Insider Threat – Analysis and Countermeasures
Shambhu Upadhyaya
Department of Computer Science and Engineering
SUNY at Buffalo
DIMACS Workshop
February 6, 2014
Insider Threat – Analysis and Countermeasures
Shambhu Upadhyaya
1
Outline
• Introduction
– Problem Identification and Investigations
• The challenges of Insider threat
– Procedural
– Technical
• A new threat assessment methodology and a tool
– Research prototype
• Detecting privilege abuse attacks
• State of research down the road
Insider Attack in Financial Institutions
• A major bank in New York incurred a loss of $2.5 million
– Involved a home equity line of credit (HELOC) wire transfer fraud – by
social engineering TBC staff
• A trader based in the stock trading unit initiated thousands of
transactions without customer permission in order to drive up
his commissions
– Resulted in $650 million losses – greed and privilege abuse
• An insider ran HR database queries in an attempt to find out
how much everyone in the IT department was making, all the
way up to the CTO
– Snooping – no need to know, data harvesting attack
• 1st case – abnormal activity, 2nd case – abnormal volume of data movement, 3rd case – abuse of privilege
Insider Attack in Intel. Communities
• NSA contractor Edward Snowden (June 2013)
• Leaked classified info on NSA’s PRISM project
• Privileged user, but no need to know this info.
• Detection failed due to lack of enforcement of monitoring tools
The Insider – Who are They?
• Who is an insider?
– Those who work for the target organization or those having relationships with the firm with some level of access
– Employees, contractors, business partners, customers, etc.
• Recent CSI/FBI Survey key findings (2010)
– Insider attacks have now surpassed viruses as the most common cause of security incidents in the enterprise
– 25% of respondents felt that over 40% of their financial losses were due to malicious actions by insiders
• Identity Theft Resource Center findings (2011)
– Data breach due to insider theft – 13% (other causes – card-skimming, data lost on the move, etc.)
• U.S. Secret Service/CERT/Microsoft E-Crime report (2010)
– 67% of the respondents reported that insider attacks are the most costly and damaging type of attacks
Major Fact-Finding Studies
• NSA/ARDA workshop in March 2004 (RAND Report, 2004)
– Robert Hanssen, Aldrich Ames case studies
– Developed some basic models based on these case studies
• U.S. Secret Service, CMU CERT/Microsoft eCrime Watch
Survey (2005)
– Illicit Cyber Activity in the Banking and Finance Sector (Aug. 2004)
– Computer System Sabotage in Critical Infrastructure Sectors (May
2005)
• CMU CyLab Study (2012)
– The CERT Guide to Insider Threats: How to Prevent, Detect, and
Respond to IT Crimes (Theft, Sabotage, Fraud), Addison-Wesley, 2012
(http://www.informit.com/store/product.aspx?isbn=9780321812575)
• DARPA SRS (2004) and CINDER (2010) programs
• ACM CCS Workshop, 2010, MIST Workshops, 2009-13, SEI
Training on demand
Procedural Solutions Challenges
• Examples of procedural solutions
– Prevention by
• Pre-hire screening of employees
• Training and education
– Establish good audit procedures
– Disable access at appropriate times
– Develop best practices for the prevention and detection
• Separation of duties and least privilege
• Strict password and account management policies
• Policy-based solutions are hard to enforce
– They involve the human factors
– Human is the weakest link in security
Technical Solutions Challenges
• A known problem since the 1980s, still no good solution
• Getting good data to arrive at some consensus on
the definition
• Existing tools such as firewall, IDS, anti-virus not
effective
• State space explosion, NP-Hard problems
• Problem inherently complex – insiders are trusted –
ethical, legal issues
• Low and slow, stealthy attacks – stretched for long
periods – hard to detect by anomaly detectors
Recent Progress on Technical Front
• Insider threat detection tools exist in the market
– Tools can help answer the following questions
• How secure is the existing setup?
• Which points are most vulnerable?
• What are likely attack strategies?
• Where must security systems be placed?
• Challenges
– What you cannot model and detect
• Non-cyber events – disclosures, memory dumps, etc.
• What could help?
– Audit, video recording may help
– Example: ObserveIT (http://www.observeit-sys.com/)
Examples of Insider Threat Mitigation Tools
• Skybox View (generic tool) http://www.skyboxsecurity.com/
– Threat modeling and risk analysis tool
– Uses dictionary-based vulnerability scanning
• Sureview from Oakley Networks http://www.raytheon.com/
– Now it is Raytheon Oakley tool (since 2007)
– Endpoint monitoring for transmission of sensitive data
• iGuard from Reconnex http://www.mcafee.com/us/
– Now it is McAfee Reconnex iGuard Monitor (since 2008)
– A rule-based system to monitor information leak
• Content Alarm from Tablus http://www.rsa.com
– Now it is RSA Tablus Content Alarm (since 2007)
– Policy violation based system
• Vontu from Vontu, Inc. http://www.symantec.com
– Now it is Symantec Vontu Network Discover (since 2007)
• All these have made market penetration ($20K – $100K)
ICMAP (Info-Centric Modeler and Auditor)
• At University at Buffalo
– Information-centric modeling concept
– A Capability Acquisition Graph (CAG) generation
for insider threat assessment
– Part of a DARPA initiative
– Ideas published in ACSAC 2004, IEEE DSN 2005,
JCO 2005, IEEE ICC 2006, IFIP 11.9 Digital
Forensics Conference 2007, Springer 2010, RAID
2010
– DOE SBIR (technology transfer in 2010-11)
Types of Insider Threat
• Privilege escalation by impersonation
• Privilege escalation by exploiting vulnerabilities
• Own privilege abuse
• Social engineering attacks
• Colluding attacks
Basic CAG Model
Focus on an insider's view of an organization such as Hosts,
Reachability, and Access Control
ICMAP Overview
[Figure: ICMAP overview. Inputs – Network entity rules, Network topology, vulnerabilities, Authentication mechanism, Social Eng. Awareness, Cost Rules – feed the ICMAP Engine, which produces the Cap. acquisition graph; a defense-centric approach and sensitivity analysis provide feedback to the model]
A Financial Institution Example
• Scenario
– Every teller performs sundry personal accounting tasks
– Manager endorses large transactions and also performs business
transactions
– The two databases are separated
– All transactions to the DB are encrypted
– Teller to personal accounts DB uses lower strength encryption
– Business transactions require the manager to refer to a PKI server and
get a session key
– Both DBs are protected behind a firewall
• Attack
– Teller knows the manager doesn’t apply security patches regularly
– Rogue teller exploits some vulnerability to compromise manager’s
account
Modeling the Attack (Physical Graph)
A Simple Example: Physical to Logical
Conversion
[Figure: Physical Topology – hosts running sshd, a firewall, and ftpd; account labels user, root and x-user; rule label ssh_allowed]
Physical to Logical Conversion…
[Figure: Logical graph. Host/service nodes: sshd, firewall, ftpd, host; account nodes: user, root, x-user; key/credential nodes: exec_key, ssh_key, fw_key, ftp_key, root_pd, user_pd, fw_pd; vulnerability edges: ssh-vuln (ssh_key), ftp-vuln (ftp_key), fw-root; conjunctive key requirements: root_pd && fw_key, user_pd && fw_key; edge costs shown as 0]
Practical Considerations
• How is a model instance generated?
– Define the scope of the threat
– A step-by-step bottom up approach starting with
potential targets
• Who constructs the model instance?
– A knowledgeable security analyst
• How are costs defined?
– Cryptographic access control mechanisms have well-defined costs
– Use attack templates, vulnerability reports, attacker’s
privilege and the resources that need to be protected
– Low, Medium and High – relative cost assignment
Threat Analysis Illustration
• Interesting attack strategy – minimize attack cost
• This problem is called Min-Hack
Illustration on Telcordia Testbed
Telcordia Network – Physical
Telcordia Network – Logical
Scenario: Exploiting a Vulnerability (CAG)
• Source is the “red-team” account on Ooty
• Target is the “taos-jewel” on Taos
• Access control – only root on Taos has access to the jewel
• The attack sequence is:
(i) rd_ooty logs into Taos
(ii) rd_taos exploits the ssh vulnerability in Taos to become root_taos
(iii) Using root_taos the insider can access the jewel
Scenario: Exploiting a Vulnerability (CAG)
Sensor Placement Recommendation
• Recommend sensor placement for multiple target
nodes:
– The heuristic algorithm outputs k-best (in this
example k=3) walks for each target
– From these walks the m most frequently
occurring nodes are selected as the likely
locations for sensor placement
• The next figure shows 3-walks for the target
Taos_jewel and 1 walk for the target Beijing jewel
• The most frequently occurring nodes are underlined
and then also printed in the sensor placement nodes
section
Sensor Placement Recommendation
Source: rd_ooty, rd_shimla
Target: taos_jewel, beijing_jewel
Target: Taos_jewel
Walk: 1 :
rd_ooty => Ooty => Civil Affairs Network => MS Router => Logistics Network => rd_crete => Crete => SSHV.1 =>
Crete => rd_crete => Logistics Network => MS Router => Security Network => rd_taos => Taos => root_taos =>
Taos => Taos_jewel
Cost: 0.0
Walk: 2 :
rd_shimla => Shimla => Civil Affairs Network => MS Router => Security Network => rd_taos => Taos => SSHV.1
=> Taos => root_taos => Taos => Taos_jewel
Cost: 0.0
Walk: 3 :
rd_ooty => Ooty => Civil Affairs Network => MS Router => Security Network => rd_taos => Taos => SSHV.1 =>
Taos => root_taos => Taos => Taos_jewel
Cost: 0.0
Target: Beijing_jewel
Walk: 1 :
rd_ooty => Ooty => Civil Affairs Network => MS Router => Procurement Network => rd_hk => HongKong =>
ApacheV.1 => HongKong => root_hk => HongKong => ApacheV.1 => HongKong => rd_hk => Procurement
Network => root_beijing => stan_beijing => root_beijing => Beijing => Beijing_jewel
Cost: 0.0
…. (other walks)
Sensor Placement Nodes: HongKong, Procurement Network, Taos, MS Router,
rd_hk, root_beijing, ApacheV.1, Civil Affairs Network, rd_ooty, Ooty
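To show how the k-best walks above turn into a placement list, here is an added Python example (not ICMAP code) that parses a constructed excerpt of the listing in its wrapped format and ranks nodes by how often the walks traverse them; the excerpt omits the remaining walks, so its ranking differs from the slide's list, and counting repeat visits within one walk is this example's assumption.

```python
from collections import Counter
from typing import Dict, List

# Constructed excerpt in the format of the ICMAP listing above; the slide
# elides the remaining walks, so the ranking here differs from its list.
WALKS_TEXT = """\
Target: Taos_jewel
Walk: 1 :
rd_ooty => Ooty => Civil Affairs Network => MS Router => Security Network => rd_taos => Taos => SSHV.1 =>
Taos => root_taos => Taos => Taos_jewel
Cost: 0.0
Walk: 2 :
rd_shimla => Shimla => Civil Affairs Network => MS Router => Security Network => rd_taos => Taos => SSHV.1
=> Taos => root_taos => Taos => Taos_jewel
Cost: 0.0
Target: Beijing_jewel
Walk: 1 :
rd_ooty => Ooty => Civil Affairs Network => MS Router => Procurement Network => rd_hk => HongKong =>
ApacheV.1 => HongKong => root_hk => HongKong => ApacheV.1 => HongKong => rd_hk => Procurement
Network => root_beijing => stan_beijing => root_beijing => Beijing => Beijing_jewel
Cost: 0.0
"""

def parse_walks(text: str) -> Dict[str, List[List[str]]]:
    """Group walks by target. A walk body wraps over several lines (even
    inside a node name such as 'Procurement Network'), so the lines between
    'Walk:' and 'Cost:' are joined with spaces before splitting on '=>'."""
    walks: Dict[str, List[List[str]]] = {}
    target, buf = None, []
    for line in text.splitlines():
        if line.startswith("Target:"):
            target = line.split(":", 1)[1].strip()
            walks.setdefault(target, [])
        elif line.startswith("Walk:"):
            buf = []
        elif line.startswith("Cost:"):
            nodes = [n.strip() for n in " ".join(buf).split("=>")]
            walks[target].append([n for n in nodes if n])
        else:
            buf.append(line.strip())
    return walks

def sensor_placement(walks: Dict[str, List[List[str]]], m: int) -> List[str]:
    """Count how often each node is traversed over all k-best walks of all
    targets (assumption: a node visited three times in one walk, like Taos,
    counts three times) and return the m most frequent nodes as sensor sites."""
    counts = Counter(n for paths in walks.values() for p in paths for n in p)
    # rank by frequency, then by name so ties are deterministic
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [n for n, _ in ranked[:m]]
```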
Detecting Privilege Abuse Attacks
• Main Idea
– Evaluate user intent by temporal CAG analysis
• Procedure
– Monitor workflow activity that results in high value
assets being accessible to unauthorized users
– Event sensors – Snort, Dragon, etc. can be used
– Periodic construction and analysis of CAGs at
CAG checkpoints
– Identify paths of low-cost to “jewels” – indicative of
insider attack
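The Min-Hack heuristic (Dijkstra over the CAG) and the CAG-checkpoint procedure, worked as an added Python example that is not part of the slides or of ICMAP: the graph, its costs, the alert threshold and the sensor events are all constructed for the teller/manager scenario, and every name in it is hypothetical.

```python
import heapq
from typing import Dict, List, Tuple

# Hypothetical CAG for the teller/manager scenario. A node is a capability
# (account, host, key, the "jewel"); an edge u -> v with cost c means holding
# u lets the insider acquire v at cost c (0 = already granted). Constructed.
Graph = Dict[str, Dict[str, float]]

def base_cag() -> Graph:
    return {
        "teller": {"teller_host": 0, "personal_db": 1},
        "teller_host": {"manager_host": 3},       # reachable across the LAN
        "manager_host": {"manager_acct": 8},      # needs a working exploit
        "manager_acct": {"pki_session_key": 2},   # manager fetches session key
        "pki_session_key": {"business_db": 1},
        "business_db": {"jewel": 0},
    }

def min_hack(cag: Graph, source: str, target: str) -> Tuple[float, List[str]]:
    """Greedy Min-Hack heuristic: Dijkstra over the CAG returns the cost of
    the cheapest walk from the insider's starting capability to the target."""
    dist: Dict[str, float] = {source: 0.0}
    prev: Dict[str, str] = {}
    heap = [(0.0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                      # stale heap entry
        if u == target:
            break
        for v, c in cag.get(u, {}).items():
            if d + c < dist.get(v, float("inf")):
                dist[v] = d + c
                prev[v] = u
                heapq.heappush(heap, (d + c, v))
    if target not in dist:
        return float("inf"), []
    walk = [target]
    while walk[-1] != source:
        walk.append(prev[walk[-1]])
    return dist[target], walk[::-1]

# Constructed sensor events: (edge tail, edge head, new cost, description).
# Each lowers one edge cost, e.g. an IDS alert on the unpatched manager host.
EVENTS = [
    ("manager_host", "manager_acct", 4, "scan of manager host from teller host"),
    ("manager_host", "manager_acct", 1, "exploit attempt on unpatched service"),
]

def checkpoint_monitor(cag: Graph, events, source: str, target: str, threshold: float):
    """Apply events one at a time, rebuild the CAG at each checkpoint, and
    record (event no., description, cost, walk) whenever the cheapest walk
    to the jewel costs no more than the threshold."""
    alerts = []
    for i, (u, v, new_cost, why) in enumerate(events, 1):
        cag.setdefault(u, {})[v] = min(cag[u].get(v, float("inf")), new_cost)
        cost, walk = min_hack(cag, source, target)
        if cost <= threshold:
            alerts.append((i, why, cost, walk))
    return alerts
```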
Privilege Abuse Detection By CAG Checkpoints
[Figure: Privilege abuse detection by CAG checkpoints. Network Configuration and IDS/Other Sensor Events feed ICMAP; the Event Log (Event 1, Event 2, Event 3, …, Event k, Event k+1) drives the Initial CAG forward to the CAG at Time Tm; Analysis, Attack Detection and Attribution; Feedback/Model Refinement loops back to the model]
Insider Threat Vision – Down the Road
• Security audit in organizations critical
– U.S. Sarbanes-Oxley of 2002
• Companies must pledge that their security mechanisms are adequate
– Notice of Security Breach State Laws
• Majority of states (46) enacted the legislation
• Requires companies and other entities (often, state agencies) that have lost data to
notify affected consumers
• Could serve as a central clearinghouse – a wealth of data
• Situation awareness – prediction of attack progress
• Recovery techniques from breaches, Forensics
• Building secure systems from insecure components (NSF CT
Vision)
• Layered security, Usable security
– Good threat models, access control and audit procedures
• Address the insider threat problem in a domain-specific
manner, e.g., Relational Databases
Q&A
Backup Slides
Insider Attack in Intel. Communities - 1
• Aldrich Ames (Notorious Insider), a former CIA counterintelligence officer and analyst, sold out his colleagues to the Russians for more than $4.6 million, was convicted of spying for the Soviet Union and Russia in 1994
• Robert Hanssen (Notorious Insider), caught selling American secrets to Moscow for $1.4 million in cash and diamonds over a 15-year period, sentenced to life in prison without the possibility of parole in 2002, Photo Courtesy: USA Today
• Have you watched the movie – Breach?
• Try this link: http://www.rottentomatoes.com/m/breach/trailers.php
ICMAP Framework Details
• Network entity rules and Cost rules are predefined, whereas the other two inputs are taken from the organization
• Vulnerabilities tell us the currently known vulnerabilities in services; authentication mechanism is the type of authentication used (e.g., password vs. smartcards)
• Sensitivity analysis is then performed to come up with the best cost function
• Can also do defense-centric analysis to identify the most likely locations for sensor placement
Cost Inference
[Figure: Cost Tree. Branch labels: Remote Vulnerability, Services, System knowledge, Social Engineering, Resource Patch-up Rate, Authn. Mech., Resource Backup. Leaf labels: cleartext, hashed, ignorant empl., public, IA aware, source code, strict policies, keys, records, encrypted, published, never patched, paswd in disk, to be discovered, usr responsible, hash is saved, auto patching, paswd checker, create one, biometric]
Min-Hack (Decision Version) is NP-Complete
• Decision version: Is there an attack whose cost is at
most some given C?
• A reduction from 3-SAT to Min-Hack by constructing
an instance of Min-Hack corresponding to formula 
consisting of clauses of size 3
• Exists an attack of cost  2n iff is satisfiable
• It follows Min-Hack is NP-Hard
Threat Analysis Algorithms
• Optimal solution - Brute-force
• Showed that Min-Hack is NP-hard to approximate within
for any c < ½, where  = 1 – 1 / log logc n
• Heuristic solution – Greedy solution
– Polynomial-time heuristic based on Dijkstra's shortest path
How Does the Heuristic Work?
Insider Threat Modeling
• Privilege escalation by impersonation √
• Priv. escalation by exploiting vulnerabilities √
• Own privilege abuse (we will come back to this
later)
• Social engineering attacks √
• Colluding attacks √
Features and Limitations
• Features
– Implemented in Java
– Can be used by admins to check open vulnerabilities
– Red teams can use the tool to determine attack paths for
testing security properties
– Sensor placement and network hardening
– The tool has inherent forensic properties
• Limitations
– Scalability?
– Many unresolved theoretical issues, including attack
attribution
– Abstraction techniques to cope with large scenarios
Collusion Detected by CAG Evaluation–1
[Figure: CAGs at ATTACK STAGE 1 and ATTACK STAGE 2]
Collusion Detected by CAG Evaluation–2
[Figure: CAG at ATTACK STAGE 3]
• Evaluation of attack path costs takes place at periodic
CAG checkpoints
• Useful both for attack mitigation (based on threshold)
or forensics (based on post-facto CAG reconstruction)
UB’s CAE – CEISARE
• CSE Dept.
– 30 faculty members, world class researchers
– Ranked 21st in the nation in research funding
– 350 UGs and 300 Grad students
• We are designated as a National Center of
Excellence in 2002
– Based on a competitive process
Research & Other Synergistic Activities
• Funding
– Over $7M from NSF, DARPA, NSA/ARDA, AFRL, DoD (since 2002)
– Research, education, infrastructure
• Curriculum
– Cyber security at PhD level
– Advanced Certificate in IA
– IASP scholarships (DoD and NSF)
• Workshops
– SKM 2004, SKM 2006, SKM 2008, SKM 2010, SKM 2012
– Local Joint IA Awareness Workshops with FBI, Local colleges, industries, 2006,
2008, 2010
• Outreach Activities
– High school workshops, since 2008
– Minority training
• http://www.cse.buffalo.edu/caeiae/