Analysis and Detection of Insider Threats



  1. Analysis and Detection of Insider Threats DSS 4 May 2005 MITRE

  2. Workshop Goal Design and develop a proof of concept system for early indication and warning of malicious insiders

  3. Multidisciplinary Team

  4. Hypotheses
  • A heterogeneous approach to indications and warning will enhance MI detection
  • Fusing information results in more accurate and timely indications and warning of MIs
  • Observables together with domain knowledge (e.g., user role) can help detect inappropriate behavior (e.g., need-to-know violations)

  5. Methodology
  • Insider Case Analysis
  • Model Insiders and Observables
  • Novel Sensors Design and Development
  • Evaluation
  • Live Network Experimentation

  6. Cases

  7. Observables Taxonomy (tree diagram, flattened in extraction)
  Observables: Polygraph; Communications Violations; Missing Reporting (financial, travel, contact); Physical Access (e.g., card door logs); Cyber Actions; Foreign Travel; Finances, Wealth, Vices; Materials Transfer to handlers; Counter Intelligence; Social Activity (Internal, External)
  Cyber Actions break down into Physical Security and Cyber Security; Cyber Security into: Reconnaissance, Access, Entrenchment, Exploitation, Extraction & Exfiltration, Communication, Manipulation, Counter Intelligence, Other Cyber Activities
  Cyber activities listed under these headings: Install Sensors; Install unauthor. software; Sensor Mgmt; Bot Command & Control; Net Scan; Web Browsing; DB Search; Encrypted Email; Coded Messages; Covert Channels; CI Case Files; Disk Erasure; Disk Wiping; Printing; Downloads; Removable Media; Copy machine; Orphan account use; Password cracking; Account misuse; Privilege escalation; Terminals left logged on unattended, no time out; File Permissions; Misinformation; Info suppression; Pornography; Gambling; …
  DATA and SENSORS: Honeypot data; Maintenance Schedule; Trouble Tickets; Calling patterns; Keyboard logs; Network IDS Logs; Email patterns; File systems logs; Syslog; Travel/vacation

  8. Asset Taxonomy (diagram; the grouping below is inferred from the slide labels)
  Asset classes: Human; Hardware; Software; Resources; Physical Access
  Human: Analyst, Operator, System Admin, Network Admin, Secretary, Manager, Guard, …
  Hardware: Server, Web Server, Router, Mail Server, DB, Encryptor, Satellite, CPU, Workstation, Monitor, Keyboard, Removable Media (floppys, USB devices, CDROMs), …
  Software: Application, Op. System, Web Page, Log (web, DB, …), …
  Resources: $$, Key, Information, Document/Briefing, Phone, Network Structure, Net Vulnerabilities, Sources & Methods, Passwords, Counter Intelligence, …
  Physical Access: Badge, …

  9. User Taxonomy
  Employees: Executive; Technical/Engineer; Secretarial; Prof. Support; Misc.
  Non MITRE: Summer; tenant; consultant; subcontractor
  Technical/Engineer: Software; Analyst; Physical; InfoSec; Electronics; Data and Info
  Prof. Support: InfoSec; Facilities; Financial; Media/Comm; Legal; Transportation; System & Network Admin; HR; Security and Safety

  10. Account Taxonomy
  Locations: Bedford, Washington, Sites
  User Accounts: Professional Support; Technical; Secretarial; Executive; Others; Non-human entities
  Professional Support: Financial / Purchasing / Admin; Human Resources; Technical Project Support; Media / Communications; System & Network Admin; Facilities & Equipment; Transportation; Information Security; Security & Safety; Misc Expert Services
  Technical: Applications Engineering; Electronics Engineering; Analysts; Physical Engineering; Information Security; Data & Information; Multi Discipline; Information Systems
  Secretarial: Executive Secretary; Clerks / Aides (46); Secretary (328)
  Others: Co-op/Summer; Non-MITRE Employees (Tenants, Consultants, Subcontract)
  Non-human entities: Groups; Listservers; Mail Forwarders; SysAdmin Accounts

  11. Malicious Insider Testbed
  • Real network - MITRE’s DMZ
  • A separate network for experimentation and sponsor community support established outside of the MITRE internal network
  • 300 – 400 hosts
  • Various services: Web, news, email, database, ...
  • Data sources on network for use in scenarios
  • Deploy additional sensors
  • 3 of 75 users active during period acted as malicious insiders based on historical and project scenarios of insider behavior
  (Diagram: Internet, MITRE Internal Network, MITRE DMZ)

  12. Insider Scenarios
  • Three scenarios:
    • Aggregate Historical Insider: “Pal”
    • Projected Insiders: “Jill” (News Admin), “Jack”
  • Drew upon historical examples for “Pal”, an intelligence analyst
  • News Admin and “Jack” developed their scenarios
    • Needed to be consistent with prior activity on systems
    • An application administrator and a system administrator
    • More realistic (“red teaming”)

  13. Multiple Data Sources (diagram)
  Host and service logs: sendmail, sshd, web_log, web_notice, web_warn, web_error, nnrpd, innd, su, login, yppasswdd, last
  Network and other sensors: Snort IDS, StealthWatch, Honeynet, e-mail sensor, badge reader
  Domain Knowledge: User Role Taxonomy, Service Framework
  Layers labelled on the diagram: Web Application, Host, HTTP, Support, Network, Web Server, Physical, Network Server
  Scale: 18 (of 400) Hosts, 11+M records, 4000 users, 75 active on DMZ

  14. Collection and Anonymization (data-flow diagram)
  Sources: Sendmail logs, Authentication logs, Badge reader logs, Web server logs, News server logs, StealthWatch logs, Honeynet logs, Other logs
  Flow: logs from the Protected Computing Space pass through a Scrubber (anonymization) into the Common Data Repository (Archive Database and Flat Files) in the ARDA NRRC Space

  15. Evaluation Activity (timeline: December, January, February)
  Rows: PAL (Analyst), Jill (News Admin), Jack (Sys Admin), …, each shown against normal activity
  Legend: insider activity with journal available during test; insider activity with journal revealed after test

  16. Heterogeneous I&W Approaches
  • StealthWatch: multilevel network flow analysis
  • Honeynets: simulated targets to elicit knowledge of attacker
  • Structured Analysis Group (SAG): top-down, real-time model based detection of MI
  • Data Fusion: bottom-up analysis of traditional and novel indicators

  17. Integrated Framework (diagram)
  Components: Decision Analysis; Data Fusion; Structured Analysis; Adversary Models; Honeynet; Anomaly Detection (StealthWatch+: big file, scanning, zone alert); Common Data; Sensors
  • COMMON DATA
    • Authentication, Mail, DMZ Servers, IDS, Honeynet, Badge Data
    • Application Logs (e.g., web, DB, mail)
    • Nessus Scans (vulnerability analysis)
    • Switch logs, StealthWatch logs

  18. Performance Evaluation Metrics
  • Timeliness, e.g., time from defection to detection (years, months, weeks, minutes)
  • Accuracy
    • Precision = # correctly detected insiders / # reported
    • Recall = # reported insiders / total # actual insiders
    • False positives = 1 - precision
    • False negatives = total # actual insiders - # correctly detected
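The metrics on this slide, implemented as an added example (not the workshop's evaluation code). It follows the slide's definitions literally: false positives as the rate 1 - precision and false negatives as a count; "# reported insiders" in the recall formula is read as the actual insiders that appeared in the reports. The user names, defection dates and first-alert dates are constructed sample values, not figures from the workshop.

```python
"""Precision, recall, false positive/negative and timeliness figures for one
insider-detection run, following the definitions on slide 18.
Added example; every name and date below is constructed."""
from datetime import date


def precision(reported, actual):
    """# correctly detected insiders / # reported (0.0 when nothing was reported)."""
    reported, actual = set(reported), set(actual)
    return len(reported & actual) / len(reported) if reported else 0.0


def recall(reported, actual):
    """Actual insiders that appeared in the reports / total # actual insiders."""
    reported, actual = set(reported), set(actual)
    return len(reported & actual) / len(actual) if actual else 0.0


def false_positive_rate(reported, actual):
    """Slide definition: 1 - precision (a rate, not a count)."""
    return 1.0 - precision(reported, actual)


def false_negatives(reported, actual):
    """Slide definition: total # actual insiders - # correctly detected (a count)."""
    return len(set(actual) - set(reported))


def timeliness_days(defection, first_alert):
    """Days from defection to first alert per actual insider; None if never alerted."""
    return {
        user: (first_alert[user] - started).days if user in first_alert else None
        for user, started in defection.items()
    }


def evaluate(reported, actual, defection, first_alert):
    """Bundle the slide's metrics for one detection run."""
    return {
        "precision": precision(reported, actual),
        "recall": recall(reported, actual),
        "false_positive_rate": false_positive_rate(reported, actual),
        "false_negatives": false_negatives(reported, actual),
        "timeliness_days": timeliness_days(defection, first_alert),
    }


# Constructed sample run: the three scenario insiders plus one false alarm.
ACTUAL_INSIDERS = {"PAL", "Jill", "Jack"}
DEFECTION = {"PAL": date(2003, 12, 1), "Jill": date(2004, 2, 1), "Jack": date(2004, 2, 10)}
REPORTED = {"PAL", "Jill", "Jack", "user295"}          # user295 is a false positive
FIRST_ALERT = {"PAL": date(2003, 12, 17), "Jill": date(2004, 2, 12),
               "Jack": date(2004, 2, 11), "user295": date(2004, 1, 9)}

if __name__ == "__main__":
    for name, value in evaluate(REPORTED, ACTUAL_INSIDERS, DEFECTION, FIRST_ALERT).items():
        print(f"{name}: {value}")
```

Because false positives are defined as a rate, a run that reports nobody scores 0 precision and therefore a 100% false positive rate; the count-based false negative figure behaves the opposite way, so the two should always be read together.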

  19. StealthWatch: Multilevel network flow analysis (LANCOPE)

  20. Scanning Activity by “Jack” (Alarm Level 20) compared with approved scanning activity by “info-scan” (screenshot)

  21. Hypothesis (Brad Wood, BBN): “Jack” downloaded more than 4 gigabytes on Feb. 12 (screenshot labels: OK, Common Data Repository, Jack - Known SSH)

  22. Jack: “Jack” did not increase the number of inside connections; normally 8, the maximum was 10 on Feb. 11 (screenshot labels: CDR, Jack)

  23. Structured Analysis Group: Top-down, real-time model based detection

  24. Structured Analysis Group: Observables Taxonomy Addressed at Workshop (same tree as slide 7; the highlighting that marked addressed nodes is lost)
  Observables: Polygraph; Communications Violations; Missing Reporting (financial, travel, contact); Physical Access (e.g., card door logs); Cyber Actions; Foreign Travel; Finances, Wealth, Vices; Materials Transfer to handlers; Counter Intelligence; Social Activity (Internal, External)
  Cyber Actions break down into Physical Security and Cyber Security; Cyber Security into: Reconnaissance, Access, Entrenchment, Exploitation, Extraction & Exfiltration, Communication, Manipulation, Counter Intelligence, Other Cyber Activities
  Sensors and cyber activities listed: Install unauthor soft.; Web Browsing; DB Searches; Net Scan; Encrypted Email; Coded Messages; Covert Channels; CI Case Files; Disk Erasure; Disk Wiping; Orphan Account use; Password Cracking; Account misuse; Privilege escalation; Unattended terminals; Printing; Downloads; Removable Media; Copy machine; File Permissions; …; Pornography; Gambling; …
  DATA and SENSORS: Honeypot data; Maintenance Schedule; Trouble Tickets; Calling patterns; Keyboard logs; Network IDS Logs; Email patterns; File systems logs; Syslog; Travel/vacation

  25. Adversary Models

  26. Accuracy of Structured Analysis

  27. Data Fusion: Bottom-up analysis of traditional and novel indicators

  28. Data Fusion Observables Taxonomy (same tree as slide 7; legend: Implemented at Workshop / Implemented elsewhere / Not Implemented)
  Observables: Polygraph; Communications Violations; Missing Reporting; Physical Access; Cyber Actions; Foreign Travel; Finances, Wealth, Vices; Materials Transfer to handlers; Counter Intelligence; Social Activity (Internal, External)
  Cyber Actions break down into Physical Security and Cyber Security; Cyber Security into: Reconnaissance, Access, Entrenchment, Exploitation, Extraction & Exfiltration, Communication, Manipulation, Counter Intelligence, Other Cyber Activities
  Sensors (indicators implemented from the data sources):
  • News/Web Browsing need-to-know
  • Bulk news/web search
  • Net Scan in IDS logs
  • Authentication logs: root access for non-admin; su from one normal user to another
  • IDS logs: http, ftp, telnet from non-standard ports
  • Unusual recipient & encrypted, hidden or masqueraded content type
  • Lack of required digital watermark on images
  • Uploads (ftp, http) in IDS logs
  • Printing

  29. Data Fusion (sample indicator records, one per line)
  Cyber-Access, user324, weight 1, at 2003-12-10 11:14:38, from news.mitre.org, su to user9676 failed for non-admin user user324 on /dev/pts/0
  Physical-Access, user295, weight 5, at 2003-12-15 19:19:37, After hours badge access for user295
  Cyber-Extraction-Exfiltration, user2649, weight 5, at 2004-01-06 15:37:28, from nrrc-springfield.mitre.org, Data was uploaded to an external server via FTP protocol
  Cyber-Reconnaissance, user295, weight 10, at 2004-01-09 20:57:18, from nrrc-springfield.mitre.org, User user295 searching in non-need-to-know country korea
  Cyber-Communication, user9, weight 15, at 2004-02-10 22:14:48, from cvw.mitre.org, User user9 received email with masqueraded content from user11649@yahoo.com
  Cyber-Reconnaissance, user1, weight 5, at 2004-02-10 13:54:15, from nrrc-plymouth.mitre.org, Ongoing CI violation -- 066.170.227.074 has 49613 alerts of this type…
  Cyber-Extraction-Exfiltration, user295, weight 8, at 2004-02-12 23:54:58, from dmzsrv1.mitre.org, User user295 sent encrypted email user9983@comcast.net
  Cyber-Extraction-Exfiltration, user1, weight 15, at 2004-02-20 12:25:03, from nrrc-erie.mitre.org, user1 sent email with masqueraded content user1@mitre.org

  30. Experimental Results (chart of users by indicator breadth; bar values shown: 5, 1, 3, 2, 2; Breadth of 1: Not on Watch)
  • DATA REDUCTION
    • 7.4 M records examined for 75 users
    • 259 indicators for 24 users
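The roll-up that connects slide 29 to slide 30, as an added example rather than the workshop's own fusion code: parse indicator records in the shape shown on slide 29, sum each user's weights, count the distinct indicator categories (the "breadth"), and keep only users with breadth of at least two on the watch list, since the slide marks breadth 1 as "not on watch". The record grammar, the breadth threshold and the ordering by weight are assumptions; the eight sample records are copied from slide 29.

```python
"""Parse Data Fusion indicator records (slide 29 format) and roll them up per
user into total weight and breadth, the basis of the slide 30 watch list.
Added example; the regex, threshold and ordering are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# category, user, weight, timestamp, optional "from host", free-text message
INDICATOR_RE = re.compile(
    r"^(?P<category>[A-Za-z-]+),\s*(?P<user>\w+),\s*weight\s+(?P<weight>\d+),"
    r"\s*at\s+(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),"
    r"\s*(?:from\s+(?P<host>[^,]+),\s*)?(?P<message>.*)$"
)


@dataclass(frozen=True)
class Indicator:
    category: str            # e.g. Cyber-Access, Physical-Access, Cyber-Reconnaissance
    user: str
    weight: int
    when: str
    host: Optional[str]      # physical indicators carry no originating host
    message: str


def parse_indicator(line):
    """Return an Indicator for one record, or None if the line is not in the expected shape."""
    m = INDICATOR_RE.match(line.strip())
    if not m:
        return None
    return Indicator(m["category"], m["user"], int(m["weight"]),
                     m["when"], m["host"], m["message"].strip())


def score_users(lines):
    """Map user -> (total weight, breadth) over all parseable records."""
    weights = defaultdict(int)
    categories = defaultdict(set)
    for line in lines:
        ind = parse_indicator(line)
        if ind is None:
            continue                      # unparseable lines are skipped, not guessed
        weights[ind.user] += ind.weight
        categories[ind.user].add(ind.category)
    return {u: (weights[u], len(categories[u])) for u in weights}


def watch_list(scores, min_breadth=2):
    """Users whose indicators span at least min_breadth categories, heaviest first.
    Breadth-1 users stay off the list ('Breadth of 1: Not on Watch', slide 30)."""
    eligible = [(u, w, b) for u, (w, b) in scores.items() if b >= min_breadth]
    return [u for u, _, _ in sorted(eligible, key=lambda t: (-t[1], t[0]))]


# The eight records from slide 29, copied as printed (note the missing space and
# missing host on the Physical-Access line, which the regex tolerates).
SAMPLE_RECORDS = [
    "Cyber-Access, user324, weight 1, at 2003-12-10 11:14:38, from news.mitre.org, su to user9676 failed for non-admin user user324 on /dev/pts/0",
    "Physical-Access, user295, weight 5, at 2003-12-15 19:19:37,After hours badge access for user295",
    "Cyber-Extraction-Exfiltration, user2649, weight 5, at 2004-01-06 15:37:28, from nrrc-springfield.mitre.org, Data was uploaded to an external server via FTP protocol",
    "Cyber-Reconnaissance, user295, weight 10, at 2004-01-09 20:57:18, from nrrc-springfield.mitre.org, User user295 searching in non-need-to-know country korea",
    "Cyber-Communication, user9, weight 15, at 2004-02-10 22:14:48, from cvw.mitre.org,User user9 received email with masqueraded content from user11649@yahoo.com",
    "Cyber-Reconnaissance, user1, weight 5, at 2004-02-10 13:54:15, from nrrc-plymouth.mitre.org, Ongoing CI violation -- 066.170.227.074 has 49613 alerts of this type",
    "Cyber-Extraction-Exfiltration, user295, weight 8, at 2004-02-12 23:54:58, from dmzsrv1.mitre.org, User user295 sent encrypted email user9983@comcast.net",
    "Cyber-Extraction-Exfiltration, user1, weight 15, at 2004-02-20 12:25:03, from nrrc-erie.mitre.org, user1 sent email with masqueraded content user1@mitre.org",
]

if __name__ == "__main__":
    scores = score_users(SAMPLE_RECORDS)
    for user in watch_list(scores):
        print(user, scores[user])
```

On the slide's own records this puts user295 (three categories, weight 23) and user1 (two categories, weight 20) on the watch list while user9, whose single masqueraded-content indicator carries weight 15, stays off it; breadth rather than raw weight is what the slide 30 chart is built on.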

  31. Data Fusion Accuracy Across approaches, correctly identified 3 out of 3 insiders

  32. Performance: Timeliness (timeline chart, Dec to Feb; rows PAL, Jill (News Admin), Jack)
  Key: StealthWatch; Structured Analysis; Data Fusion; markers for Watch list and Alert
  Dates appearing on the chart (row assignment not recoverable from the extraction): 12/17/03, 2/6/04, 12/11/03, 1/24/04, 2/11/04, 1/9/04, 2/6/04, 12/9/04, 2/15/04, 2/11/04, 2/16/04, 2/15/04, 2/12/04, 2/17/04, 2/20/04, 2/11/04, 2/20/04

  33. Summary
  • Malicious insiders are a serious threat
  • Malicious insider behavior is distinct and cannot be readily detected using classic, external intruder detection
  • Results from the challenge workshop show that an integration of multiple approaches promises early and effective warning and detection
  • Workshop insider cases and dataset leave-behinds
  • Inspiration of new sensor development

  34. Malicious Insider Evaluation (process flow)
  • Select Insider Case
  • Simulate on network
  • Participants Sign Data NDA
  • Data Sent to Participants
  • Participants Submit Runs

  35. Our Insider Knowledge and Focus (2-D chart)
  Axes: Occurrence (Occurred / Not yet Occurred) against Stealth (Detectable / Hard to Detect / Not yet Detectable)
  Points placed on the chart: MI who attacks the network; Robert Philip Hanssen; Ana Belen Montes (no cyber component)
  Legend: ? - Unaddressed by workshop; X – Unobservable in cyberspace
  Focus: “Indications and warnings not conviction and sentencing”

  36. “Pal” Scenario (flow diagram)
  Channels: Web Search; News; Honeytoken; Email
  Actions: Retrieves “interesting” data for which there is no need to know; Changes news subscriptions; Makes new (inappropriate) queries; Exfiltration and communication with handler

  37. “Jill” or News Admin Scenario (flow diagram)
  Stages: Covert Access; Account Manipulation; Web Search
  Actions: Creates news account and uses this account to read news; Accesses news through hidden newsgroups; Makes new (inappropriate) queries

  38. Jack Scenario (flow diagram)
  • Searches for data: searches news.mitre.org data at file system level
  • Create backdoor: builds a reverse ssh tunnel between news server and admin workstation
  • Stealthy exfiltration: masquerades compressed data as image
  • Maps network: maps network using nmap

  39. Heterogeneous Data (1 of 3)
  • Badge reader:
    • “0M151_Telephone_Room 12/06/2003 02:43:26 Admitted user2930 at 0M151 Telephone Room”
    • “0M422_Rear_Door_[In]_ 12/06/2003 05:20:24 Admitted user2930 at 0M422 Rear Door [In]”
  • Login:
    • “nrrc-plymouth.mitre.org ROOT LOGIN /dev/console”
  • Su:
    • “nrrc-plymouth.mitre.org 'su root' succeeded for user1 on /dev/pts/1”

  40. Heterogeneous Data (2 of 3)
  • Sshd:
    • “Accepted publickey for root from 129.83.10.17 port 52893”
    • “Accepted password for user1265 from 66.189.44.167 port 61007”
    • “Failed password for user1265 from 66.189.44.167 port 61011”
  • Last -a:
    • “nrrc-boston.mitre.org user2645 pts/0 Wed Jan 7 21:06 - 23:18 (02:11) 128.230.14.115”
    • “nrrc-boston.mitre.org user2643 pts/0 Fri Dec 12 16:54 - 17:25 (00:30) sgdykes.datasys.swri.edu”

  41. Heterogeneous Data (3 of 3)
  • Web_log:
    • “GET /cvw/licenses/source/license.html HTTP/1.0”
    • “GET /basilix.php3?request_id[DUMMY]=../../../../etc/passwd&RequestID=DUMMY&username=user2311&password=xxxxx HTTP/1.1”
  • Web_error:
    • “Invalid method in request get /scripts/...”
    • “File does not exist: /news_1/.../etc/passwd”
  • Sendmail:
    • “cvw.mitre.org 14436 i0J507Lb014436: from=<user10368@digito.com>, size=2789, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=smtp-bedford-x.mitre.org [192.160.51.76]”
    • “cvw.mitre.org 14645 i0J7ErLb014644: to=user8, ctladdr=<user9@cvw.mitre.org> (1/0), delay=00:00:00, xdelay=00:00:00, mailer=*file*, pri=41013, dsn=2.0.0, stat=Sent”
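How raw lines from three of these sources (badge reader, su, sshd) become indicator records of the kind Data Fusion consumes on slide 29, as an added example that is not workshop code. It applies the slide 28 rules for authentication logs (root access for a non-admin, su between ordinary users) and the after-hours badge rule behind the slide 29 Physical-Access record. The admin role set, the working-hours window, the weights and the failed-password threshold are constructed assumptions; the su and sshd sample lines on the slides carry no timestamp, so one is passed in separately. Sample lines marked "constructed" are not from the slides.

```python
"""Normalise badge-reader, su and sshd lines (slides 39-40) into indicator
records shaped like slide 29. Added example; role set, hours window, weights
and threshold are assumptions, as are the lines marked constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

ADMIN_USERS = {"user1"}        # assumption: user1 holds a system-admin role
WORK_HOURS = range(7, 20)      # assumption: 07:00-19:59 counts as normal presence
FAILED_LOGIN_THRESHOLD = 3     # assumption: repeated failures worth reporting

BADGE_RE = re.compile(
    r"^(?P<door>\S+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"Admitted\s+(?P<user>\w+)\s+at\s+(?P<where>.+)$")
SU_RE = re.compile(
    r"^(?P<host>\S+)\s+'su (?P<target>\w+)'\s+(?P<result>succeeded|failed)\s+"
    r"for\s+(?P<user>\w+)\s+on\s+(?P<tty>\S+)$")
SSHD_RE = re.compile(
    r"^(?P<result>Accepted|Failed)\s+(?P<method>\w+)\s+for\s+(?P<user>\w+)\s+"
    r"from\s+(?P<ip>[\d.]+)\s+port\s+(?P<port>\d+)$")


@dataclass(frozen=True)
class Indicator:
    category: str
    user: str
    weight: int
    when: str
    message: str


def badge_indicator(line) -> Optional[Indicator]:
    """Physical-Access indicator for a badge admit outside working hours."""
    m = BADGE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
    if ts.hour in WORK_HOURS:
        return None
    return Indicator("Physical-Access", m["user"], 5, ts.isoformat(sep=" "),
                     f"After hours badge access for {m['user']} at {m['where']}")


def su_indicator(line, when) -> Optional[Indicator]:
    """Cyber-Access indicator for su to root by a non-admin, or su between ordinary users."""
    m = SU_RE.match(line)
    if not m or m["user"] in ADMIN_USERS:   # admins are expected to su
        return None
    if m["target"] == "root":
        weight, what = (10 if m["result"] == "succeeded" else 3), "root access"
    else:
        weight, what = (5 if m["result"] == "succeeded" else 1), f"su to {m['target']}"
    return Indicator("Cyber-Access", m["user"], weight, when,
                     f"{what} {m['result']} for non-admin user {m['user']} on {m['tty']} ({m['host']})")


def sshd_indicators(lines, when) -> List[Indicator]:
    """One Cyber-Access indicator per (user, source IP) with repeated password failures."""
    failures = Counter()
    for line in lines:
        m = SSHD_RE.match(line)
        if m and m["result"] == "Failed" and m["method"] == "password":
            failures[(m["user"], m["ip"])] += 1
    return [Indicator("Cyber-Access", user, 2, when,
                      f"{n} failed password attempts for {user} from {ip}")
            for (user, ip), n in failures.items() if n >= FAILED_LOGIN_THRESHOLD]


def triage(badge_lines, su_lines, sshd_lines, when) -> List[Indicator]:
    """Run every source through its rule and return all indicators raised."""
    out = [i for i in map(badge_indicator, badge_lines) if i]
    out += [i for i in (su_indicator(l, when) for l in su_lines) if i]
    out += sshd_indicators(sshd_lines, when)
    return out


BADGE_LINES = [  # first two from slide 39; third is a constructed daytime control
    "0M151_Telephone_Room 12/06/2003 02:43:26 Admitted user2930 at 0M151 Telephone Room",
    "0M422_Rear_Door_[In]_ 12/06/2003 05:20:24 Admitted user2930 at 0M422 Rear Door [In]",
    "0M422_Rear_Door_[In]_ 12/08/2003 09:02:11 Admitted user2930 at 0M422 Rear Door [In]",
]
SU_LINES = [  # first from slide 39; second constructed
    "nrrc-plymouth.mitre.org 'su root' succeeded for user1 on /dev/pts/1",
    "nrrc-plymouth.mitre.org 'su root' succeeded for user324 on /dev/pts/0",
]
SSHD_LINES = [  # first three from slide 40; last two constructed repeats
    "Accepted publickey for root from 129.83.10.17 port 52893",
    "Accepted password for user1265 from 66.189.44.167 port 61007",
    "Failed password for user1265 from 66.189.44.167 port 61011",
    "Failed password for user1265 from 66.189.44.167 port 61012",
    "Failed password for user1265 from 66.189.44.167 port 61013",
]

if __name__ == "__main__":
    for ind in triage(BADGE_LINES, SU_LINES, SSHD_LINES, when="2003-12-06 00:00:00"):
        print(f"{ind.category}, {ind.user}, weight {ind.weight}, at {ind.when}, {ind.message}")
```

The role lookup is the point of the su rule: the same 'su root' line is noise for user1 (an administrator in the assumed role set) and a weight-10 indicator for an ordinary user, which is the "observables together with domain knowledge (e.g., user role)" hypothesis from slide 4 applied to one log line.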

  42. Data [# of records and % of total] (chart; not shown on the chart: StealthWatch = 7.5MB or 68%)
