Impact and Key Challenges of Insider Threats on Organizations and Critical Businesses
1.1. Context and Scope
1.2. Our Contribution
- As a novel contribution to the literature, we identified the relevance of insider threat to the cyber kill chain and its propagation through different phases.
- We evaluated the current state of the art (threat landscape) in terms of understanding the nature of insider threat, assessing associated risks, highlighting the effectiveness of techniques in detecting and mitigating risks, and propose enhancements for mitigating the impact of such threats.
- We highlighted open problems and future directions for addressing insider threats in different forms targeting several subsystems of the organization.
1.3. Paper Organization
2. Understanding the Nature of Insider Threats
2.1. Types of Insiders
2.2. Goals for Insider Attacks
3. Attack Vectors and Techniques
3.1. Privilege Escalation Techniques
3.2. Exfiltration Attacks
3.3. Phishing Emails and APTs
4. Cyber Kill Chain
4.4. Exploitation and Installation
4.5. Command and Control (C2)
4.6. Intrusion and Takeover Complete
5. Defense Strategies
5.1. Definitions of Security Policies Regarding Insider Threats
5.2. Pre-Employment and Monitoring Suspicious or Disruptive Behavior
5.3. Prevention of Data Exfiltration Methods
5.4. Strict Access Controls and Monitoring Policies for Privileged Users
5.5. Separation of Duties
5.6. Segregation of Duties
5.7. Indicators of Compromise (IOC)
- Record of physical access to the office areas including restricted and sensitive areas,
- Record of access to hosts and servers,
- Database activities,
- Vulnerability data,
- Individual user activities,
- Configuration data,
- Security device logs,
- Application activity logs,
- Active directory.
5.8. Human Behavioral and Psychological Approaches
5.9. Organizational Risks and Ethical/Privacy Considerations
5.10. Detecting Insider Threats by Monitoring Disruptive Behavior
5.10.1. Detection by Monitoring Disruptive Behavior
5.10.2. Detection by Automated Tools
5.10.3. Detection by Human Signals
6. Open Problems and Future Directions
6.1. Open Problems Related to the Insider Threat
6.2. Future Directions for Addressing the Insider Threat Categories
6.2.1. Collaborative Insider Threat
6.2.2. Insider Threat on Personal Devices
6.2.3. Trusted Insiders Exploiting Personally Identifiable Information (PII)
6.2.4. Malicious Insiders in the Cloud Environment
6.2.5. Corporate Insider Threat
6.2.6. Insider Threat in Organizational IT Systems
6.2.7. Combat Insider Threat in Enterprise Business
6.2.8. Insider Threat via Social Engineering
Conflicts of Interest
- Omar, M. Insider Threats: Detecting and Controlling. In New Threats and Countermeasures in Digital Crime and Cyber Terrorism; IGI Global: Hershey, PA, USA, 2015; p. 162. [Google Scholar]
- Barrios, R.M. A multi-leveled approach to intrusion detection and the insider threat. J. Inf. Secur. 2013, 4, 54–65. [Google Scholar] [CrossRef][Green Version]
- Cost of Insider Threats Global Report, Observer IT. 2020. Available online: https://www.observeit.com/cost-of-insider-threats (accessed on 25 June 2020).
- European Union Agency for Network and Information Security (ENISA). ENISA Threat Landscape Report. 15 Top Cyber-Threats and Trends, Heraklion. 2016. Available online: https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2016 (accessed on 27 April 2020).
- European Union Agency for Network and Information Security (ENISA). ENISA Threat Landscape Report. 15 Top Cyber-Threats and Trends, Heraklion. 2018. Available online: https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018 (accessed on 16 June 2020).
- CPNI Insider Data Collection Study. Centre for the Protection of National Infrastructure: London, UK, 2013. Available online: https://www.cpni.gov.uk/system/files/documents/63/29/insider-data-collection-study-report-of-main-findings.pdf (accessed on 25 April 2020).
- Warkentin, M.; Willison, R. Behavioral and policy issues in information systems security: The insider threat. Eur. J. Inf. Syst. 2009, 18, 101–112. [Google Scholar] [CrossRef]
- Yang, S.C.; Wang, Y.L. Insider threat analysis of case based system dynamics. Adv. Comput. Int. J. ACIJ 2011, 2, 1–17. [Google Scholar] [CrossRef]
- Trzeciak, R.F. SEI Cyber Minute: Insider Threats. 2017. Available online: http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=496626 (accessed on 15 June 2020).
