
Insider Threat Deep Dive: Theft of Intellectual Property

CERT Insider Threat Center
• Insider Threat Blog

This entry is part of a series of "deep dives" into insider threat. The previous entry focused on IT sabotage.

Hi, this is Chris King. From our research, we realized that malicious insiders do not all fit into a single category. We found that there are individuals who steal or commit fraud for financial gain, others who steal intellectual property because of a sense of entitlement or to obtain a position with a competitor, and some who want to exact revenge against an organization because they are angry. We noticed a pattern in the ways insiders acted and were able to separate them into three main categories of crime: IT sabotage, theft of intellectual property (IP), and fraud. This update focuses on theft of IP.

We define theft of IP as cases in which an insider uses IT to steal intellectual property from an organization. This category includes cases of industrial espionage in which insiders steal company information to take to their next job, or they take trade secrets to a competitor. In 10 years of research, we have collected almost 90 incidents where an insider was found guilty of theft of IP. Of those cases, the insiders were almost entirely male (94%) and usually held technical positions such as scientist/engineer (44%) or programmer (10%). The following are some samples of theft of IP cases:

  • A technical service representative at a medical equipment company sought a job with a competing organization. The insider complied with her recruiter's request to send her current employer's customer lists, lab results, and manufacturing processes through email, postal mail, and commercial carriers in exchange for the new position.
  • The founder of a company that held a patent for a specific technology began to work for a software development company that used that technology. Over the course of 3 years, the insider accessed confidential business documents that were directly related to the patent infringement litigation that his company was preparing to initiate. He downloaded the documents to his laptop and then quit his job at the software development company. His company then filed a patent infringement lawsuit against the software development company.
  • A chemist at a paint manufacturer went on a business trip to work with one of the paint manufacturer's foreign subsidiaries. During the trip, the insider negotiated employment with one of the paint manufacturer's competitors and then resigned from his job. When representatives from the paint manufacturer analyzed the insider's laptop, they discovered 44GB of trade secret information. The insider was arrested when he attempted to leave the country. At the time of his arrest, he had a USB drive that contained the trade secret information.

In an analysis of theft of IP incidents, we discovered there are primarily two types of individuals who steal IP: the "entitled independent" and the "ambitious leader." The entitled independent is an insider who mainly acts alone to steal IP from an organization to take to a new job or side business. These insiders believe that they own the information they worked on during their employment, and they believe that they are entitled to the IP they created. The ambitious leader is an insider who recruits other insiders to help steal information for a larger purpose. The theft of IP in these cases is either to start a new business, to work with a competing organization, or to sell the information to a competing organization. For more information on how we developed these two models, see "A Preliminary Model of Insider Theft of Intellectual Property."

Although only 12% of the cases in the CERT® insider threat database can be defined as theft of IP, this is one of the most damaging types of insider attacks. Of our cases, the average potential damages for this type of incident were $29M-$42M, with some of the trade secrets valued at $1B in R&D costs. In these cases, 52% of insiders stole trade secret information, 30% stole sensitive internal documents (billing, customer lists, etc.), and 20% targeted source code.

Even though these high-value assets are protected, it is the trusted insiders who are working on these products that often steal them. The insiders' authorized access to the system or designs they work on complicates efforts to protect an organization's IP.

We have developed some countermeasures for this type of crime. For more technical detail, see An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases. For more general information, see the Common Sense Guide to Prevention and Detection of Insider Threats. A few technical preventative measures are presented here:

  • Many theft of IP cases in our database involved the use of removable media. Organizations should consider having some metric of employee use of removable media. Understanding who requires removable media and for what purposes can help an organization determine what may constitute normal and healthy business use.
  • Of the cases in which an organization's network was used to perpetrate the theft, most involved email and remote access over VPN. Given that several cases included sending email to a direct competitor, organizations should consider either tracking or blocking email to and from competitors. Our cases did not explicitly show insiders using sophisticated concealment methods, such as proxies. However, we did find that insiders periodically leverage their personal, web-based email as an exfiltration method.
  • According to our theft of IP models, most insiders steal IP within 30 days of leaving an organization. Organizations should consider a more targeted monitoring strategy for users who have already given notice that they will be leaving. Further, organizations should consider inspecting available log traffic for any indicators of suspicious access, large file transfers, suspicious email traffic, after-hours access, or use of removable media. Central logging appliances and event correlation engines may help craft automated queries that reduce an analyst's workload for routinely inspecting this data.
  • Organizations should consider reviewing access termination policies associated with employee exit procedures. Several cases in our database provided evidence that insiders remotely accessed systems by using previously authorized accounts that were not terminated upon the employee's exit. Precautions against this kind of incident would seem to be common sense, but this trend continues to manifest in newly cataloged cases.
  • As part of an employee's exit interview, organizations should consider reminding the employee of the contents of the intellectual property agreements that they signed, and even consider asking them to sign a statement saying that they have not taken any intellectual property with them.
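
The triage below is an added example, not code from the CERT post or from CERT tooling. It applies the measures in this list to a constructed event list: it scopes review to users with a recorded departure, checks the 30 days before their last day for bulk removable-media writes, email to watched domains, and after-hours remote access, and flags any access after the last day. The record layout, user names, domains, the 500 MB threshold, and the business hours are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names, domains and thresholds are assumptions.
HR = {  # user -> last working day (None = no departure on record)
    "asmith": datetime(2024, 5, 31),
    "bjones": None,
}
WATCH_DOMAINS = {"competitor.example", "webmail.example"}  # competitor + personal webmail
WINDOW = timedelta(days=30)          # the 30-day pre-departure window from the text
BULK_BYTES = 500 * 1024 * 1024       # assumed threshold for a "large" transfer
WORK_HOURS = range(7, 19)            # assumed business hours, 07:00-18:59 local

EVENTS = [  # (timestamp, user, event type, detail) -- constructed log records
    ("2024-05-10T14:02", "asmith", "usb_write", 2_000_000_000),
    ("2024-05-12T23:40", "asmith", "vpn_login", None),
    ("2024-05-20T10:15", "asmith", "email_out", "hr@competitor.example"),
    ("2024-06-03T21:05", "asmith", "vpn_login", None),
    ("2024-05-12T23:50", "bjones", "vpn_login", None),
    ("2024-03-01T09:00", "asmith", "usb_write", 2_000_000_000),
    ("2024-05-21T11:00", "asmith", "email_out", "client@partner.example"),
]

def triage(events, hr):
    """Return (timestamp, user, reason) for events worth an analyst's review."""
    findings = []
    for ts, user, kind, detail in events:
        when, last_day = datetime.fromisoformat(ts), hr.get(user)
        if last_day is None:
            continue  # targeted monitoring: only users with a known departure
        if when >= last_day + timedelta(days=1):
            findings.append((ts, user, "access after termination"))
            continue
        if when < last_day - WINDOW:
            continue  # before the 30-day window opens
        if kind == "usb_write" and detail >= BULK_BYTES:
            findings.append((ts, user, "bulk removable-media write"))
        elif kind == "email_out" and detail.rsplit("@", 1)[-1].lower() in WATCH_DOMAINS:
            findings.append((ts, user, "email to watched domain"))
        elif kind == "vpn_login" and when.hour not in WORK_HOURS:
            findings.append((ts, user, "after-hours remote access"))
    return findings

if __name__ == "__main__":
    for row in triage(EVENTS, HR):
        print(*row, sep="  ")
```

In a real deployment the same conditions would be expressed as correlation rules in the central logging platform, with the departure dates fed from HR.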

Also consider using the security guidance published by NIST.
