Monitoring strategies for insider threat detection

Insider threat detection is a vital part of the security of any enterprise organization. In this tip, part of the Insider Threats Security School lesson, learn about the best insider threat detection strategies.

This tip is part of the Intrusion Defense Security School lesson, Practical strategies to mitigate insider threats, featuring Dawn Cappelli. For additional resources visit our lesson home page, or to browse more Security School lessons, visit our Security School Course Catalog.

With so many logging and monitoring tools available, it may seem like detecting illicit insider activity in enterprise organizations should be easier. But the number of malicious insider cases continues to increase, mainly because most insiders who commit fraud, theft, IT sabotage or espionage use authorized access and perform the same types of online actions they perform every day: On the surface, their malicious activity does not look any different than their everyday online activity.

Data lost by insiders represents a significant threat to enterprises, so it's vital to have some strategies in place to detect and prevent or mitigate the actions of malicious insiders. In this tip, we'll review practical strategies for implementing insider threat detection tools based on my team's nine years of research, CERT's database of 400 actual insider threat cases, lessons learned from doing assessments, and behavioral patterns covered in our insider threat workshops.

Before getting into the insider threat detection process, it's important to briefly define the term malicious insider. A malicious insider can be considered any current or former employee, contractor or other business partner who:

  • Has or had authorized access to an organization's network, system or data; and
  • Intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.

There are three types of insider crimes covered in this tip: insider IT sabotage, fraud and theft of intellectual property (IP); each requires its own set of insider threat detection tactics.

Insider IT sabotage: These are crimes in which the insider intended to cause harm to the organization or to individuals. These crimes, usually committed by disgruntled system administrators or database administrators, often bring down systems, wipe out data or disrupt business operations. These crimes are frequently committed following termination using technical methods like backdoor accounts, malicious code planted while still employed, or passwords obtained using password crackers or social engineering.

There are several key monitoring and detection tactics to pinpoint potential insider IT sabotage, all of which enterprises should consider incorporating into their standard security practices. They include:

  • Detection of configuration changes – Many insiders plant malicious code in operating system scripts, production programs or system utilities. The targets are many and the attack methods are constantly evolving. Because these files are rarely modified, however, change-control tools can be used to detect changes to them.
  • Perimeter controls to alert on suspicious traffic – Most organizations use tools like intrusion detection systems (IDS) to monitor inbound traffic. However, insiders in the CERT database used hacker tools and assistance from the Internet Underground (see the CERT report: Spotlight On: Malicious Insiders with Ties to the Internet Underground Community) to exfiltrate credentials and sensitive information. For this reason, it's important for organizations to consider using tools like IDS to create alerts on suspicious outbound traffic.
  • Monitoring for unauthorized accounts – Many insiders created backdoor accounts to use in attacks following termination. These accounts can be difficult to detect. We recommend comparing all accounts against the current employee directory, and establishing a proactive process for vetting new accounts by validating that each account is associated with a current employee and that the need for an account has been approved by the employee's supervisor.
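
The account-vetting check described in the last item can be automated as a periodic reconciliation job. The following is an added example, not code from the article or from CERT; the directory layout, account export and field names are hypothetical, and the sample records are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]     # employee ID the account is registered to
    approved_by: Optional[str]  # employee ID of whoever approved the account

# Constructed sample data (hypothetical HR directory and account export).
EMPLOYEES = {  # employee_id -> current status and supervisor
    "E001": {"active": True, "supervisor": None},
    "E100": {"active": True, "supervisor": "E001"},
    "E101": {"active": True, "supervisor": "E001"},
    "E102": {"active": False, "supervisor": "E001"},  # terminated
}
ACCOUNTS = [
    Account("jsmith", "E100", "E001"),    # passes vetting
    Account("adoe", "E101", None),        # approval never recorded
    Account("bwhite", "E102", "E001"),    # owner has left the organization
    Account("svc_backup2", None, None),   # no owner on record
    Account("kcho", "E101", "E100"),      # approved by someone other than the supervisor
]

def audit_accounts(accounts, employees):
    """Return {username: [reasons]} for every account that fails vetting."""
    findings = {}
    for acct in accounts:
        reasons = []
        owner = employees.get(acct.owner_id) if acct.owner_id else None
        if owner is None:
            reasons.append("no matching employee in directory")
        else:
            if not owner["active"]:
                reasons.append("owner is not a current employee")
            if acct.approved_by is None:
                reasons.append("no supervisor approval recorded")
            elif acct.approved_by != owner["supervisor"]:
                reasons.append("approver is not the owner's supervisor")
        if reasons:
            findings[acct.username] = reasons
    return findings

if __name__ == "__main__":
    for user, reasons in audit_accounts(ACCOUNTS, EMPLOYEES).items():
        print(f"{user}: {'; '.join(reasons)}")
```
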

Insider fraud: These are crimes in which an insider uses IT for the unauthorized modification, addition, or deletion of an organization's data (not programs or systems) for personal gain or theft of information which leads to fraud (identity theft, credit card fraud).

Insider fraud is usually committed by low-level employees like customer support or help desk employees, using authorized access to systems they use every day. The primary detection strategy is to audit database transactions for suspicious activity involving personally identifiable information (PII), credit card information and other sensitive information. Such audits should take place regularly, but how often depends on an organization's own risk analysis.

Theft of IP: These crimes are usually committed by scientists, engineers and programmers who steal IP they created -- engineering drawings, scientific formulas and source code, for example. Their theft, on the surface, might not look illicit, which makes detecting the activity more difficult. Many data leakage prevention (DLP) products result in information overload and are impractical for detecting theft of proprietary information without associated policies and processes, such as those described below. CERT's research shows most insiders steal IP within 30 days of resignation.

Therefore, a practical set of monitoring tactics consists of:

  • Logging, monitoring and auditing system logs for queries, downloads, print jobs and email messages containing unusually large amounts of data, particularly proprietary information.
  • Alerting on emails to competitors, foreign locations or personal email accounts.
  • Monitoring network flow data for abnormally large file transfers, long connections, odd ports and suspicious source/destination IP addresses.
  • Use of host-based agents to log activity on desktops and laptops, including use of removable media.
  • Implementing targeted auditing of logs for employees with access to proprietary information who resign.

In summary, continuous logging, targeted monitoring for employees who fit the "profile" described in this article, and real-time alerting can enable organizations to defend themselves against insider threats.
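
The targeted auditing tactic for theft of IP can be expressed as a filter over already-collected logs, which keeps the review queue small compared with alerting on every large transfer. This is an added example, not code from the article or from CERT; the event format, size threshold and domain lists are assumptions, the window is applied on both sides of the resignation date as an assumption, and all records are constructed.

```python
from datetime import date

WINDOW_DAYS = 30                      # article: most IP theft occurs within 30 days of resignation
LARGE_BYTES = 50 * 1024 * 1024        # assumed threshold; tune against each user's baseline
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com"}   # assumed list of personal mail providers
COMPETITOR_DOMAINS = {"rival.example"}          # placeholder competitor domain

# Constructed sample data: resignation dates for staff with access to
# proprietary information, and normalized events from mail, file and host logs.
RESIGNATIONS = {"rlee": date(2010, 6, 15)}
EVENTS = [  # (date, user, kind, bytes, destination)
    (date(2010, 3, 1), "rlee", "email", 2_000, "friend@gmail.com"),         # outside window
    (date(2010, 6, 1), "rlee", "email", 80_000_000, "rlee.home@gmail.com"),
    (date(2010, 6, 10), "rlee", "usb_copy", 400_000_000, "removable"),
    (date(2010, 6, 12), "rlee", "email", 1_500, "hr@corp.example"),         # in window, benign
    (date(2010, 6, 5), "mtan", "download", 900_000_000, "fileserver"),      # has not resigned
    (date(2010, 6, 20), "rlee", "email", 3_000, "jobs@rival.example"),
]

def review_queue(events, resignations):
    """Return events by resigning employees inside the window that match a tactic."""
    queue = []
    for when, user, kind, size, dest in events:
        resigned = resignations.get(user)
        if resigned is None or abs((when - resigned).days) > WINDOW_DAYS:
            continue  # targeted auditing: only resigning staff, only near the date
        reasons = []
        if size >= LARGE_BYTES:
            reasons.append("large transfer")
        if kind == "email":
            domain = dest.rsplit("@", 1)[-1].lower()
            if domain in PERSONAL_DOMAINS:
                reasons.append("personal email account")
            if domain in COMPETITOR_DOMAINS:
                reasons.append("competitor domain")
        if kind == "usb_copy":
            reasons.append("removable media")
        if reasons:
            queue.append((when, user, kind, reasons))
    return sorted(queue)

if __name__ == "__main__":
    for when, user, kind, reasons in review_queue(EVENTS, RESIGNATIONS):
        print(when.isoformat(), user, kind, ", ".join(reasons))
```
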

About the author:
Dawn Cappelli, CISSP, is Technical Manager of CERT's Threat and Incident Management team and the CERT Insider Threat Center at Carnegie Mellon's Software Engineering Institute. Her team assists organizations in improving their security posture and incident response capability by researching threat areas; developing assessment methods; and providing information for preventing, detecting, and responding to illicit activity. Dawn has 30 years experience in software engineering, technical project management, and information security.

© 2010 Carnegie Mellon University


CERT® is a registered service mark of Carnegie Mellon University.

This was last published in August 2010
