Malicious Insiders with Ties to the Internet Underground Community

Abstract

In this paper, we investigate insider threat cases in which the insider had relationships with the Internet under-ground community. To this end, we begin by explaining our insider threat corpus and the current state of Internet underground forums. Next, we provide a discussion of each of the 17 cases that blend insider threat with the use of malicious Internet underground forums. Based on those cases, we provide an in-depth analysis to include:1) who the insiders are, 2) why they strike, 3) how they strike, 4) what sectors are most at risk, and 5) how the insiders were identified. Lastly, we describe our aggregated results and provide best practices to help mitigate the type of insider threat we describe.