Insider Threat Indicator Ontology
CERT Insider Threat Center
This ontology is designed to provide an expression mechanism for potential indicators of malicious insider activity.
This property links a temporal thing that follows immediately after a second temporal thing.
Adapted from Eric Peterson's SpaceTime ontology: http://semanic.org/OntDef/Cur/SpaceTime.owl
This predicate means that the TemporalThing subject starts immediately following the TemporalThing object. subject and object have no time points in common, but there is also no time point between the ending of object and the starting of subject. -Derived from OpenCyc 1.0.
Adapted from Eric Peterson's SpaceTime ontology: http://semanic.org/OntDef/Cur/SpaceTime.owl
This property means that the two temporal things have precisely the same temporal extent (see temporalExtent).
-Derived from OpenCyc 1.0
Adapted from Eric Peterson's SpaceTime ontology: http://semanic.org/OntDef/Cur/SpaceTime.owl
See inverse.
Adapted from Eric Peterson's SpaceTime ontology: http://semanic.org/OntDef/Cur/SpaceTime.owl
This predicate means that subject and object end at the same time and that the subject starts after the object.
Adapted from Eric Peterson's SpaceTime ontology: http://semanic.org/OntDef/Cur/SpaceTime.owl
Describes a computer account's access to an asset.
This relation defines an accomplice to the insider during the event.
An accomplice is a person who helps another commit a crime
This property links an event to its action(s).
This property links an action to its actor(s).
This property links an organization to one of its administrative assistants.
An administrative assistant is defined as an individual who provides various kinds of administrative support to people and groups in organizations.
Links an organization to an analyst.
An analyst is defined as an employee who analyzes or is skilled in analysis.
This property links an asset or actor to an asset it owns.
This links an event to the beneficiary organization for the event.
The beneficiary organization is defined as the organization that the insider intended to provide some benefit to through their malicious actions. The beneficiary organization may or may not have been knowingly involved in the incident.
Relates a person to a male friend with whom that person has a romantic relationship.
Relates a male to other sons and daughters of his parents.
Links an organization to a chief executive officer.
A chief executive officer is defined as a top executive in an organization.
Links an organization to a chief financial officer.
A chief financial officer is a top executive who manages the finances of an organization.
Links an organization to a chief technical officer.
A chief technical officer is defined as a top executive who runs the technology groups within an organization.
This property links colleagues.
A colleague is defined as a fellow worker or member of a staff, department, profession, etc.
http://dictionary.reference.com/browse/colleague?s=t
This property links competing individuals or organizations.
This relation defines a conspirator for the insider during the event.
A conspirator is a person who is involved in a secret plan to do something harmful or illegal.
http://www.shrm.org/TemplatesTools/Glossaries/HRTerms/Pages/c.aspx
This property links a consultant to a customer.
A consultant is defined as an individual who works independently to assist and advise client organizations with various organizational functions and responsibilities on a fee-for-service basis.
Links an organization to a contractor.
A contractor is defined as a person or company that undertakes a contract to provide materials or labor to perform a service or do a job.
This property links an actor to a customer.
A customer is defined as a person or organization that buys goods or services from a business or an organization.
http://www.onetonline.org/link/summary/43-4051.00
Links an organization to a customer service representative.
A customer service representative is defined as an individual who interacts with customers to provide information in response to inquiries about products and services and to handle and resolve complaints.
See parent definition
This property links an organization to an employee in the education system.
http://dictionary.reference.com/browse/employee?s=t
This property links an organization to one of its employees.
An employee is defined as a person working for another person or an organization for pay.
This property describes an actor's role in the insider event. This role can be in relation to the event itself or to another actor in the event.
Links an organization to an individual who is not a direct employee of the organization.
A connection between two people associated with familial ties.
Relates a male to his child or children.
See parent definition.
This defines friends of the insider who may have knowingly or unknowingly been involved in the event.
Relates a person to a female friend with whom that person has a romantic relationship.
Relates a married man to his spouse.
This property links an asset to the information it contains.
This links an action to an asset used in the action. This fits into an action as follows: "An actor performs an action on an object with an instrument."
This property defines the logical or physical locations of information, an asset, or an actor.
Links an organization to a manager.
A manager is defined as an employee who manages a group within an organization.
Relates a female to her child or children.
Links an organization to a network administrator.
A network administrator is defined as an employee who is responsible for upkeep, configuration, and reliable operation of a network.
This links an action to the object that was acted upon. This fits into an action as follows: "An actor performs an action on an object with an instrument."
Links an organization to an office manager.
An office manager is defined as an employee that runs day-to-day operations within an office.
http://www.onetonline.org/link/summary/33-3051.00
Links an organization to a police officer.
