In the modern-day climate, more and more industries have had to increase IT security expenses to provide a trusted system of security to all client/company PII from unauthorized users. The massive spike in IT security spending was brought on by the recent cyber breach on Equifax, in which millions of clients’ PII was accessed and distributed by an unauthorized user infiltrating the system. Like the Equifax attack, so many of these attacks require user-interaction to be activated or spread, so organizations must be on the forefront of understanding the internal threats of their own employees can impose.

1. Internal Threats: The New Sources of Attack
Contact Information:
Mekhi Daniels/ mddst697@mail.rmu.edu
Abstract:
In the modern-day climate, more and more
industries have had to increase IT security
expenses to provide a trusted system of security to
all client/company PII from unauthorized users.
The massive spike in IT security spending was
brought on by the recent cyber breach on Equifax,
in which millions of clients’ PII was accessed and
distributed by an unauthorized user infiltrating the
system. Like the Equifax attack, so many of these
attacks require user-interaction to be activated or
spread, so organizations must be on the forefront
of understanding the internal threats their own
employees can impose. Internal Threats are rarely
ever accidental, as negligence on part of user or
contractor is not considered accidental as can be
reasonably asserted, so we will focus more
attention on the different forms of attacks used
intentionally by internal threat actors to perform
cyber breaches. This paper will begin by
discussing the different forms of attacks that can
be utilized by internal threats within an
organization, and how to spot the gaps that allow
these threats opportunity. The focus of the paper
will then shift to how to end user-training, strict
IT regulation policies along with successfully
implemented frameworks, and some useful
applications can be helpful in minimizing the risk
of internal threats [1]. When a company has a full
understanding of the internal threats within an
organization, this allows the key decision makers
to create more extensive guidelines and
regulations, and fully utilize established tools such
as SIEM, which will enhance both the
performance and security of the network
infrastructure.
Keywords:
• Principle of Least Privilege: promoting
minimal user profile privileges on
computers, based on users' job necessities.
• Attack surface: IT term meaning the
number of data/users that could be
vulnerable to an internal or external attack
• Security Information and Event
Management: powerful tool used to
perform event correlation
• ACL: Access Control List used to
establish a list of user permissions for a
file, folder, or other object.
• Insider Threat Incident Response Plan: a
detailed plan how alerts and abnormalities
will be identified, managed, and escalated.
• DCATP: program that requires/perform
detailed documentation for all aspects of
data collection, processing, storage, and
sharing to ensure compliance with privacy
and civil liberties.
Introduction:
The focus of my research was on the
examining the vast field of Internal Threats in the
corporate landscape to determine a general
guideline on the threat actors who can become
part of such attacks, the methods in which they
are used most commonly by Internal Threats, and
a multi-step solution to minimizing the risk of
Internal Threats. Insider threat actors are split
between either malicious users or employees who
inadvertently cause data breaches/leaks.
Identifying employees who make mistakes as well
as when an employee will make a mistake is, at
best, a guessing game for the IT Security team.
Therefore, the organization must utilize user
education, which will be discussed later, to
prevent such inadvertent breaches. Now there are
common signs of a malicious users that can be
identified to stop one from taking the opportunity
to leverage an attack, these include: disgruntled
employees, employees who have made public
expressions about hating the company including
social media posts, and employees terminated for
previous harmful actions against the company.

