Mitigation Strategies for All Theft of Intellectual Property Cases

The intent of the MERIT models is to identify the common patterns of each type of insider threat over time based on our analysis of the cases in our database. We have found that the models suggest key mitigation strategies for you to defend yourself against these types of threats. We therefore propose countermeasures based on expert opinions in behavioral psychology, organizational management, and information security.

Your insider threat mitigation strategies should involve more than technical controls. An overall solution should include policies, business processes, and technical solutions that are endorsed by senior leadership in HR, legal, data owners, physical security, information security/information technology, and other relevant areas of the organization. It is critical that all levels of management recognize and acknowledge the threat posed by their current and former employees, contractors, and business partners, and take appropriate steps to mitigate the associated risk. It may not be realistic to expect that all intellectual property exfiltrated by insiders will be stopped before the information leaves your network, but it is realistic to expect that you can implement countermeasures into your infrastructure and business processes to allow you to detect as many incidents as possible, thereby minimizing the financial impact on your organization.

The remainder of this chapter describes potential countermeasures that we believe could be effective in mitigating insider theft of intellectual property.

Exfiltration Methods

We begin this section by providing more in-depth details of the technical methods used by insiders to steal IP in our database. Methods varied widely, but the top three methods used were email from work, removable media, and remote network access. Table 3-3 describes the primary methods of exfiltration.

Table 3-3 Exfiltration Methods

Exfiltration Method

Email

Insiders exfiltrated information through their work email account. The email may have been sent to a personal email account or directly to a competitor or foreign government or organization. Insiders used email attachments or the body of the email to transmit the sensitive information out of the network.

Removable media

Common removable media types were USB devices, CDs, and removable hard drives.

Printed documents

Insiders printed documents or screenshots of sensitive information, and then physically removed the hard copies from the organization.

Remote network access

Insiders remotely accessed the network through a virtual private network (VPN) or other remote channel to download sensitive information from an off-site location.

File transfer

The insider was at work, on the company network, and transferred a file outside of the network using the Web, File Transfer Protocol (FTP), or other methods. Although email could potentially fit this category, we thought that email should be considered separately due to the large number of crimes that used email.


Laptops

Insiders exfiltrated data by downloading IP onto a laptop at work and bringing it outside the workplace. For example, one insider was developing an application for his company on a laptop and later purposely leaked the source code. In other cases the insiders simply downloaded sensitive files onto their laptops for personal or business use later.

We dug a little deeper into those methods to determine where our mitigation strategies need to be focused—on the host, the network, or the physical removal of information—and found that more than half involved the network, 42% involved the host, and only 6% involved physical removal.

Network Data Exfiltration

Data exfiltration over the network was the most common method of removing information from an organization, used by more than half of the insiders in the database who stole IP. Removal methods included in this category were email, a remote network access channel (originating externally), and network file transfer (originating outside the network).

About one-fourth of the insiders used their work email account to send the IP outside the network, either sending IP to their personal email account, or directly emailing the IP to a competitor or foreign government or organization.

For example, an insider in one case sent customer lists and source code he had written from his work email account to his personal email account. During this time, he was being recruited by a competing organization. He accepted the competitor’s offer and took the customer lists and source code to his new job to help him get a head start there.

In another case, an insider asked his superiors for confidential data about their product costs and materials. Two months later, he accepted a new job with a competitor. The original employer warned him against taking or distributing any of its proprietary information. However, the insider emailed internal business information from his work email account to two of his new supervisors before he started at the new company.

Interestingly, almost half of the cases involving email exfiltration also involved another type of exfiltration. This suggests that if you suspect an insider is stealing information you should check other communication channels for similar activity. Most frequently, the additional exfiltration path involved stealing information on a laptop, but use of remote access channels and theft of printed documents each happened a few times in combination with theft via email.

The second most frequent network exfiltration method was remote network access. As in the MERIT model, many of these cases occurred immediately before resignation or shortly after acceptance of a new job at a competitor. In more than one-third of these cases, the remote connections were established after normal work hours; in almost one-third of the cases, the time of exfiltration was unknown.

During the remote sessions, insiders downloaded sensitive documents to their remote computers. In one case, an insider and a coworker were employed as contract software developers for the victim organization. Their contracts were periodically renewed when modifications to the software were needed. Each time their contracts ended, the victim organization neglected to disable their remote access to the network since the organization knew they would be contracted again in the near future. However, at one point both insiders suddenly claimed that the programs they developed belonged to them, and requested that the organization cease using them. The company continued to use the applications, and the insider and accomplice were able to remotely access and download the proprietary source code they claimed to own.

The least common method of network data exfiltration was transferring data outside the network through outbound channels such as FTP, the Web, or instant messaging. These crimes were all perpetrated by more technically skilled insiders. Examples include the following.

  • A computer programmer at an investment banking organization submitted his letter of resignation to his manager. He then used a script that copied, compressed, and merged files containing source code, and then encrypted, renamed, and uploaded the files using FTP to an external file hosting server.
  • An insider transferred trade secrets and source code to a password-protected Web site using standard HTTP. The insider intended to start a side business with the company’s stolen IP.
  • An insider who failed to receive a raise and whose request for transfer was rejected submitted his resignation and downloaded proprietary information from his organization for potential use in a new job. He used FTP to transfer the data to his home computer.

What Can You Do?

Most cases that involved use of the network to perpetrate the theft involved email and remote access over VPN. Given that several cases involved email to a direct competitor, you should consider at least tracking, if not blocking, email to and from competing organizations. Our cases did not explicitly show sophisticated concealment methods, such as use of proxies or extensive use of personal, Web-based email services. However, we did find that insiders periodically leverage their personal, Web-based email as an exfiltration method. You should carefully consider the balance between security and personal use of email and Web services from your network.

As mentioned, most insiders steal IP within 30 days of leaving an organization. You should consider a more targeted monitoring strategy for employees and contractors when they give notice of their exit. For instance, check your email logs for emails they sent to competitors or foreign governments or organizations. Also check for large email attachments they sent to Gmail, Hotmail, and similar email accounts.

Further, you should consider inspecting available log traffic for any indicators of suspicious access, large file transfers, suspicious email traffic, after-hours access, or use of removable media by resigning employees. Central logging appliances and event correlation engines may help craft automated queries that reduce an analyst’s workload for routinely inspecting this data.
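The targeted review described above can be expressed as a small automated query. The following Python sketch is an added example, not material from the original text; it assumes mail and VPN logs have already been normalized into records, and every user name, domain, threshold, and log record in it is constructed for illustration. The 30-day window is measured from the notice date, which is also an assumption.

```python
from datetime import datetime, timedelta

# All names, domains, thresholds and log records below are constructed.
COMPETITOR_DOMAINS = {"rival-corp.example"}
WEBMAIL_DOMAINS = {"gmail.com", "hotmail.com"}
LARGE_ATTACHMENT = 5 * 1024 * 1024           # bytes; assumed threshold
WORK_HOURS = range(7, 19)                    # 07:00-18:59 local; assumed
WINDOW = timedelta(days=30)                  # the 30-day window from the text
DEPARTING = {"jdoe": datetime(2024, 3, 15)}  # user -> date notice was given

EVENTS = [
    {"ts": "2024-03-01T14:02", "user": "jdoe", "type": "email",
     "rcpt": "j.doe77@gmail.com", "bytes": 9_400_000},
    {"ts": "2024-03-04T10:15", "user": "jdoe", "type": "email",
     "rcpt": "hiring@rival-corp.example", "bytes": 12_000},
    {"ts": "2024-03-09T23:40", "user": "jdoe", "type": "vpn", "bytes": 850_000_000},
    {"ts": "2024-03-10T11:00", "user": "jdoe", "type": "email",
     "rcpt": "family@gmail.com", "bytes": 20_000},
    {"ts": "2024-01-02T22:00", "user": "jdoe", "type": "vpn", "bytes": 1_000},
    {"ts": "2024-03-05T23:00", "user": "asmith", "type": "vpn", "bytes": 5_000},
]

def classify(ev):
    """Return why an event deserves review, or None if it does not."""
    if ev["type"] == "email":
        domain = ev["rcpt"].rsplit("@", 1)[-1].lower()
        if domain in COMPETITOR_DOMAINS:
            return "email to competitor"
        if domain in WEBMAIL_DOMAINS and ev["bytes"] >= LARGE_ATTACHMENT:
            return "large attachment to webmail"
    elif ev["type"] == "vpn":
        if datetime.fromisoformat(ev["ts"]).hour not in WORK_HOURS:
            return "after-hours remote access"
    return None

def review(events, departing, window=WINDOW):
    """Findings per departing user, limited to `window` around the notice date."""
    findings = {}
    for ev in events:
        notice = departing.get(ev["user"])
        if notice is None or abs(datetime.fromisoformat(ev["ts"]) - notice) > window:
            continue
        reason = classify(ev)
        if reason:
            findings.setdefault(ev["user"], []).append((ev["ts"], ev["type"], reason))
    return findings

def multi_channel(findings):
    """Users flagged on more than one channel (email theft often has a second path)."""
    return sorted(u for u, f in findings.items() if len({t for _, t, _ in f}) > 1)

if __name__ == "__main__":
    result = review(EVENTS, DEPARTING)
    for user, hits in result.items():
        print(user, hits)
    print("multiple channels:", multi_channel(result))
```
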

Host Data Exfiltration

Host-based exfiltration was the second most common method of removing IP from organizations; close to half of the cases involved an insider removing data from a host computer and leaving the organization with it. In these cases, insiders often used their laptops to remove data from the organization. We had difficulty determining the exact ownership and authorization of the laptops used. However, we do know that about one-sixth of the insiders who stole IP used laptops taken from the organization’s site during normal work hours. Half of them transferred proprietary software and source code; the other half removed sensitive documents from the organization.

In one case, the insider worked for a consulting company and stole proprietary software programs from a customer by downloading them to a laptop. He attempted to disguise the theft by deleting references to the victim organization contained in the program, and then attempted to sell portions of the program to a third party for a large sum of money.

Another case involved an insider who accessed and downloaded trade secrets to his laptop after he accepted an offer from a foreign competitor. He gave his employer two weeks’ notice, and continued to steal information until he left.

By far, the most common method of host-based exfiltration in the database was removable media; 80% of these cases involved trade secrets, and the majority of those insiders took the stolen trade secrets to a competitor. The type of removable media used varied. Where information was available, we determined that insiders most often used writable CDs. Thumb drives and external hard disks were used in just 30% of the cases. However, the type of removable media used has changed over time. Insiders primarily used CDs prior to 2005. Since 2005, however, most insiders using removable media to steal IP use thumb drives and external hard drives. This trend indicates that changes in technology are providing new and easier methods of stealing data from host computers.

In one case, an insider resigned from his organization after accepting a position at another organization. He downloaded personal files as well as the organization’s proprietary information onto CDs. Despite signing a nondisclosure agreement, the insider took the trade secrets to a competitor.

In a similar example, an insider received an offer from a competitor three months prior to resignation. He lied about his new position and employment status to coworkers. Only days before leaving the organization, he convinced a coworker to download his files to an external hard drive, supposedly to free up disk space. He came into work at unusual hours to download additional proprietary information onto a CD. Finally, he took this information with him to his new position at a competing organization.

What Can You Do?

It is unlikely that the victim organizations in our database prohibited removable media in their daily computing environments. You should consider carefully who in your organization really needs to use removable media. Perhaps access to removable media is a privilege granted only to users in certain roles. Along with that privilege could come enhanced monitoring of all files copied onto such devices. In addition, understanding who requires removable media and for what purposes can help you to determine what may constitute normal and healthy business use, and to monitor for usage patterns that deviate from that. Inventory control, as it pertains to removable media, may also be helpful. For example, you could allow use of removable media only on company-owned devices prohibited from leaving your facility. Organizations requiring the highest-assurance environment should consider disallowing removable media completely, or allowing it only in special situations that are carefully audited.

Finally, recall the 30-day window in our theft of IP cases. Can you log all file transfers to removable media? You might not have the resources to review all of those logs (depending on how restricted your use of such media is). However, if the logs exist, you can audit them immediately on the hosts accessed by any employee who has announced his resignation. This would provide one quick mechanism for detecting IP that might be exfiltrated by an employee on his way out the door.
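The host-oriented audit described above, as an added Python example that is not part of the original text. It assumes logon records and removable-media copy records are available in the simple tuple form shown; all users, hosts, files, and the role-based allow list are constructed. Auditing by host rather than by account also surfaces copies made on those hosts under another user's account.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)      # the 30-day window from the text
MEDIA_ALLOWED = {"bkim"}         # assumed: users whose role grants removable media

# Constructed records. LOGONS: (user, host) pairs showing which hosts a user accessed.
LOGONS = [("rlee", "ws-114"), ("rlee", "lab-07"), ("bkim", "ws-201")]
# COPIES: writes to removable media as (timestamp, host, user, device, path, bytes).
COPIES = [
    ("2024-05-02T08:10", "ws-114", "rlee", "usb", "designs/rev_c.dwg", 48_000_000),
    ("2024-05-06T06:05", "lab-07", "tcho", "ext-hdd", "src/archive.zip", 910_000_000),
    ("2024-05-07T13:30", "ws-201", "bkim", "usb", "slides/q2.pptx", 3_000_000),
    ("2024-02-01T09:00", "ws-114", "rlee", "cd", "photos.zip", 600_000_000),
]

def hosts_accessed(user, logons):
    """Every host the user has logged on to."""
    return {host for u, host in logons if u == user}

def audit_departing(user, notice, logons, copies, window=WINDOW):
    """Removable-media copies on any host the user accessed, inside the window.

    Results are sorted largest first so the reviewer sees bulk transfers at the top.
    """
    hosts = hosts_accessed(user, logons)
    hits = []
    for ts, host, actor, device, path, size in copies:
        if host in hosts and abs(datetime.fromisoformat(ts) - notice) <= window:
            hits.append({"ts": ts, "host": host, "actor": actor, "device": device,
                         "path": path, "bytes": size, "other_account": actor != user})
    return sorted(hits, key=lambda h: h["bytes"], reverse=True)

def unprivileged_copies(copies, allowed=MEDIA_ALLOWED):
    """Copies made by users whose role does not include removable media."""
    return [(ts, host, actor, path)
            for ts, host, actor, _, path, _ in copies if actor not in allowed]

if __name__ == "__main__":
    for hit in audit_departing("rlee", datetime(2024, 5, 10), LOGONS, COPIES):
        print(hit)
    print(unprivileged_copies(COPIES))
```
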

Physical Exfiltration

Only 6% of the theft of IP cases involved some sort of physical exfiltration. We found that physical exfiltration usually occurs in conjunction with some other form of exfiltration that would have produced a more obvious network or host-based observable event.

Exfiltration of Specific Types of IP

Once we determined what kinds of IP were stolen and how, we determined what methods of exfiltration were associated with the different types of IP. Several interesting findings surfaced. In particular, business plans were stolen almost exclusively through network methods, particularly using remote access. Conversely, proprietary software and source code involve a much higher use of non-network methods. This may be due in part to the volume of data associated with different asset types. Software and source code files are often large, but business plans are usually smaller documents that are easier to move over a VPN or as an email attachment. Enumerating the most frequent methods by which particular assets are exfiltrated may help steer monitoring strategies with respect to computers that house particular types of assets or are allowed to access given assets over the network.


Some insiders attempted to conceal their theft of IP through various actions. These cases signify a clear intent to operate covertly, implying the insiders may have known their actions were wrong. In one case, an insider was arrested by federal authorities after stealing product design documents and transferring them to a foreign company where he was to be employed. After being arrested, he asked a friend to log in to his personal email account, which was used in the exfiltration, and delete hundreds of emails related to the incident.

Another case involved an insider who used an encryption suite to mask the data he had stolen when moving it off the network.

Trusted Business Partners

Trusted business partners accounted for only 16% of our theft of IP cases, but this is still a complicated insider threat that you need to consider in your contracting vehicles and technical security strategies.

For example, a telecommunications company was involved in a lawsuit, and had to hand over all of its applicable proprietary information to its attorneys, which it did in hard-copy form. The law firm subcontracted with a document imaging company to make copies of all of the information. One of the employees of the document imaging company asked his nephew, a student, if he would like to make a little extra spending money by helping him make the copies at the law firm. The nephew realized that he had access to proprietary access control technology that the telecommunications company used to restrict its services based on fees paid by each individual customer. He felt, like many others, that the company unfairly overcharged for these services, so he posted the information online to the Internet underground. This basically released the telecommunications company’s “secret sauce,” and now it was easy for members of that community to obtain free services. When the post was discovered, law enforcement investigated the source of the post and traced the activity back to the student.

It is important that you consider these types of threats when drawing up contracts with your business partners. Could that scenario happen to you? Do you write legal language into your contracts that dictates how your confidential and proprietary information can and cannot be handled?

It is important that you understand the policies and procedures of your trusted business partners. You establish policies and procedures in order to protect your information. When you enlist the support of a trusted business partner, you should ensure that their policies and procedures are at least as effective as your safeguards. This includes physical security, staff education, personnel background checks, security procedures, termination, and other safeguards.

In addition, you should monitor intellectual property to which access is provided. When you establish an agreement with a trusted business partner, you need assurance that IP you provide access to is protected. You need to get assurances that access to and distribution of this data will be monitored. You should verify that there are mechanisms for logging the dissemination of data, and review their procedures for investigating possible disclosure of your information.

These are just a few recommendations. We detail eight recommendations in Chapter 9, Conclusion and Miscellaneous Issues, regarding trusted business partners.

