By Randy Trzeciak,
Senior Member of the Technical Staff
The CERT Program
According to the 2011 CyberSecurity Watch Survey, approximately 21 percent of cyber crimes against organizations are committed by insiders. Of the 607 organizations participating in the survey, 46 percent stated that the damage caused by insiders was more significant than the damage caused by outsiders. Over the past 11 years, CERT Insider Threat researchers have collected incidents related to malicious activity by insiders obtained from a number of sources, including media reports, the courts, the United States Secret Service, victim organizations, and interviews with convicted felons. From these cases, four patterns of insider threat behavior have been identified: (1) information technology (IT) sabotage, (2) fraud, (3) national security/espionage, and (4) theft of intellectual property (IP). From those patterns, our researchers developed controls that combine technological tools with behavioral indicators to identify employees at risk for committing cyber crimes. These tools and indicators provide those who monitor networks a better warning of potential anomalous behavior. This blog posting—the first in a series highlighting controls developed by the CERT Insider Threat Center—explores controls developed to prevent, identify, or detect IP theft.
Motives and Behaviors
By analyzing more than 700 insider threat cases, CERT researchers have identified a series of patterns and behaviors based on the motive of the perpetrator and the impact to an organization. For example, of the documented insider threat cases that we analyzed, 84 incidents are categorized as theft of IP in which employees take information with them as they leave to go to work for a competing organization, use the information to get a job with a competitor, or start their own competing company. In approximately one third of the theft of IP cases in the CERT database, the insider took the information and gave it to a foreign organization or government.
An interesting finding emerged when the researchers analyzed these cases: the majority of the insiders (approximately 70 percent) who steal IP do so within 30 days of announcing their resignation. This window gives an organization an opportunity to detect potential malicious activity. Many organizations do not have the resources to alert and investigate every time a document is sent off the network, so this window allows for focused attention during higher risk periods, thereby reducing the high volume of false positives that continual data leakage identification may return. That finding was used when developing the theft-of-IP technical control outlined in this blog. Based on these observations, we constructed a model of employees who steal information. The model takes into account technological variables, social variables, and the relationships between them.
By studying the patterns in various cases, we observed how the crimes tend to evolve over time, and the trends we noticed provided the foundation for our model. After our researchers established the model, they narrowed their focus to portions of it where controls may be applied to prevent or detect information leaving the organization’s network. For example, they configured a tool to alert on suspicious activity that may indicate a departing employee is stealing intellectual property. An organization can then use an open source, log-aggregation tool to write rules that alert when potentially suspicious activity is observed. For example, analysts can write a query in a log-aggregation tool, such as SPLUNK, to flag employees who meet these criteria:
- Their system accounts were disabled or are scheduled to be disabled in the next 30 days.
- They are sending email through the organization’s network.
- Those emails include attachments.
Analysts can further refine the SPLUNK tool to focus on employees in that group who have resigned within the last 30 days and are sending emails with attachments from personal email accounts. (Much of the activity will probably be authorized, but the approach allows organizations investigating suspicious activity to gain a better idea of what activity warrants additional investigation.)
Our aim with this research is not to create new tools, but rather to allow organizations to configure their existing arsenal so it is more effective at preventing or detecting malicious insider activity. The controls developed by our researchers should be used in addition to existing tools that many organizations already own, including
- Data loss prevention (DLP) tools. These tools allow organizations to prioritize critical assets, and observe when employees are accessing data and when that data is being sent through the network.
- Digital rights management (DRM) tools. These tools allow organizations to require that critical data be validated or authenticated against data on its network. For example, if information was taken off a network, it could not be used on another network, and no one would be able to open it up and view it.
- Security information and event management (SIEM) tools. These tools allow organizations to detect anomalies on networks and networked systems. One example of such an anomaly would be an employee’s login outside of normal working hours using a remote connection.
In the October 2011 SEI technical note titled Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination, CERT researchers Michael Hanley and Joji Montelibano described the controls developed to prevent IP theft. They reported that the primary vehicles for data exfiltration over the network are corporate email systems or web-based personal email services. They therefore concluded that organizations should consider doing the following when trying to prevent, detect, or deter IP theft:
- Monitor for misuse of web-based personal email services. This mode of exfiltration will be addressed in detail in future research.
- Monitor for email to the organization’s competitors or the insider’s personal account. Corporate email accounts running on an enterprise-class service contain robust auditing and logging functionality available for use in an investigation or, in this case, a query to detect suspicious behavior.
Taking these factors into account, an organization can proceed on an implementation strategy for these conditions on a logging engine. Hanley and Montelibano defined the following implementation outline:
If the mail is from the departing insider
and the message was sent in the last 30 days
and the recipient is not in the organization’s domain
and the total bytes summed by day are more than a specified threshold
then send an alert to the security operator
With the time element serving as the root of a query, any of the following could be used to verify the query:
- an active directory
- a lightweight directory access protocol (LDAP) directory service
- partial human resources records
- badge access status
After the query has narrowed the field to all mail sent within a certain timeframe (the 30-day window), the query will next identify mail traffic that has left the local domain namespace of the organization. This constraint flags email messages to recipients in a namespace that the organization has no control over. The next constraint examines the email byte count to identify exfiltrated data. Hanley and Montelibano set a reasonable per-day byte threshold of between 20 and 50 kilobytes to identify whether several attachments or large volumes of text pasted into the bodies of email messages have left an organization’s network on a given day.
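The following is an added example, not code from the SEI post or the technical note, showing how the three SPLUNK criteria above and the Hanley and Montelibano implementation outline combine into one detection run over a mail log in plain Python. It assumes a constructed log format of "timestamp sender recipient bytes", an organization domain of example.org, an account-status feed (as would come from Active Directory, LDAP, or HR records) giving each account's disable date, and the 50-kilobyte upper end of the note's suggested per-day threshold; all of these are assumptions for illustration.

```python
"""Added example: the departing-insider exfiltration rule applied to
constructed mail-log lines. Not code from the SEI post or technical note."""
from collections import defaultdict
from datetime import date, datetime, timedelta

ORG_DOMAIN = "example.org"            # assumption: the organization's mail domain
WINDOW_DAYS = 30                       # the 30-day window described in the post
BYTES_PER_DAY_THRESHOLD = 50 * 1024    # upper end of the note's 20-50 KB range
AS_OF = date(2012, 1, 5)               # constructed "today" for the query run

# Constructed mail-server log: "<timestamp> <sender> <recipient> <bytes>".
# The last line falls outside the 30-day window and must be ignored.
SAMPLE_MAIL_LOG = """\
2012-01-03T09:12:44 alice@example.org bob@example.org 2048
2012-01-03T10:05:01 alice@example.org alice.home@webmail.example 30720
2012-01-03T11:40:19 alice@example.org alice.home@webmail.example 31744
2012-01-04T08:00:00 carol@example.org dave@partner.example 102400
2012-01-05T16:20:33 alice@example.org recruiter@rival.example 4096
2011-11-20T12:00:00 alice@example.org alice.home@webmail.example 204800
"""

# Constructed account-status feed (AD/LDAP/HR/badge system): account -> date
# the account was or will be disabled. Only alice is within the window.
SAMPLE_DISABLE_DATES = {
    "alice@example.org": date(2012, 1, 20),
    "carol@example.org": date(2012, 6, 30),
}


def parse_mail_log(text):
    """Parse log lines into (datetime, sender, recipient, bytes) tuples,
    skipping blank or malformed lines instead of failing the whole run."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, sender, recipient, size = parts
        try:
            records.append((datetime.fromisoformat(ts), sender.lower(),
                            recipient.lower(), int(size)))
        except ValueError:
            continue
    return records


def departing_insiders(disable_dates, as_of, window_days=WINDOW_DAYS):
    """Accounts disabled within the last window or scheduled to be disabled
    within the next window: the population the first criterion selects."""
    lo = as_of - timedelta(days=window_days)
    hi = as_of + timedelta(days=window_days)
    return {acct for acct, d in disable_dates.items() if lo <= d <= hi}


def is_external(recipient, org_domain=ORG_DOMAIN):
    """True when the recipient's domain is neither the org domain nor a subdomain."""
    domain = recipient.rsplit("@", 1)[-1]
    return domain != org_domain and not domain.endswith("." + org_domain)


def daily_external_bytes(records, insiders, as_of,
                         window_days=WINDOW_DAYS, org_domain=ORG_DOMAIN):
    """Sum bytes per (sender, day) for departing insiders' mail to external
    recipients sent within the last window_days."""
    start = as_of - timedelta(days=window_days)
    totals = defaultdict(int)
    for sent_at, sender, recipient, size in records:
        day = sent_at.date()
        if sender not in insiders or not (start <= day <= as_of):
            continue
        if not is_external(recipient, org_domain):
            continue
        totals[(sender, day)] += size
    return dict(totals)


def exfiltration_alerts(log_text, disable_dates, as_of,
                        threshold=BYTES_PER_DAY_THRESHOLD):
    """Return sorted (sender, day, bytes) for each day whose external byte
    total exceeds the threshold; these are the alerts for the operator."""
    records = parse_mail_log(log_text)
    insiders = departing_insiders(disable_dates, as_of)
    totals = daily_external_bytes(records, insiders, as_of)
    return sorted((s, d, b) for (s, d), b in totals.items() if b > threshold)


if __name__ == "__main__":
    for sender, day, total in exfiltration_alerts(
            SAMPLE_MAIL_LOG, SAMPLE_DISABLE_DATES, AS_OF):
        print(f"ALERT {day} {sender} sent {total} bytes to external recipients")
```

On the sample data, only alice's two messages to her personal webmail account on 2012-01-03 add up past the threshold; carol's large external message is ignored because her account is not within the departure window, and alice's November message is outside the 30-day lookback. Lowering the threshold to the 20-kilobyte end of the range produces the same single alert here, which is the kind of tuning an analyst would do against real volumes before relying on the rule.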
Our future research is focusing on verifying that control models are still applicable and on developing new controls to address other modes of insider crime. The next blog post in this series will examine research that developed controls to prevent, detect, or mitigate IT sabotage by insiders.
To read the SEI technical note, Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination, please visit www.cert.org/archive/pdf/11tn024.pdf.
To read the CERT Insider Threat blog, please visit www.cert.org/blogs/insider_threat/.