Insider Threats: Countering Cyber Crime from Within
The MITRE Digest, October 2009
We all know computer hackers are trouble for our economy—whether they're looking to steal credit card data or just disrupt daily business operations. But did you know that employees who use their computer access to steal proprietary data or intellectual property also cause significant business losses? Though the actual number of these "insider threat" incidents is low compared to hacking attempts, the targeted nature of the crimes can cost companies dearly. According to a report released by the Bureau of Justice Statistics in 2008, the types of cyber offenses that include intellectual property theft comprise only 11 percent of cyber crimes against businesses, but cause approximately 52 percent of the monetary losses. Moreover, such crimes are overwhelmingly the result of insiders—approximately 75 percent.

Unfortunately, although these malicious insiders have a negative impact on our economic competitiveness, their crimes are considerably harder to detect and prevent. After all, employees must be trusted to do their jobs, so they need access to all kinds of data and information on company networks. Finding wrongdoers requires learning where the valid business needs of employees cross the line into illegal behavior and then determining the best way to stop the misconduct.

To upend this trend, MITRE's Greg Stephens, a principal information security engineer, leads a multi-year research effort investigating malicious insiders. His team has made progress in learning how to detect suspicious behavior, while also identifying some of the challenges that remain to be overcome. By publishing its findings, the team is contributing valuable research to the body of knowledge about detecting and countering insider threats.

Different Technology, Same Humans

Stephens notes that people don't really change: ideology, revenge, ego, financial desperation, and garden-variety greed are among the many reasons malicious insiders behave as they do—and always have.
What has changed is the technical and economic landscape of the U.S., which makes it easier for them to gain access to critical information. This makes deterring such behavior a growing concern. "As a nation, we depend more and more on our intellectual property," he says. "Losing trade secrets puts our nation at a competitive disadvantage. But technology now makes it easier than ever to download lots of information—think of how much data can be stored on a removable flash drive. We're more and more networked. We're globalized. All these factors point to people being able to misuse company information more easily."

Stephens began his research several years ago after concluding that standard network intrusion-detection software couldn't root out bad behavior originating on the inside. Using a MITRE-funded prototype called ELICIT—which he co-designed with colleague Marcus Maloof—Stephens ran several experiments over a three-year period to see if certain patterns of behavior on a company's network set off alarms about potential illegal or unethical actions. ELICIT (which stands for "Exploit Latent Information to Counter Insider Threats") yielded a number of suspicious behaviors to look for and a methodology to assess the significance of those behaviors. Although the initial work was promising, Stephens and his colleagues believed more research was needed to enumerate behaviors that truly differentiate malicious from benign users. This motivated their latest efforts.

Adding Social Science to the Mix

His recent research, in collaboration with MITRE colleagues Deanna Caputo, Brad Stephenson, and Minna Ling, has been supported by the Institute for Information Infrastructure Protection (I3P), a consortium managed by Dartmouth College dedicated to strengthening the cyber infrastructure of the United States. (Others participating in MITRE's I3P project were Dartmouth, Columbia University, Cornell University, Indiana University, Purdue University, and the RAND Corporation.)
The newer work adds a much-needed component to the research: the social and business context of malicious behavior. "To design our most recent experiment, we applied social science methodologies that computer scientists don't usually use," Stephens says. "We ran our experiment on MITRE's own internal network, testing two groups operating under similar conditions but with differing motivations—one malicious, one benign. All the participants knew they were being monitored for the test, but none of them knew what we were looking for or why we were conducting the test. They were just given tasks to obtain certain kinds of information in a relatively short timeframe."

The experiment was conducted in double-blind fashion to prevent bias. An independent proctor who didn't know who was playing what role monitored the action. Most important, there was a controlled baseline group of participants so that valid statistical comparisons could be made. "We wanted to know," says Stephens, "would participants act differently if their intent in seeking information was different? If you can find the key ways in which people behave, key differentiators, you can build more accurate detection systems and tools. That's what we're hoping to contribute to the body of knowledge."

The experiment revealed some eye-opening results. "One of the things we learned is that malicious insiders go for grab-and-go—quantity over quality," says Caputo, a behavioral psychologist and the lead social scientist on the project. "This was not what we expected—we thought it would be 'low and slow,' done meticulously to avoid raising suspicions. But our data didn't show that—in many ways, that finding was counter-intuitive." Perhaps less surprising, she adds, is that "the malicious group also showed signs of evasion—they would close their doors, look over their shoulders, or create innocuously named computer folders to put material in."
Meanwhile, the members of the "benign" control group performed their assigned task in a deliberate and unhurried manner. "Our benign group was more organized," she says. "They took time to create documents and synthesize information."

Successful Research Raises More Questions

These and other findings are among the many facets of the work that Stephens, Caputo, and the rest of the team hope to reproduce in the future. "We want to replicate our work so that we can have even more confidence in our findings—which is the hallmark of good science—and investigate other variables as well," Caputo adds. "Good research always sparks more questions than it delivers answers. For instance, right now companies use many different techniques for deterring bad acts. But which of these security measures or combination of measures is most effective? This one question alone could result in many research projects."

Stephens agrees. "The issue of what security controls work best is important because people still need to do their jobs. You don't want to get in the way of productivity or have employees believe their employers don't trust them." (For a list of some of the ways companies can guard themselves against malicious insiders, see "Advice on Preventing and Mitigating the Insider Threat," below.)

Stephens believes one of the breakthroughs of the research lies in the experimental design itself, which depended on the rigorous intersection of computer and social sciences. "The experimental protocol is significant because people trying to study this problem don't have data to do so, and this gives them a blueprint for developing that data," he says. He also notes that MITRE's ability to combine technical expertise in network and computer security with social science and organizational know-how adds extra dimensions to the work.
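The "grab-and-go" finding above (malicious participants pulled many documents quickly, while the benign control group worked slowly and spent time creating and synthesizing) and the emphasis on comparing against a baseline group suggest one concrete indicator a monitoring team could compute from ordinary file-access audit logs. The script below is an added illustration written for this page; it is not ELICIT code and does not use the team's data. The log format, the 10-minute window, the "three times the peer median" threshold and the sample users alice, bob and carol are all constructed assumptions.

```python
"""Toy detector for the grab-and-go indicator: flag users whose peak burst of
document accesses in a short window far exceeds their peers' baseline, and
report how much of their activity was reading versus creating (saving).
Added example for illustration; the audit-log format, thresholds and sample
data are constructed assumptions, not ELICIT's format or findings."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample audit log, one event per line: "timestamp user action path".
# alice and bob read a few files and save their own documents over hours;
# carol opens and copies ten files in just over three minutes and saves nothing.
SAMPLE_LOG = """\
2009-10-05T09:00:12 alice open /proj/alpha/design.doc
2009-10-05T09:25:40 alice save /proj/alpha/summary.doc
2009-10-05T10:10:03 alice open /proj/alpha/budget.xls
2009-10-05T11:02:51 alice save /proj/alpha/summary.doc
2009-10-05T09:03:00 bob open /proj/beta/spec.doc
2009-10-05T09:48:10 bob open /proj/beta/notes.txt
2009-10-05T10:30:00 bob save /proj/beta/report.doc
2009-10-05T09:05:00 carol open /proj/alpha/design.doc
2009-10-05T09:05:20 carol copy /proj/alpha/design.doc
2009-10-05T09:05:45 carol open /proj/alpha/budget.xls
2009-10-05T09:06:01 carol copy /proj/alpha/budget.xls
2009-10-05T09:06:30 carol open /proj/beta/spec.doc
2009-10-05T09:06:48 carol copy /proj/beta/spec.doc
2009-10-05T09:07:10 carol open /proj/beta/report.doc
2009-10-05T09:07:33 carol copy /proj/beta/report.doc
2009-10-05T09:08:02 carol open /proj/gamma/roadmap.ppt
2009-10-05T09:08:20 carol copy /proj/gamma/roadmap.ppt
"""

READ_ACTIONS = {"open", "copy"}   # assumed "consume" actions
WRITE_ACTIONS = {"save"}          # assumed "produce/synthesize" actions


def parse_log(text):
    """Group events per user as sorted (timestamp, action, path) tuples."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split()
        events[user].append((datetime.fromisoformat(ts), action, path))
    for evs in events.values():
        evs.sort()
    return dict(events)


def peak_rate(evs, window=timedelta(minutes=10)):
    """Largest number of events that fall inside any span of length `window`
    (sliding window over the sorted timestamps)."""
    times = [t for t, _, _ in evs]
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def score_users(events, window=timedelta(minutes=10), factor=3.0):
    """Flag users whose peak burst exceeds `factor` times the peer median.
    The peer median stands in for the article's baseline/control group; the
    factor is an assumed tuning knob, not a value from the research."""
    peaks = {user: peak_rate(evs, window) for user, evs in events.items()}
    baseline = median(peaks.values())
    threshold = factor * max(baseline, 1)   # avoid a zero threshold
    flagged = {}
    for user, peak in peaks.items():
        if peak <= threshold:
            continue
        reads = sum(1 for _, a, _ in events[user] if a in READ_ACTIONS)
        saves = sum(1 for _, a, _ in events[user] if a in WRITE_ACTIONS)
        distinct = len({p for _, _, p in events[user]})
        flagged[user] = {"peak": peak, "baseline": baseline, "reads": reads,
                         "saves": saves, "distinct_paths": distinct}
    return flagged


if __name__ == "__main__":
    for user, info in score_users(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: burst of {info['peak']} events vs peer median "
              f"{info['baseline']}; {info['reads']} reads, {info['saves']} saves, "
              f"{info['distinct_paths']} distinct files")
```

On the sample log only carol is flagged: a burst of ten events against a peer median of one, all reads and no saves. The read-to-save split is a crude stand-in for the article's "synthesize versus grab" contrast; in a real deployment the window, the factor and the action classes would be calibrated against a genuine baseline of benign users for that organization, exactly the kind of control-group data the article says is usually missing.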
"By taking an interdisciplinary approach, we learned a lot about understanding how malicious insiders gather and use information differently from benign users," he says. "The problem isn't solved, but we can now give a list of things to be looking for and provide numbers to support why we believe that."

—by Alison Stern-Dunyak
Page last updated: October 23, 2009