- Insider Threats Survey. April 2011. Available online: https://media.kasperskycontenthub.com/wp-content/uploads/sites/31/2011/07/07061213/insider_threats_survey.pdf (accessed on 7 June 2002).
- Liu, L.; de Vel, O.; Han, Q.; Zhang, J.; Xiang, Y. Detecting and preventing cyber insider threats: A survey. IEEE Commun. Surv. Tutor. 2018, 20, 1397–1417. [Google Scholar] [CrossRef]
- Homoliak, I.; Toffalini, F.; Guarnizo, J.; Elovici, Y.; Ochoa, M. Insight into insiders and it: A survey of insider threat taxonomies, analysis, modeling, and countermeasures. ACM Comput. Surv. 2019, 52. [Google Scholar] [CrossRef][Green Version]
- Gheyas, I.A.; Ali, E.A. Detection and prediction of insider threats to cyber security: A systematic literature review and meta-analysis. Big Data Anal. 2016, 1, 1–29. [Google Scholar] [CrossRef][Green Version]
- Cappelli, D.M.; Moore, A.P.; Trzeciak, R.F. The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud). Addison-Wesley. Available online: http://ptgmedia.pearsoncmg.com/images/9780321812575/samplepages/9780321812575.pdf (accessed on 27 May 2020).
- Insider Threat, Imperva. Available online: https://www.imperva.com/learn/application-security/insider-threats (accessed on 7 May 2020).
- Compromised Insider, The Problems It Causes Organisations? Cyberseer. Available online: https://www.cyberseer.net/solutions-and-services/common-threats/compromise-insider (accessed on 18 June 2020).
- Ponemon, L. Cost of Data Breach Study: Global Analysis. Poneomon Institute Sponsored by Symantec. 2013. Available online: https://www.ponemon.org/local/upload/file/2013%20Report%20GLOBAL%20CODB%20FINAL%205-2.pdf (accessed on 3 June 2020).
- Intelligence and National Security Alliance (INSA). Categories of Insider Threats. 2019. Available online: https://www.insaonline.org/wp-content/uploads/2019/10/INSA_WP_Categories_of_Insider_Threats-1.pdf (accessed on 13 June 2020).
- Moore, A.P.; Cappelli, D.M.; Caron, T.C.; Shaw, E.; Spooner, D.; Trzeciak, R.F. A preliminary Model of Insider Theft of Intellectual Property (No. MU/SEI-2011-TN-013). Carnegie Mellon University’s Software Engineering Institute: Pittsburgh, PA, USA, 2011. Available online: https://resources.sei.cmu.edu/asset_files/TechnicalNote/2011_004_001_15362.pdf (accessed on 5 June 2020).
- Greitzer, F.L.; Strozer, J.; Cohen, S.; Bergey, J.; Cowley, J.; Moore, A.; Mundie, D. Unintentional insider threat: Contributing factors, observables, and mitigation strategies. In Proceedings of the 47th Hawaii International Conference on System Sciences, Waikoloa, HI, USA, 6–9 January 2014; pp. 2025–2034. [Google Scholar]
- White, S.J. Assessing Cyber Threats and Solutions for Municipalities. In Cyber-Physical Security; Springer: New York, NY, USA, 2017; pp. 49–65. [Google Scholar]
- Nurse, J.R.; Buckley, O.; Legg, P.A.; Goldsmith, M.; Creese, S.; Wright, G.R.; Whitty, M. Understanding insider threat: A framework for characterising attacks. In Proceedings of the 2014 IEEE International Symposium on Security and Privacy Workshops (SPW), San Jose, CA, USA, 17–18 May 2014; pp. 214–228. [Google Scholar]
- Cassidy, T. Workplace Violence and Insider Threat. 2018. Available online: https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=525011 (accessed on 1 June 2020).
- Umawing, J. Workplace Violence: The Forgotten Insider Threat. 2018. Available online: https://blog.malwarebytes.com/101/2018/10/workplace-violence-the-forgotten-insider-threat (accessed on 30 May 2020).
