Effective cross-department collaboration usually requires a common standard language for communication. Until recently, the insider threat community has suffered from a lack of standardization when expressing potential insider threat risk indicators. The CERT Division's research into insider threat detection, prevention, and mitigation methods steered the design process for a newly proposed ontology for communicating insider threat indicators. Such an ontology allows organizations to share threat detection intelligence. In this post, I briefly describe our recently released report, An Insider Threat Indicator Ontology.

This new report describes the domain of insider attacks, the challenges constructing the ontology, and the method used to develop the ontology through natural language processing. The ontology was developed using incident summaries from CERT's Insider Incident Corpus.

Moving forward, an effective ontology allows organizations to share threat detection intelligence and encourages cross-agency cooperation. Learning what is and isn't a potential insider threat risk indicator enables organizations to fine tune their security mechanisms and establish better mitigation techniques.

Since organizations now collect more data pre- and post-cyber-breach than ever before, analyzing large data sets becomes challenging. Pattern mining relies on defined attribute characteristics, such as classes, concepts, relations, and inferences. To properly extract target events from large data sources (e.g. Microsoft Windows event logs), analysts need a well-defined ontology to support their analysis.

With an ontology as a reference point, researchers and analysts can empirically link potential risk indicators--actions and behaviors that precede an attack--with outside agencies' research and intelligence. This ontology provides a standard for communicating the specific events in the timeline of an attack. These events, in turn, describe potential indicators that can be used to mitigate similar incidents in the future.