Visible to the public Identifying indicators of insider threats: Insider IT sabotage

TitleIdentifying indicators of insider threats: Insider IT sabotage
Publication TypeConference Paper
Year of Publication2013
AuthorsClaycomb, W. R., Huth, C. L., Phillips, B., Flynn, L., McIntire, D.
Conference Name2013 47th International Carnahan Conference on Security Technology (ICCST)
Keywordsattack planning, chronological timelines, Databases, Educational institutions, Human Behavior, indicators, information technology, insider IT sabotage, insider threat, insider threat cases, insider threats indicators, Materials, Metrics, Organizations, policy-based governance, pubcrawl, resilience, Resiliency, sabotage, security, security of data, Sociotechnical, software engineering, software installation, Weapons
AbstractThis paper describes results of a study seeking to identify observable events related to insider sabotage. We collected information from actual insider threat cases, created chronological timelines of the incidents, identified key points in each timeline such as when attack planning began, measured the time between key events, and looked for specific observable events or patterns that insiders held in common that may indicate insider sabotage is imminent or likely. Such indicators could be used by security experts to potentially identify malicious activity at or before the time of attack. Our process included critical steps such as identifying the point of damage to the organization as well as any malicious events prior to zero hour that enabled the attack but did not immediately cause harm. We found that nearly 71% of the cases we studied had either no observable malicious action prior to attack, or had one that occurred less than one day prior to attack. Most of the events observed prior to attack were behavioral, not technical, especially those occurring earlier in the case timelines. Of the observed technical events prior to attack, nearly one third involved installation of software onto the victim organizations IT systems.
DOI10.1109/CCST.2013.6922038
Citation Keyclaycomb_identifying_2013