
Insider Threat – Analysis and Countermeasures



Presentation Transcript


  1. Insider Threat – Analysis and Countermeasures Shambhu UpadhyayaDepartment of Computer Science and EngineeringSUNY at Buffalo DIMACS Workshop February 6, 2014 Shambhu Upadhyaya

  2. Outline • Introduction • Problem Identification and Investigations • The challenges of Insider threat • Procedural • Technical • A new threat assessment methodology and a tool • Research prototype • Detecting privilege abuse attacks • State of research down the road

  3. Insider Attack in Financial Institutions • A major bank in New York incurred a loss of $2.5 million • Involved a home equity line of credit (HELOC) wire transfer fraud – by social engineering TBC staff • A trader based in the stock trading unit initiated thousands of transactions without customer permission in order to drive up his commissions • Resulted in $650 million losses – greed and privilege abuse • An insider ran HR database queries in an attempt to find out how much everyone in the IT department was making, all the way up to the CTO • Snooping – no need to know, data harvesting attack • 1st – abnormal activity, 2nd – abnormal volume of data movement, 3rd – abuse of privilege

  4. Insider Attack in Intel. Communities • NSA contractor Edward Snowden (June 2013) • Leaked classified info on NSA’s PRISM project • Privileged user, but no need to know this info. • Detection failed due to lack of enforcement of monitoring tools

  5. The Insider – Who are They? • Who is an insider? • Those who work for the target organization or those having relationships with the firm with some level of access • Employees, contractors, business partners, customers, etc. • Recent CSI/FBI Survey key findings (2010) • Insider attacks have now surpassed viruses as the most common cause of security incidents in the enterprise • 25% of respondents felt that over 40% of their financial losses were due to malicious actions by insiders • Identity Theft Resource Center findings (2011) • Data breach due to insider theft – 13% (other causes – card-skimming, data lost on the move, etc.) • U.S. Secret Service/CERT/Microsoft E-Crime report (2010) • 67% of the respondents reported that insider attacks are the most costly and damaging type of attacks

  6. Major Facts Findings Studies • NSA/ARDA workshop in March 2004 (RAND Report, 2004) • Robert Hanssen, Aldrich Ames case studies • Developed some basic models based on these case studies • U.S. Secret Service, CMU CERT/Microsoft eCrime Watch Survey (2005) • Illicit Cyber Activity in the Banking and Finance Sector (Aug. 2004) • Computer System Sabotage in Critical Infrastructure Sectors (May 2005) • CMU CyLab Study (2012) • The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to IT Crimes (Theft, Sabotage, Fraud), Addison-Wesley, 2012 (http://www.informit.com/store/product.aspx?isbn=9780321812575) • DARPA SRS (2004) and CINDER (2010) programs • ACM CCS Workshop, 2010, MIST Workshops, 2009-13, SEI Training on demand

  7. Outline • Introduction • Problem Identification and Investigations • The challenges of Insider threat • Procedural • Technical • A new threat assessment methodology and a tool • Research prototype • Detecting privilege abuse attacks • State of research down the road

  8. Procedural Solutions Challenges • Examples of procedural solutions • Prevention by • Pre-hire screening of employees • Training and education • Establish good audit procedures • Disable access at appropriate times • Develop best practices for prevention and detection • Separation of duties and least privilege • Strict password and account management policies • Policy-based solutions are hard to enforce • They involve human factors • Humans are the weakest link in security

  9. Technical Solutions Challenges • A known problem since the 1980s, still no good solution • Hard to get good data to arrive at some consensus on the definition • Existing tools such as firewalls, IDS, anti-virus are not effective • State space explosion, NP-Hard problems • Problem inherently complex – insiders are trusted – ethical, legal issues • Low and slow, stealthy attacks – stretched over long periods – hard to detect by anomaly detectors

  10. Recent Progress on Technical Front • Insider threat detection tools exist in the market • Tools can help answer the following questions • How secure is the existing setup? • Which points are most vulnerable? • What are likely attack strategies? • Where must security systems be placed? • Challenges • What you cannot model and detect • Non-cyber events – disclosures, memory dumps, etc. • What could help? • Audit, video recording may help • Example: ObserveIT (http://www.observeit-sys.com/)

  11. Examples of Insider Threat Mitigation Tools • Skybox View (generic tool) http://www.skyboxsecurity.com/ • Threat modeling and risk analysis tool • Uses dictionary-based vulnerability scanning • Sureview from Oakley Networks http://www.raytheon.com/ • Now it is Raytheon Oakley tool (since 2007) • Endpoint monitoring for transmission of sensitive data • iGuard from Reconnex http://www.mcafee.com/us/ • Now it is McAfee Reconnex iGuard Monitor (since 2008) • A rule-based system to monitor information leak • Content Alarm from Tablus http://www.rsa.com • Now it is RSA Tablus Content Alarm (since 2007) • Policy violation based system • Vontu from Vontu, Inc. http://www.symantec.com • Now it is Symantec Vontu Network Discover (since 2007) • All these have made market penetration ($20K – $100K)

  12. Outline • Introduction • Problem Identification and Investigations • The challenges of Insider threat • Procedural • Technical • A new threat assessment methodology and a tool • Research prototype • Detecting privilege abuse attacks • State of research down the road

  13. ICMAP (Info-Centric Modeler and Auditor) • At University at Buffalo • Information-centric modeling concept • A Capability Acquisition Graph (CAG) generation for insider threat assessment • Part of a DARPA initiative • Ideas published in ACSAC 2004, IEEE DSN 2005, JCO 2005, IEEE ICC 2006, IFIP 11.9 Digital Forensics Conference 2007, Springer 2010, RAID 2010 • DOE SBIR (technology transfer in 2010-11)

  14. Types of Insider Threat • Privilege escalation by impersonation • Privilege escalation by exploiting vulnerabilities • Own privilege abuse • Social engineering attacks • Colluding attacks

  15. Basic CAG Model • Focus on an insider's view of an organization such as Hosts, Reachability, and Access Control

  16. ICMAP Overview [figure: inputs Network entity rules, Cost Rules, Vulnerabilities, Authentication mechanism, Social Eng. Awareness and Network topology feed the ICMAP Engine, which produces the Cap. acquisition graph; perform sensitivity analysis; defense-centric approach; feedback]

  17. A Financial Institution Example • Scenario • Every teller performs sundry personal accounting tasks • Manager endorses large transactions and also performs business transactions • The two databases are separated • All transactions to the DB are encrypted • Teller to personal accounts DB uses lower strength encryption • Business transactions require the manager to refer to a PKI server and get a session key • Both DBs are protected behind a firewall • Attack • Teller knows the manager doesn’t apply security patches regularly • Rogue teller exploits some vulnerability to compromise manager’s account

  18. Modeling the Attack (Physical Graph)

  19. A Simple Example: Physical to Logical Conversion [figure: Physical Topology with labels user, root, sshd, x-user, firewall, ssh_allowed, ftpd]

  20. Physical to Logical Conversion… Logical graph [figure: nodes include user, root, firewall, host, x-user, sshd, ftpd, ssh-vuln, ftp-vuln, user_pd, root_pd, fw_pd, fw-root, fw_key, ssh_key, ftp_key, exec_key; edge labels include 0, root_pd && fw_key, user_pd && fw_key]

  21. Practical Considerations • How is a model instance generated? • Define the scope of the threat • A step-by-step bottom up approach starting with potential targets • Who constructs the model instance? • A knowledgeable security analyst • How are costs defined? • Cryptographic access control mechanisms have well-defined costs • Use attack templates, vulnerability reports, attacker’s privilege and the resources that need to be protected • Low, Medium and High – relative cost assignment

  22. Threat Analysis Illustration • Interesting attack strategy – minimize attack cost • This problem is called Min-Hack

  23. Illustration on Telcordia Testbed

  24. Telcordia Network – Physical

  25. Telcordia Network – Logical

  26. Scenario: Exploiting a Vulnerability (CAG) • Source is the “red-team” account on Ooty • Target is the “taos-jewel” on Taos • Access control – only root on Taos has access to the jewel • The attack sequence is: • rd_ooty logs into Taos • rd_taos exploits the ssh vulnerability in Taos to become root_taos • Using root_taos the insider can access the jewel

  27. Scenario: Exploiting a Vulnerability (CAG)

  28. Sensor Placement Recommendation • Recommend sensor placement for multiple target nodes: • The heuristic algorithm outputs k-best (in this example k=3) walks for each target • From these walks the most frequently occurring nodes are selected as the likely locations for sensor placement • The next figure shows 3 walks for the target Taos_jewel and 1 walk for the target Beijing_jewel • The most frequently occurring nodes are underlined and then also printed in the sensor placement nodes section

  29. Sensor Placement Recommendation
  Source: rd_ooty, rd_shimla
  Target: taos_jewel, beijing_jewel
  Target: Taos_jewel
  Walk: 1 : rd_ooty => Ooty => Civil Affairs Network => MS Router => Logistics Network => rd_crete => Crete => SSHV.1 => Crete => rd_crete => Logistics Network => MS Router => Security Network => rd_taos => Taos => root_taos => Taos => Taos_jewel Cost: 0.0
  Walk: 2 : rd_shimla => Shimla => Civil Affairs Network => MS Router => Security Network => rd_taos => Taos => SSHV.1 => Taos => root_taos => Taos => Taos_jewel Cost: 0.0
  Walk: 3 : rd_ooty => Ooty => Civil Affairs Network => MS Router => Security Network => rd_taos => Taos => SSHV.1 => Taos => root_taos => Taos => Taos_jewel Cost: 0.0
  Target: Beijing_jewel
  Walk: 1 : rd_ooty => Ooty => Civil Affairs Network => MS Router => Procurement Network => rd_hk => HongKong => ApacheV.1 => HongKong => root_hk => HongKong => ApacheV.1 => HongKong => rd_hk => Procurement Network => root_beijing => stan_beijing => root_beijing => Beijing => Beijing_jewel Cost: 0.0
  …. (other walks)
  Sensor Placement Nodes: HongKong, Procurement Network, Taos, MS Router, rd_hk, root_beijing, ApacheV.1, Civil Affairs Network, rd_ooty, Ooty
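The selection step of slide 28 (pick the nodes that occur in the most k-best walks) as an added example; this is not ICMAP's code. It parses a listing in the layout of slide 29 (the walks printed there are embedded as constructed input) and ranks nodes by the number of walks they appear in. Two assumptions: a node is counted once per walk no matter how often the walk revisits it, and the jewels themselves are excluded from candidate sensor locations.

```python
import re
from collections import Counter
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample in the layout of the slide's walk listing (the four walks
# printed there; node names as shown).
WALK_LISTING = """\
Target: Taos_jewel
Walk: 1 : rd_ooty => Ooty => Civil Affairs Network => MS Router => Logistics Network => rd_crete => Crete => SSHV.1 => Crete => rd_crete => Logistics Network => MS Router => Security Network => rd_taos => Taos => root_taos => Taos => Taos_jewel Cost: 0.0
Walk: 2 : rd_shimla => Shimla => Civil Affairs Network => MS Router => Security Network => rd_taos => Taos => SSHV.1 => Taos => root_taos => Taos => Taos_jewel Cost: 0.0
Walk: 3 : rd_ooty => Ooty => Civil Affairs Network => MS Router => Security Network => rd_taos => Taos => SSHV.1 => Taos => root_taos => Taos => Taos_jewel Cost: 0.0
Target: Beijing_jewel
Walk: 1 : rd_ooty => Ooty => Civil Affairs Network => MS Router => Procurement Network => rd_hk => HongKong => ApacheV.1 => HongKong => root_hk => HongKong => ApacheV.1 => HongKong => rd_hk => Procurement Network => root_beijing => stan_beijing => root_beijing => Beijing => Beijing_jewel Cost: 0.0
"""

_TARGET = re.compile(r"^Target:\s*(\S+)\s*$")
_WALK = re.compile(r"^Walk:\s*(\d+)\s*:\s*(.+?)\s*Cost:\s*([0-9.]+)\s*$")


def parse_walks(listing: str) -> Dict[str, List[List[str]]]:
    """Map each target to its list of walks; a walk is the ordered node list."""
    walks: Dict[str, List[List[str]]] = {}
    target = None
    for line in listing.splitlines():
        m = _TARGET.match(line)
        if m:
            target = m.group(1)
            walks.setdefault(target, [])
            continue
        m = _WALK.match(line)
        if m and target is not None:
            walks[target].append([node.strip() for node in m.group(2).split("=>")])
    return walks


def node_frequencies(walks: Dict[str, List[List[str]]],
                     exclude: FrozenSet[str] = frozenset()) -> Counter:
    """Count, per node, how many walks (across all targets) pass through it.
    Assumption: a node counts once per walk even if the walk revisits it."""
    counts: Counter = Counter()
    for per_target in walks.values():
        for walk in per_target:
            counts.update(set(walk) - set(exclude))
    return counts


def sensor_placement(walks: Dict[str, List[List[str]]], how_many: int,
                     exclude: FrozenSet[str] = frozenset()) -> List[Tuple[str, int]]:
    """Rank nodes by walk frequency (ties broken by name) and return the top ones."""
    counts = node_frequencies(walks, exclude)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:how_many]


if __name__ == "__main__":
    parsed = parse_walks(WALK_LISTING)
    jewels = frozenset({"Taos_jewel", "Beijing_jewel"})
    for node, n in sensor_placement(parsed, 6, exclude=jewels):
        print(f"{n} walks: {node}")
```

With only the four walks shown on the slide, the choke points that surface are the shared prefix (Civil Affairs Network, MS Router) followed by the Taos chain; the slide's own list also contains HongKong-side nodes because it was computed over the additional walks elided in the listing.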

  30. Outline • Introduction • Problem Identification and Investigations • The challenges of Insider threat • Procedural • Technical • A new threat assessment methodology and a tool • Research prototype • Detecting privilege abuse attacks • State of research down the road

  31. Detecting Privilege Abuse Attacks • Main Idea • Evaluate user intent by temporal CAG analysis • Procedure • Monitor workflow activity that results in high value assets being accessible to unauthorized users • Event sensors – Snort, Dragon, etc. can be used • Periodic construction and analysis of CAGs at CAG checkpoints • Identify paths of low-cost to “jewels” – indicative of insider attack
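An added example (not ICMAP's Java code) serving two slides: the Min-Hack idea of slide 22 (find the cheapest capability-acquisition path to a jewel) and the CAG checkpoints of slide 31 (rebuild the graph as sensor events arrive and alert when the cost of reaching the jewel drops below a threshold). The scenario is the bank of slide 17 with assumed capability names, rules and relative costs; the heuristic is a simplified greedy, Dijkstra-like search over an AND/OR graph, assumed here rather than taken from the tool. Edges whose prerequisites are conjunctive (like `root_pd && fw_key` on slide 20) are modelled as rules requiring a set of held capabilities.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One CAG edge: an actor holding every capability in `requires`
    can obtain `grants` at `cost` (assumed relative cost units)."""
    label: str
    requires: FrozenSet[str]
    grants: str
    cost: int


def greedy_min_hack(rules: List[Rule], start: Set[str], target: str
                    ) -> Optional[Tuple[int, List[str]]]:
    """Greedy, Dijkstra-like Min-Hack heuristic (an assumed simplification,
    not ICMAP's algorithm): repeatedly fire the cheapest rule whose
    prerequisites are all held until `target` is held, then keep only the
    rules the target actually depends on and sum their costs.
    Returns (cost, labels of the rules on that path) or None if unreachable."""
    held: Set[str] = set(start)
    fired: List[Rule] = []
    via: Dict[str, Rule] = {}            # capability -> rule that produced it
    while target not in held:
        enabled = [r for r in rules if r.grants not in held and r.requires <= held]
        if not enabled:
            return None
        rule = min(enabled, key=lambda r: (r.cost, r.label))
        held.add(rule.grants)
        fired.append(rule)
        via[rule.grants] = rule
    needed: Set[Rule] = set()
    stack = [target]
    while stack:                         # walk prerequisites back to the start set
        cap = stack.pop()
        if cap in start or via[cap] in needed:
            continue
        needed.add(via[cap])
        stack.extend(via[cap].requires)
    path = [r for r in fired if r in needed]
    return sum(r.cost for r in path), [r.label for r in path]


# Constructed bank scenario after slide 17: a rogue teller targets the business
# transactions DB (the "jewel"). Capability names and costs are assumptions.
BANK_RULES = [
    Rule("teller-login", frozenset({"teller_pd"}), "teller_shell", 0),
    Rule("read-personal-db", frozenset({"teller_shell", "fw_key"}), "personal_db", 1),
    Rule("exploit-unpatched-manager-host", frozenset({"teller_shell"}), "manager_account", 3),
    Rule("social-engineer-manager", frozenset({"teller_shell"}), "manager_pd", 6),
    Rule("manager-login", frozenset({"manager_pd"}), "manager_account", 0),
    Rule("pki-session-key", frozenset({"manager_account", "fw_key"}), "session_key", 1),
    Rule("read-business-db", frozenset({"session_key"}), "business_db", 0),
]
TELLER = {"teller_pd", "fw_key"}         # what the teller legitimately holds

# Constructed events for the checkpoint analysis (configuration change, then a
# sensor observation): not real sensor output.
EVENTS = [
    (1, "recost", "exploit-unpatched-manager-host", 9),   # manager host patched
    (2, "acquired", "manager_pd"),  # IDS: manager credential used from teller host
]


def cag_checkpoints(rules: List[Rule], start: Set[str], target: str,
                    events: List[tuple], threshold: int
                    ) -> List[Tuple[int, Optional[int], bool]]:
    """Rebuild the CAG after every event and re-run the heuristic.
    Event shapes: (time, "recost", rule_label, new_cost) for configuration
    changes and (time, "acquired", capability) for sensor-observed gains.
    Returns [(time, cost_to_target or None, alert)], starting with the
    initial CAG at time 0; alert is set when cost <= threshold."""
    current = list(rules)
    held = set(start)

    def checkpoint(t: int) -> Tuple[int, Optional[int], bool]:
        res = greedy_min_hack(current, held, target)
        cost = None if res is None else res[0]
        return (t, cost, cost is not None and cost <= threshold)

    report = [checkpoint(0)]
    for ev in events:
        if ev[1] == "recost":
            current = [Rule(r.label, r.requires, r.grants, ev[3]) if r.label == ev[2] else r
                       for r in current]
        elif ev[1] == "acquired":
            held.add(ev[2])
        else:
            raise ValueError(f"unknown event kind {ev[1]!r}")
        report.append(checkpoint(ev[0]))
    return report


if __name__ == "__main__":
    print(greedy_min_hack(BANK_RULES, TELLER, "business_db"))
    for t, cost, alert in cag_checkpoints(BANK_RULES, TELLER, "business_db", EVENTS, 2):
        print(f"T{t}: cost to jewel = {cost}, alert = {alert}")
```

Two things the run shows that the slides only state: patching the manager host raises the cheapest path to the jewel (the heuristic switches to the social-engineering route, which is the sensitivity analysis of slide 16 in miniature), and a single sensor event that hands the insider the manager credential collapses the remaining cost below the threshold, which is exactly the low-cost path to a jewel that slide 31 treats as indicative of an insider attack.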

  32. Privilege Abuse Detection By CAG Checkpoints [figure: Network Configuration and IDS/Other Sensor Events feed ICMAP and an Event Log; Initial CAG, then Event 1, Event 2, Event 3, … Event k, Event k+1 up to the CAG at Time Tm; Analysis, Attack Detection and Attribution; Feedback/Model Refinement]

  33. Outline • Introduction • Problem Identification and Investigations • The challenges of Insider threat • Procedural • Technical • A new threat assessment methodology and a tool • Research prototype • Detecting privilege abuse attacks • State of research down the road

  34. Insider Threat Vision – Down the Road • Security audit in organizations is critical • U.S. Sarbanes-Oxley Act of 2002 • Companies must pledge that their security mechanisms are adequate • Notice of Security Breach State Laws • Majority of states (46) enacted the legislation • Requires companies and other entities (often, state agencies) that have lost data to notify affected consumers • Could serve as a central clearinghouse – a wealth of data • Situation awareness – prediction of attack progress • Recovery techniques from breaches, Forensics • Building secure systems from insecure components (NSF CT Vision) • Layered security, Usable security • Good threat models, access control and audit procedures • Address the insider threat problem in a domain-specific manner, e.g., Relational Databases

  35. Q&A

  36. Backup Slides

  37. Insider Attack in Intel. Communities - 1 • Aldrich Ames (Notorious Insider), a former CIA counterintelligence officer and analyst, sold out his colleagues to the Russians for more than $4.6 million; convicted of spying for the Soviet Union and Russia in 1994 • Robert Hanssen (Notorious Insider), caught selling American secrets to Moscow for $1.4 million in cash and diamonds over a 15-year period; sentenced to life in prison without the possibility of parole in 2002. Photo Courtesy: USA Today • Have you watched the movie – Breach? • Try this link: http://www.rottentomatoes.com/m/breach/trailers.php

  38. ICMAP Framework Details • Network entity rules and Cost rules are pre-defined, whereas the other two inputs are taken from the organization • Vulnerabilities tell us the currently known vulnerabilities in services, authentication mechanism is the type of authentication used (e.g., password vs. smartcards) • Sensitivity analysis is then performed to come up with the best cost function • Can also do defense-centric analysis to identify the most likely locations for sensor placement

  39. Cost Inference [figure: Cost Tree with branches Remote Services, Vulnerability knowledge, Social Engineering, System Patch-up Rate, Resource Authn. Mech. and Resource Backup; leaf labels include ignorant empl., public, cleartext, IA aware, source code, hashed, strict policies, keys, records, encrypted, published, paswd in disk, never patched, hash is saved, usr responsible, to be discovered, paswd checker, auto patching, create one, biometric]

  40. Min-Hack (Decision Version) is NP-Complete • Decision version: Is there an attack whose cost is at most some given C? • A reduction from 3-SAT to Min-Hack by constructing an instance of Min-Hack corresponding to formula  consisting of clauses of size 3 • Exists an attack of cost  2n iff is satisfiable • It follows Min-Hack is NP-Hard

  41. Threat Analysis Algorithms • Optimal solution - Brute-force • Showed that Min-Hack is NP-hard to approximate within for any c < ½, where  = 1 – 1 / log logc n • Heuristic solution – Greedy solution • Polynomial-time heuristic based on Dijkstra's shortest path

  42. How Does the Heuristic Work?

  43. Insider Threat Modeling • Privilege escalation by impersonation √ • Priv. escalation by exploiting vulnerabilities √ • Own privilege abuse (we will come back to this later) • Social engineering attacks √ • Colluding attacks √

  44. Features and Limitations • Features • Implemented in Java • Can be used by admins to check open vulnerabilities • Red teams can use the tool to determine attack paths for testing security properties • Sensor placement and network hardening • The tool has inherent forensic properties • Limitations • Scalability? • Many unresolved theoretical issues, including attack attribution • Abstraction techniques to cope with large scenarios

  45. Collusion Detected by CAG Evaluation–1 [figure: ATTACK STAGE 1, ATTACK STAGE 2]

  46. Collusion Detected by CAG Evaluation–2 • Evaluation of attack path costs takes place at periodic CAG checkpoints • Useful both for attack mitigation (based on threshold) or forensics (based on post-facto CAG reconstruction) [figure: ATTACK STAGE 3]

  47. UB’s CAE – CEISARE • CSE Dept.: 30 faculty members, world class researchers • Ranked 21st in the nation in research funding • 350 UGs and 300 Grad students • Designated a National Center of Excellence in 2002, based on a competitive process

  48. Research &amp; Other Synergistic Activities • Funding: Over $7M from NSF, DARPA, NSA/ARDA, AFRL, DoD (since 2002) – Research, education, infrastructure • Curriculum: Cyber security at PhD level; Advanced Certificate in IA; IASP scholarships (DoD and NSF) • Workshops: SKM 2004, SKM 2006, SKM 2008, SKM 2010, SKM 2012; Local Joint IA Awareness Workshops with FBI, Local colleges, industries, 2006, 2008, 2010 • Outreach Activities: High school workshops, since 2008; Minority training • http://www.cse.buffalo.edu/caeiae/