2. Internal Threats: The New Sources of Attack
Also, companies should take extra time to focus
on the following user group: as majority of attacks
are waged by them, privileged users who have the
most opportunities to un/intentionally cause data
breaches due to their access to majority of
company sensitive data. If an organization can
pay attention to signs like these they can identify
employees who have the urge, or potential, to
commit malicious activity before it happens.
These preventive measures can end up saving a
company from all the danger an Insider threat
harbors, such as: [5]
• If system is not properly monitored,
insider threats can go undetected for years
and as the time increases so do
remediation costs.
• When an employee is forced to deal with
sensitive data on a daily basis, it is hard to
distinguish harmful actions from regular
work.
• Those employees smart enough to wage
malicious attacks on network, have
enough IT savvy to cover their tracks
making proving guilt difficult, at minimal.
These dangers all can be detrimental to a
business, costing them at minimum to waste the
labor resources to investigate the claim, even
though most times systems are not in place to
acquire the correct evidence to prove guilt. The
above list contains only some of the dangers that
Insider threats can harbor, so security teams must
take the allocated time to determine any specific
dangers that are specific to the organization or the
industry in which they partake.
The rationale for insider attacks are as varied
as the dangers they can possess, although below is
a list of the most common reasons for these
attacks: [2]
• Making a Statement: Employees use the
attack as a method for political or social
statements against organization
• Competitors: Employees can be offered
financial incentives by competitors to
reveal trade secrets or can use these secrets
or sensitive data to start their own
competitive business.
For companies understanding the rationale of
insider threats is kin to the old saying “know your
enemy” [7], because when you understand how
and why they perform these malicious attacks you
can predict what they are going to do. This will
allow for the ability to make a full detailed
implementation plan that addresses all dangers
these threat actors can produce.
In the same line with one must know your
enemy, a wise man will also tell you it pays to
know what weapons your enemies have in their
arsenal. So to fully understand Internal Threat
Actors, key decision-makers must look in-depth at
the methods used by such actors. The following is
a list of the most common methods used by threat
actors to engage in malicious activity including a
definition of each attack: [1]
• Phishing: Using email or another form of
communication to transport malicious files
which require user activation through
either the opening of an attachment or just
the message itself as can be coded in.
These attacks can come from both internal
and external sources.
• Theft of Information: which is the illegal
transfer of corporation data or property off
site without consent. Employees will use
this method to exfiltrate information for a
variety of means.
• Unauthorized Remote-Control: which is
an attack waged by an insider to allow
intentionally or unintentionally a threat
actor to have remote access to a system,
which can cause variety of breaches
including using system to launch a
network-wide attack.

3. Internal Threats: The New Sources of Attack
Understanding the ways that threat actors will
attack your system helps in creating the exact
safeguards needed to stop the threat actors from
utilizing these tools. Still many companies chose
to ignore the threat of these weapons, especially
when thinking of one of their own being the
triggerman.
According to a 2017 Insider Threat Report, “53
percent of companies estimate remediation costs
of $100,000 and more, with 12 percent estimating
a cost of more than $1 million. The same report
suggests that 74 percent of companies feel that
they are vulnerable to insider threats, with seven
percent reporting extreme vulnerability” [1]. This
report is a sign for all operations to begin
understanding that Internal Threats are by far the
most damage producing attacks usually, and most
time are equally as hard to discover until too late.
Nowadays companies are forced to think of
threats from all angles, even the inside as
safeguards must be put in place to ensure that
such attacks can be prevented or ceased quickly
and efficiently [8].So, companies must begin to
think about the safeguards needed for Internal
Threats and how they can keep themselves
protected from such attacks from occurring. Upon
completion of this reading I want key decision
makers to have the knowledge of internal threat
actors, the many forms they can take, the methods
used by such actors, and the outcomes/solutions
of such breaches to help better prepare their
organization for the uncertainty of tomorrow.
I. Literature Review
The key to controlling the internal threat has
always be focused around the ideal of having the
following three types of security measures to best
minimize the risk possess, which include:
Preventive, Detective, and Responsive measures
[4]. So we will talk piece by piece the best
solutions available for each of the security
measures as to compile the best complete solution
to the issue of Internal Threats.
Preventive:
The leading guideline in the field of
preventive security measures is the ideal termed
Principle of Least Privilege. Principle of Least
Privilege is a general guideline to user access
control aimed to enhance the security
environment by minimizing the internal attack
surface [3] The principle dictates “that each new
account in the organization be created with the
least number of privileges possible. The level of
privilege is then escalated if necessary” [1]. So
users should be given only the permissions to
network objects (files , folders, and applications)
that are required for the completion of job duties.
Failure to limit these permissions will allow some
users access to sensitive data on the system that
could be used for malicious activity. The second
step to the guideline is to ensure that all users who
are terminated, quit, or loss access to network
have their accounts disabled [4]. Therefore, the
credentials are no longer able to access the
network, eliminating the risk of the account being
used to wage any malicious activity. The same
principles should be applied when dealing with
third-parties as they should only have access to
the files needed to perform the work, and accounts
should be set to expire upon completion of work.
A common tip is to assign the parties only
temporary credentials, eliminating the need to
waste any labor resources needed to manually
manage the accounts [10]. Refer to Figure 1 for
reference of ACL [3].
Figure 1

