CSIAC

Cyber Security and Information Systems Information Analysis Center


Introduction: Insider Threat and the Malicious Insider Threat – Analyze. Deter. Discover. Prevent. Respond

Published in Journal of Cyber Security and Information Systems
Volume: 6 Number: 1 - Insider Threat and the Malicious Insider Threat

Authors: Roderick A. Nettles and Michael Weir
Posted: 05/09/2018

Building a quarterly journal that spans broad topical and technical themes can be challenging, and the selection of articles for any one issue intimidating. Over the last five years CSIAC has published special issues on military research laboratories (Volume 5 Number 1; Volume 4 Number 1), focused on particular relevant technical thrusts (e.g., Serious Games M&S, Volume 5 Number 4, December 2017), and on operational considerations (e.g., SCADA, Volume 1 Number 3). This quarter, the CSIAC Journal presents five articles which represent different perspectives on Insider Threat and approaches to understanding and remediating that threat. Due to the cost of reproduction and distribution, we are releasing the print journal with the first four articles and incorporating into it a reference to the longer and more complex fifth article, which is available online at CSIAC.ORG. All five articles are included in the PDF version of the journal available online.

In this journal we are proud to identify and include work by two organizations with a long history of research and good counsel regarding Insider Threat – the Software Engineering Institute (SEI) at Carnegie Mellon University and the SANS Technology Institute.

Any collaboration between people in a group requires a certain degree of trust to be successful. Whether in financial, political, military, or social situations, the ability to trust those around you is a primary enabling factor to success. Misuse of that trust to gain advantage for purposes counter to the group’s success can also be a primary factor in the group’s failure. For the last few decades in the cybersecurity realm, the term “Insider Threat” has been used to identify individuals or entities that misuse some level of trust gained within an organization to adversely use information or information systems to the detriment of the organization. The designation is somewhat broad, encompassing intentional and unintentional actions, individuals and groups of people, even human and machine/computer activities. Approaches to the remediation of the Insider Threat are also quite broad, with current best practice combining several to achieve the best results. Physical, technical, behavioral, policy, and process means are all parts of an effective Insider Threat program.

When any concept or technology becomes widely relevant, it begins to differentiate into sub-components on its path to full maturity. New and innovative approaches leverage and augment the foundational ideas that generated the original concepts, frequently evolving to new areas and spawning their own subcomponents. Insider Threat remediation research has made that journey, growing in relevance and maturity, and many alternative paths evolved from those foundational ideas as the methods and technology behind information management (and the methods and technology available to Insider Threat actors) have become more powerful and complex. One piece of the puzzle has remained a constant – the human aspect.

The American origins of Insider Threat conduct go back at least to 1775. Benjamin Church was a British Loyalist and trusted insider who had access to important Colonial letters by virtue of his position. He diverted key messages to British General Sir Thomas Gage in an attempt to undermine American military movements¹. The same human motivations that drove his actions have been repeated over and over again in the two centuries since, using different methods and technologies to access and misuse critical information. In the late 1980s, the CIA initiated Project Slammer in an attempt to gather the most current and relevant information from captured insider spies and to discern the primary influences that enabled their conduct. At the end of that heavily redacted 1990² report, it states:

“Subjects almost invariably conceive of committing espionage after they are in a position of trust. While initial screening continues to be important, focusing on update and monitoring procedures seems increasingly worthwhile.”

A Counterintelligence Trends document from 1993³ summarizing the overall Project states clearly that none of the people studied intended to spy at the point they were granted access to information.

With that firmly in mind, this special issue focuses on the “Insider Threat and the Malicious Insider Threat,” which pose unique security challenges to all organizations because of insiders’ knowledge, proficiencies, and authorized access to information systems.

How do you interpret people’s behavior in the context of the Insider Threat? The next article identifies and amplifies concepts associated with a core concern of many involved with Insider Threat – what about the unintentional insider? Professor Coffey expands on the Software Engineering Institute’s (SEI’s) Insider Threat Ontology to recommend ways to incorporate non-malicious behavior within that construct, and provides an exemplar of how it might be used.

If you can’t stop the Insider, how do you mitigate the effects? The following article identifies a truth about compromise (with enough effort, virtually any organization can be compromised) and then proposes methods for most effectively mitigating the effects of compromise. Dr. Cole proposes best-practice methodologies for Detect, Contain and Control with an emphasis on the Insider Threat.

How do you integrate policy and compliance with an effective Insider Threat program? A very different perspective is provided by Christian Moldes in his article on the policy-level components of an effective Payment Card Industry (PCI) compliance program, identifying the effective integration of the objectives of compliance with the organization’s organic actions/processes in place to assure protection of information assets.

