Software Engineering Institute

This report is the second in the quarterly series, Spotlight On, published by the Insider Threat Center at CERT and funded by CyLab. Each report focuses on a specific area of concern and presents analysis based on hundreds of actual insider threat cases cataloged in the CERT insider threat database. For more information about CERT's insider threat work, see http://www.cert.org/insider_threat/. 

In this article, we focus on insider threat cases in which the insider had relationships with the internet underground community. We begin by defining what we mean by the internet underground as it is used in the context of this article. We then provide a snapshot of the cases that focuses on who, what, why, and how. Next, we provide references to best practices that might have been effective in countering these incidents.

We would like to thank William Shore, retired Special Agent with the FBI who is now the Manager of Security at the Software Engineering Institute. Shore provided insights from the law enforcement perspective for this article. We would also like to thank our colleagues in CERT - including Julia Allen, Robert Seacord, and Carol Woody - who provided expertise related to the internet underground community, and Craig Lewis, who provided input on technical countermeasures for the cases in this article.