- Haggard, S.; Lindsay, J.R. North Korea and the Sony Hack: Exporting Instability Through Cyberspace; AsiaPacific Issues 117; East-West Center: Honoloulu, HI, USA, 2015; pp. 1–8. [Google Scholar]
- Gupta, S.; Kumar, P. Taxonomy of cloud security. Int. J. Comput. Sci. Eng. Appl. 2013, 3, 47–52. [Google Scholar] [CrossRef][Green Version]
- Jaafar, F.; Nicolescu, G.; Richard, C. A systematic approach for privilege escalation prevention. In Proceedings of the IEEE International Conference on Software Quality, Reliability and Security Companion (QRS-C), Vienna, Austria, 1–3 August 2016; IEEE: New York, NY, USA, 2016; pp. 101–108. [Google Scholar]
- Tsoutsos, N.G.; Maniatakos, M. Fabrication attacks: Zero-overhead malicious modifications enabling modern microprocessor privilege escalation. IEEE Trans. Emerg. Top. Comput. 2014, 2, 81–93. [Google Scholar] [CrossRef]
- Janssen, C. Data Exfiltration. Techopedia. 2015. Available online: http://www.techopedia.com/definition/14682/data-exfiltration (accessed on 28 April 2020).
- Giani, A.; Berk, V.H.; Cybenko, G.V. Data exfiltration and covert channels. Proc. SPIE 2006, 6201. [Google Scholar] [CrossRef]
- Clark, J.; Leblanc, S.; Knight, S. Risks associated with USB hardware Trojan devices used by insiders. In Proceedings of the IEEE International Conference on Systems Conference (SysCon), Montreal, QC, Canada, 4–7 April 2011; pp. 201–208. [Google Scholar]
- Cleghorn, L. Network Defense Methodology: A Comparison of Defense in Depth and Defense in Breadth. J. Inf. Secur. 2013, 4, 144–149. [Google Scholar] [CrossRef][Green Version]
- Pernet, C. AIRBUS, APT Kill Chain—Part 3: Reconnaissance. 2014. Available online: https://airbus-cyber-security.com/apt-kill-chain-part-3-reconnaissance (accessed on 30 April 2020).
- Gates, S. Threat Intelligence Predictions Report, NSFOCUS 2017. Available online: http://blog.nsfocusglobal.com/wp-content/uploads/2017/02/TI-2017_Predictions_Report__v4.pdf (accessed on 2 May 2020).
- Harrysson, M.; Metayer, E.; Sarrazin, H. How social intelligence can guide decisions. McKinsey Q. 2012, 4, 81–89. [Google Scholar]
- Shullich, R. Risk Assessment of Social Media. The SANS Institute USA. 2012. Available online: https://www.sans.org/reading-room/whitepapers/riskmanagement/paper/33940 (accessed on 7 May 2020).
- Giura, P.; Wang, W. A context-based detection framework for advanced persistent threats. In Proceedings of the 2012 International Conference on Cyber Security (CyberSecurity), Washington, DC, USA, 14–16 December 2012; pp. 69–74. [Google Scholar]
- Potts, M. Internal Network Visibility for APTs and Insider Threats. Lancope, Inc.: Alpharetta, GA, USA, 2016. Available online: https://www.insightssuccess.com/lancope-preeminent-network-visibility-and-security-intelligence/ (accessed on 15 May 2020).
- Hutchins, E.M.; Cloppert, M.J.; Amin, R.M. Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. In Proceedings of the 6th International Conference on Information Warfare and Security, Washington, DC, USA, 16–18 March 2011; pp. 80–81. [Google Scholar]
- Ray, L.; Felch, H. Detecting advanced persistent threats in oracle databases: Methods and techniques. In Strategic Information Systems and Technologies in Modern Organizations; IGI Global: Hershey, PA, USA, 2017; pp. 71–89. [Google Scholar]
- Scott, J.; Spaniel, D. In 2017, The Insider Threat Epidemic Begins. Institute for Critical Infrastructure Technology, February 2017. Available online: https://icitech.org/wp-content/uploads/2017/02/ICIT-Brief-In-2017-The-Insider-Threat-Epidemic-Begins.pdf (accessed on 14 June 2020).