4. Internal Threats: The New Sources of Attack
As with every great solution the principle
still can have its problems. So to help shed light
on the impact the implementation of the
principle can have on an example generic
network, I will list out the most commonly
reported strengths and weakness of
implementation.
Strengths:
• Better security by lowering the number of
people in the organization who had high-
level privilege, or removing any unneeded
privilege from individual user accounts
• Minimizes the Attack Surface by lowering
the number of accounts who have the
potential to wage a malicious attack
through UAC.
• Improved Audit Readiness as the scope
can be lowered during the auditing process
by wasting less time examining user
access controls when they know the
process of least privilege is being enforced
as standard.
• Better stability of IT environment as the
principle will limit the changes to the
declared zones by users.
Weaknesses:
• If the policy is taken to the extreme then
this can cause a disruption in business
operations if users aren’t given the
necessary permissions to complete all of
their job duties. Especially in
organizations in which the job duties for
employees can be everchanging.
• At the beginning can require some cost
for implementation, accumulated from the
training of employees on the standard, and
back-dating the standard on all active
accounts.
Even with the weaknesses, implementing the
principle of least privilege is the best (and most
commonly accepted) first step to preventing the
threat of internal attacks, rather caused
intentionally or unintentionally. Though the
preventive measures are only effective until an
attack is successfully launched.
Detective:
Once an attack has been successful
launched past your preventive safeguards, is
when the detective measures, the next line of
defense, take action so the source of the attack
can be identified and neutralized. Now in the
field of internal threats the most common
solution is user monitoring software. Th leading
product in the industry is TeraMind, refer to
Figure 2. User monitoring software, like
TeraMind, aim to monitor all the actions of the
employees so there is a clear audit trail when a
malicious attack is leveraged against the
organization [6]. Most utilize video to record all
the actions of the users on the network, so if
needed the security specialist can review the
footage to determine exactly how the malicious
attack was waged, and more importantly by
who. These controls have become so popular
due to the increase of access controls and
incident response capabilities being included
with the software [6]. Making the software
address all three types of the needed security
measures to minimize the risk of Internal
threats. The video recordings are also valuable
in a legal sense as they provide hard evidence
for the corporation if the matter ever reaches
court.
Figure 2

5. Internal Threats: The New Sources of Attack
Now most of the user monitoring services
are relatively cheap, such as TeraMind priced at
$125, so the key information needed for
decision-makers to determine if user monitoring
software can be successful within their
organization is to understand the strengths and
weaknesses of the specific product. In general
though here are the strengths and weaknesses of
implementation of the average user monitoring
software:
Strengths:
• User-friendly software meaning it
provides a platform that is easy to navigate
for most professionals. Which is nice
when going through implementation
process as it expedites the process.
• Can improve audit readiness as the
software will be continually monitoring
the actions of users and providing detailed
audit trails, which lowers the scope of the
audit.
Weaknesses: [9]
• Can lead to some repercussions depending
to the extent in which you monitor the
users actions, as some monitoring may
become a violation of users privacy. So
consult with a legal professional is
essential before the implementation of an
user monitoring software.
The utilization of such software will allow for
the proper identification of any malicious activity
on the sever, and alert the programmed chain of
command , to begin remediation on the issue.
Now once an attack has been identified, you
must have the proper steps in place to deal with
the impact of the attack by minimizing the effects,
while neutralizing the source of the attack. These
are were responsive measures take over in the
third phase of the security plan.
Responsive:
The responsive principle is always about
preparation for the majority of attacks so that a
plan can be put into place to deal with such
attacks to ensure the attack is dealt with
efficiently and effectively. This plan is called an
Incident Response Plan, which can be developed
on-site or the service can be outsourced where the
third-party company will have a researched and
reliable Incident Response Plan. Rather the route,
Incident Response Plans are a essential part of the
responsive security measure [5]. Since IRP(s) are
so specific, going into any more detail would be
unneeded. As the key decision-makers must
determine the specific(s) of the kind and sources
of threats that their particular organization might
face. From this analysis an effective IRP can be
launched to address all the specific issues that the
organization has determined. Refer to Figure 3 for
example of IRP sections.
Figure 3
Even though each IRP must be individual
developed based on an organization’s
environment, the strengths and weakness common
among the IRPs is consistent. The following is a

