Insider Threat

Insider Threat

Cybersecurity measures are frequently focused on threats from outside an organization rather than threats posed by untrustworthy individuals inside an organization. However, insider threats are the source of many losses in critical infrastructure industries. Additionally, well-publicized insiders have caused irreparable harm to national security interests. An insider threat is defined as the threat that an employee or a contractor will use his or her authorized access, wittingly or unwittingly, to do harm to the security of the United States. Although policy violations can be the result of carelessness or accident, the primary focus of this project is preventing deliberate and intended actions such as malicious exploitation, theft or destruction of data or the compromise of networks, communications or other information technology resources. The Department of Homeland Security (DHS) Science and Technology Directorate’s (S&T) Insider Threat project is developing a research agenda to aggressively curtail elements of this problem.

Motivation

Increasingly, insider threat cases and high-profile data leaks illustrate the need for strong insider threat programs within organizations. The number of infamous and damaging attacks against the government illustrates that the threat posed by trusted insiders is significant. This threat will continue to grow as increased information-sharing results in greater access to and distribution of sensitive information.

Approach

To address the growing concern of insider threats, this project seeks more advanced R&D solutions to provide needed capabilities to address six areas.

  1. Collect and Analyze (monitoring)
  2. Detect (provide incentives and data)
  3. Deter (prevention)
  4. Protect (maintain operations and economics)
  5. Predict (anticipate threats and attacks)
  6. React (reduce opportunity, capability and motivation and morale for the insider)

The beneficiaries of this research range from the national security bodies operating the most sensitive or classified systems to homeland security officials who need to share sensitive-but-unclassified/controlled unclassified information and to the healthcare, finance and many other sectors where sensitive and valuable information is managed. In many systems such as those operating critical infrastructures the integrity, availability and total system survivability are of the highest priority and can be compromised by insiders.

Performers

University of Texas San Antonio: Lightweight Media Forensics for Insider Threat Detection

This effort is developing novel methods to detect insider threats through disk-level storage behavior and how an individual’s behavior diverges from prior behavior and/or that of their organizational peers. Current approaches rely on rules/signatures and look for patterns matching previous attacks. Analyzing disk-level storage behavior with a lightweight media forensics agent will provide a more in-depth look at user behavior for indicators and proactively identify potential threats.

Resources

Insider Threat Fact Sheet

Visit the cybersecurity projects, news and resources pages for cyber specific articles and other written products or connect with us at the next S&T cybersecurity event.  

Contact

Program Manager: Megan Mahle

Email: SandT-Cyber-Liaison@hq.dhs.gov

 

Was this page helpful?

This page was not helpful because the content:
Back to Top