Early warning system insider attacks
Started in April 2021
When an attack comes from the inside, its impact can be catastrophic, with financial, reputational and regulatory consequences.
Usually, cyberattacks are launched by external attackers from outside the organisation. But they can also originate from the inside, for example when an employee sells confidential data, or when an employee has been planted as a mole by another organisation.
Because the impact is so high, the PCSI project 'Early warning system insider attacks' explores ways to detect and prevent potential insider attacks at an early stage. The idea is to exchange information on insider attacks, issue an early warning to other organisations, and collaboratively build intelligence on modus operandi and other critical information, so that such attacks can be detected and prevented better in the future. We apply a multidisciplinary approach that combines intelligence on human behaviour with technical intelligence, enabling cross-organisational learning about the modus operandi of insider fraud for better detection.
In the Explore phase we investigated the feasibility of the concept of an early warning system and how it could best be implemented to enable cross-organisational learning. At the same time, we validated that the concept is new and adds an unexplored dimension to the detection of insider attacks. By understanding how data could be shared, and what had already been tried, we could position our solution to resolve the current pains within the partner organisations.
Conclusion at the end of the Explore phase: some technical solutions exist that record all electronic footprints of employees within an organisation, but there is as yet no solution that helps organisations combine their intel to detect insider attacks better in the future. Using the PIFI protocol, relevant data on the modus operandi can be shared between organisations. This gives the participating organisations an overview of historical cases that can be used for data and trend analysis. Finally, sharing this intel pre-warns the other organisations of a potential attack, which makes it a suitable basis for an early warning system.
Activities within the Proof of Concept phase: the goal of the PoC phase is to enable cross-organisational learning about the modus operandi of insider fraud for better detection. This will be done by setting up an intel sharing platform on which actual modus operandi of insider threats in financial organisations can be shared. The modus operandi are shared between financial organisations that all contribute data to the platform. We have developed a template with input fields that will be used and validated in the PoC as the input format for the threat intel sharing platform.
As part of the PoC phase we will set up the Threat Intel Sharing Platform and develop the Information Sharing Form. The Information Sharing Form already exists as a template, but will be further validated and completed during the PoC.
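As an added illustration of what such a sharing form and platform could look like (example code written for this page, not the PCSI project's own template or platform; the field names, the controlled vocabularies, the HMAC-based pseudonymisation of indicators under a key assumed to be shared by the participating organisations, and the sample reports are all assumptions), the following Python sketch validates a modus-operandi record before it is shared, matches its pseudonymised indicators against the shared history to produce an early warning to other organisations, and aggregates the history per year for trend analysis.

```python
"""Added example for this page (not PCSI project code): a structured
modus-operandi record, validation, early warning and trend aggregation.
Field names, vocabularies and sample data are constructed assumptions."""
from __future__ import annotations

import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

# Assumed controlled vocabularies; the real PCSI form fields are not on this page.
THREAT_TYPES = {"data_theft", "fraud", "sabotage", "extortion", "planted_insider"}
DETECTION_SOURCES = {"dlp_alert", "access_log_anomaly", "colleague_report",
                     "customer_complaint", "audit"}

# Assumed: a key distributed to the participating organisations (not in the page).
CONSORTIUM_KEY = b"demo-consortium-key-not-for-production"


@dataclass
class MoReport:
    """One entry of the (assumed) Information Sharing Form."""
    reporting_org: str
    incident_date: str          # ISO 8601, YYYY-MM-DD
    threat_type: str
    insider_role: str           # job function, never a person's name
    access_misused: str         # system or privilege that was abused
    technique_summary: str      # free-text modus operandi, no personal data
    detection_source: str
    indicators: list[str] = field(default_factory=list)  # pseudonymised only


def pseudonymise(identifier: str, key: bytes = CONSORTIUM_KEY) -> str:
    """HMAC-SHA256 of a normalised identifier (e.g. a mule-account IBAN).
    Organisations can match recurring identifiers without sharing them in
    clear; the key stops an outsider from brute-forcing the hashes."""
    norm = identifier.replace(" ", "").upper()
    return hmac.new(key, norm.encode(), hashlib.sha256).hexdigest()


def validate(report: MoReport) -> list[str]:
    """Return a list of problems; an empty list means the record may be shared."""
    errors: list[str] = []
    if report.threat_type not in THREAT_TYPES:
        errors.append(f"unknown threat_type {report.threat_type!r}")
    if report.detection_source not in DETECTION_SOURCES:
        errors.append(f"unknown detection_source {report.detection_source!r}")
    try:
        date.fromisoformat(report.incident_date)
    except ValueError:
        errors.append("incident_date must be YYYY-MM-DD")
    hexdigits = set("0123456789abcdef")
    for ind in report.indicators:
        if len(ind) != 64 or not set(ind) <= hexdigits:
            errors.append(f"indicator {ind!r} is not a pseudonymised hash")
    if "@" in report.technique_summary:
        errors.append("technique_summary appears to contain an e-mail address")
    return errors


def early_warning(new: MoReport, history: list[MoReport]) -> list[str]:
    """Other organisations whose historical reports share an indicator with the new one."""
    shared = set(new.indicators)
    return sorted({h.reporting_org for h in history
                   if h.reporting_org != new.reporting_org and shared & set(h.indicators)})


def trend_by_year(history: list[MoReport]) -> dict[str, Counter]:
    """Count reported threat types per incident year for trend analysis."""
    out: dict[str, Counter] = {}
    for r in history:
        out.setdefault(r.incident_date[:4], Counter())[r.threat_type] += 1
    return out


# Constructed sample data (not real cases).
MULE_ACCOUNT = pseudonymise("NL00 BANK 0123 4567 89")
HISTORY = [
    MoReport("Bank A", "2020-11-03", "fraud", "customer service agent",
             "manual payment override", "Payments redirected to a mule account.",
             "audit", [MULE_ACCOUNT]),
    MoReport("Insurer B", "2021-02-17", "data_theft", "claims handler",
             "CRM bulk export", "Customer records exported and offered for sale.",
             "dlp_alert"),
]
NEW_REPORT = MoReport("Bank C", "2021-05-20", "fraud", "branch teller",
                      "manual payment override", "Same mule account as an earlier case.",
                      "customer_complaint", [MULE_ACCOUNT])

if __name__ == "__main__":
    print("validation:", validate(NEW_REPORT) or "ok")
    print("warn:", early_warning(NEW_REPORT, HISTORY))
    print("trend:", trend_by_year(HISTORY + [NEW_REPORT]))
```

The validation step is where a shared form earns its keep: a record that carries a raw account number or an e-mail address is rejected before it leaves the reporting organisation, while the keyed hash still lets Bank C learn that Bank A saw the same mule account a year earlier.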
PIFI: Protocol Incidenten-waarschuwingssysteem Financiële Instellingen (Protocol for the Incident Warning System for Financial Institutions)
This project is part of the trend:
Growing number of insider attacks
Employees are increasingly involved in data leaks, intentionally or unintentionally, for social as well as technical reasons. A growing market for confidential data has emerged on the dark web. On the social side, this means data is increasingly stolen and sold by malicious employees, or misused in other ways. Intentional insider threats take different forms: an employee radicalises, is extorted, or was deliberately placed in the organisation in advance. Attacks can also take place for technical reasons, for example where an employee has access without formal authorisation.