_preprint_47.pdf.
To read the PLoP Conference paper, Building a Multidimensional Pattern Language for Insider Threats, please visit: https://www.hillside.net/plop/2012/papers/Group%202%20-%20Rattlesnake/Building%20a%20Multidimensional%20Pattern%20Language%20for%20Insider%20Threats.pdf.
To read the SEI technical report, Justification of a Pattern for Detecting Intellectual Property Theft by Departing Insiders, please visit
For more information about the CERT Insider Threat Center, please visit