Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage
The Insider Threat Center at CERT recently released a new insider threat control that is specifically designed to detect the presence of a malicious insider based on key indicators to Information Technology (IT) sabotage activity. This blog post provides an overview of the control and the rationale behind its development. For more details describing the development of the control and the statistical analysis used and applied in this signature please refer to the technical report: http://www.cert.org/archive/pdf/SIEM-Control.pdf
The Insider Threat Security Information and Event Management (SIEM) signature was developed to detect possible malicious insider activity leading to IT sabotage. The goal is to detect the identity of the attacker, what remote connection protocol he or she is using, and whether the activity is occurring outside of normal working hours, based upon empirical data of malicious insider activity. In the absence of a uniform, standardized event logging format, the signature is represented in two of the most visible public formats, Common Event Format (CEF), develop by ArcSight, and Common Event Expression (CEE), developed by MITRE. Because of the limitations of these formats, the SIEM described in the detailed report employs an operational version of the proposed signature in an ArcSight environment.
The CERT® Insider Threat Center database currently contains over 550 cases of actual malicious insider crimes. We focused on the 123 cases categorized as IT sabotage in the development of this control. Insider IT Sabotage is defined as an insider's use of information technology to direct specific harm at an organization or an individual. The cases in our database reveal that almost all insiders involved in acts of IT Sabotage displayed behavioral indicators prior to committing their crimes. Examples of such behavioral indicators include but are not limited to: conflicts with co-workers or supervisors, improper use of organization information assets, rule violations and/or security violations. These indicators may be used to determine which users warrant targeted monitoring via this signature. Once individuals are identified, you should be able to determine the appropriate user names, account names, host names, and/or host addresses to enter into the signature to make the alert volume more meaningful and manageable.
Prior to applying this signature, you should facilitate proper communication and coordination between relevant departments across the enterprise, especially information technology, information security, human resources, physical security, and legal. This cooperation is necessary to ensure that any measures taken to combat insider threat comply with all organizational, local, and national laws and regulations.
Technical signatures developed by the CERT Insider Threat Center are generally designed to be applied towards a particular user or group of users. These signatures are not intended to be applied to all users across the enterprise, as doing so will generate a large number of false positives.