A police officer is defined as a person who maintains order and protects life and property by enforcing local, tribal, State, or Federal laws and ordinances. Performs a combination of the following duties: patrol a specific area; direct traffic; issue traffic summonses; investigate accidents; apprehend and arrest suspects, or serve legal processes of courts.
http://dictionary.reference.com/browse/professor
A teacher of the highest academic rank in a college or university.
This property links a piece of information to a thing that it describes, is about, references, or makes mention to.
This property describes how an actor or event is related to another actor.
Links an organization to a representative.
A representative is defined as an employee who is chosen or appointed to act or speak for another or others, in particular.
Links an organization to a researcher.
A researcher is defined as an employee who investigates new areas of study and applications of technology.
Links an organization to a retailer.
A retailer is defined as a seller of goods or commodities in small quantities directly to consumers.
http://www.thefreedictionary.com/retailer
Links an organization to an employee that sells a product or service provided by the organization
Links an organization to a person who ensures the physical safety of people or assets.
http://www.onetonline.org/link/summary/33-9032.00
Links an organization to a security guard.
A security guard is defined as an employee who guards, patrols, or monitors premises to prevent theft, violence, or infractions of rules.
Relates a female to other sons and daughters of her parents.
Links an organization to an individual who creates software.
See parent definition
Relates a husband or wife to their partner.
http://dictionary.reference.com/browse/subcontractor?s=t
Links an organization to a subcontractor. A subcontractor is defined as a person or business that contracts to provide some service or material necessary for the performance of another's contract.
Links an organization to a system administrator.
A system administrator is defined as an employee who is responsible for upkeep, configuration, and reliable operation of computer systems.
Links an organization to an employee whose duties typically involve computers or computer networks.
Links an organization to a technical manager.
A technical manager is defined as an employee that provides technical direction and leadership for the development of products and projects.
http://dictionary.reference.com/browse/technician?s=t
Links an organization to a technician.
A technician is defined as a person who is trained or skilled in the technicalities of a subject.
This property defines a collaborative professional relationship between organizations or people involving some level of mutual trust.
Links an organization to an employee who holds an upper management position within the organization.
http://dictionary.reference.com/browse/vendor?s=t
Links an organization to a vendor.
A vendor is defined as a person that sells something.
This links an event to the victim organization for the event.
A victim organization is an organization that suffers from the malicious actions of an insider.
Relates a married woman to her spouse.
This describes a professional relationship.
See inverse.
Adapted from Eric Peterson's SpaceTime ontology: http://semanic.org/OntDef/Cur/SpaceTime.owl
This property defines a temporal thing that starts after, partially occurs during, and ends after another temporal thing.
Adapted from Eric Peterson's SpaceTime ontology: http://semanic.org/OntDef/Cur/SpaceTime.owl
This property defines a temporal thing that starts before, partially occurs during, and ends before another temporal thing.
Adapted from Eric Peterson's SpaceTime ontology: http://semanic.org/OntDef/Cur/SpaceTime.owl
This predicate means that subject and object start to occur or exist at the same time point (see startingPoint) and that subject ends or ceases to exist (see endingPoint) after object ends or ceases to exist. For example, subject might be a WeddingCeremony and object might be the bride's walk down the aisle. -Derived from OpenCyc 1.0
Adapted from Eric Peterson's SpaceTime ontology: http://semanic.org/OntDef/Cur/SpaceTime.owl
See inverse.
Adapted from Eric Peterson's SpaceTime ontology: http://semanic.org/OntDef/Cur/SpaceTime.owl
See inverse.
Adapted from Eric Peterson's SpaceTime ontology: http://semanic.org/OntDef/Cur/SpaceTime.owl
This property links a subject to an object such that the subject starts and ends before the object starts.
Adapted from Eric Peterson's SpaceTime ontology: http://semanic.org/OntDef/Cur/SpaceTime.owl
This property links two entities so as to characterize their overlap in time.
This property defines a relationship between subject and object where the subject starts after and ends before the object.
Adapted from Eric Peterson's SpaceTime ontology: http://semanic.org/OntDef/Cur/SpaceTime.owl
This property links a temporal thing with a non-reified float representing duration. It needn't be reified, because the temporal thing is a durational thing.
An instance of this class represents the infinite interval containing all time.
Instances of this class are maximally small intervals - time pixels if you will. The size of a pixel corresponds with the smallest resolvable time unit on the machine implementation in use. Time points are to be shared among all events in the data store.
To agree to start or change to a specific job role.
The act of gaining access to a system.
Information used to identify and authenticate a person on a computer or network
A thing performed by a direct actor and indirect participants on a direct object, which may produce a result. Optionally happens at a location, and/or with the help of an instrument.
Modifier that describes additional subjective details about an action.
http://schema.org/agent
The direct performer or driver of an action.
Event that is determined to deviate from a set baseline.
