Malicious Insiders’ Information Search and Collection Indicators from UAM: Experimental Design and Findings
Prosecuted insider threat cases within the Federal Government suggest malicious insiders can use their legitimate computer privileges to gather and disclose—without authorization—sensitive information that harms national security. Current computer network defense tools, like intrusion detection and log auditing systems, focus on detecting rule-breaking behavior. Should malicious insiders avoid such rule-breaking, they fly under the radar. Lessons learned from previous MITRE insider threat research suggest these malicious insiders can be identified by observing their patterns of behavior in cyber sensors. Today, most insider threat detection programs deploy user activity monitoring (UAM) tools, but lack data-driven indicators to apply. The challenge lies in identifying characteristics of malicious information search and collection, determining which characteristics differentiate malicious from normal users, validating indicators, and identifying automated detectors. MITRE’s objective is to improve the research and security practitioner community’s understanding of how malicious insiders behave from an information-use perspective. Researchers must understand what malicious information-seeking behavior looks like on a computer to successfully develop new techniques for insider threat detection. Security practitioners need to better understand malicious behavior in order to adapt their enterprise monitoring programs to leverage current, expensive data sources, and to develop empirically based and effective indicators for spotting privileged user misuse. MITRE has findings from a multi-year, 150-participant experiment, and shares statistically significant UAM indicators ready for transition to and evaluation in active insider threat detection programs.