Software Engineering Institute | Carnegie Mellon University

SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

Hi, this is Bill Claycomb and Alex Nicoll with installment 3 of a 10-part series on cloud-related insider threats. In this post, we discuss a second type of cloud-related insider threat: those that exploit weaknesses introduced by use of the cloud.

Last week we discussed the rogue administrator, one type of cloud-related insider threat. A second type of cloud-related insider threat, often overlooked by security researchers, is the insider who exploits vulnerabilities exposed by the use of cloud services to gain unauthorized access to organization systems and/or data. This type of attack may be malicious or accidental, and is sometimes enabled by differences in security policies or access control models between cloud-based and local systems.

Hi, this is Bill Claycomb and Alex Nicoll with installment 2 of a 10-part series on cloud-related insider threats. In this post, we present three types of cloud-related insiders and discuss one in detail--the "rogue administrator." This insider typically steals the cloud provider's sensitive information, but can also sabotage its IT infrastructure. The insider described by this threat may be motivated financially or by revenge.

Hi, this is Bill Claycomb, lead research scientist for the CERT Insider Threat Center and Alex Nicoll, technical team lead for Insider Threat Technical Solutions and Standards. Over the next few months, we will discuss, in a series of blog posts, problems related to insiders in the cloud, defending against them, and researching approaches that could help solve some of these problems.

For years the CERT Insider Threat Center has been studying organizations' current and former employees, contractors, and trusted business partners who steal intellectual property (IP) from their organizations. We have published reports that detail the problem: who does it, why, when, how, etc. We have also published reports on mitigation strategies based on our analysis of the problem. (Links to the reports are at the bottom of this post). These strategies focus on the detection of suspicious online actions, as well as logging strategies that provide electronic evidence to assist in the response process when insider theft is detected. A recent testimony by the FBI suggests that organizations need to pay attention to this significant problem.

The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) by Addison-Wesley Professional has recently been published. The book is available for purchase at Addison-Wesley's InformIT website at

The term organized crime brings up images of mafia dons, dimly lit rooms, and bank heists. The reality today is more nuanced; especially as organized crime groups have moved their activities online. The CERT Insider Threat Center recently released a publication titled Spotlight On: Malicious Insiders and Organized Crime Activity. This article focuses on a cross-section of CERT's insider threat data, incidents consisting of 2 or more individuals involved in a crime. What we found is that insiders involved in organized crime caused more damage (approximately $3M per crime) and bypassed protections by involving multiple individuals in the crime.

The Insider Threat Center at CERT recently released a new insider threat control that is specifically designed to detect the presence of a malicious insider based on key indicators to Information Technology (IT) sabotage activity. This blog post provides an overview of the control and the rationale behind its development. For more details describing the development of the control and the statistical analysis used and applied in this signature please refer to the technical report: