Controls and Indicators
The same commercial tools, techniques, and procedures to combat insider threats have been used for the past decade. One reason for that is that malicious activity by insiders looks like their authorized day-to-day online activity. As a result, many insider threat detection tools produce so many false positives that the tools are unusable.
After studying the patterns in the different types of insider crimes, we created the CERT insider threat lab to test technical solutions and create new ones. We research how to use controls and indicators based on our wealth of socio-technical information on insider crimes, to prevent, detect, and respond to insider attacks.
Insider Threat Control: Using Plagiarism Detection Algorithms to Prevent Data Exfiltration in Near Real Time
In organizations with access to the internet, the potential for data leakage is ever present. The insider threat control described in this technical note can monitor web request traffic for text-based data exfiltration attempts and block them in real time. Using this control can help an organization protect text-based intellectual property, including source code repositories.
As part of the plagiarism detection control, the Insider Threat team offers two control systems code samples:
- WebDLPIndexer, a Java agent, assists with the implementation of the team's data loss prevention (DLP) control
- WebDLP Client forwards outgoing web requests to the WebDLPIndexer agent for comparison against an index of intellectual property
Download WebDLPIndexer and WebDLPClient.
Detecting and Preventing Data Exfiltration Through Encrypted Web Sessions via Traffic Inspection
This report describes how organizations can detect and prevent data exfiltration over encrypted web sessions on their networks.
Using a SIEM Signature to Detect Potential Precursors to IT Sabotage
This blog post describes the development and proposed application of a Security Information and Event Management (SIEM) signature to detect possible malicious insider activity leading to IT sabotage. (See also the Insider Threat Control Demonstration: IT Sabotage - Outsider Collusion.)
Using Centralized Logging to Detect Data Exfiltration Near Insider Termination
The Insider Threat Center's behavioral modeling of insiders who steal intellectual property shows that many insiders who stole their organization's intellectual property stole at least some of it within 30 days of their termination.