Resilient Computing Lab

A methodology and supporting techniques for the assessment of insider threats

Nicola Nostro
Tutors: Andrea Bondavalli, Felicita Di Giandomenico
Università degli Studi di Firenze

Meeting TENACE, PhD Session
Fai della Paganella, 11 February 2014

Subject of the research
• Nowadays the life of each of us is highly dependent on critical infrastructures.
• These infrastructures are characterized by heterogeneity and dynamicity.
• They may be prone to failures, intrusions, and attacks from outside and from inside.
• It is crucial to design systems ensuring resilience and security.

Context
• Security is a major challenge for today's companies.
• Security measures are carefully selected and maintained to protect organizations from external threats.
• Several tools and solutions are available for this purpose: firewalls, antivirus, intrusion detection systems, ...
• What happens inside the system?

Motivations
• Amongst the multitude of attacks and threats to which a system is potentially exposed, there are insider attackers.
• They are difficult to detect and mitigate due to the nature of the attackers.
• How to detect data theft or sabotage by malicious insiders?
• These activities can be difficult to differentiate from legitimate use.
• Protecting from insider threats requires a deep study of the socio-economic profiles of the insiders, their possible actions, and the impact of these actions on the system.
• Insider attackers constitute an actual threat for ICT organizations.
• This calls for a tailored insider threat assessment activity.

Objectives
• Define a methodology and supporting libraries for insider threat assessment and mitigation.
• Evaluate the possibility that a user will perform an attack, the severity of the potential violations, and the costs.
• Identify proper countermeasures.
The methodology in 6 steps

1. System under analysis
   ◊ Identification of components
   ◊ Interactions
   ◊ Functional description
2. Profiling potential insiders
   ◊ All users are identified
   ◊ Definition of attributes
   ◊ Reference to a predefined library
3. Identification of insider threats
   ◊ Description
   ◊ Potential consequences
   ◊ Identify exploitable paths
4. Attack paths
   ◊ Set up the modeling approach
   ◊ Evaluation
5. Countermeasures selection
   ◊ Selection of proper countermeasures
   ◊ Reference to a predefined library
6. Iteration and update

Methodology – System description
• A system is characterized by:
  • a number of resources: services, computers, removable drives, etc.
  • several communication networks
  • users, who can use the system or in general interact with it
  • new features that can be integrated over time, due to the evolution of technologies and the update of system specifications or requirements.
• Providing a formal description of the overall system may be expensive in terms of time.

Methodology – System description
• A semi-formal description, limited to the aspects of interest of the system and to the interactions that users may have with it, is appropriate.
• Through a semi-formal notation it is possible to immediately understand the description of the system, by using graphical notations along with natural-language descriptions.
• UML use case diagrams allow describing the system's functionalities and use case scenarios from the point of view of the users/insiders; the use case descriptions are shown in tables.
Methodology – Insiders' profile
• Identify a taxonomy of system users and potential attributes.
• A predefined library of insiders to consider, which constitutes a consistent reference library describing the human agents involved in IT systems that could pose threats to such systems.
• Eight attributes are defined: Intent, Access, Outcome, Limits, Resource, Skill Level, Objective, Visibility.
  T. Casey, "Threat Agent Library Helps Identify Information Security Risks," Intel White Paper, September 2007.

Methodology – Insider threats
• We can identify a number of threats of different types and severity, related to the actions performed by the insiders: install malicious software/code, create backdoors, disable system logs and anti-virus, create new users, plant logic bombs, perform operations on the database.
• The idea is to list the possible threats and try to associate them with the previously identified insiders.

Methodology – Attack paths
• Identify the path(s) exploitable by the insider(s) to realize the threat(s) and achieve the goal(s).
• This is a critical step, especially if we think of unknown paths: many insiders are able to set up unexpected attack paths that are not known in advance.
• Several techniques exist and are very useful for determining which threats exist in a system and how to deal with them: attack trees, attack graphs, privilege graphs, ADVISE.
• Evaluating the success rate and the effects of an attack is of paramount importance, since it provides information on the probability of occurrence of the attack.

Methodology – Countermeasures
• Selection of the proper countermeasure(s), to avoid or mitigate the identified threat(s).
• A predefined library which lists the countermeasures can be used.
• Introduction of such countermeasures may require re-assessing the system.
• If a model of the system and of the countermeasure is available, these can be integrated with the attack path model.

Methodology application – System & insider profiling
• Insiders: Operator, Domain Expert, Unknown User, System Expert, System Administrator (SA)

System Maintenance use case
  Actor/s: SA
  Pre-condition: The actor must be authenticated.
  Post-condition: The SA has full access to the system.
  Description: Apply OS patches and upgrades on a regular basis to the system and to the administrative tools and utilities. Configure/add new services as necessary. Upgrade and configure system software or Asset Management applications. Maintain operational, configuration, or other procedures. Perform periodic performance reporting. Perform ongoing performance tuning, hardware upgrades, and resource optimization.

Data Management use case
  Actor/s: SA
  Pre-condition: The actor must be authenticated.
  Post-condition: The SA has full access to the data.
  Description: Perform daily backup operations, ensuring the integrity and availability of data.

Profile Management use case
  Actor/s: SA
  Pre-condition: The actor must be authenticated.
  Post-condition: The SA has full access to the system data.
  Description: Create, change, and delete user accounts.

Crisis Management use case
  Actor/s: SA
  Pre-condition: The actor must be authenticated.
  Post-condition: The SA has full access to the system data.
  Description: Repair and recover from hardware or software failures or from cyber attacks. Coordinate and communicate any recovery actions.
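The "Attack paths" step of the methodology asks for the exploitable paths to be enumerated and for the success rate of an attack to be evaluated, and the "Countermeasures" step notes that a selected countermeasure can be integrated with the attack path model and the system re-assessed. The following Python program is an added example illustrating both points with a small AND/OR attack tree (one of the techniques the slides list); it is not code from the presentation or from the ADVISE tool. The step names, the success probabilities, the effort costs and the mitigation factor are constructed for illustration and carry no claim about a real system.

```python
"""Attack-path evaluation with an AND/OR attack tree and countermeasure re-assessment.

Added example, not code from the presentation or from ADVISE. The tree
below (step names, success probabilities, effort costs and the
mitigation factor) is constructed for illustration only.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional, Tuple


@dataclass
class Step:
    """A node of the attack tree.

    A leaf is one concrete action of the insider, with an estimated
    probability of success and an effort cost. An inner node combines its
    children with an AND gate (all sub-steps are needed) or an OR gate
    (any one sub-step suffices).
    """
    name: str
    prob: float = 1.0
    cost: float = 0.0
    gate: Optional[str] = None          # None (leaf), "AND" or "OR"
    children: List["Step"] = field(default_factory=list)


def evaluate(step: Step, mitigations: Optional[Dict[str, float]] = None) -> Tuple[float, float]:
    """Return (success probability, cost) of the most likely way to reach `step`.

    `mitigations` maps a leaf name to a factor in [0, 1] by which a selected
    countermeasure scales that leaf's success probability; passing it lets
    the same tree be re-assessed after countermeasures are chosen.
    """
    mitigations = mitigations or {}
    if step.gate is None:
        return step.prob * mitigations.get(step.name, 1.0), step.cost
    results = [evaluate(child, mitigations) for child in step.children]
    if step.gate == "AND":
        # Sub-steps are assumed independent: probabilities multiply, costs add.
        prob, cost = 1.0, 0.0
        for p, c in results:
            prob *= p
            cost += c
        return prob, cost
    if step.gate == "OR":
        # The insider follows the most likely branch; ties go to the cheaper one.
        return max(results, key=lambda r: (r[0], -r[1]))
    raise ValueError(f"unknown gate {step.gate!r}")


def attack_paths(step: Step) -> List[List[str]]:
    """Enumerate every exploitable path as the list of leaf actions it needs."""
    if step.gate is None:
        return [[step.name]]
    child_paths = [attack_paths(child) for child in step.children]
    if step.gate == "AND":
        # Every combination of one path per child is a path for the AND node.
        return [sum(combo, []) for combo in product(*child_paths)]
    return [path for paths in child_paths for path in paths]


def data_theft_tree() -> Step:
    """Constructed attack tree for the 'data theft' goal of a system administrator."""
    via_export = Step("export-via-removable-drive", gate="AND", children=[
        Step("query-confidential-data", prob=0.9, cost=1),
        Step("copy-to-removable-drive", prob=0.8, cost=2),
    ])
    via_email = Step("exfiltrate-by-email", gate="AND", children=[
        Step("disable-audit-logs", prob=0.7, cost=3),
        Step("transfer-confidential-files", prob=0.6, cost=2),
    ])
    return Step("data-theft", gate="OR", children=[via_export, via_email])


if __name__ == "__main__":
    tree = data_theft_tree()
    print("paths:", attack_paths(tree))
    print("baseline:", evaluate(tree))
    # Re-assess after a countermeasure that blocks most removable-drive copies.
    print("with mitigation:", evaluate(tree, {"copy-to-removable-drive": 0.25}))
```

Running the module prints the two exploitable paths, the baseline evaluation (the removable-drive path, with probability 0.72 and cost 3) and the re-assessment after a countermeasure on removable drives, where the e-mail path becomes the most likely one (probability 0.42, cost 5). The re-assessment is what the methodology's iteration step calls for: introducing a countermeasure changes which path the insider is expected to take, so the remaining paths must be evaluated again.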
Methodology application – Insider threats

Mapping insiders to threats (SA = System Administrator, SE = System Expert):

   Threat                                        SA    SE
 1 Disable system logs                           YES   NO
 2 Corrupt data                                  YES   YES
 3 View confidential data                        YES   NO
 4 Add not required services                     YES   NO
 5 Improper configuration                        YES   NO
 6 Improper user management                      YES   NO
 7 Elevate users' privileges                     YES   YES
 8 Install vulnerable supporting sw              YES   YES
 9 Install vulnerable Secure! services           NO    NO
10 Use of defective hw                           YES   NO
11 Transfer confidential files                   YES   YES
12 Access to crypto keys                         YES   NO
13 Putting Trojan horses                         YES   YES
14 Disabling audit trails and logs               YES   YES
15 Altering protection of components             YES   NO

Matching attributes to values for the SA:

   Attribute      Value
   Intent         Hostile
   Access         Internal, External
   Outcome/Goal   Damage, Acquisition/Theft
   Limits         Code of Conduct, Legal, Extra-legal
   Resources      Individual
   Skills         Minimum, Adept
   Objective      Copy, Destroy, Take
   Visibility     Clandestine

Attack goals:
   - degradation of the performance of the system
   - theft of sensitive data

Methodology application – Attack paths
• ADVISE attack execution graph for Data Theft (figure not reproduced here):
  • rectangular boxes represent the attack steps;
  • squares are the access domains;
  • circles are the knowledge items;
  • ovals represent the attack goal.

Methodology application – Countermeasures
• Countermeasures:
  • Identify the sensitive data and set up a detection system that prevents all queries on such data.
  • Keep track of accesses: username, timestamp, event description (computer system, devices, utilized software, software installation, error condition, etc.).
  • Implement a biometric system which, at every predetermined interval (minutes, hours), performs an identity check.
  • Forbid logging into the system on holidays or outside office hours.
  • Allow printing reports only on specific printers.
  • Implement an e-mail system with automatic cc forwarding to a higher-ranking person.

Conclusions
• Several techniques exist to avoid or detect the risk that a legitimate user abuses their authority.
• Technological protection from external threats is important, but defending against insider attacks is and will remain challenging.
• Insider attacks are difficult to detect, either by human or by technical means.
• We identified a lack in the definition of a methodology and related support for the systematic investigation and assessment of insider threats.

Future works
• Define a method which supports the creation, usage and maintenance of the threats library.
• Identify an approach to support the selection of the input parameters that characterize the attack path, to understand the costs and dangerousness of an attack.
• A mapping between the Insider Library and the ADVISE profiles must be provided, also assigning numerical values.

Thank You
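Three of the countermeasures listed for the data-theft case can be checked directly against an access log: keeping track of accesses, reporting queries on sensitive data, and refusing logins on holidays or outside office hours; the mapping table above also marks "Disabling audit trails and logs" as a threat posed by the SA. The following Python program is an added example, not code from the presentation, showing how such checks can be run over access-log lines. The log line format, the office-hours window, the holiday calendar, the sensitive table names and the sample log lines are all constructed for the example.

```python
"""Access-log checks for the countermeasures listed above.

Added example, not code from the presentation. The log format, the
office-hours window, the holiday calendar, the sensitive table names and
the sample log lines are all constructed for illustration.
"""
import re
from datetime import date, datetime, time
from typing import Dict, List, Tuple

# Constructed policy: office hours on working days, a holiday calendar and
# the tables holding sensitive data on which every query must be reported.
OFFICE_START = time(8, 0)
OFFICE_END = time(19, 0)
HOLIDAYS = {date(2014, 1, 1)}
SENSITIVE_TABLES = {"crypto_keys", "customer_records"}

# Constructed line format: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'TIMESTAMP key=value key=value ...' into a dict (timestamp under 'ts')."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group(2).split())
    fields["ts"] = m.group(1)
    return fields


def off_hours(ts: datetime) -> bool:
    """True on weekends, on holidays and at times outside the office-hours window."""
    return (ts.weekday() >= 5 or ts.date() in HOLIDAYS
            or not (OFFICE_START <= ts.time() < OFFICE_END))


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons (possibly none) why one access-log event should be reported."""
    reasons = []
    ts = datetime.fromisoformat(ev["ts"])
    event = ev.get("event")
    if event == "login" and off_hours(ts):
        reasons.append("login outside office hours or on a non-working day")
    if event == "query" and ev.get("table") in SENSITIVE_TABLES:
        reasons.append(f"query on sensitive table {ev['table']}")
    if event == "audit" and ev.get("state") == "disabled":
        reasons.append("audit logging disabled")
    return reasons


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run the checks over the log and return (timestamp, user, reason) alerts."""
    alerts = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ev = parse_line(line)
        for reason in check_event(ev):
            alerts.append((ev["ts"], ev.get("user", "?"), reason))
    return alerts


# Constructed sample log: 2014-01-13 is a Monday, 2014-01-11 a Saturday,
# 2014-01-01 is in the holiday calendar above.
SAMPLE_LOG = """
2014-01-13T10:15:00 user=operator event=login src=10.0.0.7
2014-01-13T10:20:00 user=operator event=query table=orders
2014-01-13T22:40:00 user=sa event=login src=10.0.0.5
2014-01-11T11:00:00 user=sa event=login src=10.0.0.5
2014-01-01T09:30:00 user=sa event=login src=10.0.0.5
2014-01-13T10:25:00 user=sa event=query table=crypto_keys
2014-01-13T10:26:00 user=sa event=audit state=disabled
""".strip().splitlines()


if __name__ == "__main__":
    for ts, user, reason in scan(SAMPLE_LOG):
        print(f"{ts} {user}: {reason}")
```

On the sample log the two operator events pass, while the five SA events are reported: three logins outside the allowed window (evening, Saturday, holiday), one query on a sensitive table and one event disabling audit logging. The last check matters because, as the threat list shows, an insider with administrative access may disable the very logs the other checks depend on, so an "audit disabled" event should be reported even when every other access looks legitimate.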