Introduction: Insider Threat and the Malicious Insider Threat – Analyze. Deter. Discover. Prevent. Respond


Posted: May 9, 2018 | By: Roderick A. Nettles, Michael Weir

Building a quarterly journal that spans broad topical and technical themes can be challenging, and the selection of articles for any one journal intimidating. Over the last five years CSIAC has published special issues on military research laboratories (Volume 5 Number 1; Volume 4 Number 1), focused in on particular relevant technical thrusts (e.g., Serious Games M&S, Volume 5 Number 4, December 2017), and operational considerations (e.g., SCADA, Volume 1 Number 3). This quarter, the CSIAC Journal presents five articles which represent different perspectives on Insider Threat and approaches to understand and remediate that threat. Due to the cost of reproduction and distribution, we are releasing the print journal with the first four articles, and incorporating into the journal a reference to the longer and more complex fifth article available online at CSIAC.ORG. All five articles are included in the PDF version of the journal available online.

In this journal we are proud to identify and include work by two organizations with a long history of research and good counsel regarding Insider Threat – the Software Engineering Institute (SEI) at Carnegie Mellon University and the SANS Technology Institute.

Any collaboration between people in a group requires a certain degree of trust to be successful. Whether in financial, political, military, or social situations, the ability to trust those around you is a primary enabling factor to success. Misuse of that trust to gain advantage for purposes counter to the group’s success can also be a primary factor in the group’s failure. For the last few decades in the cybersecurity realm, the term “Insider Threat” has been used to identify individuals or entities that misuse some level of trust gained within an organization to adversely use information or information systems to the detriment of the organization. The designation is somewhat broad, encompassing intentional and unintentional actions, individuals and groups of people, even human and machine/computer activities. Approaches to the remediation of the Insider Threat are also quite broad, with current best practice combining several to achieve the best results. Physical, technical, behavioral, policy, and process means are all parts of an effective Insider Threat program.

When any concept or technology becomes widely relevant, it begins to differentiate into sub-components on its path to full maturity. New and innovative approaches leverage and augment the foundational ideas that generated the original concepts, frequently evolving to new areas and spawning their own subcomponents. Insider Threat remediation research has made that journey, growing in relevance and maturity, and many alternative paths evolved from those foundational ideas as the methods and technology behind information management (and the methods and technology available to Insider Threat actors) have become more powerful and complex. One piece of the puzzle has remained a constant – the human aspect.

The American origins of Insider Threat conduct go back at least to 1775. Benjamin Church was a British Loyalist and trusted insider who had access to important Colonial letters by virtue of his position. He diverted key messages to British general Sir Thomas Gage in an attempt to undermine American military movements [1]. The same human motivations that drove his actions have been repeated over and over again in the last two centuries, using different methods and technologies to access and misuse critical information. In the late 1980s, the CIA initiated Project Slammer in an attempt to gather the most current and relevant information from captured insider spies to discern the primary influencers that enabled their conduct. At the end of that heavily redacted 1990 report [2], quote:

“Subjects almost invariably conceive of committing espionage after they are in a position of trust. While initial screening continues to be important, focusing on update and monitoring procedures seems increasingly worthwhile.”

In a Counterintelligence Trends document from 1993 [3] summarizing the overall Project, it states clearly that none of the people studied intended to spy at the point they were granted access to information.

With that firmly in mind, this special issue will focus on the “Insider Threat and the Malicious Insider Threat” that pose unique security challenges to all organizations due to their knowledge, proficiencies, and authorized access to information systems.

How do you interpret people’s behavior in the context of the Insider Threat? The next article identifies and amplifies concepts associated with a core concern of many involved with Insider Threat – what about the unintentional insider? Professor Coffey expands on the Software Engineering Institute’s (SEI’s) Insider Threat Ontology to recommend some ways to incorporate non-malicious behavior within that construct, and provides an exemplar of how it might be used.

If you can’t stop the Insider, how do you mitigate the effects? The following article identifies a truth about compromise (with enough effort, virtually any organization can be compromised) and then proposes methods for most effectively mitigating the effects of compromise. Dr. Cole proposes best-practice methodologies for Detect, Contain and Control with an emphasis on the Insider Threat.

How do you integrate policy and compliance with an effective Insider Threat program? A very different perspective is provided by Christian Moldes in his article on the policy-level components of an effective Payment Card Industry (PCI) compliance program, identifying the effective integration of the objectives of compliance with the organization’s organic actions/processes in place to assure protection of information assets.

What about the threat of “Insider Hardware” that isn’t even a person? With the Internet of Things (IoT) becoming a component part of any organization, what about the threat of embedded hardware inside your organization? Eric Jodoin provides a very detailed example of revealing an embedded device’s information flow using serial port access. It is illuminating both for the ability to access embedded information streams and for the reasoning process that can provide insight into how embedded devices can be used in an insider scenario.

How do we get better at finding Insider Threats? Matthew Hosburgh suggests a more contemporary method for actively identifying Insider Threat actors – applying the concepts of Threat Hunting to the problem. Involving people more actively in the hunting of Insider Threat actors using current Threat Hunting tools and techniques ratchets up the capability to find and remediate potential problems. This article also capitalizes on the Insider Threat Ontology from the SEI and identifies insertion points for the Threat Hunting methods.

We hope that this combination of articles across a broad spectrum of Insider Threat remediation techniques and analyses will help you go beyond the basic, first-order effects of traditional Insider Threat tools and ideas and begin to reason about the wider aspects of how people, technology and policy can combine more coherently to analyze, deter, discover, and ultimately prevent such activities from occurring.


  1. Benjamin Church, probably the first Surgeon General of the US, provided information to the British prior to the Battle of Lexington.
  2. Project Slammer Interim Report, 12 April 1990, redacted and declassified version.
  3. “Counterintelligence Trends”, DCI Counterintelligence Center, January 1993, page 10; approved for release March 2002.