To submit an application for a job.
http://schema.org/Intangible
A utility class that serves as the umbrella for a number of tangible and intangible things, such as data, hardware, personally identifiable information (PII), software, etc.
A computer program designed to allow an unauthorized path into the network or a system.
A reserve copy of data, stored on magnetic tape media, for use if the original becomes lost or damaged.
http://www.investopedia.com/terms/a/account.asp
An arrangement by which an organization accepts a customer's financial assets and holds them on behalf of the customer at his or her discretion.
The information uniquely identifying a bank account, including account numbers and balance information.
http://www.shrm.org/templatestools/glossaries/hrterms/pages/b.aspx
The act of not upholding or violating the terms of a contract or agreement.
Information about how a business is run
Information contained in business policies. Policies provide high level criteria for developing business processes.
Information on how business processes are performed.
Sensitive information that requires special protections.
http://www.webopedia.com/TERM/C/compact_disc.html
A polycarbonate with one or more metal layers capable of storing digital information.
http://searchstorage.techtarget.com/definition/compression
The reduction in size of data in order to save space or transmission time.
http://msdn.microsoft.com/en-us/library/cc759279
A means for authenticating and auditing computer access to a network or domain resources.
http://www.merriam-webster.com/dictionary/connect
To establish a communications connection.
http://windows.microsoft.com/en-us/windows-vista/copy-a-file-or-folder
To duplicate an original item that you can then modify, delete, or store independently of the original.
http://www.merriam-webster.com/dictionary/create
To cause an asset to exist.
http://www.investopedia.com/terms/c/creditcard.asp
A card issued by a financial company giving the holder an option to borrow funds, usually at point of sale.
A unique number identifying a credit card account.
Information regarding an individual's history with borrowing money.
http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf
The logical, but not necessarily physical, erasure of data from an operating system.
http://whatis.techtarget.com/definition/data-exfiltration-data-extrusion
The unauthorized transfer of data.
http://www.merriam-webster.com/dictionary/modification
The act or process of changing parts of data.
A unit of data which can be held in a file or datastore.
http://searchsqlserver.techtarget.com/definition/database
A collection of information that is organized so that it can easily be accessed, managed, and updated.
http://whatis.techtarget.com/definition/uncompressing-or-decompressing
The act of expanding a compressed file back into its original form.
To cryptographically restore cipher text to the plaintext form it had before encryption.
http://www.merriam-webster.com/dictionary/delete
To remove (something, such as words, pictures, or computer files) from a document, recording, computer, etc.
http://www.shrm.org/TemplatesTools/Glossaries/HRTerms/Pages/d.aspx
A permanent reassignment to a position with a lower pay grade, skill requirement, or level of responsibility than the employee’s current position.
https://www.bankofamerica.com/deposits/manage/glossary.go#alp-D
To add money to a customer’s bank account.
An action involving digital assets.
An asset in the digital realm
http://www.merriam-webster.com/dictionary/disable
To cause an asset to be unable to work in the normal way.
Unique number that identifies a person's driver's license
To cryptographically transform data to produce cipher text.
Defined class which includes one or more actions.
Action(s) performed in excess of organization-defined threshold for normal activity
An unsuccessful action, such as a failed login attempt.
http://www.merriam-webster.com/dictionary/file
A complete collection of data (as text or a program) treated by a computer as a unit especially for purposes of input and output.
An asset involving money.
Information about financial assets
A transaction involving the movement of money.
http://www.webopedia.com/TERM/F/firewall.html
A system designed to prevent unauthorized connections to or from a private network.
http://en.wikipedia.org/wiki/Floppy_disk
A disk storage medium composed of a disk of thin and flexible magnetic storage medium, sealed in a rectangular plastic carrier lined with fabric that removes dust particles.
http://www.merriam-webster.com/dictionary/fraud
Intentional perversion of truth to induce another to part with something of value or to surrender a legal right.
A deliberately deceptive action.
Examples include forging signatures on documents or falsifying PII.
http://www.oed.com/view/Entry/84122
A high-capacity, self-contained storage device containing a read-write mechanism together with one or more hard disks inside a sealed unit.
Address identifying a computer on a network.
Action is not performed legitimately
A representation of data
http://en.wikipedia.org/wiki/Installation_(computer_programs)
The act of making a program ready for execution.
Information about assets owned by the organization.
To change roles or positions at one's current employer or to begin a position with a new employer.
Event where an individual's job function changes.
To offer a job to a potential employee.
Event where an individual is offered employment.
http://www.webopedia.com/TERM/K/keylogger.html
A type of surveillance software that has the capability to record every keystroke made to a log file, usually encrypted.
http://www.webopedia.com/TERM/L/laptop_computer.html
A portable computer small enough to sit on your lap.
http://www.investopedia.com/terms/l/loan.asp
The act of giving money, property or other material goods to another party in exchange for future repayment of the principal amount along with interest or other finance charges.
