Cybersecurity measures are frequently focused on threats from outside an organization rather than threats posed by untrustworthy individuals inside an organization. However, insider threats are the source of many losses in critical infrastructure industries. Additionally, well-publicized insiders have caused irreparable harm to national security interests. An insider threat is defined as the threat that an employee or a contractor will use his or her authorized access, wittingly or unwittingly, to do harm to the security of the United States. Although policy violations can be the result of carelessness or accident, the primary focus of this project is preventing deliberate and intended actions such as malicious exploitation, theft or destruction of data or the compromise of networks, communications or other information technology resources. The Department of Homeland Security (DHS) Science and Technology Directorate’s (S&T) Insider Threat project is developing a research agenda to aggressively curtail elements of this problem.
Motivation
Increasingly, insider threat cases and high-profile data leaks illustrate the need for strong insider threat programs within organizations. The number of infamous and damaging attacks against the government illustrates that the threat posed by trusted insiders is significant. This threat will continue to grow as increased information-sharing results in greater access to and distribution of sensitive information.
Approach
To address the growing concern of insider threats, this project seeks more advanced R&D solutions that provide the capabilities needed to address six areas:
- Collect and Analyze (monitoring)
- Detect (provide incentives and data)
- Deter (prevention)
- Protect (maintain operations and economics)
- Predict (anticipate threats and attacks)
- React (reduce opportunity, capability, motivation and morale for the insider)
The beneficiaries of this research range from the national security bodies operating the most sensitive or classified systems, to homeland security officials who need to share sensitive-but-unclassified/controlled unclassified information, to the healthcare, finance and many other sectors where sensitive and valuable information is managed. In many systems, such as those operating critical infrastructures, integrity, availability and total system survivability are of the highest priority and can be compromised by insiders.
Performer
University of Texas San Antonio: Lightweight Media Forensics for Insider Threat Detection
This effort is developing novel methods to detect insider threats by analyzing disk-level storage behavior and how an individual’s behavior diverges from their own prior behavior and/or that of their organizational peers. Current approaches rely on rules/signatures and look for patterns matching previous attacks. Analyzing disk-level storage behavior with a lightweight media forensics agent will provide a more in-depth look at user behavior for indicators and proactively identify potential threats.
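The contrast drawn above, between a fixed rule and divergence from a user's own history and peer group, can be illustrated with a short added example. It is not the UTSA project's code or method: the feature (MB read from disk per day), the sample data, the roles, the thresholds and all function names are assumptions made for illustration.

```python
from statistics import median

# Constructed sample: MB read from disk per user per day (assumed feature).
HISTORY = {
    "alice": [210, 190, 205, 220, 198, 215, 202],
    "bob":   [180, 200, 195, 210, 188, 192, 205],
    "carol": [200, 215, 190, 205, 198, 210, 195],
    "dave":  [6000, 6150, 5900, 6100, 6050, 5950, 6200],
    "erin":  [5800, 6100, 6000, 5950, 6050, 6150, 5900],
}
ROLES = {"alice": "analyst", "bob": "analyst", "carol": "analyst",
         "dave": "backup", "erin": "backup"}
TODAY = {"alice": 208, "bob": 199, "carol": 1800, "dave": 6100, "erin": 6020}

def static_rule(today, limit_mb=5000):
    """Signature-style check: one fixed threshold applied to everyone."""
    return sorted(u for u, mb in today.items() if mb > limit_mb)

def robust_z(value, baseline, rel_floor=0.05):
    """Deviation from a baseline in median/MAD units; the scale is floored
    at rel_floor * median so a near-constant baseline cannot inflate noise."""
    if not baseline:
        return 0.0  # nothing to compare against (e.g. a user with no peers)
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    scale = max(1.4826 * mad, rel_floor * abs(med), 1e-9)
    return (value - med) / scale

def behavioral_flags(today, history, roles, threshold=3.5):
    """Return {user: (self_z, peer_z)} where either score exceeds threshold."""
    flagged = {}
    for user, value in today.items():
        self_z = robust_z(value, history[user])
        # Peer baseline: the typical (median) day of each other user in the role.
        peers = [median(history[p]) for p in history
                 if p != user and roles[p] == roles[user]]
        peer_z = robust_z(value, peers)
        if abs(self_z) > threshold or abs(peer_z) > threshold:
            flagged[user] = (round(self_z, 1), round(peer_z, 1))
    return flagged

if __name__ == "__main__":
    print("static rule :", static_rule(TODAY))
    print("behavioral  :", behavioral_flags(TODAY, HISTORY, ROLES))
```

On this constructed data the fixed limit flags the two backup operators doing their normal work and misses the analyst whose reads jumped ninefold, while the self and peer baselines flag only that analyst.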
Resources
For the latest information about S&T Cybersecurity, visit the S&T Cybersecurity News, Publications, Videos and Events pages.