Skip to content

Keeping Insiders Out

INTELLECTUAL PROPERTY theft accounts for only a tiny proportion of cybercrimes against businesses, but it represents the most costly type of cybercrime, according to a report from the Bureau of Justice Statistics. The tab is estimated at $250 billion annually. And those thefts are committed most frequently by insiders.

Insider threats pose a unique challenge to companies because they come from individuals with access and privilege within the organization’s network. Although intrusion detection systems must pinpoint anyone accessing the network without permission, insider threat detection must root out someone who has permission but uses it inappropriately.

Insider threat detection also requires a commitment from company leadership, says Michael Grimaila of the Air Force Institute of Technology. “It’s a low probability, high impact type of activity you’re looking for. So, only in certain limiting environments will you have leadership support willing to really look closely for this,” says Grimaila. He says in the private sector, it’s often financial services companies that emphasize insider threats.

Grimaila is one of several researchers attempting to help companies use tools they may already have for insider threat detection. One such approach is the use of network logging. Logging involves any type of network device (such as workstations, servers, firewalls) that can generate a list of events, essentially an audit trail.

Grimaila and others are currently attempting to study how effective it would be to use programs that pull together certain events from various logs to ascertain early signs of possible insider activity. For example, when a user tries to open a folder that isn’t his or her own, that might be a mistake, or it might be the sign of something more. Combining various logs would allow the system to detect more events and better understand when several anomalous actions add up to questionable insider activity.

One of the reasons this approach appeals to Grimaila is that logs are widely available at organizations, although he says many security professionals don’t currently use logs to their full potential.

There are possible drawbacks to using logs to detect insider theft, however. One is the amount of storage space needed for log and event storage. Grimaila says one solution is doing event correlation at the device level and sending notable events as “synthetic events” back to be stored on the server instead of the full logs.

Also looking at ways to spot early red flags of suspicious insider activity are researchers from the MITRE Corporation and Georgetown University. They are scheduled to publish their findings in the November/December 2009 issue of IEEE Security & Privacy magazine. The new findings draw on earlier work the researchers completed in developing a prototype called ELICIT, which was unveiled a few years ago as a tool to help analysts investigate insider threats.

“In order to help differentiate what could be suspicious behavior from benign, we used what I think of as a home field advantage,” says Gregory D. Stephens of MITRE, one of the researchers.

He explains the home field advantage this way: “Companies and organizations in general know something about their people who work for them…. This is all contextual information, which, as we found, is an essential thing to help differentiate what looks suspicious from the benign behavior.”

Stephens says he also collected context about users and the information they come into contact with and developed detectors that look for ways individuals stand out.

For their latest work, the group of researchers, which now includes a behavioral psychologist, gave two groups of participants the identical goal of collecting information from within MITRE’s intranet. However, one group had the benign intent of wanting to perform a good job so that they might get a raise and promotion, while the malicious group’s rewards were contingent on collecting inside information that would “provide a competitive advantage in a major federal acquisition.”

Both groups were supposed to have fallen on hard financial times. Researchers found that malicious users have statistically more logons and logoffs than benign participants, which the study asserts may have been an attempt to cover up “bad behavior.”

Another finding showed a significant correlation between malicious users and the use of cached search engine results, which can help avoid detection. Lastly, malicious users are more likely to save large amounts of data to the hard drive, employing a “grab and go” approach that is also signified by bursts of downloads.

The researchers also asked participants which intranet security measures they found effective. Among the most effective measures were pop ups and reminders, which warn malicious users that there is monitoring software on the computer.

The work is funded by the Institute for Information Infrastructure Protection (I3P). I3P’s aim is to improve cyber infrastructure, and the group has released tips on preventing the insider threat. Although I3P advises securing the network infrastructure, it also recommends making employees the first line of defense.

Mark Maybury, executive director of MITRE’s IT division, echoes that. “We tend to look for technical solutions, and oftentimes it’s very important to recognize the human factor…. The only person who can judge if somebody’s breached trust is in fact another human.”

The other experts agree with that view and stress that there is no one perfect tool that will detect all intruders; there must always be a human component to the programs.