Abstract:
The Insider Threat Security Reference Architecture (ITSRA) provides an enterprise-wide solution to insider threat. The architecture consists of four security layers: Business, Information, Data, and Application. Organizations should deploy and enforce controls at each layer to address insider attacks. None of the layers function in isolation or independently of other layers. Rather, the correlation of indicators and application of controls across all four layers form the crux of this approach. Empirical data consisting of more than 700 cases of insider crimes show that insider attacks proved successful in inflicting damage when an organization failed to implement adequate controls in any of three security principles: authorized access, acceptable use, and continuous monitoring. The ITSRA draws from existing best practices and standards as well as from analysis of these cases to provide actionable guidance for organizations to improve their posture against the insider threat.
Abstract:
A research project at the CERT Program is identifying enterprise architectural patterns to protect against the insider threat to organizations. This report presents an example of such a pattern, Increased Monitoring for Intellectual Property (IP) Theft by Departing Insiders, to help organizations plan, prepare, and implement a means to mitigate the risk of insider theft of IP. Our case data shows that many insiders who stole IP did so within 30 days of their termination. Based on this insight, this pattern helps reduce that risk through increased monitoring of departing insiders during their last 30 days of employment. The increased monitoring suggested by the pattern is above and beyond what might be required for a baseline organizational detection of potentially malicious insider actions. Future work will include development of a library of enterprise architectural patterns for mitigating the insider threat based on the data we have collected. Our goal is for organizational resilience to insider threat to emerge from repeated application of patterns from the library.
Abstract:
This report examines previous research on malicious insiders with particular emphasis on the social and psychological factors that may have influenced the attacker and their behaviours. This research also draws on corresponding studies into fraud and espionage in non-IT scenarios. A range of preventative measures is presented that approach the problem from personnel, policy and technical perspectives. Given the relative scarcity of research into non-technical aspects of malicious insider attacks, further recommendations are also made to study the malicious insiders, involving both government and academic stakeholders. Such research has the potential to provide further preventative measures.
Abstract:
This article is the sixth in the series Spotlight On, published by the CERT Insider Threat Center at Carnegie Mellon University's Software Engineering Institute and funded by CyLab. Each article focuses on a specific area of concern and presents analysis based on hundreds of actual insider threat cases cataloged in the CERT insider threat database. This article focuses on cases in which the malicious insider was employed by a trusted business partner of the victim organization. We first define the concept of trusted business partner (TBP) and then describe case scenarios in which a TBP has become an insider threat. These case scenarios concentrate on presenting the who, what, why, and how of the illicit activity. Finally, we provide recommendations that may be useful in countering these threats.
Abstract:
There exists a critical gap in current insider threat technology. To date, efforts on insider threat have not seriously taken into account the impact of deception by the insider. Needless to say, without a clear understanding of this impact and mechanisms for deception detection, technology for handling insider threat attacks (beyond simple attacks) can only be reactive in nature, which will often be too slow and too late to prevent or even correct the damage done. In this project, we have identified a number of potential technology and research avenues that can provide an essential avenue for developing a dynamic and proactive response to insider threats. The two primary technologies of interest are user modeling and deception detection. First, the application of user modeling technology in a novel manner provides unique capabilities in recognizing various classes of insider threats. User modeling in the past has typically been employed to assist the user, to capitalize on knowledge about his/her previous behavior and current roles to infer goals, motives, and intentions in order to anticipate (predict) and facilitate subsequent actions. We observed that such prediction can be used not only to anticipate a future course for the purpose of facilitating pursuit of that course, but also to detect deviations from that course. The second technology is the detection of deception, where different levels and types of deception and their indicators are modeled.
Abstract:
We describe our ongoing development of an insider threat indicator ontology. Our ontology is intended to serve as a standardized expression method for potential indicators of malicious insider activity, as well as a formalization of much of our team's research on insider threat detection, prevention, and mitigation. This ontology bridges the gap between natural language descriptions of malicious insiders, malicious insider activity, and machine-generated data that analysts and investigators use to detect behavioral and technical observables of insider activity. The ontology provides a mechanism for sharing and testing indicators of insider threat across multiple participants without compromising organization-sensitive data, thereby enhancing the data fusion and information sharing capabilities of the insider threat detection domain.