A malicious program that is coded to execute when a certain set of requirements are met.
https://definedterm.com/login
The process of presenting an identity (typically a user ID) and authentication (a password, token, or other item) to gain access to information systems and resources.
Unique address identifying a piece of networked hardware.
Source code for a piece of software that performs malicious actions
A malicious piece of software.
http://www.sans.org/security-resources/glossary-of-terms/?pass=m (adapted)
A system entity illegitimately poses as (assumes the identity of) another entity.
Information on an individual's medical history
To change a file or system
http://www.investopedia.com/terms/m/money.asp
An officially-issued legal tender generally consisting of currency and coin. Money is the circulating medium of exchange as defined by a government.
Information classified by a government as having potential to cause harm to national security in the wrong hands.
http://en.wikipedia.org/wiki/Computer_network
A collection of computers and other hardware components interconnected by communication channels that allow sharing of resources and information.
Information identifying a computer or device on a network
http://www.oed.com/view/Entry/132452
An organized body of people with a particular purpose, as a business, government department, charity, etc.
http://searchfinancialsecurity.techtarget.com/definition/password-cracker
A program that is used to identify an unknown or forgotten password to a computer or network resource.
Secret used for authentication for a computer account.
A human being
An asset in the physical realm
A software program which scans a network for systems with open ports.
To send a unit of work to a printer to create a physical representation of digital data on physical media, usually paper.
http://whatis.techtarget.com/definition/printer
A device that accepts text and graphic output from a computer and transfers the information to paper.
http://www.shrm.org/templatestools/glossaries/hrterms/pages/p.aspx
Career advancement within an organization, which includes increased authority, level of responsibility, status and pay.
http://www.shrm.org/TemplatesTools/Glossaries/HRTerms/Pages/r.aspx
Transferring individuals to alternative positions where their talents or skills may be best utilized to their own or the organization’s benefit or where they are better able to perform the job in accordance with required standards.
http://www.shrm.org/TemplatesTools/Glossaries/HRTerms/Pages/r.aspx
The practice of soliciting and actively seeking applicants to fill recently vacated or newly created positions using a variety of methods.
To disagree to start or change to a specific job role.
http://www.shrm.org/TemplatesTools/Glossaries/HRTerms/Pages/r.aspx
An oral or written reproach given to an employee as part of disciplinary action.
To terminate one's employment.
http://searchstorage.techtarget.com/definition/Secure-Digital-card
A tiny memory card used to make storage portable among various devices. An SD card is about the size of a postage stamp and weighs approximately two grams.
http://www.oed.com/view/Entry/169373 (adapted)
The act of deliberately destroying, damaging, or obstructing.
http://www.oed.com/view/Entry/174308
To peruse, look through, examine (writings, records) in order to discover whether certain things are contained there.
http://www.sans.org/security-resources/glossary-of-terms/?pass=s
A system entity that provides a service in response to requests from other system entities called clients.
A piece of software that runs in the background on a computer
Unique number assigned by the federal government that uniquely identifies an individual
http://www.oed.com/view/Entry/183938
The programs and procedures required to enable a computer to perform a specific task, as opposed to the physical components of the system.
The code from which a piece of software is compiled
The prohibition of an individual from holding his or her usual post or carrying out his or her usual role for a particular length of time.
Event that falls under organization-defined criteria for being potentially malicious.
Settings that specify how a system operates
Information about a computer or computer account
A software or hardware configuration change.
Information about or involving technology
http://www.shrm.org/templatestools/glossaries/hrterms/pages/t.aspx
Separation from employment due to a voluntary resignation, layoff, retirement or dismissal.
http://www.merriam-webster.com/dictionary/theft
http://www.merriam-webster.com/dictionary/stealing
The act of taking something that does not belong to you in a way that is wrong or illegal.
http://searchstorage.techtarget.com/definition/USB-drive
A plug-and-play portable storage device that uses flash memory and is lightweight enough to attach to a key chain.
Action that was not authorized by the organization or data/system owner
Information that is unique to an individual
Identifier for a user's computer account.
http://searchservervirtualization.techtarget.com/definition/virtual-machine
A software implementation of a computing environment in which an operating system (OS) or program can be installed and run.
A program that is capable of replicating itself and has malicious purposes
https://www.bankofamerica.com/deposits/manage/glossary.go#alp-D
The removal of funds from an account.
http://www.oed.com/view/Entry/37975
An electronic device (or system of devices) that is used to store, manipulate, and communicate information, perform complex calculations, or control or regulate other devices or machines and is capable of receiving information (data) and of processing it in accordance with variable procedural instructions (programs or software).
To send an email.
Information that is kept secret by the organization and is intended to provide some competitive advantage.