search menu icon-carat-right cmu-wordmark

Insider Threat Incidents: Assets Targeted by Malicious Insiders

Sarah Miller
• Insider Threat Blog
Sarah Miller

As part of the CERT National Insider Threat Center's ongoing efforts to refine and improve our Incident Corpus, and to provide more data to the community, we have updated our taxonomy for targeted assets in insider threat incidents. We have identified a number of dimensions--asset owner, asset type, and classification--we can use to aggregate and analyze targets of insider threat incidents. In this blog post, I detail this new taxonomy and highlight some of our latest findings about the assets targeted by malicious insiders.

The diagram below shows the dimensions of the CERT Insider Threat Incident Corpus target taxonomy.

The diagram shows the taxonomy of assets targeted in insider threat incidents. There are three major categories: asset owner, asset type, and classification. Asset owner is broken down into victim organization, employee, customer, third party, and other. Asset type is broken down into information, technology, facilities, money, and other. Classification is broken down into FERPA, FTI, government-sensitive, IP, PCI, PHI, PII, non-public, and unknown or not applicable.

Asset Owner

The asset owner corresponds to the entity responsible for an asset's management or to the subject of the asset. For example, the employee would be the owner of their data saved on employer systems, such as human resources information or personal files saved on work devices. The customer would be the owner of customer payment information. The asset owner categories are informed by the CERT Resilience Management Model (CERT-RMM) Asset Definition and Management (ADM) domain.

Perhaps unsurprisingly, the most common asset owner across insider threat case types--fraud, theft of IP, sabotage, and multiple--is the victim organization. Consumer assets are targeted nearly half as often. We observed far fewer targeted assets owned by employees, third parties, or others. The graph below shows the assets in the CERT Insider Threat Incident Corpus, broken down by owner and case type.

The chart is titled Assets Targeted in Insider Threat Incidents by Owner and Case Type. Asset owner organization has more than 500 assets in fraud incidents, more than 200 in theft of IP cases, just less than 200 in sabotage cases, and about 30 in multiple case types. Asset owner consumer has just less than 400 assets in fraud cases and less than 30 assets in all other case types. Asset owners employee, third party, and other all have less then 30 assets across all case types.

Fraud incidents, which make up the majority of incidents in the corpus, were associated with the greatest number of targeted assets, owned primarily by organizations and secondarily by consumers.

Asset Type

The asset type is the medium in which the asset exists.

Unlike the CERT-RMM ADM domain, our taxonomy includes money as an asset type. The CERT Insider Threat Incident Corpus includes many fraud incidents, so identifying money as a unique asset helps to highlight the actual intent of these incidents. Also, our asset taxonomy does not include people, which is an asset type in the CERT-RMM. In scenarios where an insider used social engineering on a coworker, we would identify the target asset as the asset that the insider wanted to access through the coworker, not the coworker.

As seen in the graph below, information is the most commonly targeted asset type across all types of incidents. Money is targeted exclusively in fraud incidents. Information is the most commonly targeted asset across all incident types. We have identified few instances where a victim organization's facilities were targeted.

The chart is titled Assets Targeted in Insider Threat Incidents by Asset Type and Case Type. For the asset type information, nearly 450 assets were targetred in fraud cases, more than 200 in theft of IP cases, about 100 in sabotage cases. For the money asset type, 500 assets were targeted. For the technology asset type, nearly 150 assets were targeted in sabotage cases, and less than 30 were targeted in each of the other case types. The facilities and other asset types show hardly any assets targeted across case types.

Classification

The classifications used in our asset taxonomy refer to specific kinds of sensitive data, but not national security information designated as "classified" by the federal government. This dimension refers to any protections or designations that would be afforded to the asset. Our insider threat asset classifications include the following categories:

  • Family Educational Rights and Privacy Act (FERPA): refers to the type of data, such as student education records, protected by the FERPA federal law
  • Federal Tax Information (FTI): a regulated class of information, with specific guidance provided by Internal Revenue Service (IRS) Publication 1075. This classification would be seen in federal, state, or local government organizations.
  • Government-sensitive data: any data that is not classified but is otherwise sensitive and managed by a government entity. This may also include law enforcement sensitive information.
  • Intellectual property (IP): can refer to a number of different kinds of assets, but is that which could be protected via patent, copyright, trademark, etc.
  • Payment card information (PCI): any account information or other personally identifiable information (PII) associated with a payment transaction, or the storage of such data. Organizations would need to follow the Payment Card Industry Data Security Standard (PCI DSS) if they were a processor of such data.
  • Protected health information (PHI): information subject to the protections of the Health Information Portability and Accountability Act (HIPAA), if the organization was a covered entity
  • Personally identifiable information (PII): information about a person (or persons) that, when used alone or in combination, can be used to identify a specific person. Common examples of PII include identifiers like name, birthdate, and Social Security Number (SSN). PII, for our purposes, refers to identifiers not better described as PCI or PHI.
  • Non-public: generally, data involved in insider threat incidents where other classifications do not apply

The graph below shows targeted information assets only, broken down by classification and known incident type. The most commonly identified classification was non-public. Rarely was FERPA information impacted, reflecting the small number of incidents in our corpus affecting the education sector.

The chart is titled Information Assets Targeted in Insider Threat Incidents by Classification and Case Type. For non-public assets, there were 436 assets targeted: 160 fraud, 150 theft of IP, less than 100 sabotage, and the remainder multiple case types. For PII assets, there were 179 assets targeted: 150 fraud and a few of the other case types. For IP assets, there were 93 assets targeted, mostly theft of IP. For PHI assets, there were 41 assets, mostly fraud. PCI assets had 40 assets, nearly all fraud. For FTI assets, 29 assets, fraud. FERPA, 9 assets, fraud. Government-sensitive, 5 assets, fraud. Unknown assets, 3 assets, theft of IP.Specific Assets

The fourth, less rigid, dimension of our taxonomy is the specific asset or assets targeted by the insider. Out of 1,643 total targets across 1,262 insider incidents, we have identified 105 specific assets. Here are some examples.

  • Company funds, part of the "money" asset type. Company funds were exclusively targeted in fraud incidents and accounted for 11.9% of all targeted assets.
  • Proprietary information was the most common target of theft-of-IP incidents, but it was also targeted across all case types. Proprietary information accounted for 3.7% of all targeted assets.
  • Product information, which the taxonomy would classify as intellectual property, was also a common target in thefts of IP. It was also targeted across case types and accounted for 3.7% of all targeted assets.
  • Computer systems were the primary target of IT sabotage incidents, but they were targeted across all case types. Computer systems accounted for 2.5% of all targeted assets.

As seen in the graph below, insiders targeted between 1 and 10 assets per incident.

The chart is titled Number of Assets Targeted in Insider Threat Incidents by Case Type. Of the 1,262 total insiders, nearly 900 targeted only one asset, mostly fraud cases. More than 200 insiders targeted two assets, mostly fraud cases. About 65 insiders targeted three assets, and very few for more than three assets.Over three-quarters (76.2%) of insiders targeted only one asset. Less than one-fifth (17.8%) of insiders targeted two assets. Approximately 1 in 20 (5.2%) insiders targeted three assets or more. Only one insider, in a theft-of-IP incident, targeted as many as 10 assets.

The most commonly targeted assets in fraud incidents were company funds (193 targets, 24.6% of fraud incidents), PII (141 targets, 18.0%), and issued checks (137 targets, 17.5%). Given the nature of fraud incidents, there may have been only one kind of asset targeted, but these assets may have involved multiple records or instances.

The most commonly targeted assets in theft-of-IP incidents were proprietary information (42 targets, 23.7%), product information (39 targets, 22.0%), business plans (26 targets, 14.7%), and source code (20 targets, 11.3%).

The most commonly targeted assets in sabotage incidents were computer systems (27 targets, 15.9%), servers (20 targets, 11.8%), passwords (18 targets, 10.6%), files (15 targets, 8.8%), and data (15 targets, 8.8%).

Protect Your Assets

Organizations can leverage the CERT-RMM and similar frameworks to help categorize and classify their data, which can inform insider risk management activities. Check out the CERT Division's OCTAVE FORTE and OCTAVE Allegro methods for managing information security risks. Learn more about how you can leverage the OCTAVE FORTE process for scoping your insider threat program and assessing insider risk in our presentation from the 2019 RSA Conference.

For questions about the CERT Insider Threat Incident Corpus, contact us at insider-threat-feedback@cert.org.

About the Author