6. Internal Threats: The New Sources of Attack
list of these common strengths and weaknesses:
Strengths:
• Preparation is key in the technology world.
So extensive IRPs create an effective
responsive plan that will minimize the risk
of a malicious attack causing serious
amount of damage.
• IRPs usually require you to run real-time
stimulations of attacks on the server which
are valuable learning material for the IT
security team in case of the real event.
Weaknesses:
• IRPs no matter how extensive cannot
plan for every case scenario so if an
attack happens that is not covered by
IRP it becomes useless, this is why the
study of an organization’s own
environment is so important.
• Without outsourcing, many companies
require a large deal of financial and
labor resources to develop and
implement an effective IRP guideline.
Especially upon updating the IRPs to
match the everchanging tools of
hackers.
• Only valuable if use of the plan is
standard, or the attack could occur and
not be dealt with in accordance to IRPs
which can be costly in time and
financial resources.
IRPs can be very useful tools that can save
companies thousands and sometimes millions
of dollars in remediation cost by quickly
neutralizing a network threat. Though like any
tool it has its limitations, and must be properly
utilized by the user to experience the desired
benefits [9]. So the understanding of an
organization’s own environment and the threats
within the environment is key to developing
effective responsive measures.
II. COMPLETE PROTETCION ULTILIZNG
SIEM TECHNOLGY
To being describing my proposed solution
I will list the testing methods used, tools, and
data acquired:
• Testing Method: Usage of the tool
AlienVault demo stimulation, an SIEM
software
• Tools: AlienVault demo software
• Data Acquired: Compared the overall
effectiveness of SIEM to achieve complete
protection, meaning including all three
types of security measures: Preventive,
Detective, and Responsive.
So to share my acquired data I will
provide screenshots to the different areas of
the demo software to determine if the SIEM
can be for corporations an all-in-one security
application:
Preventive Sections:
Figure 4
This section of the SIEM is called the
Vulnerability Assessment. In this section, the
software goes through the current security
configuration to determine if there are any
vulnerabilities in the system. This acts as a
preventive measure, as it helps alert IT Admins to
the vulnerabilities in their system before they can
be used as a harbor for malicious activity.

7. Internal Threats: The New Sources of Attack
Figure 5
This screen shows an audit trail of all the
events that have occurred in the system. The
software tracks all changes of files or system
configurations down to the second, and keeps a
detailed log of what was modified. This acts as a
preventive measure, as it helps IT Admin know
what is exactly being done in real-time, so if a
unauthorized user is editing system configurations
to launch a malicious attack it can be stopped
before attack occurs.
Detective Sections:
Figure 6
This screen is of the Alarm section. In this
section of the SIEM, the software will accumulate
all the alarms that have occurred on the system.
From here the “Alarm” data is categorized by
time and alarm intent to help give the IT Admin a
complete view of the types of alarms being
thrown and their frequency [9].This is considered
as a detective measure as it detects any red flag
activities and then alarms the user through the
platform.
Figure 7
This screen is called IP Reputation tool,
this tool analyzes different IPs who are in
communication with the network to determine
what sort of content is being transmitted by said
IP. If proven to be majority malicious content,
then the software will alert the authorized user so
they can determine the next course of actions.
This is an example of an detective tool as, the
application by continuous monitoring of IPs
detect those who are sources of malicious content,
and could be sources of future malicious attacks.
Responsive Sections:
Figure 8
This screen is called the Issue Manager, as
any issues that require user-interaction will
populate here. The software is able to identify any
issues in the system, so that the proper chain of
command can be notified, and the issue resolved.
This acts as a responsive measure, because the
software presents the user with all the issues that
an attack could inflict, and allows for the easy
navigation through them as they are resolved.

