Using Behavior Profiling to Identify Insider Threats – Part 2
I have just had my 2nd article on Behavior Profiling as a threat assessment tool published. (You will need to create an account if you don't already have one.)
"Detecting Insider threats requires understanding the differences between the various types of malicious behaviors including the motive, methodology, attack techniques and especially the victim profiles.
The first step in detecting malicious user behavior is identifying the organization’s “Victimology Profile”. This is done by having the organization look at their own vulnerabilities and risks to identify the likelihood of various types of criminal or malicious activity. What are the organization’s risks from saboteurs, data thieves, fraudsters, industrial espionage, malicious activists, or other threats? What would each of these attacks look like and how would an attacker behave during them? This victimology profile should drive the organization’s threat detection and monitoring program. For example, many organizations just block access to online gambling websites. But if the CFO has a pattern of trying to access these sites, then the organization may be at high risk for financial fraud or embezzlement.
Once an organization understands its victimology profile, it can focus on identifying a limited set of user actions to monitor and detect through technology and personal observation. The basic approach is to analyze “normal” user behavior to develop a normal user profile and then alert if actions outside of that “normal” profile are noticed."
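
The approach in the excerpt above can be sketched as follows. This is an added example, not code from the article: a victimology profile limits which role/action pairs are monitored, a per-user baseline is built from past daily counts, and an alert fires when today's count falls outside it. The profile contents, action names, thresholds and all sample data are hypothetical and constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical victimology profile: threat -> (roles at risk, actions to watch).
VICTIMOLOGY = {
    "financial_fraud": ({"finance"}, {"blocked_gambling_site", "ledger_adjustment"}),
    "data_theft": ({"engineering", "finance"}, {"bulk_download"}),
}

def monitored_threats(role, action):
    """Threats in the profile for which this role/action pair is worth watching."""
    return [t for t, (roles, actions) in VICTIMOLOGY.items()
            if role in roles and action in actions]

def build_baseline(history):
    """history: (user, action, daily_count) rows -> {(user, action): (mean, stdev)}."""
    series = defaultdict(list)
    for user, action, count in history:
        series[(user, action)].append(count)
    return {key: (mean(v), pstdev(v)) for key, v in series.items()}

def detect(today, roles, baseline, k=3.0, floor=1.0):
    """Alert when a monitored action exceeds the user's normal mean + k*stdev."""
    alerts = []
    for user, action, count in today:
        threats = monitored_threats(roles[user], action)
        if not threats:
            continue  # outside the victimology profile: not monitored
        mu, sigma = baseline.get((user, action), (0.0, 0.0))  # no history: zero baseline
        threshold = mu + k * max(sigma, floor)  # floor avoids alerts on tiny variance
        if count > threshold:
            alerts.append((user, action, count, round(threshold, 2), threats))
    return alerts

# Constructed sample data (not from the article).
ROLES = {"cfo": "finance", "dev1": "engineering", "hr1": "hr"}
HISTORY = ([("cfo", "ledger_adjustment", c) for c in (2, 3, 2, 3, 2)]
           + [("dev1", "bulk_download", c) for c in (10, 12, 11, 9, 13)])
TODAY = [
    ("cfo", "blocked_gambling_site", 6),  # new behavior for a fraud-risk role
    ("cfo", "ledger_adjustment", 3),      # within the user's normal range
    ("dev1", "bulk_download", 40),        # far above the user's normal volume
    ("hr1", "blocked_gambling_site", 6),  # role not in the fraud profile
]

if __name__ == "__main__":
    for alert in detect(TODAY, ROLES, build_baseline(HISTORY)):
        print(alert)
```

With the constructed data, the CFO's blocked gambling attempts and the developer's bulk download are flagged, while the same gambling attempts from the HR account are not, because the profile does not tie that role to fraud risk.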