IBM System G Insider Threat Solution

Demo Website | Software Package v1.2 (released 11/15/14, for authorized user)

Recent Announcements: Maritime and Port Authority of Singapore | US Department of Homeland Security





Motivation to advance insider threat detection technology



Insiders usually show a series of 'weak signals' before real attack; Traditional cybersecurity methods which focus on the last step are usually too late. Furthermore, insider is usualy a legitimate user, e.g., accessing data, entering a building, etc. That makes the security mechanisms for intruder protection not applicable. Here is an example of the WikiLeak case.



To understand insiders one needs to consider them from many different angles. Machine-based long term human behavior understanding and reasoning is needed in order to make progress on insider threat detection.




Technologies of IBM System G Insider Threat Solution



Multi-Modality Multi-Layer Human Behavior Understanding



Software Package



Schematic Function Description



Example of Feature and Concept Layer Detectors -- Outliers



Example of Feature and Concept Layer Detectors -- Emotions



Example of Other Concept and Semantic Layer Detectors



Cognitive Reasoning of Espionage and IP Theft



Cognitive Reasoning of Sabotage



Cognitive Reasoning of Insider Fraud




Performance Testing



Insider Threat Test Scenarios (created by CERT)

  1. Stealing Login Credentials: An employee steals usernames and passwords from co-workers and emails them to an outside party.

  2. Exfiltration Prior to Termination: An employee is leaving the company and decides to take all of their emails and files with them.

  3. Masquerading: One user is masquerading as another on an unattended workstation.

  4. Bona Fides: Prints a bona fides package and takes it to a foreign embassy.

  5. Hiding Undue Affluence: An employee possesses undue affluence because of ongoing espionage activity. They need to hide the existence of the money from investigators and they perform research on how to do so.

  6. Exfiltration of Sensitive Data Using Screenshots: An employee steals proprietary/sensitive docs by taking screenshots of specific pages, recursively encrypting the files, and emailing them to a webmail address.

  7. Exfil with Complex Steganography: An employee uses steganography to hide data in an image file, then uploads that file to a website.

  8. Anomalous Encryption: A Subject wishes to pass sensitive company information to a foreign government in exchange for that government setting him up with his own business in the foreign country. Subject researches monitoring capabilities with regard to encryption. Subject generates a long random passphrase and stores it in a text document, then tests encrypting and mailing data to their personal account. The subject then exfiltrates sensitive documents by encrypting them with the key and emails the key to an accomplice/handler by including it as an email signature.

  9. Insider Startup: Three co-conspirators collude to steal company IP. They coordinate the synchronized theft of proprietary information before leaving the company.

  10. Circumventing Monitoring Software: A user circumvents monitoring to commit a crime.

  11. Masquerading 2: Subject sets up a rogue SSH server on another user's machine. They also make a copy of the local Windows password file and copy the file off over the network.

  12. Layoff Logic Bomb: An engineer is worried about rumors of impending layoffs feels that he needs some kind of an 'insurance policy', in case he gets laid-off or fired. He creates a "logic bomb" which will delete all files from a number of company Linux systems in five days, unless he resets the timer before then. We may or may not observe the subject changing the timer, depending on the scenario variation.

  13. Outsourcer's Apprentice: A software developer outsources his job to China and spends his workdays surfing the web. Some surfing activity occurs on his main workstation while the subcontractor is active, but most of it occurs on a second laptop he uses to try to minimize his interference with the subcontractor. He pays just a small fraction of his salary to a company based in China to do his job. The developer provides remote access to his machine by providing his VPN credentials to the Chinese company and enabling Terminal Services on his workstation. The Chinese consulting firm sends the developer PayPal invoices for the work performed, and the developer pays them.

  14. Survivor's Burden: The subject is disgruntled after his team experienced layoffs (and a logic bomb), greatly increasing his workload. He hopes to become the team lead, but is passed over for the position and takes matters into his own hands by stealing company IP using DropBox

  15. Manning Up: Subject has conducted extensive research concerning Bradley Manning, Bradley Manning connected to WikiLeaks, and Bradley Manning's treatment by the U.S. Government. Subject has engaged co-workers concerning Bradley Manning. Subject has been researching the DNS protocol exploits, and specifically how to hand craft DNS queries, including through batch files. Subject has been experimenting DNS queries for unknown purpose.