8. Internal Threats: The New Sources of Attack
Figure 9
This screen is unique because it allows the
user not only to see the issues present within the
system in real-time, though allows the user to
filter through issues from variables such as
security level so the IT Admin can more effective
deal with the important issues plaguing the
organizational network. This takes IRPs a step
further by giving you a full list of all issues in
real-time, and giving you the ability and
instruction to fix the issues.
From the AlienVault demo I was able to
determine that corporations can utilize the SIEM
tool as an all-in-one security application that
address all three types of needed security
measures. Also I found that SIEM software take it
a step further by allowing for users to have more
ease navigating through all measures allowing for
more time efficiency in the IT Security
department. I would recommend an SIEM
software to any corporation looking for an
application with extensive features to replace the
redundancy of using multiple applications
compiled to create a complete protection
environment.
III. CONCLUSION
With the implementation of my proposed
solution, a SIEM software, companies will be able
to address all three areas of needed measures
utilizing one application to address the
shortcomings of applications that mainly focus on
only one of the security measures requiring the
implementation of multiple applications to
accomplish complete coverage. Now all these
features can be centralized in one location for the
ease of access of the authorized users, and act as a
full analysis for the complete security environment
of you internal system real-time. This enables an
authorized Admin in a couple clicks to have a real-
time and recorded full analysis of one’s
environment providing him with any relevant
information needed to determine if malicious
activity has occurred. As we look towards the
future of Internal Threats, only time can tell with
the methods used by the threat actors of tomorrow
to infiltrate a system. As such organizations must
allocate time to understanding the threat actors at
play in their modern day environment, and
continually be updating all three types of security
measures to ensure you are always minimizing the
risk of a cyber breach.
As a closing word, it’s worth the time to
reiterate that insider threats are one of the top
cyber security threats and a force to be reckoned
with. Every company will face insider-related
breach sooner or later regardless of whether it will
be caused by a malicious action or an honest
mistake. As so it’s much better to put the
necessary security measures now than to spend
millions of dollars later. As Benjamin Franklin
once said “ By failing to prepare, you are
preparing to fail” [7].
REFERENCES:
[1] ZDNet, “The top five internal security threats,”
ZDNET, Mar. 10, 2008. [Online].

9. Internal Threats: The New Sources of Attack
[2] D. M. Upton, and S. Creese, “The Danger from
Within,” Harvard Business Review, Sept. 2014.
[Online]
[3] N. Lord, “What Is the Principle of Least Privilege
(POLP)? A Best Practice for Information Security and
Compliance,” DataInsider, Jul. 26, 2017.
[4] Tripwire Guest Authors, “Insider Threats as the Main
Security Threat in 2017,” Tripwire, Apr. 11, 2017.
[Online].
[5] [5] R. Trzeciak, “5 Best Practices to Prevent Insider
Threat,” CMU Software Engineering Institute Insights,
Nov. 6, 2017. [Online].
[6] R. Marvin, “The Best Employee Monitoring Software
of 2018,” PCMag, Nov. 30, 2017.[Online].
[7] Artemis, “35 Quotes for Why You Shouldn’t Be
Passive about Harassment Even if You’re Not Doing
It,” Medium, Mar. 11, 2016. [Online]
[8] E. Onraet, K. Dhont, A. Van Hiel, “The Relationships
Between Internal and External Threats and Right-Wing
Attitudes,” Sage Journals, Feb. 25, 2014.
[9] M. K. Slack, J. R. Draugalis, “Establishing the internal
and external validity of experimental studies,”
PubMed.gov, Nov. 15, 2018. [Online].
[10] D. S. Wall, “Enemies within: Redefining the insider
threat in organizational securitypolicy,”Security
Journal, Apr. 2013. [Online].