By Douglas C. Schmidt
As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in quantifying expert judgment, insider threat, detecting and preventing data exfiltration, and developing a common vocabulary for malware analysts. This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website.
Quantifying Uncertainty in Expert Judgment: Initial Results
By Dennis R. Goldensen and Robert W. Stoddard
The work described in this report, part of a larger SEI research effort on Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE), aims to develop and validate methods for calibrating expert judgment. Reliable expert judgment is crucial across the program acquisition lifecycle for cost estimation, and perhaps most critically for tasks related to risk analysis and program management. This research is based on three field studies that compare and validate training techniques aimed at improving the participants’ skills to enable more realistic judgments commensurate with their knowledge.
Justification of a Pattern for Detecting Intellectual Property Theft by Departing Insiders
By Andrew P. Moore, David McIntire, Dave Mundie, and David Zubrow
This paper describes an analysis that justifies applying the pattern “Increased Review for Intellectual Property (IP) Theft by Departing Insiders.” The pattern helps organizations plan, prepare, and implement a strategy to mitigate the risk of insider theft of IP. The analysis shows that organizations can reduce their risk of insider theft of IP through increased review of departing insiders’ actions during a relatively small window of time prior to their departure. Preliminary research results show that approximately 70 percent of insider IP thieves can be caught by following the pattern’s recommendation of reviewing insiders’ actions for theft events during only the last two months of their employment. These results provide practical guidance for practitioners wishing to fine tune the application of the pattern for their organizations. Increased Review for IP Theft by Departing Insiders is part of the CERT Insider Threat Center’s evolving library of enterprise architectural patterns for mitigating the insider threat, based on the Center’s collected data. The Center’s larger goal is to foster greater organizational resilience to insider threat, using repeated application of patterns from the library.
Detecting and Preventing Data Exfiltration Through Encrypted Web Sessions via Traffic Inspection
By George Silowash, Todd Lewellen, Joshua W. Burns, and Daniel L. Costa
Web-based services, such as email, are useful for communicating with others either within or outside of an organization; however, they are a common threat vector through which data exfiltration can occur. Despite this risk, many organizations permit the use of web-based services on their systems. Implementing a method to detect and prevent data exfiltration through these channels is essential to protect an organization’s sensitive documents.
This report presents methods that can be used to detect and prevent data exfiltration using a Linux-based proxy server in a Microsoft Windows environment. Tools such as Squid Proxy, Clam Antivirus, and C-ICAP are explored as means by which information technology (IT) professionals can centrally log and monitor web-based services on Microsoft Windows hosts within an organization. Also introduced is a Tagger tool developed by the CERT Insider Threat Center that enables information security personnel to quickly insert tags into documents. These tags can then be used to create signatures for use on the proxy server to prevent documents from leaving the organization. In addition, the use of audit logs is also explored as an aid in determining whether sensitive data may have been uploaded to an internet service by a malicious insider.
The MAL: A Malware Analysis Lexicon
By Dave Mundie and David McIntire
The lack of a controlled vocabulary for malware analysis is a symptom of the field’s immaturity and an impediment to its growth. Malware analysis is a splintered discipline, with many small teams that for cultural reasons do not, or cannot, readily communicate among themselves; this condition encourages the growth of many local dialects. This report presents the results of the Malware Analysis Lexicon (MAL) initiative, a small project to develop the discipline’s first common vocabulary.
For the latest SEI technical reports and papers, please visit