The CERT Guide to Insider Threats: Insider Theft of Intellectual Property

This chapter offers a model to prevent insider theft of intellectual property. The first half of this chapter describes the model at a high level.The second half of the chapter digs deeper into the technical methods used in committing these crimes and mitigation strategies that you should consider based on all of this information.

This chapter is from the book

This chapter is from the book

This chapter is from the book 

• Insider theft of intellectual property (IP): an insider’s use of IT to steal proprietary information from the organization. This category includes industrial espionage involving insiders.
• Intellectual property: intangible assets created and owned by an organization that are critical to achieving its mission.1

Types of IP Stolen

The types of IP stolen in the cases in our database include the following:

• Proprietary software/source code
• Business plans, proposals, and strategic plans
• Customer information
• Product information (designs, formulas, schematics)

What if one of your scientists or engineers walked away with your most valuable trade secrets? Or a contract programmer whose contract ended took your source code with him—source code for your premier product line? What if one of your business people or salespeople took your strategic plans with him to start his own competing business? And possibly worst of all, what if one of them gave your intellectual property to a foreign government or organization? Once your IP leaves the United States it’s extremely difficult, often impossible, to get it back.

Those are the types of crimes we will examine in this chapter. Organizations in almost every critical infrastructure sector have been victims of insider theft of IP.

In one case of insider theft of IP, an engineer and an accomplice stole trade secrets from four different high-tech companies they worked for, with the intention of using them in a new company they had created with funding from a foreign country. In another, a company discovered that an employee had copied trade secrets worth $40 million to removable media, 2 and was using the information in a side business she had started with her husband. In yet another, a large IT organization didn’t realize that it had been victimized until it happened to see a former employee at a trade show selling a product that was remarkably similar to the organization’s!

When we began examining the theft of IP cases in our database we surmised that insiders probably stole IP for financial reasons. We were very wrong about that! We found that quite the opposite is true: Very few insiders steal intellectual property in order to sell it. Instead, they steal it for a business advantage: either to take with them to a new job, to start their own competing business, or to take to a foreign government or organization.

Very few insiders steal intellectual property in order to sell it. Instead, they steal it for a business advantage: either to take with them to a new job, to start their own competing business, or to take to a foreign government or organization.

Another misconception about theft of IP is that system administrators are the biggest threat, since they hold “the keys to the kingdom.” Not according to our data! We don’t have a single case in our database in which a system administrator stole intellectual property, although we do have a few cases involving other IT staff members. However, keep in mind that we only have cases in which the perpetrator was discovered and caught; it is possible that system administrators are stealing IP and are simply getting away with it.

In fact, the insiders who steal IP are usually current employees who are scientists, engineers, programmers, or salespeople. Most of them are male. We checked the U.S. Bureau of Labor Statistics to determine if most of those types of positions are held by men, but the results, listed here for 2010, were inconsistent.

• 12.9% of all architectural and engineering positions were held by women.
• 45.8% of all biological scientists were women.
• 33.5% of all chemists and materials scientists were women.
• 26.2% of all environmental scientists and geoscientists were women.
• 39.5% of all other physical scientists were women.
• 49.9% of all sales and related occupations were held by women. 3

Insiders who steal IP are usually current employees who are scientists, engineers, programmers, or salespeople.

We are not suggesting that you assume men are more likely than women to commit these types of crimes. On the contrary, we suggest that rather than focusing on demographic characteristics, you should focus on the following:

• Understanding the positions at risk for these crimes
• Recognizing the patterns and organizational factors that typically surround insider theft of IP incidents
• Implementing mitigation strategies based on those patterns

These types of crimes are very difficult to detect because we found that these insiders steal information for which they already have authorized access, and usually steal it at work during normal business hours. In fact, they steal the same information that they access in the course of their normal job. Therefore, it can be very difficult to distinguish illicit access from legitimate access.

Insiders steal information for which they already have authorized access, and usually steal it at work during normal business hours. In fact, they steal the same information that they access in the course of their normal job. Therefore, it can be very difficult to distinguish illicit access from legitimate access.

Fortunately, we have come up with some good strategies based on our MERIT model of insider theft of intellectual property that we will detail in this chapter. The first half of this chapter describes the model at a high level. In the second half of the chapter we will dig deeper into the technical methods used in committing these crimes and mitigation strategies that you should consider based on all of this information.

The MERIT model describes the profile of insider theft of IP by identifying common patterns in the evolution of the incidents over time. These patterns are strikingly similar across the cases in our database. Unfortunately, we were not quite as lucky in creating our theft of IP model as we were in creating our insider IT sabotage model. While we found one very distinct pattern that was exhibited in almost every IT sabotage case, we could not identify a single pattern for theft of IP. Instead, we ended up identifying two overlapping models.

• Entitled Independent: an insider acting primarily alone to steal information to take to a new job or to his 4 own side business
• Ambitious Leader: a leader of an insider crime who recruits insiders to steal information for some larger purpose

The cases in our database break up just about 50/50 between the two models. In addition, the models have different but overlapping patterns; the Ambitious Leader model builds from the Entitled Independent model. This is good news, as our suggested mitigation strategies apply to both models.

