
Book Review: The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (2012) by Dawn M. Cappelli, Andrew P. Moore, and Randall F. Trzeciak

Executive Summary

The authors have reviewed more than 700 cases of insider threat attacks and developed a comprehensive list of mitigation controls that might have prevented them. The book is not very well organized, but the content represents the authoritative source on precursor behavior that may illuminate potential insider attacks. In that regard, it is a must-read for cyber security professionals. What is clear from reading the book is that there is no technical solution that will prevent insider attacks. Technology can aid in discovery, but it is not a panacea; it will not prevent a determined inside attacker. A good program will accomplish four tasks:
  • Train employees and their managers to watch for the signs of potential insider threat behavior.
  • Provide the mechanisms across the organization to report and review the activity.
  • Establish and maintain the apparatus to report potential abuse and respond to incidents when necessary.
  • Mitigate the risk before any damage is done.
The key to the entire program is the human element, and that is why defending against the insider threat is hard.


I am the CISO of a mid-sized government contractor company. When the Edward Snowden case hit the press in summer 2013,[1] my senior leadership rightly asked if our own insider threat program would have detected Snowden’s activities before he released classified information to the public. I had to admit that the honest answer is no. Because of his system administrator position, Snowden was a trusted employee (contractor). He had the keys to the city, or at least some of them.

We may have had better luck catching Bradley Manning. According to Bill Simpich at Reader Supported News (RSN), Manning released some 700,000 documents to the public.[2] That volume of exfiltrated documents may have been noticed by my automated monitoring system or would have been stopped by my preventative controls (not allowing access to the CD system on classified machines), but Snowden released only a handful of documents (with the promise of more later).[2] My monitoring system would not have noticed that kind of precision, and because he was a system administrator, he most likely had permission to turn off my preventive controls that stopped USB use.

With that stunning assessment, I picked up The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) by Dawn Cappelli, Andrew Moore, and Randall Trzeciak. I wanted to see if there was something else that could be done. 

What is clear from reading the book is that there is no technical solution that mitigates insider threat risks. Technology can aid in discovery, but it is only a part of an organization’s discovery options. For any insider threat program to be successful, leadership must coordinate across three lines of business activity: policy, training, and information technology (IT) discovery. 

Book Organization

The book itself is quite odd. It is written in an academic style that is not as direct as other technical security books that I have come across. The authors scatter layers of the same information through the chapters. Specifically, they talk about the 16 mitigating controls in at least three locations at various levels of detail. Lists of indicators of precursor behavior are all over the place and are not consistent. The thing they do get right is that they are very explicit about what the risk is and what you can do to counter the risk, but the design of the book and the execution are not tightly bound. 

The authors begin by explaining what the three kinds of insider threats are and offer high-level mitigation controls for each. They have a special chapter for preventing insider threat actions in the typical software development life cycle, but it was not clear to me why that particular vector was more important than all of the other ones described. They present a technical control chapter covering some lightweight suggestions about how to home grow your own technical solutions that can alert to potential insider threat actions, but they designed the examples to be illustrative and not comprehensive so that you might understand the design process. I did not find this chapter that useful. The meat of the book is the chapter discussing the 16 mitigation controls. Finally, they conclude with a case study chapter that I expect will be quite useful for anybody designing the security awareness training plan that the authors recommend building.

That said, there is good information here. Cappelli and her co-authors recommend specific administrative, technical, and physical controls that they have found useful in detecting and mitigating the insider threat. 

The authors define three types of insider threats:
  • Insider IT sabotage: Incidents in which the insider uses IT to direct specific harm at an organization or an individual.
  • Insider fraud: Incidents in which an insider uses IT for the unauthorized modification, addition, or deletion of an organization’s data (not programs or systems) for personal gain, or the IT theft of information that leads to an identity crime.
  • Insider theft of intellectual property: Incidents in which an insider uses IT to steal proprietary information from an organization.
They make a weak case that certain mitigation controls and certain precursor behavior go with specific types of insider threats, but they do not show that the data is conclusive. Nevertheless, insider threat programs must look for all potential precursor behavior and apply the correct mitigation control against it.

Behavior to Watch Out For

Regardless of what kind of insider threat risks are present, employees and managers can look for and be aware of precursor behavior indicating that an employee is considering an insider threat attack. When these things happen, an insider threat attack could be following. The authors did not describe this, but I found that the precursor behaviors fell into six distinct categories:

The company imposes Internet restrictions:
  • Employee’s online actions restricted 
  • Employee’s use of company resources restricted 
An employee’s work performance suffers:
  • Employee lack of a work ethic or decrease in work ethic
  • Employee missing deadlines
  • Employee/supervisor issues that include a new supervisor replacing a favorite former supervisor or disagreements with existing supervisors
  • Employee job dissatisfaction
  • Employee conflicts with coworkers or supervisors
  • Employee developing a sudden pattern of missing work, arriving late, or leaving early
  • Employee’s job performance suffers
  • Employee demotions
  • Employee reprimands
  • Employee suspensions
  • Employee threats against the organization
  • Employee bragging about the damage he or she could do to the organization
The employee experiences distracting personal issues:
  • Employee financial problems
  • Employee drug use
  • Employee exhibits aggressive or violent behavior
  • Employee mood swings
  • Employee bizarre behavior
  • Employee sexual harassment
  • Employee poor hygiene
  • Employee association with known criminals or suspicious people outside the workplace
  • Employee uses organizational resources for a side business or discusses starting a competing business with coworkers
  • Employee recruits other employees to join his or her schemes, particularly to steal or modify company information for financial gain
A compensation disappointment occurs:
  • Employee passed over for promotion
  • Employee disagreement over salary and compensation
Key work is taken away from an employee:
  • Employee key projects taken away and outsourced
  • Employee transfer between departments
  • Contractor subcontract terminated
  • Partnership termination due to financial issues
  • Employee responsibilities removed from projects
The employee tampers with the company “network” and leaves traces of technical indicators that are consistent with insider threat activity:
  • Employee changes all passwords immediately before resignation.
  • Employee disables system logs.
  • Employee removes history files.
  • Employee fails to create backups as required.
  • Employee fails to document systems or software as required.
  • Employee accesses customers’ systems without permission.
  • Employee uses coworkers’ machines without permission.
  • Employee shares passwords with others and demands passwords from subordinates.
  • Employee refuses to swipe badges to record physical access.
  • Employee accesses websites prohibited by the organization’s acceptable use policy.
  • Employee refuses to return a laptop upon termination.
  • Employee conducts large downloads close to resignation.
  • Employee attempts to gain employees’ passwords or obtain access through trickery or exploitation of a trusted relationship (often called social engineering).
With these behaviors identified, organizational leadership can design an insider threat program that monitors for these kinds of behaviors and takes actions to mitigate the situation before anything serious occurs.

16 Mitigation Practices

The most important nugget of information I got from this book was this epiphanous comment from the authors:

“If you learn only one thing from this book, let it be this: Insider threats cannot be prevented and detected with technology.”

There is no magic bullet here. The mitigations this book describes are the same mitigations that any group of CISOs standing around a white board for an hour might come up with. What makes the book valuable is that it is backed up with real data. After analyzing some 700 cases, the authors can make reasonable assertions about what might work. The epiphany for me was that the bulk of the recommendations do not fall within the technical realm. More than half fall into the administrative side, which may be why detecting the insider threat is so hard. For any insider threat program to work, it must rely on humans communicating clearly across business boundaries: from the executive leadership team down to the minions regarding policy, from the internal business units to the external trusted business partners about acceptable use, from the managers observing employee behavior and reporting anomalies to human resources, and from the IT department gathering evidence for leadership to make a decision. The authors describe 16 strategic goals to help prevent an insider threat attack and suggest a number of tactical controls for an organization to put in place to make that strategic goal successful.

Administrative Practices

Practice 1: Consider Threats from Insiders and Business Partners in Enterprise-Wide Risk Assessments

  • Monitor intellectual property to which access is provided.
  • Maintain access rights management.
  • Understand the personnel policies and procedures of the trusted business partner.
  • Create clear contractual agreements that specifically state that the business partner is responsible for protecting the company’s organizational resources.

Practice 2: Clearly Document and Consistently Enforce Policies and Controls

  • Define acceptable use of your systems, information, and resources.
  • Define ownership of information created as a paid employee or contractor.
  • Establish processes and procedures for addressing employee grievances.
  • Schedule periodic employee training on the policies, justification, implementation, and enforcement.
  • Establish management response to negative workplace issues.
  • Establish process for contentious employee terminations including the retrieval of all organization property during the termination process.
  • Establish process to monitor and control changes to organizational systems.
  • Establish the separation of duties between employees who modify customer accounts and those who approve modifications or issue payments.
  • Perform background checks and evaluate prospective employees based on the information received.
  • Investigate and respond to all rule violations committed by employees and contractors.
  • Establish process to maintain the organization’s insider incident response plan.
  • Ensure that all passwords are strong, employees do not share their passwords with anyone, employees change their passwords regularly, and all computers automatically execute password-protected screen savers after a fixed period of inactivity.

Practice 3: Institute Periodic Security Awareness Training for All Employees

  • Train employees on the policies, justification, implementation, and enforcement of the insider threat program.
  • Train employees on recognizing and responding to employee precursor behavior.
  • Train employees on detecting and reporting disruptive behavior by employees.
  • Train employees on how to monitor for adherence to organizational policies and controls.
  • Train employees on how to monitor and control changes to organizational systems.
  • Train employees on the details of specific separation of duties requirements between employees who modify customer accounts and those who approve modifications or issue payments.
  • Train employees on how to detect and report security violations of the organization’s facilities and physical assets.
  • Train employees on how system activity is actively monitored, especially system administrators and other privileged users.
  • Train employees on personal responsibility for protecting the information with which they are entrusted and the possibility that unscrupulous individuals could try to take advantage of their access to that information.
  • Train employees on acceptable IT use.
  • Train employees on how to respond to a negative workplace issue.
  • Train employees on the organizational practices and policies for acceptable workplace behavior, dress code, acceptable usage policies, work hours, and career development.
  • Train employees on the organization’s intellectual property agreements and non-compete agreements.
  • Train employees on the employee’s intellectual property agreements and non-compete agreements he or she signed when joining the company.
  • Train employees on how managers must remind a terminated employee of the intellectual property agreements and non-compete agreements he or she signed when joining the company.
  • Train employees on how managers will retrieve all organization property when an employee is terminated.
  • Train department heads on the details of the insider threat response plan.
  • Train employees on what a strong password is, that employees should not share their passwords with anyone, that the company requires employees to change their passwords regularly, and that all computers automatically execute password-protected screen savers after a fixed period of inactivity.

Practice 4: Monitor and Respond to Suspicious or Disruptive Behavior

  • Evaluate the employee’s access to critical information assets.
  • Review and assess logs regarding recent online activity by the employee or contractor.
  • Provide options to the employee for coping with the behavior, perhaps including access to a confidential employee-assistance program.

Practice 5: Anticipate and Manage Negative Workplace Issues

  • Encourage employees to discuss work-related issues with a member of management or human resources without fear of reprisal or negative consequences.
  • Managers will handle contentious employee terminations according to policy.
  • Encourage employees to seek assistance according to policy.

Practice 8: Enforce Separation of Duties and Least Privilege

  • Require online management authorization for critical data entry transactions.
  • Institute code reviews for the software development and maintenance process.
  • Use configuration-management processes and technology to control software distributions and system modification.
  • Design auditing procedures to protect against collusion.

Practice 9: Consider Insider Threats in the Software Development Life Cycle

Practice 10: Use Extra Caution with System Administrators and Technical or Privileged Users

  • Establish procedures that promote nonrepudiation of actions.
  • Immediately disable system administrator and privileged user accounts.

Practice 11: Implement Formalized System Change Controls

  • Protect change logs and backups so that unauthorized changes can be detected.

Practice 16: Develop an Insider Incident Response Plan

  • Design and maintain the plan according to policy.
  • Minimize the chances that the internal perpetrator is assigned to the insider threat response team or is aware of its existence.
  • Develop specific actions for the insider threat response team to control damage by malicious insiders.
  • Describe the general process to be followed and the responsibilities of the members of the insider threat response team.
  • Assign a trusted mediator to the insider threat response team for communication between the departments of your organization.
  • Do not share the details of the insider threat response plan with all employees.

Technical Practices

Practice 7: Implement Strict Password- and Account-Management Policies and Practices

  • Make unauthorized access difficult.
  • Log and monitor suspicious access.
  • Attribute the computer account to the individual associated with it.
  • Ensure that all passwords are strong.
  • Ensure that all employees change their passwords regularly.
  • Ensure that all computers automatically execute password-protected screen savers after a fixed period of inactivity.

Practice 12: Log, Monitor, and Audit Employee Online Actions

  • Review and verify changes to all critical assets.
  • Audit for integrity as well as legitimacy.
  • Automate integrity checking to flag a required manual review of suspicious transactions that do not adhere to predefined business practices.
  • Automate tools to detect the creation of backdoor accounts such as system administrator accounts not associated with a current employee.
  • Alert administrators to e-mails with unusually large attachments.
  • Tag documents that should not be permitted to leave the network.
  • Track or prevent printing, copying, or downloading of certain information, such as personally identifiable information (PII) or documents containing certain words, such as codenames for new products.
  • Track all documents copied to removable media.
  • Prevent or detect e-mails to competitors, to governments and organizations outside the United States, to Gmail or Hotmail accounts, and so on.
  • Evaluate the need for every account in your organization.

Practice 13: Use Layered Defense against Remote Attacks

  • Routinely review policies for granting remote access to critical data, processes, and information systems.
  • When remote access to critical data, processes, and information systems is deemed necessary, offset the added risk with closer logging and frequent auditing.
  • Disable remote access for terminated employees.
  • Track all employee account creations and periodically review them to ensure that all access can be quickly disabled when an employee is terminated.
  • Terminate shared accounts.

Practice 14: Deactivate Computer Access Following Termination

  • Execute rigorous termination procedures that disable all access points available to the terminated employee.
  • Review the employee’s desktop computer, laptop, and system logs to ensure no software or applications have been installed that may permit the employee back into your systems.
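As an added example (not code from the book or from this review), the backdoor-account check from Practice 12 (privileged accounts not associated with a current employee) and the post-termination check from Practice 14 (access that survives an employee's departure) can both be run as one reconciliation of the account inventory against the HR roster. The roster, account list, field names and rule names below are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed data model; field names are assumptions for this example,
# not a schema from the book or from any real directory product.
@dataclass(frozen=True)
class Employee:
    employee_id: str
    name: str
    status: str                      # "active" or "terminated"
    terminated_on: Optional[date] = None

@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]          # HR id the account is attributed to; None = nobody
    privileged: bool                 # system administrator / root-equivalent rights
    enabled: bool

@dataclass(frozen=True)
class Finding:
    rule: str
    username: str
    detail: str

# Constructed HR roster and account inventory for the walkthrough.
HR_ROSTER = [
    Employee("E100", "Alice", "active"),
    Employee("E101", "Bob", "terminated", date(2013, 8, 1)),
    Employee("E102", "Carol", "active"),
]
ACCOUNTS = [
    Account("alice", "E100", privileged=True, enabled=True),     # attributed to a current employee: fine
    Account("carol", "E102", privileged=False, enabled=True),    # fine
    Account("bob", "E101", privileged=False, enabled=True),      # owner terminated, account still enabled
    Account("bob_adm", "E101", privileged=True, enabled=True),   # privileged, and the owner is gone
    Account("svc_backup", None, privileged=True, enabled=True),  # privileged, attributed to nobody
    Account("root2", "E999", privileged=True, enabled=True),     # owner id unknown to HR
    Account("dave", "E103", privileged=False, enabled=False),    # disabled: grants no access, nothing to report
]

def reconcile(accounts: List[Account], roster: List[Employee], today: date) -> List[Finding]:
    """Flag enabled accounts that fail either check; sorted by username for stable output."""
    by_id = {e.employee_id: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        owner = by_id.get(acct.owner_id) if acct.owner_id else None
        current = owner is not None and owner.status == "active"
        # Practice 12: a privileged account must be attributed to a current employee.
        if acct.privileged and not current:
            who = owner.name if owner else (acct.owner_id or "nobody")
            findings.append(Finding("unattributed_privileged_account", acct.username,
                                    f"privileged account attributed to {who}"))
        # Practice 14: any enabled account of a terminated employee is an open door.
        if owner is not None and owner.status == "terminated":
            days = (today - owner.terminated_on).days if owner.terminated_on else -1
            findings.append(Finding("enabled_after_termination", acct.username,
                                    f"{owner.name} terminated {days} days ago"))
    return sorted(findings, key=lambda f: (f.username, f.rule))

def run_example() -> List[Finding]:
    """Run the reconciliation over the constructed data as of a fixed date."""
    return reconcile(ACCOUNTS, HR_ROSTER, date(2013, 8, 20))

if __name__ == "__main__":
    for f in run_example():
        print(f"[{f.rule}] {f.username}: {f.detail}")
```

In practice the two inputs would come from the HR system of record and from a directory export, and the report would feed the manual review the book calls for rather than auto-disabling anything.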

Practice 15: Implement Secure Backup and Recovery Processes

  • Control access to the facility where the backups are stored.
  • Control access to the physical media (e.g., no one individual should have access to both online data and the physical backup media).
  • Enforce separation of duties and the two-person rule when changes are made to the backup.
  • Ensure that multiple copies of backups exist with redundant copies stored off-site in a secure location.
  • Ensure physical media on which backups are stored are also protected from insider corruption or destruction.
  • Perform and periodically test backups.
  • Protect media and content from modification, theft, or destruction.

Physical Practices

Practice 6: Track and Secure the Physical Environment

  • Ensure that your office environment is free from occupational hazards and threats to employees from outsiders.
  • Devote adequate resources to protecting critical infrastructure.
  • Ensure physical protection of backup media.


Assessing my organization’s ability to detect and prevent insider threat activity similar to actions performed by Snowden and Manning was sobering. With the controls I currently have in place, I most likely would not have been successful. Cappelli’s book outlines specific mitigating controls to consider for preventing this kind of activity in the future. Although the book is frustratingly academic, the specific assertions about what to put in place are backed by more than 700 case studies. It is the authoritative source about what works and what does not for this threat. What I learned from reading this book is that there is no technical solution that mitigates insider threat risks. For any insider threat program to be successful, leadership must coordinate across the entire business in terms of policy, training and implementation to ensure four tactical goals:

1. Train employees and managers to watch for the signs of potential insider threat behavior.

2. Provide mechanisms across the organization to report and review the activity.

3. Establish and maintain the apparatus to monitor for potential abuse.

4. Mitigate the risk before any damage is done.

The key to the entire program is the human element, and that is why defending against the insider threat is hard.


[1] "General Alexander at Black Hat 2013: Privacy vs. Security vs. Transparency," by Rick Howard, Terebrate, 20 August 2013, Last Visited 23 August 2013,

[2] "Manning Chose Documents for Release as Selectively as Snowden," by Bill Simpich, Reader Supported News (RSN), 12 June 2013, Last Visited 20 August 2013,


"Edward Snowden and the NSA files – timeline," by Mirren Gidda, The Guardian, 25 July 2013, Last Visited 20 August 2013,