- Kuo, J. Data Reconnaissance and Injection. Ph.D. Thesis, California State Polytechnic University, Pomona, CA, USA, 2017. [Google Scholar]
- Olavsrud, T. 11 Steps Attackers Took to Crack Target. 2014. Available online: https://www.cio.com/article/2600345/11-steps-attackers-took-to-crack-target.html (accessed on 18 May 2020).
- A Kill Chain Analysis of the 2013 Target Data Breach. Committee on Commerce, Science and Transportation. 2014. Available online: https://www.omegasecure.com/wp-content/uploads/2016/03/Target_Kill_Chain_Analysis_FINAL-1.pdf (accessed on 21 May 2020).
- CERT. Common Sense Guide to Mitigating Insider Threats, 4th Edition, United States, Carnegie Mellon Software Engineering Institute. 2012. Available online: https://resources.sei.cmu.edu/asset_files/TechnicalReport/2019_005_001_540647.pdf (accessed on 22 May 2020).
- Shaw, E.D.; Stock, H.V. Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall; White Paper; Symantec: Mountain View, CA, USA, 2011. [Google Scholar]
- Greitzer, F.L.; Hohimer, R.E. Modeling human behavior to anticipate insider attacks. J. Strateg. Secur. 2011, 4, 25–26. [Google Scholar] [CrossRef]
- Hunker, J.; Probst, C.W. Insiders and insider threats-an overview of definitions and mitigation techniques. J. Wirel. Mob. Netw. Ubiquitous Comput. Depend. Appl. 2011, 2, 4–27. [Google Scholar]
- Oracle Database Vault. 2015. Available online: https://www.oracle.com/technetwork/database/security/database-vault-ds-12c-1898877.pdf (accessed on 22 May 2020).
- Iyer, R.; Dabrowski, P.; Nakka, N.; Kalbarczyck, Z. Pre-configurable tamper-resistant hardware support against insider threats: The tested ILLIAC approach. In Insider Attack and Cyber Security; Springer: New York, NY, USA, 2008; pp. 133–152. [Google Scholar]
- Kumar, G.P.; Morarjee, K. Ranking prediction for cloud services from the past usages. Int. J. Sci. Eng. 2014, 2, 22–25. [Google Scholar]
- Mihai, I.-C.; Pruna, S.; Barbu, I.-D. Cyber kill chain analysis. Int. J. Inf. Secur. Cybercrime 2014, 3, 37–42. [Google Scholar] [CrossRef]
- Greitzer, F.L.; Strozer, J.R.; Cohen, S.; Moore, A.P.; Mundie, D.; Cowley, J. Analysis of unintentional insider threats deriving from social engineering exploits. In Proceedings of the IEEE Security and Privacy Workshops, San Jose, CA, USA, 17–18 May 2014; pp. 236–250. [Google Scholar] [CrossRef][Green Version]
- Chen, Y.; Nyemba, S.; Malin, B. Detecting anomalous insiders in collaborative information systems. IEEE Tran. Dependable Secur. Comput. 2012, 9, 332–344. [Google Scholar] [CrossRef]
- Gordon, L.A.; Loeb, M.P.; Zhou, L. Investing in cybersecurity: Insights from the gordon-loeb model. J. Inf. Secur. 2016, 7, 49–59. [Google Scholar] [CrossRef][Green Version]
- Microsoft Are Your Insiders Really Who You Think They Are? NetIQ Corporation. 2007. Available online: https://www.netiq.com/docrep/documents/h4mylk7uec/netiq_pb_group_policy_admin.pdf (accessed on 25 May 2020).
- CERT. Insider Threat Control: Using a SIEM Signature to Detect Potential Precursors to IT Sabotage. Carnegie Mellon University, Software Engineering Institute: Pittsburgh, PA, USA. Available online: https://insights.sei.cmu.edu/insider-threat/2012/01/insider-threat-control-using-a-siem-signature-to-detect-potential-precursors-to-it-sabotage.html (accessed on 13 June 2020).
- Walker-Roberts, S.; Hammoudeh, M.; Dehghantanha, A. A systematic review of the availability and efficacy of countermeasures to internal threats in healthcare critical infrastructure. IEEE Access 2018, 6, 25167–25177. [Google Scholar] [CrossRef]
- Turner, J.T.; Gelles, M. Threat Assessment: A Risk Management Approach. 2012. Available online: https://www.tandfonline.com/doi/abs/10.1080/00029157.2009.10401683 (accessed on 7 June 2020).
