The Insider Threat Center conducts research on insider cyber threats and develops socio-technical solutions to address these threats. It has collaborated with the U.S. Secret Service since 2002 to identify, assess, and manage potential insider threats. The Center also conducts confidential vulnerability assessments for organizations to evaluate their exposure to insider threats and provides recommendations to mitigate risks.

1. Insider Threat Research
The Insider Threat Center in the CERT (Computer Emergency
Response Team) is considered to be a highly trusted broker to help
community in both short & long term through the researches. The
real insider threat cases were gathered from different public
resources such as news media and industry reports. This center
conducts research and analysis to develop Socio-Technical
solutions and answer to fight those insider cyber threats.

2. Case Analysis
• Since 2002, the Insider Threat Study team has collaborated
with the U.S. Secret Service to identify, assess, and manage
potential threats to, and vulnerabilities of, data and critical
systems. This work augments security and protective practices
by:
– finding ways to identify, assess, and mitigate cybersecurity threats to
data and critical systems that impact physical security or threaten the
mission of organizations
– finding ways to identify, assess, and manage individuals who may pose
a threat to those data or critical systems
– developing information and tools that can help organizations and law
enforcement identify cybersecurity issues

3. • The Insider Threat Study is a central component of the
multi-year collaboration between the Secret Service
and the CERT Division. The study focuses on employees
who use or exceed their authorized access to their
organization's information systems to harm the
organization by stealing intellectual property or other
confidential or sensitive information, by committing
fraud, or by sabotaging information technology within
critical infrastructure sectors. The study was the first
comprehensive analysis of the insider threat problem
and has led to analyses of several different public and
private sectors.

4. Vulnerability Assessments
• A confidential Insider Threat Vulnerability Assessment helps you
understand your exposure to insider threat along multiple vectors
(technical, behavioral, process, and policy) and delivers a single
actionable framework to manage these issues and associated risks.
• The assessment instrument, which is based on more than 550
insider threat cases in our database, encompasses information
technology, human resources, physical security, business processes,
legal, management, and organizational issues. It merges technical,
behavioral, process, and policy issues into a single, actionable
framework.
• Members of the Insider Threat Center staff spend three to five days
at your organization. During that time, we review documents,
interview key personnel in your organization, and observe key
processes and security issues. We sign non-disclosure agreements,
and all collaborations are confidential.

5. • After the onsite visit, we provide you with a confidential report that
contains the findings of the assessment and considerations for
potential mitigation strategies. Organizations have used this report
to
– identify and implement short-term tactical countermeasures
– help guide their ongoing risk management process for implementing
long-term, strategic countermeasures
– justify follow-up actions to key decision makers
• The CERT insider threat vulnerability assessment, which is based on
psychological and technical expertise, helps you to better safeguard
your critical infrastructure. The purpose of the assessment is to
– enable you to gain a better understanding of your vulnerability to
insider threats and an enhanced ability to assess and manage
associated risks
– include technical, organizational, personnel, and business security and
process issues from our research in a single, actionable framework
– benefit all individuals involved in the insider threat vulnerability
assessment process: information technology, human resources,
physical security, data and business process owners, and all levels of
organizational management

6. • The insider threat can come in several forms:
– Employees who steal intellectual property
– Unhappy IT professionals who damage data and
systems
– Professionals who use confidential information for
financial or political gain

7. Behavior Monitoring
• A history of disregarding rules and regulations
• Participating in questionable activities; enticing others
to participate in them
• A history of deception or lying to supervisors or co-
workers
• Argumentative behavior towards peers and supervisors
• Previous attempts to avoid or defeat security audits
and/or security systems
• Coming to office under the influence of drugs/alcohol
• Threatening to use violence

8. Dealing with Potential Defectors
• Here is a step by step approach for improving behavioral monitoring, preventing defection, and
appropriately handling defectors.
• Ensure employees know all that they must know. A company must ensure that its employees
know and completely understand the company’s policy in respect to use of information resources
and employee behavior.
• Additional monitoring for potential defectors. An unsatisfied employee may be tempted in
destroying, stealing, or sharing confidential data if he or she feels sidelined or unappreciated.
Organizations can prevent such incidences by identifying potential defectors and monitoring them.
• Train employees to detect suspicious behavior. All employees must be adequately trained to
detect suspicious behavior. Equally importantly, they must be made to understand the need of
promptly bringing such behavior to the notice of authorities.
• Safeguard the interests of the whistleblowers. Employees often don’t want to become personally
involved, so a mechanism should be in place that protects their anonymity. This can be achieved in
different ways, for instance, by installing a toll-free number for registering tips to suspect behavior.
• Take prompt and adequate action. Organizations should respond quickly to any breach of faith and
the response should be in line with the level of the offense. Remediating the problem should be the
first preference, rather than termination, which can lead to litigations if used without much
deliberation.

9. Technical Monitoring
• Need-to-know
• Least privilege
• Separation of duties

10. Administration
• The controls discussed above work to mitigate suspicious
activities by IT administrators, but they alone are not
sufficient. This is because administrators enjoy privileges
that other employees don’t. For instance, administrators, if
they want to, can create backdoor accounts or tweak logs.
Both vulnerabilities can be effectively eliminated with aid
of monitoring duties and separation of duties.
• to nullify insider threats from administrators
– Log the use of a shared admin account every time
– Change passwords of all shared accounts every time an
administrator leaves the organization
– If budget allows, use a password-management solution

11. CERT Related Controls & Indicators
• In organizations with access to the internet, the potential for data
leakage is ever present. The insider threat control described in this
technical note can monitor web request traffic for text-based data
exfiltration attempts and block them in real time. Using this control
can help an organization protect text-based intellectual property,
including source code repositories.
• As part of the plagiarism detection control, the Insider Threat team
offers two control systems code samples:
– WebDLPIndexer, a Java agent, assists with the implementation of the
team's data loss prevention (DLP) control
– WebDLP Client forwards outgoing web requests to the WebDLPIndexer
agent for comparison against an index of intellectual property.