Resilient Computing Lab
A methodology and supporting techniques for the assessment of insider threats
Nicola Nostro
Tutors: Bondavalli Andrea, Di Giandomenico Felicita
Università degli Studi di Firenze
Meeting TENACE
PhD Session
Fai della Paganella, 11 February 2014
Subject of the research
• Nowadays the life of each of us is highly dependent on critical infrastructures.
• These infrastructures are characterized by heterogeneity and dynamicity.
• They may be prone to failures, intrusions, and attacks from outside and inside.
• It is therefore crucial to design systems that ensure resilience and security.
Nicola Nostro
Meeting TENACE – Fai della Paganella
11 February 2014
Context
• Security is a major challenge for today’s companies.
• Security measures are carefully selected and maintained to protect organizations from external threats.
• Several tools and solutions are available for this purpose: firewalls, antivirus, intrusion detection systems, …
• But what happens inside the system?
Motivations
• Amongst the multitude of attacks and threats to which a system is potentially exposed, there are insider attackers.
• They are difficult to detect and mitigate because of the nature of the attackers: they already hold legitimate access.
• How can data theft or sabotage by malicious insiders be detected?
• These activities can be difficult to distinguish from legitimate use.
• Protecting against insider threats requires a deep study of the socio-economic profiles of the insiders, their possible actions, and the impact of those actions on the system.
• Insider attackers constitute an actual threat for ICT organizations.
• This calls for a tailored insider threat assessment activity.
Objectives
• Define a methodology and supporting libraries for insider threat assessment and mitigation.
• Evaluate the likelihood that a user will perform an attack, the severity of the potential violations, and the costs.
• Identify proper countermeasures.
The methodology in 6 steps
1. System under analysis
   ◊ Identification of components
   ◊ Interactions
   ◊ Functional description
2. Profiling potential Insiders
   ◊ All users are identified
   ◊ Definition of attributes
   ◊ Reference to a predefined library
3. Insider Threats
   ◊ Identification
   ◊ Description
   ◊ Potential consequences
4. Attack paths
   ◊ Identify exploitable paths
   ◊ Set up the modeling approach
   ◊ Evaluation
5. Countermeasures selection
   ◊ Selection of proper countermeasures
   ◊ Reference to a predefined library
6. Iteration and Update
Methodology - System description
• A system is characterized by
• a number of resources: services, computers, removable drives, etc.
• one or more communication networks
• users, who can use the system or in general interact with it
• new features that can be integrated over time, due to the evolution of technologies and updates of the system specification or requirements.
• Providing a formal description of the overall system may be expensive in terms of time.
Methodology - System description
• A semi-formal description, limited to the aspects of interest of the system and to the interactions that users may have with it, is appropriate.
• Through a semi-formal notation it is possible to understand the description of the system immediately,
• by using graphical notations along with natural language descriptions.
• UML use case diagrams allow describing the system's functionalities and use case scenarios from the point of view of the users/insiders; the use case descriptions are given in tables.
Methodology – Insiders’ profile
• Identify a taxonomy of system users and their potential attributes.
• A predefined library of insiders to consider,
• which constitutes a consistent reference library describing the human agents involved in IT systems who could pose threats to such systems.
• Eight attributes are defined:
• Intent, Access, Outcome, Limits, Resource, Skill Level, Objective, Visibility
T. Casey, “Threat Agent Library Helps Identify Information Security Risks,” Intel
White Paper, September 2007
Methodology – Insider threats
• We can identify a number of threats of differing severity, related to the actions performed by the insiders:
• install malicious software/code, create backdoors, disable system logs and anti-virus, create new users, plant logic bombs, perform operations on the database.
• The idea is to list the possible threats and associate them with the previously identified insiders.
Methodology – Attack Paths
• Identify the path(s) exploitable by the insider(s) to realize the threat(s) and achieve the goal(s).
• This is a critical step, especially when we consider unknown paths:
• many insiders are able to set up unexpected attack paths that are not known in advance.
• Several techniques exist and are very useful for determining what threats exist in a system and how to deal with them:
attack trees, attack graphs, privilege graphs, ADVISE
• Evaluating the success rate and the effects of an attack is of paramount importance, since it yields information on the probability of occurrence of the attack.
Methodology – Countermeasures
• Selection of the proper countermeasure(s) to avoid or mitigate the identified threat(s).
• A predefined library listing the countermeasures can be used.
• Introducing such countermeasures may require re-assessing the system.
• When a model of the system and of the countermeasure is available, these can be integrated with the attack path model.
Methodology application – System & Insider Profiling
• Insiders: Operator, Domain expert, Unknown user, System Expert, System Administrator (SA)
System Maintenance Use Case
Actor/s: SA
Pre-condition: The actor must be authenticated.
Post-condition: The SA has full access to the system.
Description: Apply OS patches and upgrades to the system, and to the administrative tools and utilities, on a regular basis. Configure/add new services as necessary. Upgrade and configure system software or Asset Management applications. Maintain operational, configuration, or other procedures. Perform periodic performance reporting. Perform ongoing performance tuning, hardware upgrades, and resource optimization.
Data Management Use Case
Actor/s: SA
Pre-condition: The actor must be authenticated.
Post-condition: The SA has full access to the data.
Description: Perform daily backup operations, ensuring the integrity and availability of data.
Profile Management Use Case
Actor/s: SA
Pre-condition: The actor must be authenticated.
Post-condition: The SA has full access to the system data.
Description: Create, change, and delete user accounts.
Crisis Management Use Case
Actor/s: SA
Pre-condition: The actor must be authenticated.
Post-condition: The SA has full access to the system data.
Description: Repair and recover from hardware or software failures or from cyber attacks. Coordinate and communicate any recovery actions.
Methodology application – Insider Threats
Mapping Insiders to Threats (SA = System Administrator, SE = System Expert)

 #  Threat                                   SA    SE
 1  Disable system logs                      YES   NO
 2  Corrupt data                             YES   YES
 3  View confidential data                   YES   NO
 4  Add not required services                YES   NO
 5  Improper configuration                   YES   NO
 6  Improper user management                 YES   NO
 7  Elevate users privileges                 YES   NO
 8  Install vulnerable supporting services   YES   NO
 9  Install vulnerable sw                    YES   YES
10  Use of defective hw                      YES   NO
11  Transfer confidential files              YES   YES
12  Access to crypto keys                    YES   NO
13  Putting Trojan horses                    YES   YES
14  Disabling protection of components       YES   YES
15  Altering audit trails and logs           YES   NO
Matching attributes-values

Attribute       Value - SA
Intent          Hostile
Access          Internal, External
Outcome/Goal    Damage, Acquisition/Theft
Limits          Code of Conduct, Legal, Extra-legal
Resources       Individual
Skills          Minimum, Adept
Objective       Copy, Destroy, Take
Visibility      Clandestine

Attack goals:
- degradation of the performance of the system,
- theft of sensitive data
Methodology application – Attack Paths
• ADVISE attack execution graph for Data Theft (figure not reproduced in this text):
• Rectangular boxes represent the attack steps;
• Squares are the access domains;
• Circles are the knowledge items;
• Ovals represent the attack goal.
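The legend above describes the graph's elements, but the graph itself is an image that is not reproduced here. The Python below is an added example written for this page, not the authors' ADVISE model and not the ADVISE formalism itself: it encodes a constructed data-theft scenario as a small attack execution graph (attack steps with the access domains and knowledge items they require and grant, a goal, and a hypothetical success probability per step), enumerates every step sequence by which an insider who starts with LAN access and their own credentials reaches the goal, reports the most likely path, and then, in support of the countermeasure selection step of the methodology, finds the single attack step whose neutralisation lowers the probability of the best remaining path the most. All step names, item names and probabilities are assumptions.

```python
"""Simplified attack execution graph for an insider data-theft scenario.

Added example: a toy model in the spirit of the graph legend (attack steps,
access domains, knowledge items, goal), NOT the ADVISE formalism and not the
authors' model. Every name and probability below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class AttackStep:
    """One rectangular box of the graph."""
    name: str
    requires: FrozenSet[str]   # access domains / knowledge items the insider must already hold
    grants: FrozenSet[str]     # access domains / knowledge items / goals gained on success
    p_success: float           # constructed probability that one attempt succeeds


GOAL = "goal:data_theft"       # the oval of the graph

# Constructed scenario: an insider with ordinary LAN access and their own credentials.
STEPS: Dict[str, AttackStep] = {s.name: s for s in [
    AttackStep("escalate_to_db_admin",
               frozenset({"access:lan", "know:own_credentials"}),
               frozenset({"access:db_admin"}), 0.30),
    AttackStep("query_confidential_records",
               frozenset({"access:lan", "know:own_credentials"}),
               frozenset({"know:confidential_data"}), 0.90),
    AttackStep("dump_database",
               frozenset({"access:db_admin"}),
               frozenset({"know:confidential_data"}), 0.95),
    AttackStep("plug_removable_drive",
               frozenset({"access:lan"}),
               frozenset({"access:removable_drive"}), 0.80),
    AttackStep("copy_to_removable_drive",
               frozenset({"know:confidential_data", "access:removable_drive"}),
               frozenset({GOAL}), 0.90),
    AttackStep("email_data_outside",
               frozenset({"know:confidential_data", "access:lan"}),
               frozenset({GOAL}), 0.85),
]}

INSIDER_START: FrozenSet[str] = frozenset({"access:lan", "know:own_credentials"})

Path = Tuple[Tuple[str, ...], float]   # (sequence of step names, probability all succeed)


def enumerate_paths(steps: Dict[str, AttackStep], start: Iterable[str],
                    goal: str = GOAL) -> List[Path]:
    """Every step sequence leading from `start` to `goal`, with the probability
    that all of its steps succeed (steps assumed independent, no retries)."""
    paths: List[Path] = []

    def walk(state: FrozenSet[str], done: FrozenSet[str], prob: float, trail: List[str]) -> None:
        if goal in state:
            paths.append((tuple(trail), prob))
            return
        for step in steps.values():
            if step.name in done or not step.requires <= state:
                continue               # not enabled in this state
            if step.grants <= state:
                continue               # would add nothing the insider does not already hold
            walk(state | step.grants, done | {step.name},
                 prob * step.p_success, trail + [step.name])

    walk(frozenset(start), frozenset(), 1.0, [])
    return paths


def most_likely_path(steps: Dict[str, AttackStep], start: Iterable[str]) -> Path:
    paths = enumerate_paths(steps, start)
    return max(paths, key=lambda p: p[1]) if paths else ((), 0.0)


def best_step_to_block(steps: Dict[str, AttackStep], start: Iterable[str]) -> Tuple[str, float]:
    """Model a countermeasure as the removal of one attack step; return the step
    whose removal leaves the lowest probability for the best remaining path."""
    best_name, best_residual = "", float("inf")
    for name in steps:
        reduced = {n: s for n, s in steps.items() if n != name}
        _, residual = most_likely_path(reduced, start)
        if residual < best_residual:
            best_name, best_residual = name, residual
    return best_name, best_residual


if __name__ == "__main__":
    for trail, p in sorted(enumerate_paths(STEPS, INSIDER_START), key=lambda x: -x[1]):
        print(f"{p:.3f}  {' -> '.join(trail)}")
    print("most likely path:", most_likely_path(STEPS, INSIDER_START))
    print("block first:     ", best_step_to_block(STEPS, INSIDER_START))
```

With these constructed numbers the most likely path is the two-step sequence "query the confidential records with one's own credentials, then e-mail them outside", and the step whose neutralisation helps most is the query itself, which is the same conclusion the first countermeasure on the application slide draws (a detection system that prevents queries on the sensitive data). Blocking only the e-mail channel leaves the removable-drive path almost as likely.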
Methodology application - Countermeasures
• Countermeasures:
• Identify the sensitive data and set up a detection system that prevents all queries on such data.
• Keep track of accesses (username, timestamp, event description: computer system, devices, utilized software, software installation, error condition, etc.).
• Implement a biometric system which, at a predetermined interval (minutes, hours), performs an identity check.
• Do not allow logging into the system during holidays or outside office hours.
• Allow printing reports only on specific printers.
• Implement an e-mail system with automatic cc forwarding to a higher-ranking person.
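Three of the countermeasures above (detecting queries on the sensitive data, keeping an access record with username, timestamp and event description, and no logins on holidays or outside office hours) can be checked automatically over such a record. The Python below is an added example written for this page, not part of the original work: it parses constructed log lines in an assumed format (`<ISO-8601 timestamp> <user> <EVENT> key=value ...`), flags LOGIN events that fall on a weekend, on an assumed holiday, or outside an assumed 08:00 to 18:00 office window, and flags QUERY events against an assumed set of sensitive tables. The log lines, users, hosts, office hours, holiday date and table names are all constructed.

```python
"""Added example (not part of the original work): detection rules over an access record.

Implements three of the countermeasures listed above over a constructed log
whose format is an assumption of this example:
    <ISO-8601 timestamp> <username> <EVENT> key=value [key=value ...]
"""
import re
from datetime import date, datetime, time
from typing import Dict, List, Optional, Tuple

# Assumed policy values (constructed for the example).
OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)   # office hours, weekdays only
HOLIDAYS = {date(2014, 2, 12)}                       # constructed holiday calendar
SENSITIVE_TABLES = {"customers_pii", "payroll"}      # data identified as sensitive

# Constructed sample log lines (users, hosts and tables are invented).
SAMPLE_LOG = """\
2014-02-10T09:15:02 operator1 LOGIN host=ws03
2014-02-10T23:41:10 sysadmin LOGIN host=srv01
2014-02-11T10:05:33 sysadmin QUERY table=customers_pii rows=12000
2014-02-11T10:06:01 operator1 QUERY table=inventory rows=40
2014-02-12T09:00:00 operator1 LOGIN host=ws03
2014-02-16T11:20:45 domain_expert LOGIN host=ws12
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<event>[A-Z]+)(?P<attrs>(?: \w+=\S+)*)$")

Alert = Tuple[str, str, str]   # (user, rule that fired, offending log line)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one record into its fields; None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    record = {"ts": m["ts"], "user": m["user"], "event": m["event"]}
    for kv in m["attrs"].split():
        key, value = kv.split("=", 1)
        record[key] = value
    return record


def is_outside_office_hours(ts: datetime) -> bool:
    """Weekend, holiday, or a time of day outside the office window."""
    return (ts.weekday() >= 5
            or ts.date() in HOLIDAYS
            or not (OFFICE_START <= ts.time() < OFFICE_END))


def analyse(log_text: str) -> List[Alert]:
    """Apply the login-time rule and the sensitive-query rule to every record."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                       # malformed record: skipped here, worth alerting on in practice
        ts = datetime.fromisoformat(rec["ts"])
        if rec["event"] == "LOGIN" and is_outside_office_hours(ts):
            alerts.append((rec["user"], "login outside office hours or on a holiday", line))
        if rec["event"] == "QUERY" and rec.get("table") in SENSITIVE_TABLES:
            alerts.append((rec["user"], "query on sensitive data", line))
    return alerts


if __name__ == "__main__":
    for user, rule, line in analyse(SAMPLE_LOG):
        print(f"{rule:45s} {user:15s} {line}")
```

On the sample log this raises four alerts: the late-evening login, the holiday login, the Sunday login, and the query against the `customers_pii` table. The rules deliberately key on the username rather than on the insider profile, so the same check covers the SA and the other insiders listed on the profiling slide.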
Conclusions
• Several techniques exist to avoid or detect the risk that a legitimate user abuses their authority.
• Technological protection from external threats is important, but
• defending against insider attacks is and will remain challenging.
• Insider attacks are difficult to detect, either by human or by technical means.
• We identified a lack of a methodology, and of related support, for the systematic investigation and assessment of insider threats.
Future works
• Define a method that supports the creation, usage and maintenance of the threats library.
• Identify an approach to support the selection of the input parameters that characterize the attack path,
in order to understand the costs and dangerousness of an attack.
• A mapping between the Insider Library and ADVISE profiles must be provided, also assigning numerical values.
Thank You