- Brdiczka, O.; Liu, J.; Price, B.; Shen, J.; Patil, A.; Chow, R.; Bart, E.; Ducheneaut, N. Proactive insider threat detection through graph learning and psychological context. In Proceedings of the 2012 IEEE Symposium on Security and Privacy Workshops (SPW), San Francisco, CA, USA, 24–25 May 2012; pp. 142–149. [Google Scholar]
- Cassidy, T. Technical Detection of Intended Violence: Workplace Violence as an Insider Threat. 2017. Available online: https://insights.sei.cmu.edu/sei_blog/2017/12/technical-detection-of-intended-violence-workplace-violence-as-an-insider-threat.html (accessed on 12 June 2020).
- The Global State of Information Security. PWC, 2014. Available online: http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml (accessed on 10 June 2020).
- Ponemon Institute, LLC. Security of Cloud Computing Providers Study. 2011. Available online: http://www.ca.com/~/media/Files/IndustryResearch/security-of-cloud-computingproviders-final-april-2011.pdf (accessed on 11 June 2020).
- Rashid, T.; Agrafiotis, I.; Nurse, J.R.C. A new take on detecting insider threats: Exploring the use of hidden Markov models. In Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats, Vienna, Austria, 28 October 2016; pp. 47–56. [Google Scholar]
- Yates, D.; Harris, A. International Ethical Attitudes and Behaviors: Implications for Organizational Information Security Policy. In Information Assurance and Security Ethics in Complex. Systems: Interdisciplinary Perspectives; IGI Global: Hershley, PA, USA, 2011; pp. 55–80. [Google Scholar]
- Greitzer, F.L.; Frincke, D.A.; Zabriskie, M. Social/ethical issues in predictive insider threat monitoring. In Information Assurance and Security Ethics in Complex Systems: Interdisciplinary Perspectives; IGI Global: Hershey, PA, USA, 2010; pp. 132–161. [Google Scholar]
- Swiety, M. From Ethics to Insider Threats: How Can You Protect Your Business? 2018. Available online: https://www.luxoft.com/blog/mswiety/from-ethics-to-insider-threats-how-can-you-protect-your-business (accessed on 25 June 2020).
- Salem, M.B.; Hershkop, S.; Stolfo, S.J. A survey of insider attack detection research. In Insider Attack and Cyber Security; Springer: New York, NY, USA, 2008; pp. 69–90. [Google Scholar]
- Hashem, Y.; Takabi, H.; GhasemiGol, M.; Dantu, R. Inside the mind of the insider: Towards insider threat detection using psychophysiological signals. J. Internet Serv. Inf. Secur. 2016, 6, 20–36. [Google Scholar]
- Axelrad, E.T.; Sticha, P.J.; Brdiczka, O. A bayesian network model for predicting insider threats. In Proceedings of the IEEE Security and Privacy Workshops, San Francisco, CA, USA, 23–24 May 2013; pp. 82–89. [Google Scholar]
- Kont, M.; Pihelgas, M.; Wojtkowiak, J.; Trinberg, L.; Osula, A.-M. Insider Threat Detection Study. NATO Cooperative Cyber Defence Centre of Excellence (CCD COE). 2014. Available online: https://ccdcoe.org/uploads/2018/10/Insider_Threat_Study_CCDCOE.pdf (accessed on 14 June 2020).
- Privileged User Abuse & The Insider Threat. Ponemon Institute Research Report. May 2014. Available online: http://www.raytheoncyber.com/rtnwcm/groups/cyber/documents/content/rtn_257010.pdf (accessed on 11 June 2020).
- Viet, K.; Panda, B.; Hu, Y. Detecting collaborative insider attacks in information systems. In Proceedings of the 2012 IEEE International Conference on Systems, Man, and Cybernetics (SMC), Seoul, Korea, 14–17 October 2012; pp. 502–507. [Google Scholar]
- Bray, R.; Marsh, S. How to Secure Collaboration from Insider Threats. 2019. Available online: https://www.mesalliance.org/wp-content/uploads/2019/04/How-to-Secure-Collaboration-from-Insider-Threats-LiveTiles.pdf (accessed on 15 June 2020).
