
    Stopping Insiders before They Attack: Understanding Motivations and Drivers

    Insider attacks are able to evade traditional security controls because the perpetrators of the attack often have legitimate access to protected systems and data. Massive logging of user online activity data (e.g. file access or transfer, use of data storage devices, email records) is collected and analyzed to detect insider attacks (e.g. data theft, fraud, policy violation, etc.). Such techniques are fraught with drawbacks and limitations: 1) the proverbial "needle in a haystack" problem, where very little useful information is found in massive data sets, especially where the incidence of malicious insider activity is very small compared to that of legitimate actors; 2) employee privacy concerns may arise from the company monitoring employee behavior; and 3) these techniques are largely wanting in their accuracy, leading to notably high false positive rates. Perhaps the most salient limitation of these techniques is that the analyses are post hoc: by the time the activity is detected, the insider has already engaged in data theft or exfiltration, the impact of which may not be reversible. This paper discusses the concept of using probes for detection of threats, wherein user intentions to engage in insider attacks can be gauged by sending carefully designed probes that rouse malicious users into acting. In this research, we seek a broad understanding of the scope and relevance of such probes. There are various motivations for users to steal data, including financial gain, patriotic fervor, and disgruntlement with work. In the present experiment, we created simulated conditions to reflect common insider motivations by providing subjects with imagined scenarios, then asking them to take the perspective of insiders in those scenarios and explicate their actions through a series of structured questions that mimic our probes. The results show the effect of different scenarios in motivating the users, and the effectiveness of different probes in eliciting their actions.

    Over-claiming as a Predictor of Insider Threat Activities in Individuals

    Insiders can engage in malicious activities against organizations such as data theft and sabotage. Prior research on insider threat behavior indicates that once motivated to commit malicious activity, insiders seek opportunity where they can act without being detected. In this research we set up an experiment where we leverage this opportunistic behavior and present participants with messages signaling opportunity for data theft. In the experiment, students were engaged in routine tasks with a bonus based on their performance. While working on their assigned tasks, they were presented with opportunities (probes) to steal data that would increase their payout. Their pre- and post-probe behavior was observed to test whether they engaged in behavior deemed suspicious once they received the probe. The goal of the project is to test whether the over-claiming personality trait is a predictor of malicious insider behavior; this trait was measured through the Over-Claiming Questionnaire developed by Paulhus (Paulhus et al. 2003). The results indicated that over-claiming proved to be a strong predictor of malicious insider behavior.

    Using Active Probes to Detect Insiders Before They Steal Data

    This paper discusses the use of active probes to detect insider threats ahead of their manifestation, as opposed to current detection techniques, which have generally indicated the presence of a threat post hoc. Users become motivated to engage in insider theft for a variety of reasons such as greed, disgruntlement, anger, patriotism, and social justice. Once motivated, they seek opportunities for data theft, are careful to avoid detection, and often rationalize their behavior, which allows them to blur the line between moral and immoral action. Our experimental protocol involves presenting users with active probes, cues that signal an opportunity to steal data. We test the effectiveness of the probes by measuring user search and exfiltration behavior before and after the introduction of the probe. The effects of two different probes on student exfiltration behavior were tested in a laboratory setting. Both probes resulted in an increase in curiosity and theft-related behaviors.