What about the threat of “Insider Hardware” that isn’t even a person? With the Internet of Things (IoT) becoming a component part of any organization, what about the threat of embedded hardware inside your organization? Eric Jodoin provides a very detailed example of revealing an embedded device’s information flow using serial port access. It is illuminating both for the ability to access embedded information streams and for the reasoning process that can provide insight into how embedded devices can be used in an insider scenario.

How do we get better at finding Insider Threats? Matthew Hosburgh suggests a more contemporary method for actively identifying Insider Threat actors – applying the concepts of Threat Hunting to the problem. Involving people more actively in the hunting of Insider Threat actors using current Threat Hunting tools and techniques ratchets up the capability to find and remediate potential problems. This article also capitalizes on the Insider Threat Ontology from the SEI and identifies insertion points for the Threat Hunting methods.

We hope that this combination of articles across a broad spectrum of Insider Threat remediation techniques and analyses will help you go beyond the basic, first-order effects of traditional Insider Threat tools and ideas and begin to reason about the wider aspects of how people, technology and policy can combine more coherently to analyze, deter, discover, and ultimately prevent such activities from occurring.



Footnotes

  1. Benjamin Church, probably the first Surgeon General of the US, provided information to the British prior to the Battle of Lexington, reference here: http://clements.umich.edu/exhibits/online/spies/people.html#church
  2. Project Slammer Interim Report, 12 April 1990, redacted and declassified version available here: https://www.cia.gov/library/readingroom/docs/DOC_0000218679.pdf
  3. "Counterintelligence Trends", DCI Counterintelligence Center, January 1993, page 10; approved for release March 2002, available here: https://cryptome.org/2013/06/cia-why-spy.pdf

Authors

Roderick A. Nettles
Mr. Roderick A. Nettles is currently serving as the Deputy Director under the current Cyber Security and Information Systems IAC (CSIAC) Basic Center Operations (BCO) contract, developing and implementing means of improving and assuring performance with existing resources to meet and exceed the customer’s requirements. Mr. Nettles is responsible for leading Quanterion efforts to develop and maintain a viable training program under the CSIAC BCO contract using a mix of company, subcontractor and subject matter expert instructed courses. In addition, he serves as the Chief Editor of a cybersecurity journal, responsible for managing all the day-to-day operations of a quarterly publication; as editor-in-chief, he oversees the editorial board and peer-review team and ensures each issue is released on time. Mr. Nettles has a bachelor’s degree in Computer Science and a Master’s in Information Technology Management. He has over 20 years of oversight of the Cyber Command and Control Mission System weapon system, including the Automated Information Systems which enable the mission by synchronizing other cyber weapon systems to produce operational-level effects in support of Combatant Commanders worldwide. Mr. Nettles was assigned to CONUS NORAD Region (CONR) 1AF/A6 at Tyndall Air Force Base as the Officer in Charge, Command and Control Systems Branch. He was responsible for developing a cyber defense Table Top Exercise; he validated C2 Tactics, Techniques and Procedures with Twenty-Fourth Air Force (24AF), 33d Network Warfare Squadron (33NWS), Canadian Forces Network Operations Centre (CFNOC), Canadian NORAD Region (CANR) and 5 Air Defense Sectors to harden NORAD's front-line Command and Control Systems. Mr. Nettles was charged with eliminating security vulnerabilities in those systems, securing C2 mission systems. As the Chief of C2 Systems Branch, Mr. Nettles bridged CANR, CONR and 6 sectors to Defensive Cyber Operations combat methodologies. As a Cyber Operational Planner, he led efforts to identify mission key terrain, "mapping the mission” for the NORAD Network Enterprise.
Michael Weir
Michael Weir is currently working with Quanterion Solutions, Inc as a Senior Technical Advisor/Subject Matter Expert for the Cybersecurity and Information Systems Information Analysis Center (CSIAC), and with the Griffiss Institute as the developer/facilitator for the AFRL-sponsored Machine Learning Bootcamp, a multi-month immersion program for AFRL engineers. Mr. Weir was previously the Director of the CSIAC, and before that the Chief of Communications and Information Systems at the Eastern Air Defense Sector (EADS), Rome, New York. EADS is one of two NORAD/NORTHCOM air defense sectors in the Continental United States. He was responsible for setting up and maintaining the Sector's cyber posture during and after 9/11 and evolving the data/communication/sensor integration through the following decade. Mr. Weir has Bachelor's degrees in Music Performance and in Electrical and Computer Engineering, and a Master's Degree in Information Systems, along with certifications in the cybersecurity domain.

Copyright 2012-2021, Quanterion Solutions Incorporated