
Page 1: A methodology and supporting techniques for the assessment of insider threats

Meeting TENACE, PhD Session

Fai della Paganella, 11 February 2014

Resilient Computing Lab

A methodology and supporting techniques for the assessment of insider threats

Nicola Nostro

Tutors: Bondavalli Andrea, Di Giandomenico Felicita

Università degli Studi di Firenze

Page 2: A methodology and supporting techniques for the assessment of insider threats

Nicola Nostro, Meeting TENACE – Fai della Paganella, 11 February 2014 – 2

Subject of the research

• Nowadays the life of each of us is highly dependent on critical infrastructures.

• Critical infrastructures are characterized by heterogeneity and dynamicity.

• They may be prone to failures, intrusions, and attacks from outside and inside.

• It is crucial to design systems ensuring resilience and security.

Page 3: A methodology and supporting techniques for the assessment of insider threats

Context

• Security is a major challenge for today’s companies.

• Security measures are attentively selected and maintained to protect organizations from external threats.

• Several tools and solutions are available for this purpose: firewalls, antivirus, intrusion detection systems, …

• What happens inside the system?

Page 4: A methodology and supporting techniques for the assessment of insider threats

Motivations

• Amongst the multitude of attacks and threats to which a system is potentially exposed, there are insider attackers.

• They are difficult to detect and mitigate due to the nature of the attackers.

• How to detect data theft or sabotage by malicious insiders?

• These activities can be difficult to differentiate from legitimate uses.

• Protecting from insider threats requires a deep study of the socio-economical profiles, the possible actions, and the impact of these actions on the system.

• Insider attackers constitute an actual threat for ICT organizations.

• This calls for a tailored insider threat assessment activity.

Page 5: A methodology and supporting techniques for the assessment of insider threats

Objectives

• Define a methodology and supporting libraries for insider threat assessment and mitigation.

• Evaluate the possibility that a user will perform an attack, the severity of potential violations, and the costs.

• Identify proper countermeasures.

Page 6: A methodology and supporting techniques for the assessment of insider threats

The methodology in 6 steps

System under analysis
◊ Identification of components
◊ Interactions
◊ Functional description

Profiling potential insiders
◊ All users are identified
◊ Definition of attributes

Insider threats
◊ Identification
◊ Description

Attack paths
◊ Identify exploitable paths
◊ Set up the modeling approach
◊ Potential consequences
◊ Evaluation

Countermeasures selection
◊ Selection of proper countermeasures
◊ Reference to a predefined library

Iteration and update

Page 7: A methodology and supporting techniques for the assessment of insider threats

Methodology - System description

• A system is characterized by:
  • a number of resources: services, computers, removable drives, etc.
  • communication networks
  • users, which can use the system or in general interact with it
  • new features that can be integrated over time, due to the evolution of technologies and the update of system specifications or requirements.

• Providing a formal description of the overall system may be expensive in terms of time.

Page 8: A methodology and supporting techniques for the assessment of insider threats

Methodology - System description

• A semi-formal description, limited to the aspects of interest of the system and to the interactions that users may have with it, is appropriate.

• Through a semi-formal notation it is possible to immediately understand the description of the system
  • by using graphical notations along with natural language descriptions.

• UML use case diagrams make it possible to describe the system's functionalities and use case scenarios from the point of view of the users/insiders; the use case descriptions are shown in tables.

Page 9: A methodology and supporting techniques for the assessment of insider threats

Methodology – Insiders’ profile

• Identify a taxonomy of system users and potential attributes

• A predefined library of insiders to consider
  • which constitutes a consistent reference library describing the human agents involved in IT systems that could pose threats to such systems

• Eight attributes defined:
  • Intent, Access, Outcome, Limits, Resource, Skill Level, Objective, Visibility

T. Casey, “Threat Agent Library Helps Identify Information Security Risks,” Intel White Paper, September 2007

Page 10: A methodology and supporting techniques for the assessment of insider threats

Methodology – Insider threats

• We can identify a number of threats of different types and severity, related to the actions performed by the insiders
  • install malicious software/code, create backdoors, disable system logs and anti-virus, create new users, plant logic bombs, perform operations on the database.

• The idea is to list the possible threats and try to associate them with the previously identified insiders.

Page 11: A methodology and supporting techniques for the assessment of insider threats

Methodology – Attack Paths

• Identify the path(s) exploitable by the insider(s) to realize the threat(s) and achieve the goal(s).
  • A critical step, especially if we think of unknown paths
  • Many insiders are able to set up unexpected attack paths that are unknown

• Several techniques exist and are very useful for determining what threats exist in a system and how to deal with them: attack trees, attack graphs, privilege graphs, ADVISE.

• Evaluating the success rate and effects of an attack is of paramount importance, as it provides information on the probability of occurrence of the attack.

Page 12: A methodology and supporting techniques for the assessment of insider threats

Methodology – Countermeasures

• Selection of the proper countermeasure(s), to avoid or mitigate the identified threat(s).

• A predefined library which lists the countermeasures can be used.

• The introduction of such countermeasures may require re-assessing the system.

• In case a model of the system and of the countermeasure is available, these can be integrated with the attack path.

Page 13: A methodology and supporting techniques for the assessment of insider threats

Methodology application – System & Insider Profiling

• Insiders: Operator, Domain expert, Unknown user, System Expert, System Administrator (SA)

System Maintenance Use Case
Actor/s: SA
Pre-condition: The actor must be authenticated.
Post-condition: The SA has full access to the system.
Description: Apply OS patches and upgrades to the system and to the administrative tools and utilities on a regular basis. Configure/add new services as necessary. Upgrade and configure system software or Asset Management applications. Maintain operational, configuration, or other procedures. Perform periodic performance reporting. Perform ongoing performance tuning, hardware upgrades, and resource optimization.

Data Management Use Case
Actor/s: SA
Pre-condition: The actor must be authenticated.
Post-condition: The SA has full access to the data.
Description: Perform daily backup operations, ensuring the integrity and availability of data.

Profile Management Use Case
Actor/s: SA
Pre-condition: The actor must be authenticated.
Post-condition: The SA has full access to the system data.
Description: Create, change, and delete user accounts.

Crisis Management Use Case
Actor/s: SA
Pre-condition: The actor must be authenticated.
Post-condition: The SA has full access to the system data.
Description: Repair and recover from hardware or software failures or from cyber attacks. Coordinate and communicate any recovery actions.

Page 14: A methodology and supporting techniques for the assessment of insider threats

Methodology application – Insider Threats

Threats:
 1. Disable system logs
 2. Corrupt data
 3. View confidential data
 4. Add not required services
 5. Improper configuration
 6. Improper user management
 7. Elevate users privileges
 8. Install vulnerable supporting sw
 9. Install vulnerable Secure! services
10. Use of defective hw
11. Transfer confidential files
12. Access to crypto keys
13. Putting Trojan horses
14. Disabling protection of components
15. Altering audit trails and logs

Mapping Insiders to Threats

Insider   1    2    3    4    5    6    7    8    9    10   11   12   13   14   15
SA        YES  YES  YES  YES  YES  YES  YES  YES  YES  YES  YES  YES  YES  YES  YES
SE        NO   YES  NO   NO   NO   NO   NO   NO   YES  NO   YES  NO   YES  YES  NO

Matching attributes-values

Attribute        Value - SA
Intent           Hostile
Access           Internal, External
Outcome/Goal     Damage, Acquisition/Theft
Limits           Code of Conduct, Legal, Extra-legal
Resources        Individual
Minimum Skills   Adept
Objective        Copy, Destroy, Take
Visibility       Clandestine

Attack goals:
- degradation of the performance of the system,
- theft of sensitive data
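As an added illustration of the attribute matching behind "Matching attributes-values" and "Mapping Insiders to Threats" (slides 9 and 14), the Python below encodes the eight Threat Agent Library attributes, the SA values of this slide, and a matching rule that produces a YES/NO matrix of the same shape as the table above. This is not code from the talk: the SE profile, the per-threat requirements, the skill-level ordering and the matching rule itself are assumptions made for the example, not the talk's insider or threat libraries.

```python
"""Matching insider profiles to threats on the eight Threat Agent Library attributes.

Added example, not code from the talk. The attribute names are the eight of
slide 9 and the SA values are those of slide 14; the SE profile, the skill
ordering and the per-threat requirements are CONSTRUCTED for illustration.
"""
from dataclasses import dataclass

ATTRIBUTES = ("Intent", "Access", "Outcome", "Limits", "Resource",
              "Skill Level", "Objective", "Visibility")

# Constructed ordering so that a threat's minimum skill can be compared.
SKILL_ORDER = {"None": 0, "Minimal": 1, "Operational": 2, "Adept": 3}


@dataclass
class InsiderProfile:
    name: str
    attrs: dict          # attribute -> set of values; "Skill Level" -> one level


@dataclass
class Threat:
    number: int          # numbering of the slide-14 matrix
    name: str
    requires: dict       # attribute -> set of acceptable values
    min_skill: str = "None"


def matches(profile: InsiderProfile, threat: Threat) -> bool:
    """True when every attribute the threat constrains shares a value with the
    insider's profile and the insider's skill level is at least the minimum."""
    for attr, acceptable in threat.requires.items():
        if attr not in ATTRIBUTES:
            raise ValueError(f"unknown attribute {attr!r}")
        if not profile.attrs.get(attr, set()) & acceptable:
            return False
    return SKILL_ORDER[profile.attrs["Skill Level"]] >= SKILL_ORDER[threat.min_skill]


def mapping_matrix(profiles, threats):
    """{insider: {threat number: 'YES'|'NO'}}, the shape of the slide-14 table."""
    return {p.name: {t.number: "YES" if matches(p, t) else "NO" for t in threats}
            for p in profiles}


# SA values as shown on slide 14.
SA = InsiderProfile("SA", {
    "Intent": {"Hostile"},
    "Access": {"Internal", "External"},
    "Outcome": {"Damage", "Acquisition/Theft"},
    "Limits": {"Code of Conduct", "Legal", "Extra-legal"},
    "Resource": {"Individual"},
    "Skill Level": "Adept",
    "Objective": {"Copy", "Destroy", "Take"},
    "Visibility": {"Clandestine"},
})

# Constructed profile for a less privileged insider (the slide does not list its values).
SE = InsiderProfile("SE", {
    "Intent": {"Hostile"},
    "Access": {"Internal"},
    "Outcome": {"Damage", "Acquisition/Theft"},
    "Limits": {"Legal"},
    "Resource": {"Individual"},
    "Skill Level": "Operational",
    "Objective": {"Copy", "Destroy"},
    "Visibility": {"Clandestine"},
})

# Constructed requirements for four of the fifteen slide-14 threats.
THREATS = (
    Threat(1, "Disable system logs", {"Access": {"Internal"}, "Objective": {"Destroy"}}, "Adept"),
    Threat(2, "Corrupt data", {"Outcome": {"Damage"}, "Objective": {"Destroy"}}, "Operational"),
    Threat(11, "Transfer confidential files",
           {"Outcome": {"Acquisition/Theft"}, "Objective": {"Copy", "Take"}}, "Operational"),
    Threat(12, "Access to crypto keys", {"Access": {"Internal"}, "Objective": {"Copy", "Take"}}, "Adept"),
)


def example_matrix():
    """Matrix rows for SA and SE over the constructed threat subset."""
    return mapping_matrix((SA, SE), THREATS)


if __name__ == "__main__":
    for insider, row in example_matrix().items():
        print(insider, " ".join(f"{n}:{v}" for n, v in row.items()))
```

With the constructed requirements the SA row is all YES, as on the slide, while SE is blocked on threats 1 and 12 by the skill minimum; the interesting design choice is that set intersection on each attribute plus an ordered skill comparison is enough to reproduce a table of this kind, and the same two structures scale to the full insider and threat libraries.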

Page 15: A methodology and supporting techniques for the assessment of insider threats

Methodology application – Attack Paths

• ADVISE attack execution graph for Data Theft
  • Rectangular boxes represent the attack steps;
  • Squares are the access domains;
  • Circles are the knowledge items;
  • Ovals represent the attack goal.
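As an added example (not the talk's model and not the ADVISE tool), the Python below encodes a small attack execution graph with the four node kinds of this slide and shows what such a graph is used for in the attack-path and countermeasure steps of the methodology: enumerating the paths an insider with given access domains and knowledge items can take to the Data Theft goal, scoring each path's success and detection probability, and re-running the analysis after a countermeasure is integrated into the model (slide 12). The graph, the step probabilities and the SA's initial access are constructed assumptions.

```python
"""ADVISE-style attack execution graph for the Data Theft goal.

Added example: not from the talk and not the ADVISE tool itself. It keeps the
node kinds of slide 15 (attack steps, access domains, knowledge items, goal);
the graph, the step probabilities and the initial insider state are all
CONSTRUCTED for illustration.
"""
from dataclasses import dataclass, replace
from math import prod


@dataclass(frozen=True)
class AttackStep:
    name: str
    needs_access: frozenset = frozenset()     # access domains required
    needs_knowledge: frozenset = frozenset()  # knowledge items required
    grants_access: frozenset = frozenset()
    grants_knowledge: frozenset = frozenset()
    achieves_goal: bool = False
    success: float = 1.0     # probability the step succeeds when attempted
    detection: float = 0.0   # probability the step is detected


# Constructed graph: two ways to obtain the sensitive records, one exfiltration step.
STEPS = (
    AttackStep("Locate sensitive data store", needs_access=frozenset({"Internal network"}),
               grants_knowledge=frozenset({"Location of sensitive data"}), detection=0.1),
    AttackStep("Query sensitive data", needs_access=frozenset({"Database"}),
               needs_knowledge=frozenset({"Location of sensitive data"}),
               grants_knowledge=frozenset({"Sensitive records"}), success=0.9, detection=0.2),
    AttackStep("Copy database backup", needs_access=frozenset({"Backup storage"}),
               grants_knowledge=frozenset({"Sensitive records"}), success=0.8, detection=0.1),
    AttackStep("Export records off-site", needs_access=frozenset({"Internal network"}),
               needs_knowledge=frozenset({"Sensitive records"}), achieves_goal=True,
               success=0.7, detection=0.3),
)

# Slide 13 makes the SA the actor of System Maintenance and Data Management,
# so the constructed initial state gives it all three access domains.
SA_ACCESS = frozenset({"Internal network", "Database", "Backup storage"})


def enumerate_paths(steps, access, knowledge=frozenset()):
    """All step sequences that reach the goal from the given state.

    A step is attempted only when its preconditions hold and it adds something
    new (access, knowledge, or the goal), which keeps the search finite."""
    paths = []

    def dfs(access, knowledge, path):
        for step in steps:
            if not (step.needs_access <= access and step.needs_knowledge <= knowledge):
                continue
            new_access = access | step.grants_access
            new_knowledge = knowledge | step.grants_knowledge
            if step.achieves_goal:
                paths.append(path + [step.name])
            elif new_access != access or new_knowledge != knowledge:
                dfs(new_access, new_knowledge, path + [step.name])

    dfs(frozenset(access), frozenset(knowledge), [])
    return paths


def path_metrics(steps, path):
    """Success probability (all steps succeed) and detection probability (at
    least one step detected) for one path, assuming independent steps."""
    by_name = {s.name: s for s in steps}
    success = prod(by_name[n].success for n in path)
    detection = 1 - prod(1 - by_name[n].detection for n in path)
    return round(success, 4), round(detection, 4)


def block_steps(steps, names):
    """Integrate a preventive countermeasure: the steps it prevents disappear."""
    return tuple(s for s in steps if s.name not in names)


def add_monitoring(steps, names, detection):
    """Integrate a detective countermeasure: raise detection on monitored steps."""
    return tuple(replace(s, detection=detection) if s.name in names else s for s in steps)


if __name__ == "__main__":
    for p in enumerate_paths(STEPS, SA_ACCESS):
        print(path_metrics(STEPS, p), " -> ".join(p))
    hardened = block_steps(STEPS, {"Query sensitive data"})
    print("paths after blocking sensitive queries:", len(enumerate_paths(hardened, SA_ACCESS)))
```

Run stand-alone it lists the four constructed paths the SA can follow and then shows that the slide-16 countermeasure "prevent all queries on such data", modelled by removing one step, leaves the backup route open: the model makes explicit that a preventive control on one step has to be paired with either a control on the alternative step or a detective control (the monitoring variant) on it before the goal becomes unreachable or reliably detected.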

Page 16: A methodology and supporting techniques for the assessment of insider threats

Methodology application - Countermeasures

• Countermeasures:
  • Identify the sensitive data and set up a detection system that prevents all queries on such data.
  • Keep track of accesses (username, timestamp, event description: computer system, devices, utilized software, software installation, error condition, etc.).
  • Implement a biometric system which, at every predetermined interval (minutes, hours), performs an identity check.
  • Avoid logging into the system on holidays or outside office hours.
  • Allow printing reports only on specific printers.
  • Implement an e-mail system with automatic cc forwarding to a higher-ranking person.
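The first five countermeasures above all rest on the second one, an access record with username, timestamp and event description. As an added example (not code from the talk), the Python below runs the checks those countermeasures imply over a constructed access log: off-hours and holiday logins, queries on sensitive data, print jobs on non-approved printers, and activity continuing past the periodic identity check. The log line format, office hours, holiday calendar, sensitive data names, printer allow-list and re-check interval are all assumptions made for the example.

```python
"""Access-log checks for the slide-16 countermeasures.

Added example, not from the talk. The log line format
(ISO timestamp,username,event,detail), office hours, holiday list,
sensitive data names, printer allow-list and re-check interval are all
CONSTRUCTED assumptions.
"""
from datetime import datetime, date, time, timedelta

OFFICE_HOURS = (time(8, 0), time(18, 0))            # assumed office hours, local time
HOLIDAYS = {date(2014, 1, 1)}                       # assumed holiday calendar
SENSITIVE_DATA = {"customer_records", "crypto_keys"}  # assumed sensitive data names
ALLOWED_PRINTERS = {"printer-secure-1"}             # assumed printers approved for reports
RECHECK_INTERVAL = timedelta(minutes=60)            # assumed period of the identity check


def parse_line(line):
    """One constructed log line: timestamp,username,event,detail."""
    ts, user, event, detail = line.strip().split(",", 3)
    return datetime.fromisoformat(ts), user, event, detail


def is_off_hours(ts):
    """Holiday, weekend, or outside the office-hours window."""
    if ts.date() in HOLIDAYS or ts.weekday() >= 5:
        return True
    start, end = OFFICE_HOURS
    return not (start <= ts.time() < end)


def check_event(ts, user, event, detail):
    """Stateless rules: one alert string per countermeasure violated."""
    alerts = []
    if event == "login" and is_off_hours(ts):
        alerts.append(f"off-hours login by {user} at {ts.isoformat()}")
    if event == "query" and detail in SENSITIVE_DATA:
        alerts.append(f"query on sensitive data '{detail}' by {user}")
    if event == "print" and detail not in ALLOWED_PRINTERS:
        alerts.append(f"print job by {user} on non-approved printer '{detail}'")
    return alerts


def audit(lines):
    """Run the stateless rules plus the periodic identity-check rule over a log."""
    alerts = []
    last_check = {}   # user -> time of the last login or identity check
    for line in lines:
        ts, user, event, detail = parse_line(line)
        alerts.extend(check_event(ts, user, event, detail))
        if event in ("login", "identity_check"):
            last_check[user] = ts
        elif user in last_check and ts - last_check[user] > RECHECK_INTERVAL:
            alerts.append(f"identity re-check overdue for {user} at {ts.isoformat()}")
    return alerts


# Constructed sample log (2014-02-03 is a Monday, 2014-02-08 a Saturday).
SAMPLE_LOG = [
    "2014-01-01T09:00:00,sa_anna,login,workstation-12",        # holiday
    "2014-02-03T08:30:00,op_luca,login,workstation-03",
    "2014-02-03T09:15:00,sa_anna,login,workstation-12",
    "2014-02-03T09:40:00,op_luca,identity_check,biometric-ok",
    "2014-02-03T10:05:00,op_luca,query,customer_records",      # sensitive data
    "2014-02-03T10:06:00,op_luca,query,inventory",
    "2014-02-03T11:30:00,sa_anna,print,printer-lobby",         # wrong printer, re-check overdue
    "2014-02-03T22:40:00,sa_anna,login,workstation-12",        # outside office hours
    "2014-02-08T10:00:00,op_luca,login,workstation-03",        # weekend
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(alert)
```

The per-event rules are deliberately separated from the stateful identity-check rule: the former can run on each record as it is written, while the latter needs the per-user history that only the access record supplies, which is why the slide lists tracking accesses before the checks that depend on it.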

Page 17: A methodology and supporting techniques for the assessment of insider threats

Conclusions

• Several techniques exist to avoid or detect the risk that a legitimate user abuses their authority.

• Technological protection from external threats is important, but
  • Defending against insider attacks is and will remain challenging.
  • Insider attacks are difficult to detect, either by human or technical means.

• We identified a lack in the definition of a methodology and related supports for the systematic investigation and assessment of insider threats.

Page 18: A methodology and supporting techniques for the assessment of insider threats

Future works

• Define a method which supports the creation, usage and maintenance of the threats library.

• Identify an approach to support the selection of the input parameters that characterize the attack path, to understand the costs and dangerousness of an attack.

• A mapping between the Insider Library and ADVISE profiles must be provided, also assigning numerical values.

Page 19: A methodology and supporting techniques for the assessment of insider threats

Thank You