Chronological Examination of Insider Threat Sabotage: Preliminary Observations
William R. Claycomb+, Carly L. Huth, Lori Flynn, David M. McIntire, and Todd B. Lewellen
CERT Insider Threat Center, Carnegie Mellon University, Pittsburgh, Pennsylvania, USA
{claycomb, clhuth, lflynn, dmmcintire, tblewellen}@cert.org
Abstract
The threat that malicious insiders pose to organizations is persistent and increasing. We examine 15 real cases of insider sabotage of IT systems to identify several key points in the attack timeline, such as when the insider clearly became disgruntled, when attack preparations began, and when the attack was carried out. We also determine when the attack stopped, when it was detected, and when action was taken against the insider. We found that 7 of the insiders we studied clearly became disgruntled more than 28 days prior to the attack, but 9 did not carry out malicious acts until less than a day prior to the attack. Of the 15 attacks, 8 ended within a day, 12 were detected within a week, and in 10 cases action was taken against the insider within a month. This exercise is a proof of concept for future work on larger data sets; in this paper we detail our study methods and results, discuss the challenges we faced, and identify potential new research directions.
Keywords: insider threat, sabotage, security
+ Corresponding author: 4500 Fifth Avenue, Pittsburgh, PA 15213-2612 USA, Tel: +1-412-268-5800
Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Vol. 3, No. 4, pp. 4-20, December 2012