
June 2023

INSIDER THREAT INDICATORS IN USER ACTIVITY MONITORING JOB AID

Center for Development of Security Excellence

INTRODUCTION
Logging, monitoring, and auditing of information system activities can lead to early discovery and mitigation of
behavior indicative of insider threat. Insider Threat policies require User Activity Monitoring (UAM) on classified
networks in support of Insider Threat Programs for:
• DOD Components under DODD 5205.16
• Federal Agencies under E.O. 13587 and the National Insider Threat Policy and Minimum Standards
• Cleared Industry under 32 CFR Part 117 (the NISPOM Rule)
Implementation will be specific to your location, but all organizations must:
• Define what will be monitored
• Indicate how monitoring will be instituted
• Inform users of monitoring actions via banners
• Identify indicators that require review (e.g., trigger words, activities)
• Protect user activity monitoring methods and results
• Develop a process for verification and review of potential issues
• Establish referral and reporting procedures
UAM also supports the broader mission of insider threat programs. As such, UAM development should include consideration of indicators of potential acts of violence against organizational resources, including suicidal ideation.

The following sections provide more information on developing your program:
• UAM Policy and Implementation
• Defining Activity Monitoring
• Key Word Indicators and Triggers
• UAM Log Review Process
• Reporting and Referral Procedures

Below are some of the areas to consider when you are developing UAM indicators and triggers for monitoring and reporting. The illustrations in the job aid depict potential risk indicators that may be detected by UAM, grouped under six areas: Access Attributes; Foreign Influence and Preference; Financial Considerations; Personal Conduct; Substance Abuse and Alcohol Consumption; and Criminal Conduct. A callout notes that reporting Insider Threat Indicators is required under Executive Order 13587, DOD Directive 5205.16, and the National Industrial Security Program.

For more Insider Threat resources visit:

https://www.cdse.edu/Training/Toolkits/Insider-Threat-Toolkit/

cdse.edu/catalog/insider-threat.html

UAM POLICY AND IMPLEMENTATION


Governance, or the policies and procedures you enact for your Insider Threat Program, will guide your efforts in monitoring user activities on your organization’s classified networks. These efforts should include user and group management, use of privileged and special rights, and security and policy changes. Key components of governance include having employees sign agreements acknowledging monitoring and implementing banners informing users that their system and network activity is being monitored. Monitoring these elements ensures that users’ access is limited to what is essential for their role. This allows you to prioritize monitoring efforts. It also allows you to identify users who are abusing their privileges.

User Activity Monitoring helps identify users who are abusing their access and may be potential Insider Threats. This includes monitoring file activities such as downloads, print activities (such as files printed), and search activities. Monitoring these activities can identify abnormal user behaviors that may indicate a potential Insider Threat. While you cannot monitor every aspect of these activities, you can prioritize efforts as they relate to the systems and information that require the most protection.

System Activity Monitoring will allow your program to identify possible system misuse. Activities or events to monitor include logons and logoffs, system restarts and shutdowns, and root-level access. Monitoring these activities identifies when the network is being accessed, any potential software installs, and whether someone is accessing or making changes to the root directory of a system or network.

Any UAM Program should, at minimum, be implemented with Chief Information Officer concurrence before, during, and after a UAM system is considered.

References: Industry, DOD, Federal Agencies (see the REFERENCES section at the end of this job aid).

DEFINING ACTIVITY MONITORING


This section clarifies Enterprise Audit Management (EAM), User Activity Monitoring (UAM), Continuous Monitoring, and Continuous Vetting (the successor to Continuous Evaluation). The following definitions are published in Committee on National Security Systems (CNSS) Instruction No. 4009, National Information Assurance Glossary.

User Activity Monitoring (UAM) - The technical capability to observe and record the actions and activities of an individual, at any time, on any device accessing U.S. Government information in order to detect insider threats and to support investigations.

Enterprise Audit Management (EAM) - The identification, collection, correlation, analysis, storage, and reporting of audit information, and monitoring and maintenance of this capacity. An EAM solution should be deployed to collect, store, and provide access to audit data.

Continuous Monitoring - The process implemented to maintain a current security status for one or more information systems or the entire suite of information systems on which the operational mission of the enterprise depends.

Continuous Vetting (CV) - A process that involves regularly reviewing a cleared individual’s background to ensure they continue to meet security clearance requirements and should continue to hold positions of trust. CV works as automated record checks pull data from criminal, terrorism, and financial databases, as well as public records, at any time during an individual’s period of eligibility. When DCSA receives an alert, it assesses whether the alert is valid and worthy of further investigation. DCSA investigators and adjudicators then gather facts and make clearance determinations. CV helps DCSA mitigate personnel security situations before they become larger problems, either by working with the cleared individual to mitigate potential issues or, in some cases, by suspending or revoking clearances.

Trusted Workforce 2.0, the whole-of-government approach to reform the personnel security process and establish a single vetting system for the U.S. Government, began implementation in 2018 following extensive planning and inter-agency coordination. Relevant insider threat information partially fulfills the agency-specific information required for each CV program. While complementary, insider threat programs operating with robust UAM are not a requirement of CV.

KEY WORD INDICATORS AND TRIGGERS


Organizations monitoring for theft of classified and/or confidential information need to consider the wide variety of ways that information is pilfered and customize their detection strategy accordingly, following the distinct patterns of insider threat behavior (e.g., intellectual property (IP) theft, IT sabotage, fraud, espionage, and accidental insider threats).

Every organization has a unique network topology whose characteristics, such as bandwidth utilization, usage patterns, and protocols, can be monitored for security events and anomaly detection. Deviations from normal network behavior can signal possible security incidents, including insider threats. However, administrators must have visibility into a network to understand it. Various tools and software packages can collect information about keyword activity and behavior and develop a network topology. Additionally, organizations should consider that keywords and triggers are dynamic: they track current threats and policies, which change over time, and the trigger set must be maintained accordingly.

Several tools are available that enable the organization to perform functions like alerting administrators to emails with unusually large attachments; tagging documents that should not be permitted to leave the network; tracking or preventing printing, copying, or downloading of certain information, such as personally identifiable information or documents containing certain words like new product codenames; tracking of all documents copied to removable media; and preventing or detecting emails to competitors, to addresses outside the U.S., to Gmail or Hotmail accounts, and so on.

Organizations may find it challenging to maintain employee privacy while collecting data to establish a baseline. The collection, use, maintenance, and dissemination of information critical to the success of government efforts to counter insider threats must comply with all applicable laws and policy issuances, including those regarding whistleblower, civil liberties, and privacy protections.

Additional Resources:
• Carnegie Mellon Insider Threat Best Practices
• OMB Circular No. A-130, Appendix III, “Security of Federal Automated Information Resources”

UAM LOG REVIEW PROCESS


Security and logging capabilities have reached the point where data overload is as challenging a problem as data collection. Information security vendors have responded to the expanding cyber threat landscape with a plethora of security solutions. This growth has introduced two major challenges to the problem of cybersecurity: volume and complexity.

To overcome the barriers of volume and complexity, organizations must identify exactly which of their data feeds are critical. Use a log correlation engine to log, monitor, and audit employee actions. Successful implementation of such a solution depends on knowing what data to collect. Simply logging all online events is not sufficient to protect an organization’s infrastructure from malicious activity. Correlating events will produce more relevant alerts and better informed decisions.

Audit policy for U.S. Government systems is established in the Federal Information Security Management Act (FISMA), as amended by the Federal Information Security Modernization Act of 2014. This policy is reinforced for DOD Components under both Cybersecurity and Insider Threat policy and for cleared industry under the NISPOM. Section 117.18 of 32 CFR Part 117 (the NISPOM Rule) addresses information system security and states that the CSA will issue guidance based on the requirements for federal systems pursuant to 44 U.S.C. Chapter 35, Subchapter II (the Federal Information Security Modernization Act) and as set forth in National Institute of Standards and Technology (NIST) Special Publication 800-37.

Audit logs are an important part of continuous monitoring and fundamental to operational resilience. As stated in DODI 8500.01, Cybersecurity, on operational resilience, “Attempts made to reconfigure, self-defend, and recover should produce an incident audit trail.” DODD 5205.16, The DOD Insider Threat Program, states that Component programs will maintain an “...integrated capability to monitor and audit information for insider threat detection and mitigation…”

The primary purpose of audits is to promote user accountability. While requirements may differ depending on your organization, the following are recommended as a good baseline: conduct audit log reviews weekly and archive audit logs for a period of one year or one review cycle. Applicable laws, regulations, and policies may mandate a different period of retention. For more information, see the “Continuous Monitoring” eLearning course available at CDSE.edu.

Additional Resources:
• OMB Circular No. A-130, Appendix III, “Security of Federal Automated Information Resources”
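The keyword triggers, large-attachment and webmail-recipient alerts described under KEY WORD INDICATORS AND TRIGGERS, and the event correlation this section recommends, can be shown together in a small rule engine. The following is an added example written for this page; it is not code from the CDSE job aid, from any UAM product, or from the references listed. The event schema and field names, the keyword list, the 25 MB attachment threshold, the 30-minute correlation window and the 06:00-19:59 hours baseline are all assumptions, and the event stream is constructed sample data.

```python
"""Rule-based UAM indicator detection over constructed audit events.

Added example for this page, not from the CDSE job aid or any UAM product.
Event schema, rule names, thresholds and the keyword list are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalised UAM events. A real feed would come from the
# organisation's EAM/SIEM; timestamps are deliberately out of order to show
# that the engine sorts before correlating.
SAMPLE_EVENTS = [
    {"ts": "2023-06-12T23:15:00", "user": "svc_backup", "type": "logon",
     "privilege": "root", "host": "fileserver01"},
    {"ts": "2023-06-12T09:05:30", "user": "jdoe", "type": "removable_media_copy",
     "path": "/projects/FALCONRIDGE/specs.docx", "device": "USB-SN-1234"},
    {"ts": "2023-06-12T09:02:00", "user": "jdoe", "type": "file_download",
     "path": "/projects/FALCONRIDGE/specs.docx", "tags": ["proprietary"]},
    {"ts": "2023-06-12T09:40:00", "user": "jdoe", "type": "email",
     "recipient": "j.d.personal@gmail.com", "attachment_bytes": 42_000_000,
     "subject": "files"},
    {"ts": "2023-06-12T10:10:00", "user": "asmith", "type": "search",
     "query": "how to bypass dlp agent"},
    {"ts": "2023-06-12T11:00:00", "user": "asmith", "type": "email",
     "recipient": "colleague@agency.gov", "attachment_bytes": 150_000,
     "subject": "weekly status"},
]

# Assumed program-maintained trigger list (codenames, evasion phrases); the
# job aid notes this list must track current threats and policy over time.
KEYWORDS = {"falconridge", "bypass dlp", "codename"}
WEBMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
LARGE_ATTACHMENT_BYTES = 25 * 1024 * 1024      # assumed threshold
CORRELATION_WINDOW = timedelta(minutes=30)      # assumed download->copy window
WORK_HOURS = range(6, 20)                       # assumed 06:00-19:59 baseline


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def _free_text(ev):
    """Concatenate the free-text fields a keyword trigger should inspect."""
    return " ".join(str(ev.get(k, "")) for k in ("path", "query", "subject")).lower()


def detect(events):
    """Apply the rules to an event list; return (rule, user, detail) alerts."""
    alerts = []
    tagged_downloads = defaultdict(list)   # user -> [(ts, path)] for correlation
    for ev in sorted(events, key=_ts):
        user, kind = ev["user"], ev["type"]

        # Rule 1: keyword trigger in any free-text field (path, search, subject).
        hits = sorted(k for k in KEYWORDS if k in _free_text(ev))
        if hits:
            alerts.append(("keyword_trigger", user, f"{kind}: {', '.join(hits)}"))

        # Rule 2: mail to a webmail domain, and unusually large attachments.
        if kind == "email":
            domain = ev["recipient"].rsplit("@", 1)[-1].lower()
            if domain in WEBMAIL_DOMAINS:
                alerts.append(("webmail_recipient", user, ev["recipient"]))
            if ev.get("attachment_bytes", 0) > LARGE_ATTACHMENT_BYTES:
                alerts.append(("large_attachment", user, f"{ev['attachment_bytes']} bytes"))

        # Rule 3 (correlation): a tagged document downloaded by this user and
        # then copied to removable media within the window. The pairing, not
        # either event on its own, is what this rule alerts on.
        if kind == "file_download" and "proprietary" in ev.get("tags", []):
            tagged_downloads[user].append((_ts(ev), ev["path"]))
        if kind == "removable_media_copy":
            for dl_ts, path in tagged_downloads[user]:
                if path == ev["path"] and _ts(ev) - dl_ts <= CORRELATION_WINDOW:
                    alerts.append(("tagged_doc_to_removable_media", user,
                                   f"{path} -> {ev['device']}"))

        # Rule 4: root-level logon outside the hours baseline for the site.
        if kind == "logon" and ev.get("privilege") == "root" and _ts(ev).hour not in WORK_HOURS:
            alerts.append(("offhours_root_logon", user, ev["host"]))
    return alerts


def summarize(alerts):
    """Alert count per user, the first cut a weekly log reviewer would triage."""
    counts = defaultdict(int)
    for _, user, _ in alerts:
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(summarize(found))
```

Run it directly to print the alerts and a per-user summary. The point the prose makes is visible in the output: the removable-media rule fires only because a tagged download by the same user of the same file precedes the copy within the window, which is an alert a flat event log would not produce, and the root logon is flagged on its timing rather than on the fact of privileged access. Swapping the constructed timestamps so the copy precedes the download makes the correlation rule stay silent.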

REPORTING AND REFERRAL PROCESS


Insider Threat Programs must report certain types of information. DOD, Federal agency, and industry Insider Threat Programs operate under different regulations and requirements for reporting.

Federal Insider Threat Programs, including those in DOD, are obligated to report to the FBI under Section 811 of the Intelligence Authorization Act for Fiscal Year 1995 when classified information is being, or may have been, disclosed in an unauthorized manner to a foreign power or an agent of a foreign power. In addition, Federal Insider Threat Programs must follow any other internal reporting procedures established within the organization. To report to the FBI, use the FBI Headquarters email point of contact for secure reporting or contact your local field office.

DOD Components are also required to report information that meets identified thresholds to the Defense Insider Threat Management and Analysis Center (DITMAC) via the DITMAC System of Systems (DSOS). In addition, items meeting reporting thresholds under DODD 5240.06, Counterintelligence Awareness and Reporting, must be reported to the cognizant Counterintelligence Office.

Under 32 CFR 117.8(b) (the NISPOM Rule), industry must report certain events that may have an effect on the status of the entity’s or an employee’s eligibility for access to classified information. These include events that indicate an insider threat to classified information or to employees with access to classified information, as well as events that affect the proper safeguarding of classified information or that indicate classified information has been, or is suspected to have been, lost or compromised.

Under certain circumstances, such as the opening of an investigation or inquiry, your Program may need to cease activities upon referral. In other instances, the Program may be able to employ alternate mitigation options concurrent with external actions. Your Insider Threat Program must ensure that early actions taken in incident response do not interfere with the ability of law enforcement or counterintelligence to conduct investigations or operations, or inhibit future prosecution, in cases that require reporting to external agencies. Work with your general counsel and the referral agency to ensure that any evidence associated with the incident is handled properly and adheres to the proper chain of custody. See the CDSE eLearning courses Preserving Investigative and Operational Viability in Insider Threat and Insider Threat Mitigation Response for more information.

Additional Resources:
• Insider Threat Toolkit: Reporting Tab

PRIVACY & CIVIL LIBERTIES


Although lawful agency monitoring of employee
communications serves legitimate purposes, federal
law also protects the ability of workers to exercise
their constitutional rights including the right to report
questionable government activity without fear of
retaliation. The collection, use, maintenance, and
dissemination of information critical to the success of
government and industry efforts to counter insider
threats must comply with all applicable laws and
policies, including those regarding whistleblower, civil
liberties, and privacy protections. Laws, policies, and
regulations vary depending on your organization.
Federal agencies, including the DOD, must protect personally identifiable information (PII) for U.S. persons in accordance with section 552a of Title 5, U.S.C. (also known as “The Privacy Act of 1974”) and other federal regulations. In addition, all Constitutional rights must be protected. Activities related to the DOD insider threat program, including information sharing and collection, must comply with DOD Privacy policy and Civil Liberties policies. Cleared industry programs are also required to comply with applicable federal, state, and local privacy and civil liberties policies and regulations.

One way to balance information-sharing and privacy is to minimize the number of personnel who have access to sensitive data. While all information owners (i.e., human capital, corporate or agency records custodians, supervisors and non-management workers, security groups, etc.) may contribute their threat detection data and ideas, only a small, core insider threat team should receive and analyze that information. These inputs may be the result of a data call, or they may be a real-time, automated data feed. Each stakeholder should have a trusted agent who can provide data feeds or additional information. The insider threat team should identify trusted agents ahead of time, so they can be contacted immediately when an incident occurs.

Organizations should consult legal counsel before implementing any monitoring program to ensure they meet all legal requirements and disclosures. Moreover, organizations should evaluate their monitoring policies and practices, and take measures to ensure that these policies and practices do not interfere with lawfully disclosing questionable government activity.

REFERENCES
INDUSTRY REFERENCES
• 32 CFR Part 117 (NISPOM Rule)
• DCSA Assessment and Authorization Process Manual, 31 Aug 2020

DOD REFERENCES
• Department of Defense Directive 5205.16, “The DOD Insider Threat Program”
• DOD 5400.11, Ch. 1, “DOD Privacy and Civil Liberties Programs,” December 8, 2020
• DOD 6025.18-R, “DOD Health Information Privacy Regulation,” March 13, 2019
• DOD Directive 5143.01, “Under Secretary of Defense for Intelligence,” April 6, 2020
• DOD Directive 5200.27, “Acquisition of Information Concerning Persons and Organizations not Affiliated with the Department of Defense,” January 7, 1980
• DOD Instruction 1000.29, Ch. 1, “DOD Civil Liberties Program,” November 26, 2014
• DOD Instruction 8580.02, “Security of Individually Identifiable Health Information in DOD Health Care Programs,” August 12, 2015
• DOD Manual 5240.01, Ch. 3, “Procedures Governing the Conduct of DOD Intelligence Activities,” November 9, 2020
• DOD Manual 8910.01, Volume 1, Ch. 4, “DOD Information Collections Manual: Procedures for DOD Internal Information Collections,” December 5, 2022
• Secretary of Defense Memorandum, “Final Recommendations of the Washington Navy Yard Shooting Internal and Independent Reviews,” March 18, 2014
• DODD 5205.83, “DOD Insider Threat Management and Analysis Center (DITMAC),” March 30, 2017

FEDERAL AGENCY REFERENCES
• Executive Order 13587, “Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information,” October 7, 2011
• Presidential Memorandum, “National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs,” November 21, 2012
• United States Code, Title 5, Section 552a (also known as “The Privacy Act of 1974”)
• GAO, Federal Information System Controls Audit Manual (FISCAM)
• NIST, Federal Information Security Management Act (FISMA)
• U.S. Office of Special Counsel, Agency Monitoring Policies and Whistleblower Disclosures Memo, February 1, 2018