  16. Manning Up Redux: Subject has continued with research concerning Bradley Manning, Bradley Manning connected to WikiLeaks, and Bradley Manning's treatment by the U.S. Government. Subject has engaged a co-worker concerning Bradley Manning. Subject has been researching whistleblower laws, sites that accept and post whistleblower material, and confidential reporting mechanisms. Subject has created text files and batch files that export segments of the text files through specially DNS queries.

  17. Selling Login Credentials: Subject is a system administrator who can create local user accounts. This individual is looking for ways to use his position to make extra money. Co-conspirator A is an unknown individual, probably in Russian organized cybercrime, who needs access to corporate computers. Co-conspirators B and C are firewall and VPN administrators that are unwitting accomplices of Subject. Subject creates fake local accounts and enables remote access to those machines, selling temporary access to CCA, with the unwitting assistance of CCB and CCC.

  18. Indecent RFP: Subject uses an inappropriate relationship with another employee to illegally influence vendor selection for a lucrative catering contract in order to obtain personal financial gain.

  19. Credit Czech: Subject runs an illicit business trafficking in stolen credit card numbers, using the organization's IT resources. He acts as a middleman between various external purveyors of stolen numbers and a Russian operative who buys the collected numbers.

  20. Czech Mate: Similar to Credit Czech, but the new protocol calls for twice-daily emails to Subject's Russian counterpart in order to keep the operation alive.

  21. Breaking the Stovepipe: An employee with access to information in two different paths of competing proprietary interests accidentally sends an email to a person at the wrong company. Realizing their contact has access to files that would give them a competitive advantage, the other company manages to bribe the employee to share the first company's proprietary files.

  22. Snowed In: A sysadmin discovers and reports a website security vulnerability. He becomes disgruntled after his supervisor dismisses his concern and his supervisor's supervisor officially reprimands him for his activities. Later, during the course of his normal duties, he discovers a classified document containing shocking revelations about a secret government program on a co-worker's machine. (The government is secretly using snowplows collect information from unsecured wifi networks.) For the remainder of the month, each time he moves a file for his normal job duties, he also exfiltrates the file.

  23. Naughty by Proxy: A disgruntled employee seeks revenge by logging on to her manager's computer and visiting questionable websites.

  24. Byte Me: Subject did a good friend (CCA) a big favor by coding his/her badge so that he/she could pass through a restricted-access door to get to the smoking area without having to walk all the way around the building. The friend begins selectively referring smoking buddies to Subject to have their badges similarly modified. Subject only accepts customers referred by CCA and has a strict "no walk-ins" policy.

  25. Indecent RFP 2: Subject has exfiltrated sensitive company documents and maliciously performed and unauthorized disclosure of those documents to a non-employee of the company. Subject appears to be blackmailing another employee of the company.

  26. Byte Me Middleman: Variation of Byte Me where all illicit electronic communication with Subject goes through CCA. Other co-conspirators communicate with Subject in person (so are unobserved).

  27. Passed Over: Subject learns that his/her project is being phased out in a company re-organization. Subject becomes extremely disgruntled, makes demands and threats to his/her leadership, and then installs malware on several machines before submitting a resignation.


Performance Report I (benchmarks reported in October 2013).

Pink background represents the detection result of the scenario by the same type detector. For instance, the abnormal person at the first case 'Scenario 12 Sabotage' was detected as Top #4 by our Sabotage detector. That means there were 3 false-alarms, which shall then be further examined by the Analyst. The espionage bad guy (Scenario 8) ranked Top #1 by our Espionage detector. The 'All' ranking is the sorting of the highest risk score of a person by the 3 detectors -- sabotage, espionage and fraud. It is used when Analyst only wants to look at 1 (combined) detector rather than 3. In that situation, the 3 bad guys in Dec 2012 were ranked #1, #2, and #9 out of 5,500.



Performance Report II (benchmarks reported in April 2014)