Hello, I'm Tracy Cassidy, a CERT cybersecurity researcher. This post is about the research the CERT Division is doing on unintentional insider threat (UIT) with a particular emphasis on phishing and malware incidents.

For the past year, the CERT Insider Threat Center, sponsored by the Department of Homeland Security, has been publishing reports on UIT. These reports include the initial and follow-on reports: Unintentional Insider Threats: A Foundational Study and Unintentional Insider Threats: Social Engineering.

Following the success of these reports, the Insider Threat Center continued its work on UIT, focusing on the newly designated PHISHING/SOCIAL threat vector and its subvectors, Malware and Credentials. These threat vectors/subvectors represent the use of phishing and/or social engineering as a means to implement malware or gain access to credentials. The intent of this work has been to identify the frequency of incident types that occur in different economic sectors within the United States.

This research included the collection and analysis of publicly reported phishing cases followed by an analysis of industry sectors impacted by these types of incidents. The research provides potential recommendations for mitigating UITs stemming from phishing and other social engineering exploits. This research also compares security offices' current practice of UIT monitoring in the manufacturing and healthcare industries, including the tracking of near misses of adverse events.

Our research is based on the sample of incident cases collected from publicly available sources, which is often limited because organizations are reluctant to report incidents related to UIT. Due to this limitation, we currently are unable to show a statistically significant difference between the types of incidents across industry sectors.

In our previous work, we defined the UIT-HACK threat vector as

An outsider's electronic entry acquired through social engineering (e.g., phishing email incident, planted or unauthorized USB drive) and carried out via software, such as malware and spyware.

Through further research, we determined that many incidents initiated through phishing and other social engineering are not carried out by using software, but by acquiring and misusing the victim's credentials to secured systems. Because the common elements of the two types of attacks are phishing and other social engineering, we created a new, larger category of threat vector, PHISHING/SOCIAL that subsumes UIT-HACK, renamed it as the subvector Malware, and added the new subvector of Credentials:

Malware (formerly UIT-HACK)--An outsider's electronic entry acquired through social engineering (e.g., phishing email incident, planted or unauthorized USB drive) and carried out via software, such as malware and spyware.

Credentials--An outsider's electronic entry acquired through social engineering (e.g., phishing email incident) and carried out through compromised credentials, including passwords and other identifying information.

The identification of the new threat subvector, Credentials, and the refinement of UIT-HACK allows researchers and those in operations to quickly differentiate the two types of incidents and take the most appropriate mitigation actions.

If you are interested in this work, and in our findings, I recommend you check out the report Unintentional Insider Threats: A Review of Phishing and Malware Incidents by Economic Sector.

We recommend further research on UIT social engineering with a particular focus on

• the best ways for the whole community to record incidents
• what management practices meet human factors standards to foster effective work environments that minimize stress
• what training can best educate insiders about social engineering and teach them to recognize phishing cues
• how to identify deceptive practices used by adversaries and recognize suspicious patterns
• ways to develop mitigations that apply to specific attack phases of social engineering events

Can you provide additional cases of UIT PHISHING/SOCIAL? Can you suggest additional mitigation strategies? What future research into UIT would be most useful to you or your organization? Please send your thoughts to us.