Identifying attack patterns for insider threat detection
Ioannis Agrafiotis, Jason R. C. Nurse, Oliver Buckley, Phil Legg, Sadie Creese and Michael Goldsmith
Abstract
Insider threats pose major concerns to businesses, institutions and governmental organisations. Numerous approaches have been proposed to tackle this threat; however, few consider the full scope of the problem and its technical, organisational and behavioural aspects. In previous work, we defined a unifying framework that can fully characterise insider attacks across these domains. This article builds on that work to define attack patterns that could be key in assisting insider-threat detection. This research is based on 120 real-world case studies of attacks, including fraud and IP theft. We represent each case study as a series of attack steps and identify common trends between different attacks, along with human- and machine-observable steps. We then apply the identified attack-pattern trees to two case studies.