In this chapter we will describe the patterns identified in both models, and will present mitigation strategies that use those patterns to your advantage. 5 These techniques include a combination of automated and manual countermeasures. In addition, some are focused on protection of your most valuable information assets, while others are targeted at specific employees triggered by indicators that could suggest an increased risk of attack.

For example, if you can identify your most critical assets, technical solutions such as digital watermarking, 6 digital rights management, 7 and data loss prevention systems 8 can be implemented to prevent those assets from leaving your network. There are several drawbacks to these technical solutions, however. First of all, most organizations can’t or haven’t identified and located all of their most critical computer files. This can be an overwhelming task, particularly in a large organization. In addition, many of you have trusted business partners that legitimately move your critical files back and forth from their own networks to yours. Those types of environments can complicate use of those types of technologies.

Because of the complexity of implementing a purely technical solution focused on critical assets, we also suggest targeted monitoring of employees or contractors who are leaving your organization. We found that most insiders steal intellectual property as they are leaving the organization, suggesting that it could be beneficial to watch their actions more closely, specifically those involving removable media, email, and other methods used in exfiltrating information.

We will provide suggested countermeasures throughout this chapter, and detailed technical information for the theft of IP cases in the section Mitigation Strategies for All Theft of Intellectual Property Cases at the end of the chapter. The bottom line is that unlike IT sabotage, where the goal is to catch the insider as he is setting up his attack—planting malicious code or creating a backdoor account—you cannot really detect theft of IP until the information is actually in the process of being stolen—as it is being copied to removable media or emailed off of the network. In other words, your window of opportunity can be quite small, and therefore you need to pay close attention when you see potential indicators of heightened risk of insider theft of IP.

We have some “good-news” cases that indicate that it is possible to detect theft of IP using technical measures in time to prevent disastrous consequences.

• An organization detected IP emailed from a contractor’s email account at work to a personal email account, investigated, and discovered significant data exfiltration by the contractor. The organization found the contractor was working with a former employee to steal information to start a competing business. Obviously, the stolen IP was extremely valuable, as the contractor was arrested, convicted, ordered to pay a fine of $850,000, and sentenced to 26 years in prison!
• After a researcher resigned and started a new job, his former employer noticed that he had downloaded a significant number of proprietary documents prior to his departure. This led to his arrest before he could transfer the information to his new employer’s network. The information was valued at $400 million.
• During an organization’s routine auditing of HTTPS traffic9 it discovered that an employee who had turned in his resignation had exfiltrated proprietary source code on four separate occasions to a server located outside the United States. Although the employee claimed the transfer was accidental, and that he had only uploaded open source information, he was arrested.

Impacts

The impacts of insider theft of IP can be devastating: Trade secrets worth hundreds of millions of dollars have been lost to foreign countries, competing products have been brought to market by former employees and contractors, and invaluable proprietary and confidential information has been given to competitors. More than half of our theft of IP cases involved trade secrets.

More than half of our theft of IP cases involved trade secrets.

In addition, impacts in these cases can reach beyond the victim organization. Here are some examples.

• Source code for products on the U.S. Munitions List was shared with foreign military organizations. 10
• A government contractor stole passwords that provided unauthorized access to sensitive, potentially classified information.
• Source code was added to software in a telecommunications company that enabled the perpetrators to listen in on phone calls made by 103 high-ranking government and nongovernment officials.

Estimated financial impacts in the theft of IP cases in the CERT database averaged around $13.5 million (actual) and $109 million (potential). 11 The median estimated financial impact was $337,000 (actual) and $950,000 (potential). This means that a few extremely high-impact cases skew the average significantly. The highest estimated potential financial losses were

• $1 billion in a high-tech case in the IT sector
• $600 million in a telecommunications company
• $500 million in a pharmaceutical company
• $400 million in a chemical company
• $100 million in a biotech company

The highest estimated actual financial losses were

• $100 million in a manufacturing business
• $40 million in a manufacturing business
• $6 million in the financial services sector
• $1.5 million in a high-tech software development organization

These are only some of the cases with the highest financial consequences. We provided this list for several reasons. First, we are frequently asked how to calculate return on investment (ROI) for insider threat mitigation. That is a very difficult question, and one that has not yet been answered adequately for cybersecurity in general. To start, you should identify what your critical assets are, and estimate the potential loss if those assets were to leave your organization. The losses we listed from actual cases should help you to convince your management that insider threat is not to be taken lightly!

Second, although almost half of the insider theft of IP cases occurred in the IT sector, we want to emphasize that these types of crimes have resulted in significant losses in other sectors as well.

We strongly suggest that you pay close attention to this chapter if you are concerned about the security of your proprietary and confidential information. Now that we have caught your attention, let’s look at the characteristics and “big picture” of insider theft of intellectual property.