This study explores the use of anomaly detection to identify potential insider threats by analyzing deviations from normal operational patterns in nuclear facilities. Defined observables, such as unusual access times and attempts to alter digital information, can help flag suspicious behavior. Gathering data from real facilities and considering organizational culture can enhance the effectiveness of these observables. A quantitative approach can aid in identifying individuals at risk of becoming insiders.
Identifying Observables for Measuring the Insider Threat
Shannon Abbott
SAND2019-2724 C
Insider Threat
• Insider: Any individual with authorized access to nuclear facilities or transport who might attempt unauthorized removal or sabotage, or who could aid outsiders to do so (from the IAEA Insider Protection Guidance Document)
Insider Threat (diagram)
• Insider Opportunity: Access, Authority, Knowledge
• Insider Motivations: Political, Ideological, Financial, Personal
• Insider Attempt
Insider Concerns
• Time
  • Can select the optimum time to implement a plan
  • Can extend actions over long periods of time
• Tools
  • Has knowledge of, and the capability to use, tools already at the work location
• Tests
  • Can test the system with normal “mistakes”
• Collusion (teamwork)
  • May recruit or collude with others, either insiders or outsiders
Preventative and Protective Measures
IAEA NSS08, Preventive and Protective Measures against Insider Threats
A New Approach: Deviation from the Norm
• Observation:
  • People working in nuclear facilities settle into “operational rhythms”
  • Such “operational rhythms” can be described with data/signals already being collected at nuclear facilities
  • Preventive and protective insider threat mitigations seek to “bound” the behaviors related to these operational rhythms
• Assumption:
  • Insider threat attempts represent a deviation from these “operational rhythms”
• Conclusion:
  • Advances in anomaly detection may represent a new way to identify the potential for an insider threat opportunity to manifest as an insider threat action/attack
• People are creatures of habit, but they are also unpredictable: how can you tell when a deviation from normal patterns is serious enough to be flagged?
Defined Observables
• Defined observables are NOT a sign of an insider attempt, but they do show the potential for one
• From the “operational rhythms” perspective, defined observables are:
  • Signals that are already being measured
  • Not behavioral (they need to be monitored by technology, not by people)
• For example:
  • A malicious insider may “test” the security of a facility before making any attempt on the system.
  • Using access control systems that are already monitored, facilities can determine the average number of “abnormal” access attempts (including access after hours, or attempts to access IT resources without the appropriate need-to-know) and closely monitor people with significantly more abnormal access attempts than normal
Defined Observables
• A preliminary list of defined observables:
  • Unusual access times, as monitored by access control points such as badge readers
  • Attempts to access physical areas beyond one’s current access level, as monitored by access control points
  • Attempts to alter digital information or controls, as monitored by configuration management systems
  • Unusually large downloads or outgoing email attachments
  • Attempts to obtain unneeded accounts, as monitored by an account management system and manager approvals
  • Increased or routine alarms from personnel radiation portal monitors
Next Steps
• Better describe/define “operational rhythms”
• Identify specific candidate “defined observables”
  • Each must be able to distinguish between “expected/allowable” and “unusual/abnormal”
  • This can also help in understanding how far above average someone should be to require additional monitoring
• Gather data from real nuclear facilities
• Incorporate the role of organizational culture in these “defined observables”
  • For example, organization science indicates that organizational behavior shifts as humans drift towards convenience
• Apply quantitative data to better illustrate these “defined observables”
  • Such a quantitative approach will not immediately catch insiders; ideally it will make it easier to identify who is at risk of becoming an insider so they can be more closely monitored
Deviation from the Norm
• Most facilities employ access controls and other technologies to ensure that entry to the facility is limited to those people who require access
• This means most facilities are already monitoring and logging information that they use, or could use, to better determine when an insider may be attempting a malicious act
• People are creatures of habit, but they are also unpredictable: how can you tell when a deviation from normal patterns is serious enough to be flagged? A malicious insider is likely to “test” the security of a facility before making any attempt on the system.
• Using access control systems that are already monitored, facilities can determine the average number of “abnormal” access attempts (including access after hours, or attempts to access IT resources without the appropriate need-to-know) and closely monitor people with significantly more abnormal access attempts than normal
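The “abnormal access attempts” idea in the Defined Observables and Deviation from the Norm slides, as an added worked example (not part of the original presentation): two of the listed observables (after-hours access and attempts on areas above the holder’s level) are counted per badge holder over a constructed badge-reader log, and holders whose count sits well above the population average are flagged for closer monitoring. The CSV layout, the 07:00–19:00 working window and the z-score threshold of 1.5 are assumptions for illustration.

```python
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Constructed badge-reader log (hypothetical CSV layout, not a real facility's format):
# timestamp,badge_id,area,level_required,level_held,result
ACCESS_LOG = [
    "2024-03-04T08:55:00,B1001,AreaA,1,2,granted",
    "2024-03-04T09:10:00,B1002,AreaA,1,1,granted",
    "2024-03-04T09:30:00,B1003,AreaB,2,2,granted",
    "2024-03-04T22:15:00,B1002,AreaA,1,1,granted",
    "2024-03-04T23:05:00,B1004,AreaA,1,1,granted",
    "2024-03-04T23:20:00,B1004,AreaB,2,1,denied",
    "2024-03-05T02:40:00,B1004,AreaC,3,1,denied",
    "2024-03-05T12:00:00,B1004,AreaB,2,1,denied",
    "2024-03-05T21:30:00,B1004,AreaA,1,1,granted",
    "2024-03-05T18:50:00,B1005,AreaB,2,1,denied",
]

NORMAL_HOURS = (7, 19)  # assumed working window, 07:00 to 19:00

def parse_event(line):
    ts, badge, area, need, have, result = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "badge": badge, "area": area,
            "need": int(need), "have": int(have), "granted": result == "granted"}

def is_abnormal(ev):
    """Two defined observables from the slides: access outside normal hours,
    and an attempt on an area whose required level exceeds the level held."""
    after_hours = not (NORMAL_HOURS[0] <= ev["ts"].hour < NORMAL_HOURS[1])
    over_level = ev["need"] > ev["have"]
    return after_hours or over_level

def abnormal_counts(lines):
    """Count abnormal events per badge holder; holders with none still appear with 0."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        counts[ev["badge"]] += 1 if is_abnormal(ev) else 0
    return counts

def flag_outliers(counts, z_threshold=1.5):
    """Badge holders at least z_threshold population std devs above the average count,
    i.e. 'significantly more abnormal access attempts than normal' (threshold assumed)."""
    values = list(counts.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:  # everyone looks alike; nothing stands out
        return {}
    return {b: round((c - mu) / sigma, 2) for b, c in counts.items()
            if (c - mu) / sigma >= z_threshold}
```

Flagging is population-relative, so the result is a candidate for additional monitoring, not evidence of an insider attempt, matching the slides' framing of defined observables.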