Chronological Examination of Insider Threat Sabotage:
Preliminary Observations

William R. Claycomb+, Carly L. Huth, Lori Flynn, David M. McIntire, and Todd B. Lewellen

CERT Insider Threat Center

Carnegie Mellon University

Pittsburgh, Pennsylvania, USA

{claycomb, clhuth, lflynn, dmmcintire, tblewellen}@cert.org

Abstract

The threat of malicious insiders to organizations is persistent and increasing. We examine 15 real cases of insider threat sabotage of IT systems to identify several key points in the attack timeline, such as when the insider clearly became disgruntled, began attack preparations, and carried out the attack. We also determine when the attack stopped, when it was detected, and when action was taken on the insider. We found that 7 of the insiders we studied clearly became disgruntled more than 28 days prior to attack, but 9 did not carry out malicious acts until less than a day prior to attack. Of the 15 attacks, 8 ended within a day, 12 were detected within a week, and in 10 cases action was taken on the insider within a month. This exercise is a proof-of-concept for future work on larger data sets, and in this paper we detail our study methods and results, discuss challenges we faced, and identify potential new research directions.

Keywords: insider threat, sabotage, security

+: Corresponding author: 4500 Fifth Avenue, Pittsburgh, PA 15213-2612 USA, Tel: +1-412-268-5800

Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Vol. 3, No. 4, pp. 4-20, December 2012