David A. Mundie
Software Engineering Institute
Publication
Featured research published by David A. Mundie.
ieee symposium on security and privacy | 2014
Frank L. Greitzer; Jeremy R. Strozer; Sholom Cohen; Andrew P. Moore; David A. Mundie; Jennifer Cowley
Organizations often suffer harm from individuals who bear no malice against them but whose actions unintentionally expose the organizations to risk: the unintentional insider threat (UIT). In this paper we examine UIT cases that derive from social engineering exploits. We report on our efforts to collect and analyze data from UIT social engineering incidents to identify possible behavioral and technical patterns and to inform future research and development of UIT mitigation strategies.
hawaii international conference on system sciences | 2014
Frank L. Greitzer; Jeremy R. Strozer; Sholom Cohen; John Bergey; Jennifer Cowley; Andrew P. Moore; David A. Mundie
Organizations often suffer harm from individuals who bear them no malice but whose actions unintentionally expose the organizations to risk in some way. This paper examines initial findings from research on such cases, referred to as unintentional insider threat (UIT). The goal of this paper is to inform government and industry stakeholders about the problem and its possible causes and mitigation strategies. As an initial approach to addressing the problem, we developed an operational definition for UIT, reviewed research relevant to possible causes and contributing factors, and provided examples of UIT cases and their frequencies across several categories. We conclude the paper by discussing initial recommendations on mitigation strategies and countermeasures.
Proceedings of the 18th Conference on Pattern Languages of Programs | 2011
Andrew P. Moore; Michael Hanley; David A. Mundie
A research project at the CERT® Program is identifying enterprise architectural patterns to protect against the insider threat to organizations. This paper presents an example of such a pattern, Increased Monitoring for Intellectual Property (IP) Theft by Departing Insiders, to help organizations plan, prepare, and implement a means to mitigate the risk of insider theft of IP. Our case data shows that many insiders who stole IP did so within 30 days of their termination. Based on this insight, this pattern helps reduce that risk through increased monitoring of departing insiders during their last 30 days of employment. The increased monitoring suggested by the pattern is above and beyond what might be required for a baseline organizational detection of potentially malicious insider actions. Future work will develop a library of enterprise architectural patterns for mitigating the insider threat based on the data we have collected. Our goal is for organizational resilience to insider threat to emerge from repeated application of patterns from the library.
availability, reliability and security | 2013
David A. Mundie; David McIntire
Malware analysis is an information security field that needs a more scientific basis for communicating requirements, hiring, training, and retaining staff, building training curricula, and sharing information among analysis teams. Our group is building an OWL-based malware analysis ontology to provide that more scientific approach. We have built a malware analysis dictionary and taxonomy, and are currently combining those with a competency model with the goal of creating an ontology-based competency framework. This paper describes the state of the work and the methodology used.
2013 Third Workshop on Socio-Technical Aspects in Security and Trust | 2013
David A. Mundie; Samuel J. Perl; Carly L. Huth
The lack of standardization of the terms insider and insider threat has been a noted problem for researchers in the insider threat field. This paper describes the investigation of 42 different definitions of the terms insider and insider threat, with the goal of better understanding the current conceptual model of insider threat and facilitating communication in the research community.
availability, reliability and security | 2012
David A. Mundie; Robin M. Ruefle
The CERT Incident Management Body of Knowledge (CIMBOK) was built using a systematic process that starts with a controlled vocabulary and evolves through taxonomies, static ontologies, dynamic ontologies, intentional ontologies, and metamodels. The CIMBOK builds on 10 previous standards for incident management. This paper describes the components of the CIMBOK and how they were constructed.
Proceedings of the 18th Conference on Pattern Languages of Programs | 2011
David A. Mundie; Andrew P. Moore
Insider threat research at the CERT Program has shown that many organizations fall into a vicious cycle of trust and insider threat: organizations do not detect any suspicious insider behavior, so they trust their insiders, do not monitor them, and consequently do not detect suspicious insider behavior. This paper presents a pattern that can break this vicious cycle.
Archive | 2013
David A. Mundie; David McIntire
PLoP '12 Proceedings of the 19th Conference on Pattern Languages of Programs | 2012
David A. Mundie; Andrew P. Moore; David McIntire
PLoP '12 Proceedings of the 19th Conference on Pattern Languages of Programs | 2012
Andrew P. Moore; David McIntire; David A. Mundie; David Zubrow