- Kolokotronis, N.; Brotsis, S.; Germanos, G.; Vassilakis, C.; Shiaeles, S. On blockchain architectures for trust-based collaborative intrusion detection. In Proceedings of the IEEE World Congress on Services (SERVICES), Milan, Italy, 8–13 July 2019; pp. 21–28. [Google Scholar] [CrossRef]
- Ujjan, R.M.A.; Pervez, Z.; Dahal, K. Snort based collaborative intrusion detection system using blockchain in SDN. In Proceedings of the 13th International Conference on Software, Knowledge, Information Management and Applications (SKIMA), Island of Ulkulhas, Maldives, 26–28 August 2019; pp. 1–8. [Google Scholar] [CrossRef][Green Version]
- Boral, L.; Disla, M.; Patil, S.; Williams, J.; Park, J.S. Countering insider threats in personal devices. In Proceedings of the IEEE 2017 Intelligence and Security Informatics, New Brunswick, NJ, USA, 23–24 May 2007; p. 365. [Google Scholar]
- Majeed, A.; Haq, A.U.; Jamal, A.; Bhana, R.; Banigo, F.; Baadel, S. Internet of everything (IoE) exploiting organisational inside threats: Global network of smart devices (GNSD). In Proceedings of the IEEE International Symposium on Systems Engineering (ISSE), Edinburgh, UK, 3–5 October 2016; pp. 1–7. [Google Scholar] [CrossRef]
- Haim, B.; Menahem, E.; Wolfsthal, Y.; Meenan, C. Visualizing insider threats: An effective interface for security analytics. In Proceedings of the 22nd ACM International Conference on Intelligent User Interfaces Companion (IUI Companion), Limassol, Cyprus, 13–16 March 2017; pp. 39–42. [Google Scholar]
- Shabtai, A.; Bercovitch, M.; Rokach, L.; Gal, Y.; Elovici, Y.; Shmueli, E. Behavioral Study of Users When Interacting with Active Honeytokens. ACM Trans. Inf. Syst. Secur. 2016, 18. [Google Scholar] [CrossRef]
- White, J.; Panda, B. Implementing PII honeytokens to mitigate against the threat of malicous insiders. In Proceedings of the 2009 IEEE International Conference on Intelligence and Security Informatics, Dallas, TX, USA, 8–11 June 2009; pp. 233–239. [Google Scholar]
- Harilal, A.; Toffalini, F.; Homoliak, I.; Castellanos, J.; Guarnizo, J.; Mondal, S. The wolf of SUTD (TWOS): A dataset of malicious insider threat behavior based on a gamified competition. J. Wirel. Mob. Netw. Ubiquitous Comput. Dependable Appl. 2018, 9, 54–85. [Google Scholar]
- Cheh, C.; Thakore, U.; Fawaz, A.; Chen, B.; Temple, W.G.; Sanders, W.H. Data-driven model-based detection of malicious insiders via physical access logs. ACM Trans. Model. Comput. Simul. 2019, 29. [Google Scholar] [CrossRef][Green Version]
- Nkosi, L.; Tarwireyi, P.; Adigun, M.O. Insider threat detection model for the cloud. In Proceedings of the 2013 Information Security for South Africa, Johannesburg, South Africa, 14–16 August 2013; pp. 1–8. [Google Scholar]
- Nguyen, N.; Reiher, P.; Kuenning, G.H. Detecting insider threats by monitoring system call activity. In Proceedings of the IEEE Systems, Man and Cybernetics Information Assurance Workshop, West Point, NY, USA, 18–20 June 2003; pp. 45–52. [Google Scholar]
- Mavroeidis, V.; Vishi, K.; Jøsang, A. A framework for data-driven physical security and insider threat detection. In Proceedings of the 2018 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM), Barcelona, Spain, 28–31 August 2018; pp. 1108–1115. [Google Scholar]
- Legg, P.A.; Buckley, O.; Goldsmith, M.; Creese, S. Caught in the act of an insider attack: Detection and assessment of insider threat. In Proceedings of the 2015 IEEE International Symposium on Technologies for Homeland Security (HST), Waltham, MA, USA, 14–16 April 2015; pp. 1–6. [Google Scholar]
- Legg, P.A.; Buckley, O.; Goldsmith, M.; Creese, S. Automated insider threat detection system using user and rolebased profile assessment. IEEE Syst. J. 2017, 11, 503–512. [Google Scholar] [CrossRef][Green Version]
- Servos, D.; Osborn, S.L. Current research and open problems in attribute-based access control. ACM Comput. Surv. 2017, 4. [Google Scholar] [CrossRef]
