Defense against Insider Threat: a Framework for Gathering Goal-based Requirements

Insider threat is becoming comparable to outsider threat in frequency of security events. This is a worrying situation, since insider attacks have a high probability of success because insiders have authorized access and legitimate privileges. Despite their importance, insider threats are still not properly addressed by organizations. We contribute to reverse this situation by introducing a framework composed of a method for identification and assessment of insider threat risks and of two supporting deliverables for awareness of insider threat. The deliverables are: (i) attack strategies structured in four decomposition trees, and (ii) a matrix which correlates defense strategies, attack strategies and control principles. The method output consists of goal-based requirements for the defense against insiders

Insider Threat

A concerned serviceman observes his counterpart acting erratically – plotting to cripple or contaminate the entire water system of a U.S. Army base. Suspicious behaviors observed over the course of a year point to a potential insider threat. Insider threats are so dangerous because they are a betrayal of trust. Foundational to the U.S. military is the trust between service members. Erratic behavior doesn’t automatically indicate a possible insider threat, nor should service members spend their days suspicious of their colleagues. In a time when technology has empowered soldiers to be more effective and efficient, these threats are increasingly hazardous. How can we create a culture of awareness and support to catch problems early and disrupt a possible insider threat before it ever exists?https://digitalcommons.usmalibrary.org/aci_books/1025/thumbnail.jp

Modeling Expert Judgments of Insider Threat Using Ontology Structure: Effects of Individual Indicator Threat Value and Class Membership

We describe research on a comprehensive ontology of sociotechnical and organizational factors for insider threat (SOFIT) and results of an expert knowledge elicitation study. The study examined how alternative insider threat assessment models may reflect associations among constructs beyond the relationships defined in the hierarchical class structure. Results clearly indicate that individual indicators contribute differentially to expert judgments of insider threat risk. Further, models based on ontology class structure more accurately predict expert judgments. There is some (although weak) empirical evidence that other associations among constructs—such as the roles that indicators play in an insider threat exploit—may also contribute to expert judgments of insider threat risk. These findings contribute to ongoing research aimed at development of more effective insider threat decision support tools

Assessing the Usefulness of Visualization Tools to Investigate Hidden Patterns with Insider Attack Cases

The insider threat is a major concern for organizations. Open markets, technological advances, and the evolving definition of employee have exacerbated the insider threat. Insider threat research efforts are focusing on both prevention and detection techniques. However, recent security violation trends highlight the damage insider attacks cause organizations and illuminate why organizations and researchers must develop new approaches to this challenge. Although fruitful research is being conducted and new technologies are being applied to the insider threat problem, companies remain susceptible to the costly damage generated by insider threat actions. This research explored how visualization tools may be useful in highlighting patterns or relationships in insider attack case data and sought to determine if visualization software can assist in generating hypotheses for future insider threat research. The research analyzes cases of insider attack crimes committed during the period of 1998 to 2004 with an information visualization tool, IN-SPIRE. The results provide some evidence that visualization tools are useful in both finding patterns and generating hypotheses. By identifying new knowledge from insider threat cases, current insider threat models may be refined and other potential solutions may be discovered

The Insider Threat

The Insider threat is defined similarly by experts in the information technology world for businesses, but addressing the threat has not been of great focus for most organizations. Technology and the Internet have grown exponentially over the past decade leading to changes in how business is conducted. Some basic business practices remain the same; protect the organization and its customers from breach of privacy. How data is gathered, stored, and retrieved has changed. Protecting the perimeter is still important, but these changes in technology now open the doors to a new threat; one that is known but not commonly protected against; the insider. Whether intentionally, or accidentally, the insider threat needs to be incorporated into the currently used security architectures and best practices. How should an organization include the insider threat to the current architecture is the question. Changes need to be made by organizations to the current security architecture. Currently, using technology is not enough, but is still necessary. In order to make it better, considering the employee as a whole and the daily activities necessary to complete a job, as well as working with other business units as a whole needs to be included in the architecture. Behavioral traits can be considered but there are issues in privacy that also need to be considered. Monitoring can be done, but that should not be the only thing considered. Employees lack knowledge as to why actions can have a negative effect on an organization and the way to address this is education. Educating end users is necessary and should be performed regularly to keep not just the technologically inclined up to date. Without education, the current technology used will continue to keep out the intruders, but will not be effective enough to protect against intentional and accidental misuse of the organization and its networks

A unified classification model to insider threats to information security

Prior work on insider threat classification has adopted a range of definitions, constructs, and terminology, making it challenging to compare studies. We address this issue by introducing a unified insider threat classification model built through a comprehensive and systematic review of prior work. An insider threat can be challenging to predict, as insiders may utilise motivation, creativity, and ingenuity. Understanding the different types of threats to information security (and cybersecurity) is crucial as it helps organisations develop the right preventive strategies. This paper presents a thematic analysis of the literature on the types of insider threats to cybersecurity to provide cohesive definitions and consistent terminology of insider threats. We demonstrate that the insider threat exists on a continuum of accidental, negligent, mischievous, and malicious behaviour. The proposed insider threat classification can help organisations to identify, implement, and contribute towards improving their cybersecurity strategies

Insider Threat Detection in PRODIGAL

This paper reports on insider threat detection research, during which a prototype system (PRODIGAL) was developed and operated as a testbed for exploring a range of detection and analysis methods. The data and test environment, system components, and the core method of unsupervised detection \ of insider threat leads are presented to document this work and benefit others working in the insider threat domain. \ \ We also discuss a core set of experiments evaluating the prototype’s ability to detect both known and unknown malicious insider behaviors. The experimental results show the ability to detect a large variety of insider threat scenario instances imbedded in real data with no prior knowledge of what scenarios \ are present or when they occur. \ \ We report on an ensemble-based, unsupervised technique for detecting potential insider threat instances. When run over 16 months of real monitored computer usage activity augmented with independently developed and unknown but realistic, insider threat scenarios, this technique robustly achieves results within five percent of the best individual detectors identified after the fact. We discuss factors that contribute to the success of the ensemble method, such as the number and variety of unsupervised detectors and the use of prior knowledge encoded in detectors designed for specific activity patterns. \ \ Finally, the paper describes the architecture of the prototype system, the environment in which we conducted these experiments and that is in the process of being transitioned to operational users