Like a lie detector detects physical changes in the body based on sensitivities to specific questions, we believe there are physical changes in the body that are represented in observable behavioral changes when committing actions someone knows is wrong. Our solution is to develop a paranoia-meter to measure these observables. Using shoplifing as an example, there are peaks and valleys of adrenaline during the entire theft process. There is the moment the thief puts an item in their pocket (high), then as they walk around the store the adrenaline begins to valley a bit, then they attempt to walk out of the store (very high). It is at these points that we want to be able to take as many behavioral measurements as possible because it is at these points the insiders activity will be as far from normal behavior. In this hypothesis we will have a rootkit on the host that monitors keystrokes, mouse movements, and visual cues through the system camera. We believe that during particularly risky activities we will see more erratic mouse movements and keystrokes as well as physical observations such as surveying surroundings, shifting more frequently, etc.

The method we propose employing for monitoring for insider threat observables is a full functional rootkit on every host or on targeted hosts that can have complete control over the operating environment. The rootkit loads as a stealth kernel-mode base implant, which will consist of the basic driver framework and installation and removal program. The rootkit will collect select file access, process execution with parameters, email communications, keyboard activity with a time/date stamp, network/TDI activity (and the actual network data if appropriate), and IM traffic. If detailed surveillance is required, it can be enabled to capture screenshots and construct a video stream. All traces of the rootkit installation will be removed after the initial deployment (event log, etc). Collected data will be exfiltrated over a covcom channel to a controlling server. Communication outbound to the controlling server will emulate outbound HTTP browsing, and if possible will be burst transmitted at the same time as the user is browsing the web or using some other messaging or social media application. The outbound burst will be formatted to resemble an ad-click or some other appropriate subterfuge. This analysis combined with data tagging, and behavioral risk values will give us a much clearer picture of individuals within the organization.

Mission: Recruited Agent in Government Organization X wants to remain as an employee of the organization while continuously identifying, gaining access, collecting, and exfiltrating information on the organizations programs as well as its IP on technologies. The scenario is broken down into six categories (aka ‘dimensions’) of behavior: Exploration; Analysis; Collection; Preparation; Exfiltration; Security.

Exploration: Insider threats will actively explore the data stores and networked systems they have direct access to. As well, they will try to gain access to data and systems outside their immediate data tree or organizational structure. They will likely attempt to monitor communications, open files on different programs, study organization charts, study program structures, and scour internal social media/collaboration spaces. They will communicate with various people in the organization that have access to areas of interest. Their primary means of gaining access will be through normal operations or through careless operational security rather than trying to break into systems. They will continue to try and expand their knowledge of and access to the organization.

Analysis: Insider threats who are able to bring mobile devices in and out of the organization will likely dump files onto the device for later analysis outside of the organization. If they don’t have a mobile device, the insider would likely open files they have access to and review the contents for information of interest. Over time they will learn the programs and people that usually produce the information they want. They will access organizational charts to develop corporate and project link analysis trees to understand what is done where and by whom. They will review file and system attributes to see who has access to what systems, and who develops certain types of data. This information would be recorded and analyzed to determine programs and people of interest.

Collection: Once information is deemed of interest they will pull the information to their local system (if in digital form) or to a shared store only they have access to (email or file). They will create collection files where they can cut and paste information from disparate sources. They may create spreadsheets that are password protected to help organize their information. They will store internal communications for later review, such as email, IM chats, forum, and wiki data.

Preparation: The insider threat will look to use the most inconspicuous or least observable method for exfiltrating data and will want to take the necessary precautions that the exfil process will not be detected. If the Insider has an approved laptop that can leave the facility, they will likely use that system to store the information. Alternatively, the insider will store the information on a removable media such as a USB drive or CD, or they might store the information in email or on a protected file share so it can be accessed remotely through a VPN or remote email gateway. In the hardest of cases they might print certain information because laptops and removable media are not allowed in the facility and they are on a closed network. This process will likely entail consolidation and organization of information, possibly encryption or some other type of obfuscation or data hiding (stegonography).

Exfiltration: Once the data is prepared the insider will choose an option for exfiltration out of the organization; either transmit the data through some communication protocol smtp, http, ftp), access the data remotely through vpn or remote email gateway, physically walk the paper or removable media out of the facility for transmission, or take a laptop or other mobile computing device that contains the identified information out of the facility.

Security: The insider will be preoccupied with security. How does the organization secure its infrastructure? How does it monitor information and employees? The insider will likely review systems for changes to security software or settings, looking for monitoring capabilities. The insider will also likely look for quiet places to work rather than central locations surrounded by people, maybe working through lunches, after hours.

Detecting insider threat actions is highly challenging and will require a sophisticated monitoring, baselining, analysis, and alerting capability. Human actions and organizational operations are complex. You might think you can just look for people that are trying to gain access to information outside of their program area of expertise. Yet there are legitimate reasons for accessing this information. In many cases the activity you might call suspicious can also be legitimate. Some people are more or less inquisitive and will have different levels of activity in accessing information outside their specific organization. Some of the behaviors on systems vary widely depending on function. Software developer behavior will be very different than an HR person or senior manager. All of these factors need to be taken into account when developing detection capabilities for suspicious activity. We cannot focus on just a particular action is potentially suspicious. Instead we must quantify the legitimate reasons for the activity and whether this person has a baseline, position, attributes, and history to support the activity.