
New SIEM Signature Developed to Address Insider Threats


According to the 2011 CyberSecurity Watch Survey, approximately 21 percent of cyber crimes against organizations are committed by insiders. Of the 607 organizations participating in the survey, 46 percent stated that the damage caused by insiders was more significant than the damage caused by outsiders. Over the past 11 years, researchers at the CERT Insider Threat Center have documented incidents related to malicious insider activity. Their sources include media reports, the courts, the United States Secret Service, victim organizations, and interviews with convicted felons.

From these cases, CERT researchers have identified four models of insider threat behavior: (1) information technology (IT) sabotage, (2) fraud, (3) national security/espionage, and (4) theft of intellectual property (IP). Using those patterns, our researchers have developed network monitoring controls that combine technological tools with behavioral indicators to warn network traffic analysts of potential malicious behavior. While these controls do not necessarily identify ongoing cyber crimes, they may identify behaviors of at-risk insiders that an organization should consider for further investigation. This blog posting, the second in a series highlighting controls developed by the CERT Insider Threat Center, explores controls developed to prevent, identify, or detect IT sabotage.

Existing technical tools can be configured more effectively to help prevent IT sabotage. Many organizations deploy data loss prevention (DLP) and digital rights management (DRM) tools to try to stop theft of IP, and security information and event management (SIEM) tools to mitigate IT sabotage. These tools can collect and examine network traffic and event logs, but distinguishing anomalous behavior from normal behavior remains hard.

Behavioral Indicators Prior to IT Sabotage

The CERT Program's research has shown that employees who commit IT sabotage typically exhibit certain behavioral indicators prior to the crime. These usually begin with an employee's unmet expectations of the organization, precipitated by a negative workplace event, such as being passed over for a promotion, failure to receive a raise or bonus, or demotion. Next, the employee becomes disgruntled and seeks revenge against the organization for a perceived injustice.

Some behavioral indicators that may be observable in IT sabotage cases are performance problems, conflicts with coworkers or supervisors, outbursts in the workplace, and tardiness. The situation escalates to a point where the disgruntled employee sets up an attack using technical means. If such insiders have been denied access to the organization's network, they often find ways to regain access (such as an access path the organization does not know about) to deploy their malicious code, and then leave the organization or are terminated. The impact to the organization tends to become visible only after the insider's departure.

Using the Security Information and Event Management (SIEM) Signature

The following SIEM signature can be used to determine the identity of individuals engaging in behaviors that an organization should consider investigating further, what remote connection protocol they are using, and whether this activity is occurring outside normal working hours. The signature is based on the following key fields: username, VPN account name, hostname of the attacker, and whether the attacker is using SSH, Telnet, or RDP.

The insider IT sabotage cases we studied share two technical characteristics: remote access to the organization's information systems, and activity outside normal working hours. Given these characteristics, we developed the following signature:

Detect <username> and/or <VPN account name> and/or <hostname> using <ssh> and/or <telnet> and/or <RDP> from <5:00 PM> to <9:00 AM>

Note: This signature should only be applied to individuals who warrant increased scrutiny. This signature should not be applied to all privileged users because it will generate inordinate false positives.

Two standards were used to create the SIEM signature: the Common Event Format (CEF) and the Common Event Expression (CEE):

  • The Common Event Format (CEF) is an event interoperability standard developed by ArcSight. The purpose of this standard is to improve the interoperability of infrastructure devices by instituting a common log output format for different technology vendors. It assures that an event and its semantics contain all necessary information. Using this standard and the key indicators identified during the database analysis, we developed two CEF-based SIEM signatures, for Microsoft and Snort products, to identify suspected attackers.

  • The Common Event Expression (CEE) architecture defines an open and practical event log standard developed by MITRE. Like CEF, the purpose of CEE is to improve the audit process and users' ability to effectively interpret and analyze event log and audit data. It standardizes the event-log relationship by normalizing the way events are recorded, shared, and interpreted. Using the CEE format, we developed a signature based on the key indicators of insider IT sabotage. The signature identifies a suspected attacker who is using a remote connection to log onto the organization's internal system outside normal working hours, and it also logs the time the event was recorded.
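The following Python script is an added example, not code from the CERT report or from any SIEM vendor. It shows what the signature above looks like as detection logic run over CEF-formatted log lines: it parses the seven CEF header fields and the key=value extension, keeps only SSH, Telnet and RDP logins whose timestamp falls between 5:00 PM and 9:00 AM (a window that crosses midnight, so it cannot be a simple range check), and flags an event only when the username, VPN account name, or source hostname is on a watchlist of people already singled out for increased scrutiny, which is how the note above keeps false positives down. The log lines are constructed, and the mapping of CEF extension keys to the signature's fields (suser for username, cs1 for the VPN account name, shost for the source hostname, app for the protocol, rt for the event time in "MMM dd yyyy HH:mm:ss" form) is an assumption for this example; real devices use whatever keys their CEF mapping defines.

```python
"""Apply the after-hours remote-access signature to CEF log lines (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Iterable, Optional

# Identities flagged by HR or management for increased scrutiny. These names are
# constructed; the signature is meant for such a list, not every privileged user.
WATCHLIST = {"jdoe", "vpn-jdoe", "build-srv-03"}

REMOTE_PROTOCOLS = {"ssh", "telnet", "rdp"}
AFTER_HOURS_START = time(17, 0)  # 5:00 PM, inclusive (assumption)
AFTER_HOURS_END = time(9, 0)     # 9:00 AM, exclusive (assumption)

# Constructed CEF records. Key mapping is an assumption for this example:
# suser=username, cs1=VPN account name, shost=source host, app=protocol, rt=time.
SAMPLE_LOG = [
    "CEF:0|Example|VPN Gateway|1.0|100|Remote login|3|suser=jdoe cs1Label=vpnAccount cs1=vpn-jdoe shost=lt-0421 app=ssh rt=Mar 04 2012 23:15:00",
    "CEF:0|Example|VPN Gateway|1.0|100|Remote login|3|suser=asmith shost=lt-0133 app=rdp rt=Mar 04 2012 22:30:00",
    "CEF:0|Example|VPN Gateway|1.0|100|Remote login|3|suser=jdoe shost=lt-0421 app=rdp rt=Mar 05 2012 10:30:00",
    "CEF:0|Example|VPN Gateway|1.0|100|Remote login|3|suser=contractor01 cs1Label=vpnAccount cs1=vpn-jdoe shost=unknown app=telnet rt=Mar 05 2012 08:45:00",
    "CEF:0|Example|Web Proxy|1.0|200|Web request|1|suser=jdoe shost=lt-0421 app=https rt=Mar 05 2012 01:00:00",
    "CEF:0|Example|Jump Host|1.0|300|Shell login|3|suser=svc-deploy shost=build-srv-03 app=ssh rt=Mar 05 2012 17:00:00",
]

# Extension values run until the next " key=" token, so values may contain spaces.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line: str) -> dict:
    """Split a CEF record into its seven header fields plus the extension pairs.
    Escaped pipes (\\|) inside header fields are not handled in this example."""
    parts = line.split("|", 7)
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF record: {line[:40]!r}")
    event = {
        "version": parts[0][4:], "vendor": parts[1], "product": parts[2],
        "device_version": parts[3], "signature_id": parts[4],
        "name": parts[5], "severity": parts[6],
    }
    event.update(_EXT_RE.findall(parts[7]))
    return event


def is_after_hours(t: time) -> bool:
    """True from 17:00 through 08:59. The window wraps past midnight, so this is
    an OR of two comparisons rather than a start <= t < end check."""
    return t >= AFTER_HOURS_START or t < AFTER_HOURS_END


@dataclass(frozen=True)
class Finding:
    identity: str       # the watchlisted value that matched
    matched_field: str  # which signature field it matched on
    protocol: str
    source_host: str
    when: datetime


def apply_signature(event: dict, watchlist: set) -> Optional[Finding]:
    """Return a Finding when a watchlisted identity uses SSH/Telnet/RDP after hours."""
    protocol = event.get("app", "").lower()
    if protocol not in REMOTE_PROTOCOLS:
        return None
    raw_time = event.get("rt")
    if raw_time is None:
        return None  # cannot evaluate the time condition without a timestamp
    when = datetime.strptime(raw_time, "%b %d %Y %H:%M:%S")
    if not is_after_hours(when.time()):
        return None
    # Username and/or VPN account and/or hostname, in that order of precedence.
    for field in ("suser", "cs1", "shost"):
        value = event.get(field)
        if value and value in watchlist:
            return Finding(value, field, protocol, event.get("shost", "?"), when)
    return None


def run_signature(lines: Iterable[str], watchlist: set = WATCHLIST) -> list:
    """Parse every line and collect the events that trip the signature."""
    findings = []
    for line in lines:
        hit = apply_signature(parse_cef(line), watchlist)
        if hit is not None:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in run_signature(SAMPLE_LOG):
        print(f"{f.when:%Y-%m-%d %H:%M} {f.identity} ({f.matched_field}) "
              f"via {f.protocol} from {f.source_host}")
```

Of the six constructed records, three are flagged: the watchlisted user over SSH late at night, a different user logging in with the watchlisted VPN account before 9:00 AM, and a service account connecting from the watchlisted host at exactly 5:00 PM. The after-hours RDP login by a user who is not on the watchlist is deliberately not flagged; that is the scoping the note above asks for, and widening the watchlist to all privileged users is exactly what would flood an analyst with benign on-call activity.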

Recognizing these behaviors has allowed us to create rules for when to apply a SIEM signature to detect insiders at risk of committing IT sabotage. By applying a SIEM signature, network traffic analysts can detect changes in configuration and changes in timing of network connections and specifically look at people who log in to the network outside of normal working hours. Using nontechnical indicators with the signature also helps to minimize the number of false positives. By combining behavioral and technical aspects, the SIEM signature can be used to help organizations act proactively, not reactively, to protect themselves.

Future Research

We are not advocating that organizations "advertise" the controls in an attempt to dissuade disgruntled employees from harming the organization. Instead, we want to persuade organizations to improve the communication between human resources, managers, and co-workers to identify potentially disgruntled employees and apply additional IT controls (including the SIEM signature) to identify suspicious changes to critical files.

Our future work includes enhancing the CERT insider threat database by collecting incidents, verifying that the behavioral model is still current and applicable, and customizing the model to create more controls. We will continue to use our insider threat lab to test tools, develop controls, and make better recommendations for existing or new configurations of tools to prevent, detect, or respond to malicious attacks on a network.

Additional Resources

To read the technical report Insider Threat Control: Using a SIEM Signature to Detect Potential Precursors to IT Sabotage, please visit

To read the technical report Using Centralized Logging to Detect Data Exfiltration Near Insider Termination, please visit

To read more about the CERT Program's Insider Threat research, please visit

To read about the new book The CERT Guide to Insider Threats by Dawn Cappelli, Andrew Moore, and Randy Trzeciak, please visit

To read the CERT blog post Insider Threat Control: Using an SIEM signature to detect potential precursors to IT sabotage, please visit