Insider Threat Research

CERT and the United States Secret Service published insider threat research that focuses on both the technical and behavioral aspects of actual compromises. The key findings are:

  • Current and former employees carried out insider activities in nearly equal numbers.
  • Sixty-three percent of the insiders held technical positions within the targeted organizations.
  • Thirty-eight percent of insiders had prior arrests.
  • A specific work-related event triggered most (73%) insiders’ actions.
  • The majority (76%) of insiders planned their activities in advance.
  • Half (50%) of the insiders had authorized access to the system/network at the time of the incident.
  • Over half (58%) of the insiders used relatively sophisticated tools or methods for their illicit activities, including scripts or programs, autonomous agents, toolkits, probing, scanning, flooding, spoofing, compromising computer accounts, or creating unauthorized backdoor accounts.
  • Insiders committed their illicit activities both from the workplace (51%) and remotely (43%) in nearly equal numbers.
  • The incidents took place during (51%) and outside (49%) normal working hours in nearly equal numbers.
  • Most (80%) of the insider incidents were only discovered through manual (non-automated) detection of an irregularity or failure of an information system.
  • The majority (74%) of the insiders took steps to conceal their identities and their activities.

http://www.cert.org/insider_threat/