Coordinated Response
Services and tools for incident response management

US-CERT: Combating Insider Threat

A High-Level View to Help Inform Senior Management

The US-CERT Web Site offers a five-page paper on “Combating Insider Threat”.

This well-written document summarizes the nature of the threat and an approach to detecting and deterring malicious insider activity. The paper is valuable for two reasons:

  1. It is the right document from the right source to inform executive leadership and board members on the importance of addressing insider threats; and
  2. It provides a strong set of references, good resources for informing an effective program to address insider threat.

First, Consider the Insider

The paper describes the characteristics of “an Insider at Risk of Becoming a Threat” – characteristics that executive leadership will recognize. The characteristics of a troubled employee – for example, rebellious or passive-aggressive behavior, or a low tolerance for criticism – may lead to difficulties in a number of ways, including a cyber incident.

The paper then identifies “Behavioral Indicators of Malicious Threat Activity” – indicators such as an employee's interest in areas outside the scope of their responsibility, or an employee accessing the network at odd hours or while on vacation or sick leave. Monitoring employee activity against such indicators is an important part of identifying potential threats.
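One way to turn two of those indicators (odd-hours access and access while on leave) into a check over authentication logs, as an added example that is not from the US-CERT paper or from Coordinated Response: the log line format, the business-hours window, the sample events and the HR leave calendar are all constructed for illustration and would be replaced by the organization's own feeds.

```python
"""Flag login events that match two behavioral indicators from the paper:
access at odd hours and access while the employee is on leave.
Added example; the events, leave calendar and business hours are constructed."""

from collections import Counter
from datetime import date, datetime, time

# Constructed sample auth log: "<ISO timestamp> <user> <action> <outcome>"
SAMPLE_EVENTS = [
    "2016-03-07T09:12:44 alice vpn-login success",   # Monday, business hours
    "2016-03-08T02:41:05 alice vpn-login success",   # 02:41, odd hours
    "2016-03-09T10:03:19 bob vpn-login success",     # normal
    "2016-03-14T11:30:00 bob vpn-login success",     # bob is on leave that week
    "2016-03-12T14:00:00 carol vpn-login success",   # Saturday
    "2016-03-10T23:55:10 dave vpn-login failure",    # late night, failed attempt
]

# Constructed HR leave feed: user -> inclusive (start, end) date ranges
LEAVE_CALENDAR = {
    "bob": [(date(2016, 3, 14), date(2016, 3, 18))],
}

# Assumed business window; tune to the organization and each user's baseline
BUSINESS_START = time(7, 0)
BUSINESS_END = time(20, 0)


def parse_event(line):
    """Split one log line into a dict; the format is the constructed one above."""
    ts, user, action, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "outcome": outcome}


def is_odd_hours(ts):
    """Weekend, or a weekday outside the assumed business window."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def is_on_leave(user, day, calendar=LEAVE_CALENDAR):
    """True if the HR feed says the user is on leave on that calendar day."""
    return any(start <= day <= end for start, end in calendar.get(user, []))


def check_line(line, calendar=LEAVE_CALENDAR):
    """Return the indicator names that a single event trips (empty if none)."""
    ev = parse_event(line)
    reasons = []
    if is_odd_hours(ev["ts"]):
        reasons.append("odd-hours")
    if is_on_leave(ev["user"], ev["ts"].date(), calendar):
        reasons.append("on-leave")
    return reasons


def flag_events(lines, calendar=LEAVE_CALENDAR):
    """Return (user, timestamp, reasons) for every event that trips an indicator."""
    findings = []
    for line in lines:
        reasons = check_line(line, calendar)
        if reasons:
            ev = parse_event(line)
            findings.append((ev["user"], ev["ts"].isoformat(), reasons))
    return findings


def per_user_counts(findings):
    """Count flagged events per user: one odd-hours login is usually noise,
    a repeated pattern is what an analyst should review."""
    return Counter(user for user, _, _ in findings)


if __name__ == "__main__":
    hits = flag_events(SAMPLE_EVENTS)
    for user, ts, reasons in hits:
        print(f"{ts} {user}: {', '.join(reasons)}")
    print(dict(per_user_counts(hits)))
```

A fixed business window is the simplest baseline; in practice the "odd hours" test should compare each login against that user's own historical pattern, and the leave check depends on the HR feed being current, so both are starting points for an analyst rather than automatic verdicts.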

Then, Detect and Deter

The paper identifies technologies for detection and deterrence. These include data-centric security (data and file encryption, data access control and monitoring, and data loss prevention), intrusion detection and prevention systems, and enterprise identity and access management. The paper helps make the case for using these technologies.

The paper also describes the social science behind deterrence strategies – strategies equally applicable to fraud, cybersecurity, and other bad behavior.

Finally, References and Resources

The paper cites 32 references, 29 with online links. I strongly recommend downloading the paper and perusing the links for those that might enhance your insider threat program.

It starts with a link to the Carnegie Mellon CERT Insider Threat web site.

Coordinated Response

The paper focuses on how to deter and detect insider threats. We focus on the coordinated response to an insider incident. We can help make the case to executive leadership for building an effective insider threat program.

Let us help you with a response plan review that considers your information security risk assessment.