- Sallam, A.; Bertino, E. Result-based detection of insider threats to relational databases. In Proceedings of the 9th ACM Conference on Data and Application Security and Privacy (CODASPY), Richardson, TX, USA, 25–27 March 2019; pp. 133–143. [Google Scholar]
- Chattopadhyay, P.; Wang, L.; Tan, Y. Scenario-based insider threat detection from cyber activities. IEEE Trans. Comput. Soc. Syst. 2018, 5, 660–675. [Google Scholar] [CrossRef]
- Moyano, F.; Fernandez-Gago, C.; Paci, F. Detecting insider threats: A trust-aware framework. In Proceedings of the 8th International Conference on Availability, Reliability and Security (ARES), Regensburg, Germany, 2–6 September 2013; pp. 121–130. [Google Scholar]
- Toffalini, F.; Homoliak, I.; Harilal, A.; Binder, A.; Ochoa, M. Detection of masqueraders based on graph partitioning of file system access events. In Proceedings of the IEEE Security and Privacy Workshops, San Francisco, CA, USA, 24 May 2018; pp. 217–227. [Google Scholar]
- Lu, J.; Wong, R.K. Insider threat detection with long short-term memory. In Proceedings of the ACM Australasian Computer Science Week Multiconference (ACSW), Sydney, Australia, 29–31 January 2019; pp. 1–10. [Google Scholar]
- Gritzalis, D.; Stavrou, V.; Kandias, M.; Stergiopoulos, G. Insider threat: Enhancing BPM through social media. In Proceedings of the 6th International Conference on New Technologies, Mobility and Security (NTMS), Dubai, United Arab Emirates, 30 March–2 April 2014; pp. 1–6. [Google Scholar]
- Le, D.C.; Heywood, M.I.; Zincir-Heywood, N. Benchmarking genetic programming in dynamic insider threat detection. In Proceedings of the ACM Genetic and Evolutionary Computation Conference Companion (GECCO), Kyoto, Japan, 15–19 July 2018; pp. 385–386. [Google Scholar]
- Xiangyu, L.; Qiuyang, L.; Chandel, S. Social engineering and insider threats. In Proceedings of the International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), Nanjing, China, 12–14 October 2017; pp. 25–34. [Google Scholar]
- Clark, J.W. EAR: An e-mail attachment receiver to search concerning images in the context of insider threat. In Proceedings of the 40th IEEE Annual Computer Software and Applications Conference (COMPSAC), Atlanta, GA, USA, 10–14 June 2016; pp. 365–370. [Google Scholar]
- Greitzer, F.L. Insider threats: It’s the human, stupid! In Proceedings of the ACM Northwest Cybersecurity Symposium (NCS), Richland, WA, USA, 8–10 April 2019; pp. 1–8. [Google Scholar]
|Recruitment/Tipping||An engineer hands in his resignation, unknown to his team at the time he was leaving to resume duty with a competitor.||Email or paper.|
|Reconnaissance||For four months, the engineer visited some network shares on the system that contain data from different divisions of the organization. He explored several areas for accessing documents, opening files, and browsing directories.||PCs, browsers, webpages, ping sweeps, social networks, port scanning, network sharing, Telnet/R-login.|
|Exploitation||The organization did not control the critical and sensitive zones of its network with the correct level of permissions. Therefore, open and free access to data and information was available to those who have access.||Remote access tool (RAT) and exploit kits, particularly, Blackshades—Blackhole; DarkComet—Nuclear; Bozok—Redkit; Poison ivy—Styx; Njrat—Sweet orange; Apocalypse—Infinity; and Browser exploitation framework (BEF).|
|Acquisition||Once the engineer had discovered the data he wanted to steal, he downloaded a piece of software that is designed to create backups. He installed it on his system and configured it to retrieve the needed files from the network and secure them in a single file. He was sensible enough to configure the software to perform incremental backup after the initial backup. This means if there is any change or addition to the file location, the software will only add the new changes.||Backup software—Acronis True Image, EaseUS ToDo Backup, Paragon Backup & Recovery, NovaBackup, and Genie Timeline.|
