
Insider Threat – Analysis and Countermeasures

Shambhu Upadhyaya
Department of Computer Science and Engineering
SUNY at Buffalo

DIMACS Workshop
February 6, 2014


Outline

• Introduction
  – Problem Identification and Investigations
• The challenges of Insider threat
  – Procedural
  – Technical
• A new threat assessment methodology and a tool
  – Research prototype
• Detecting privilege abuse attacks
• State of research down the road


Insider Attack in Financial Institutions

• A major bank in New York incurred a loss of $2.5 million
  – Involved a home equity line of credit (HELOC) wire transfer fraud – by social engineering TBC staff
• A trader based in the stock trading unit initiated thousands of transactions without customer permission in order to drive up his commissions
  – Resulted in $650 million losses – greed and privilege abuse
• An insider ran HR database queries in an attempt to find out how much everyone in the IT department was making, all the way up to the CTO
  – Snooping – no need to know, data harvesting attack
• Indicators in the three cases: 1st – abnormal activity, 2nd – abnormal volume of data movement, 3rd – abuse of privilege


Insider Attack in Intel. Communities

• NSA contractor Edward Snowden (June 2013)

• Leaked classified info on NSA’s PRISM project

• Privileged user, but no need to know this info.

• Detection failed due to lack of enforcement of monitoring tools


The Insider – Who are They?

• Who is an insider?
  – Those who work for the target organization or those having relationships with the firm with some level of access
  – Employees, contractors, business partners, customers, etc.
• Recent CSI/FBI Survey key findings (2010)
  – Insider attacks have now surpassed viruses as the most common cause of security incidents in the enterprise
  – 25% of respondents felt that over 40% of their financial losses were due to malicious actions by insiders
• Identity Theft Resource Center findings (2011)
  – Data breach due to insider theft – 13% (other causes – card-skimming, data lost on the move, etc.)
• U.S. Secret Service/CERT/Microsoft E-Crime report (2010)
  – 67% of the respondents reported that insider attacks are the most costly and damaging type of attacks


Major Fact-Finding Studies

• NSA/ARDA workshop in March 2004 (RAND Report, 2004)
  – Robert Hanssen, Aldrich Ames case studies
  – Developed some basic models based on these case studies
• U.S. Secret Service, CMU CERT/Microsoft eCrime Watch Survey (2005)
  – Illicit Cyber Activity in the Banking and Finance Sector (Aug. 2004)
  – Computer System Sabotage in Critical Infrastructure Sectors (May 2005)
• CMU CyLab Study (2012)
  – The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to IT Crimes (Theft, Sabotage, Fraud), Addison-Wesley, 2012 (http://www.informit.com/store/product.aspx?isbn=9780321812575)
• DARPA SRS (2004) and CINDER (2010) programs
• ACM CCS Workshop, 2010, MIST Workshops, 2009-13, SEI Training on demand



Procedural Solutions Challenges

• Examples of procedural solutions
  – Prevention by
    • Pre-hire screening of employees
    • Training and education
  – Establish good audit procedures
  – Disable access at appropriate times
  – Develop best practices for the prevention and detection
    • Separation of duties and least privilege
    • Strict password and account management policies
• Policy-based solutions are hard to enforce
  – They involve the human factors
  – Human is the weakest link in security


Technical Solutions Challenges

• A known problem since the 1980s, still no good solution
• Getting good data to arrive at some consensus on the definition
• Existing tools such as firewall, IDS, anti-virus not effective
• State space explosion, NP-Hard problems
• Problem inherently complex – insiders are trusted – ethical, legal issues
• Low and slow, stealthy attacks – stretched over long periods – hard to detect by anomaly detectors


Recent Progress on Technical Front

• Insider threat detection tools exist in the market
  – Tools can help answer the following questions
    • How secure is the existing setup?
    • Which points are most vulnerable?
    • What are likely attack strategies?
    • Where must security systems be placed?
• Challenges
  – What you cannot model and detect
    • Non-cyber events – disclosures, memory dumps, etc.
• What could help?
  – Audit, video recording may help
  – Example: ObserveIT (http://www.observeit-sys.com/)


Examples of Insider Threat Mitigation Tools

• Skybox View (generic tool) http://www.skyboxsecurity.com/
  – Threat modeling and risk analysis tool
  – Uses dictionary-based vulnerability scanning
• Sureview from Oakley Networks http://www.raytheon.com/
  – Now it is Raytheon Oakley tool (since 2007)
  – Endpoint monitoring for transmission of sensitive data
• iGuard from Reconnex http://www.mcafee.com/us/
  – Now it is McAfee Reconnex iGuard Monitor (since 2008)
  – A rule-based system to monitor information leak
• Content Alarm from Tablus http://www.rsa.com
  – Now it is RSA Tablus Content Alarm (since 2007)
  – Policy violation based system
• Vontu from Vontu, Inc. http://www.symantec.com
  – Now it is Symantec Vontu Network Discover (since 2007)
• All these have made market penetration ($20K – $100K)



ICMAP (Info-Centric Modeler and Auditor)

• At University at Buffalo
  – Information-centric modeling concept
  – A Capability Acquisition Graph (CAG) generation for insider threat assessment
  – Part of a DARPA initiative
  – Ideas published in ACSAC 2004, IEEE DSN 2005, JCO 2005, IEEE ICC 2006, IFIP 11.9 Digital Forensics Conference 2007, Springer 2010, RAID 2010
  – DOE SBIR (technology transfer in 2010-11)


Types of Insider Threat

• Privilege escalation by impersonation

• Privilege escalation by exploiting vulnerabilities

• Own privilege abuse

• Social engineering attacks

• Colluding attacks


Basic CAG Model

Focus on an insider's view of an organization such as Hosts, Reachability, and Access Control


ICMAP Overview

[Figure: inputs – network entity rules, cost rules, network topology, vulnerabilities, authentication mechanism, social engineering awareness – feed the ICMAP engine, which produces the capability acquisition graph; a feedback loop performs sensitivity analysis, and a defense-centric approach is applied to the result]


A Financial Institution Example

• Scenario
  – Every teller performs sundry personal accounting tasks
  – Manager endorses large transactions and also performs business transactions
  – The two databases are separated
  – All transactions to the DB are encrypted
  – Teller to personal accounts DB uses lower strength encryption
  – Business transactions require the manager to refer to a PKI server and get a session key
  – Both DBs are protected behind a firewall
• Attack
  – Teller knows the manager doesn’t apply security patches regularly
  – Rogue teller exploits some vulnerability to compromise manager’s account


Modeling the Attack (Physical Graph)


A Simple Example: Physical to Logical Conversion

[Figure: physical topology with the entities user, root, sshd, ftpd, x-user and firewall; the logical view begins with the nodes user, root and ssh_allowed]


Physical to Logical Conversion…

[Figure: logical graph with nodes sshd, ftpd, user, root, firewall host, x-user, ssh-vuln, ftp-vuln and fw-root; edges are labelled with the capabilities needed to traverse them (ssh_key, fw_pd, fw_key, ftp_key, exec_key, user_pd, root_pd, and the conjunctions user_pd && fw_key and root_pd && fw_key) and with their costs, which are all shown as 0 in this example]


Practical Considerations

• How is a model instance generated?
  – Define the scope of the threat
  – A step-by-step bottom up approach starting with potential targets
• Who constructs the model instance?
  – A knowledgeable security analyst
• How are costs defined?
  – Cryptographic access control mechanisms have well-defined costs
  – Use attack templates, vulnerability reports, attacker’s privilege and the resources that need to be protected
  – Low, Medium and High – relative cost assignment


Threat Analysis Illustration

• Interesting attack strategy – minimize attack cost
• This problem is called Min-Hack


Illustration on Telcordia Testbed


Telcordia Network – Physical


Telcordia Network – Logical


Scenario: Exploiting a Vulnerability (CAG)

• Source is the “red-team” account on Ooty
• Target is the “taos-jewel” on Taos
• Access control – only root on Taos has access to the jewel
• The attack sequence is:
  (i) rd_ooty logs into Taos
  (ii) rd_taos exploits the ssh vulnerability in Taos to become root_taos
  (iii) Using root_taos the insider can access the jewel


Scenario: Exploiting a Vulnerability (CAG)


Sensor Placement Recommendation

• Recommend sensor placement for multiple target nodes:
  – The heuristic algorithm outputs k-best (in this example k=3) walks for each target
  – From these walks the m most frequently occurring nodes are selected as the likely locations for sensor placement
• The next figure shows 3 walks for the target Taos_jewel and 1 walk for the target Beijing jewel
• The most frequently occurring nodes are underlined and then also printed in the sensor placement nodes section


Sensor Placement Recommendation

Target: Taos_jewel
Walk: 1 : rd_ooty => Ooty => Civil Affairs Network => MS Router => Logistics Network => rd_crete => Crete => SSHV.1 => Crete => rd_crete => Logistics Network => MS Router => Security Network => rd_taos => Taos => root_taos => Taos => Taos_jewel
Cost: 0.0
Walk: 2 : rd_shimla => Shimla => Civil Affairs Network => MS Router => Security Network => rd_taos => Taos => SSHV.1 => Taos => root_taos => Taos => Taos_jewel
Cost: 0.0
Walk: 3 : rd_ooty => Ooty => Civil Affairs Network => MS Router => Security Network => rd_taos => Taos => SSHV.1 => Taos => root_taos => Taos => Taos_jewel
Cost: 0.0
Target: Beijing_jewel
Walk: 1 : rd_ooty => Ooty => Civil Affairs Network => MS Router => Procurement Network => rd_hk => HongKong => ApacheV.1 => HongKong => root_hk => HongKong => ApacheV.1 => HongKong => rd_hk => Procurement Network => root_beijing => stan_beijing => root_beijing => Beijing => Beijing_jewel
Cost: 0.0
…. (other walks)

Source: rd_ooty, rd_shimla
Target: taos_jewel, beijing_jewel

Sensor Placement Nodes: HongKong, Procurement Network, Taos, MS Router, rd_hk, root_beijing, ApacheV.1, Civil Affairs Network, rd_ooty, Ooty



Detecting Privilege Abuse Attacks

• Main Idea
  – Evaluate user intent by temporal CAG analysis
• Procedure
  – Monitor workflow activity that results in high value assets being accessible to unauthorized users
  – Event sensors – Snort, Dragon, etc. can be used
  – Periodic construction and analysis of CAGs at CAG checkpoints
  – Identify paths of low-cost to “jewels” – indicative of insider attack
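As an added example (not code from the presentation or from the ICMAP tool), the following Python model ties together the CAG analysis of the Min-Hack, sensor placement and CAG checkpoint slides: a Dijkstra-based greedy heuristic for the cheapest walk to a jewel, sensor placement from the most frequent intermediate nodes on those walks, and a checkpoint that re-costs the path to a jewel after sensor events lower edge costs. The graph, its costs, the threshold and the events are all constructed here, and the placement step uses one cheapest walk per source rather than the tool's k-best walks per target.

```python
import heapq
from collections import Counter

# Constructed, simplified CAG loosely following the Telcordia walks in the
# slides. Nodes are capabilities (accounts, hosts, networks, a vulnerability,
# a jewel); an edge weight is the relative cost of acquiring the target
# capability once the source is held (0 = free, e.g. an existing login).
CAG = {
    "rd_ooty": {"Ooty": 0}, "rd_shimla": {"Shimla": 0},
    "Ooty": {"Civil Affairs Network": 0}, "Shimla": {"Civil Affairs Network": 0},
    "Civil Affairs Network": {"MS Router": 0},
    "MS Router": {"Security Network": 0, "Procurement Network": 0},
    "Security Network": {"rd_taos": 1}, "rd_taos": {"Taos": 0},
    "Taos": {"SSHV.1": 3, "root_taos": 9},  # exploit cheaper than root's credential
    "SSHV.1": {"root_taos": 1}, "root_taos": {"Taos_jewel": 0},
    "Procurement Network": {"rd_hk": 1}, "rd_hk": {"HongKong": 0},
    "HongKong": {"ApacheV.1": 4}, "ApacheV.1": {"root_hk": 1},
    "root_hk": {"root_beijing": 2}, "root_beijing": {"Beijing_jewel": 0},
}

def cheapest_walk(cag, source, target):
    """Greedy Min-Hack heuristic: Dijkstra to the jewel; (cost, walk) or (inf, [])."""
    dist, prev, heap = {source: 0}, {}, [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == target:
            break
        for v, w in cag.get(u, {}).items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if target not in dist:
        return float("inf"), []
    walk = [target]
    while walk[-1] != source:
        walk.append(prev[walk[-1]])
    return dist[target], walk[::-1]

def sensor_placement(cag, sources, targets, m):
    """Defense-centric analysis: one cheapest walk per (source, target) pair,
    then the m intermediate nodes that occur most often (chokepoints to watch)."""
    counts = Counter()
    for t in targets:
        for s in sources:
            counts.update(cheapest_walk(cag, s, t)[1][1:-1])
    return [n for n, _ in counts.most_common(m)]

def with_events(cag, events):
    """CAG checkpoint input: edges an IDS/other sensor has seen exercised
    (a login, an exploit attempt) now cost 0. Returns a new graph."""
    cag = {u: dict(adj) for u, adj in cag.items()}
    for u, v in events:
        cag.setdefault(u, {})[v] = 0
    return cag

def checkpoint(cag, source, target, threshold):
    """Temporal CAG analysis: a path to a jewel at or below threshold is flagged."""
    cost, walk = cheapest_walk(cag, source, target)
    return cost <= threshold, cost, walk
```

Run `checkpoint(CAG, "rd_ooty", "Taos_jewel", 2)` before and after `with_events(CAG, [("Security Network", "rd_taos"), ("Taos", "SSHV.1")])` to see the cost to the jewel fall from 5 to 1 and the alert flip.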


Privilege Abuse Detection By CAG Checkpoints

[Figure: the network configuration and IDS/other sensor events (Event 1, Event 2, Event 3, …, Event k, Event k+1) feed the ICMAP event log; ICMAP builds the initial CAG and, at each checkpoint, the CAG at time Tm; these go to analysis, attack detection and attribution, with a feedback/model refinement loop back into ICMAP]



Insider Threat Vision – Down the Road

• Security audit in organizations critical
  – U.S. Sarbanes-Oxley of 2002
    • Companies must pledge that their security mechanisms are adequate
  – Notice of Security Breach State Laws
    • Majority of states (46) enacted the legislation
    • Requires companies and other entities (often, state agencies) that have lost data to notify affected consumers
    • Could serve as a central clearinghouse – a wealth of data
• Situation awareness – prediction of attack progress
• Recovery techniques from breaches, Forensics
• Building secure systems from insecure components (NSF CT Vision)
• Layered security, Usable security
  – Good threat models, access control and audit procedures
• Address the insider threat problem in a domain-specific manner, e.g., Relational Databases


Q&A


Backup Slides


Insider Attack in Intel. Communities - 1

• Aldrich Ames (notorious insider), a former CIA counterintelligence officer and analyst, sold out his colleagues to the Russians for more than $4.6 million; convicted of spying for the Soviet Union and Russia in 1994
• Robert Hanssen (notorious insider), caught selling American secrets to Moscow for $1.4 million in cash and diamonds over a 15-year period; sentenced in 2002 to life in prison without the possibility of parole (Photo courtesy: USA Today)
• Have you watched the movie – Breach?
• Try this link: http://www.rottentomatoes.com/m/breach/trailers.php


ICMAP Framework Details

• Network entity rules and Cost rules are pre-defined, whereas the other two inputs are taken from the organization
• Vulnerabilities tell us the currently known vulnerabilities in services; authentication mechanism is the type of authentication used (e.g., password vs. smartcards)
• Sensitivity analysis is then performed to come up with the best cost function
• Can also do defense-centric analysis to identify the most likely locations for sensor placement


Cost Inference

[Figure: cost tree – each branch lists the attribute values that feed the cost inference]

• Remote Services: cleartext, hashed, encrypted
• Vulnerability knowledge: published, to be discovered, create one
• Social Engineering: ignorant empl., IA aware, strict policies
• System Patch-up Rate: never patched, usr responsible, auto patching
• Resource Backup: public, source code, keys, records
• Resource Authn. Mech.: paswd in disk, hash is saved, paswd checker, biometric


Min-Hack (Decision Version) is NP-Complete

• Decision version: Is there an attack whose cost is at most some given C?
• A reduction from 3-SAT to Min-Hack by constructing an instance of Min-Hack corresponding to a formula consisting of clauses of size 3
• There exists an attack of cost 2n iff the formula is satisfiable
• It follows that Min-Hack is NP-Hard


Threat Analysis Algorithms

• Optimal solution – Brute-force
• Showed that Min-Hack is NP-hard to approximate within a factor of 1 – 1 / log log^c n for any c < ½
• Heuristic solution – Greedy solution
  – Polynomial-time heuristic based on Dijkstra's shortest path


How Does the Heuristic Work?


Insider Threat Modeling

• Privilege escalation by impersonation √

• Priv. escalation by exploiting vulnerabilities √

• Own privilege abuse (we will come back to this later)

• Social engineering attacks √

• Colluding attacks √


Features and Limitations

• Features
  – Implemented in Java
  – Can be used by admins to check open vulnerabilities
  – Red teams can use the tool to determine attack paths for testing security properties
  – Sensor placement and network hardening
  – The tool has inherent forensic properties
• Limitations
  – Scalability?
  – Many unresolved theoretical issues, including attack attribution
  – Abstraction techniques to cope with large scenarios


Collusion Detected by CAG Evaluation–1

ATTACK STAGE 1

ATTACK STAGE 2


Collusion Detected by CAG Evaluation–2

ATTACK STAGE 3

• Evaluation of attack path costs takes place at periodic CAG checkpoints

• Useful both for attack mitigation (based on threshold) or forensics (based on post-facto CAG reconstruction)


UB’s CAE – CEISARE

• CSE Dept.
  – 30 faculty members, world class researchers
  – Ranked 21st in the nation in research funding
  – 350 UGs and 300 Grad students
• Designated a National Center of Excellence in 2002
  – Based on a competitive process


Research & Other Synergistic Activities

• Funding
  – Over $7M from NSF, DARPA, NSA/ARDA, AFRL, DoD (since 2002)
  – Research, education, infrastructure
• Curriculum
  – Cyber security at PhD level
  – Advanced Certificate in IA
  – IASP scholarships (DoD and NSF)
• Workshops
  – SKM 2004, SKM 2006, SKM 2008, SKM 2010, SKM 2012
  – Local Joint IA Awareness Workshops with FBI, Local colleges, industries, 2006, 2008, 2010
• Outreach Activities
  – High school workshops, since 2008
  – Minority training
• http://www.cse.buffalo.edu/caeiae/