Volume 3 - Issue 4
Chronological Examination of Insider Threat Sabotage: Preliminary Observations
- William R. Claycomb
CERT Insider Threat Center Carnegie Mellon University Pittsburgh, Pennsylvania, USA
claycomb@cert.org
- Carly L. Huth
CERT Insider Threat Center Carnegie Mellon University Pittsburgh, Pennsylvania, USA
clhuth@cert.org
- Lori Flynn
CERT Insider Threat Center Carnegie Mellon University Pittsburgh, Pennsylvania, USA
lflynn@cert.org
- David M. McIntire
CERT Insider Threat Center Carnegie Mellon University Pittsburgh, Pennsylvania, USA
dmmcintire@cert.org
- Todd B. Lewellen
CERT Insider Threat Center Carnegie Mellon University Pittsburgh, Pennsylvania, USA
tblewellen@cert.org
Keywords: insider threat, sabotage, security
Abstract
The threat of malicious insiders to organizations is persistent and increasing. We examine 15 real cases of insider threat sabotage of IT systems to identify several key points in the attack timeline, such as when the insider clearly became disgruntled, began attack preparations, and carried out the attack. We also determine when the attack stopped, when it was detected, and when action was taken on the insider. We found that 7 of the insiders we studied clearly became disgruntled more than 28 days prior to the attack, but 9 did not carry out malicious acts until less than a day prior to the attack. Of the 15 attacks, 8 ended within a day, 12 were detected within a week, and in 10 cases action was taken on the insider within a month. This exercise is a proof of concept for future work on larger data sets; in this paper we detail our study methods and results, discuss the challenges we faced, and identify potential new research directions.