|Exfiltration||Once the engineer was done, he unplugs his endpoint from the network and copies the backed-up file to a drive.||USB thumb drive, Hard disk.|
|Definitions of security policies regarding insider threats||Omar , CERT Common Sense Guide to Mitigating Insider Threats ||Gaps in policies||Concise and coherent; penalties for violating rules|
|Pre-employment and monitoring suspicious or disruptive behavior||Shaw et al. , Greitzer et al. ||Non-trustworthy candidates, disruptive behavior||Background checks, enforce policies and procedures|
|Prevention of data exfiltration methods||Hunker et al. , Scott et al. ||Data leaving critical systems (copied, transferring, USBs, etc.)||Shadow copy creation, audit media devices, virtual desktop infrastructure environments, data loss prevention|
|Strict access controls and monitoring policies for privileged users||Giani et al.  Oracle Database Vault ||System administrators and privileged users, sabotage previous employees||Disable system access for required users, strict encryption solutions, principle of least privilege, protect user data from DBAs|
|Separation of duties||Cappelli et al. , Iyer et al. ||Privileged users, system misconfiguration||Strict organizational rules, collaborative network systems|
|Segregation of duties||Moore et al. ||Authentication attempts suspicious activities||Audit logs, dashboards, alerts, and alarms for security analysts to inspect|
|Indicators of compromise||Mihai et al. ||Intrusion kill chain||Use of a security incident and event management (SIEM)|
|Human behavioral and psychological approaches||Greitzer et al. ||Unintentional insider threat (UIT) from social engineering||Collecting and analyzing the data for behavioral and patterns|
|Liu et al. ||Range of insider threats (mostly the traitor, masquerader, and unintentional perpetrator)||APT intrusion kill chain|
|Nurse et al. ||Motivation behind malicious threats and unintentional human factors||Technical and behavioral aspects|
|Chen et al. ||Insider threats based on the access structure||Community anomaly detection through logs of collaborative environments|
|Reconnaissance||Website Traffic||Firewall Access Control List (ACL)||-||-||-||-|
|Weaponization||Network IDS||Network IPS||-||-||-||-|
|Delivery||Cautious User||Proxy Filter||In-line Antivirus||Scheduling in Queuing||-||-|
|Exploitation||Host-based IDS||Patch||Data Execution Prevention||-||-||-|
|Installation||Host-based IDS||Modified system||Antivirus||-||-||-|
|Command and Control||Network IDS||ACL||Network IPS||Tarpit||DNS Redirect||-|
|Action on Objective||Log files||-||Network IPS||Quality of Service||Honey Pot||-|
|Indicators of Compromise (Insider Threat)|
|12 months plus unused vacation||An increasing # of logins, variation in remote/local|
|Consistent first in and last out of office||Logging into the network at odd times|
|Life change/marital status||Remote logins using employee credential|
|Lay-off notification||Changes in website visited work and personal|
|Passed over for promotion/raise||Increased printer usage|
|Disciplinary action||Export of large reports/downloads report|
© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Saxena, N.; Hayes, E.; Bertino, E.; Ojo, P.; Choo, K.-K.R.; Burnap, P. Impact and Key Challenges of Insider Threats on Organizations and Critical Businesses. Electronics 2020, 9, 1460. https://doi.org/10.3390/electronics9091460
Saxena N, Hayes E, Bertino E, Ojo P, Choo K-KR, Burnap P. Impact and Key Challenges of Insider Threats on Organizations and Critical Businesses. Electronics. 2020; 9(9):1460. https://doi.org/10.3390/electronics9091460Chicago/Turabian Style
Saxena, Neetesh, Emma Hayes, Elisa Bertino, Patrick Ojo, Kim-Kwang Raymond Choo, and Pete Burnap. 2020. "Impact and Key Challenges of Insider Threats on Organizations and Critical Businesses" Electronics 9, no. 9: 1460. https://doi.org/10.3390/electronics9091460