Abstract

In recent years, organizations ranging from defense and other government institutions to commercial enterprises, research labs, etc., have witnessed an increasing amount of sophisticated insider attacks that manage to bypass existing security controls. Insider threats are staged by either disgruntled employees, or employees engaged in malicious activities such as industrial espionage. The objectives of such threats range from sabotage, e.g., in order to disrupt the completion of a project, to exfiltration of sensitive data such as trade secrets, patents, etc. Insiders are often skilled and motivated individuals with good knowledge of internal security measures in the organization. They devise effective and carefully planned attacks, prepared over long periods of time and customized to inflict maximum damage. Such attacks are difficult to detect and protect against, because insiders have the proper credentials to access services and systems within the organization, and possess knowledge that may allow them to deceive network defense controls. As a result, a large number of hosts may be taken over, allowing malicious insiders to maintain control over the network even after leaving the organization.