Information Security Technical Report 13 (2008) 225–234
Available at www.sciencedirect.com
www.compseconline.com/publications/prodinf.htm
Practical management of malicious insider threat – An enterprise CSIRT perspective

Terrence Walker
Information Security Group, Royal Holloway, United Kingdom

Abstract

Communication and Information Systems (CIS) now form the primary information store, exchange and data analysis for all modern military and are crucial to command and control. The ubiquitousness of CIS within the military not only means that there is a complete reliance on CIS, but also presents new avenues of attack by malicious insiders. Military sources say that the insider threat is their number one security concern. This paper presents a case study of the technical counter measures and processes used to deter, detect and mitigate malicious insider threats that the author has researched, using non-classified anonymous interview and the analysis of anonymised qualitative field data, within a specific military organisation. It is not the intention of the author that this paper be viewed as an analysis of the "current state of play" of threats and countermeasures that generically exist across all military and defence organisations – rather it presents the technological and organisational processes utilised and challenges encountered at one organisation. A short discussion of the Computer Security Incident Response Team (CSIRT) structure adopted to successfully manage insider and other CIS security threats is presented, followed by a more detailed overview of existing and emerging technical efforts to deter, detect and mitigate such malicious insider threats within the military environment under study. Emphasis will be on the emerging technologies such as anomaly detection using real-time e-discovery, enterprise forensics and profiling users' "cyber" behaviour and how these integrate into CSIRT technologies and processes. The technical advantages and challenges that such technologies present within a military alliance will be discussed. The success of such technologies in combating the current malicious insider threat environment will be briefly compared with those put forward as challenges in the "Research on mitigating the insider threat to information systems #2" workgroup which took place in 2000 (Anderson et al., 2000). In closing the author introduces the concept of Stateful Object Use Consequence Analysis as a way of managing the insider threat.

© 2008 Elsevier Ltd. All rights reserved.

1. Introduction – the insider problem
Communication and Information Systems (CIS) now form the primary information store, exchange and data analysis for all modern military organisations and are crucial to effective operational command and control. The ubiquitousness of CIS within the military not only means that there is a complete reliance on CIS, but also presents new avenues of attack by malicious insiders. Whilst the number of published insider threat incidents has decreased, this category of incident is only second in number and financial cost to [external] hacking incidents (Maybury, 2006). However, it should be kept in mind that published statistics may be skewed, as it is likely that many discovered insider incidents go unreported. It is reported by IBM that 80% of insider threats are committed by the most technical and privileged users, with 50% of those events being committed accidentally (Gerber, 2008). However, the author puts forward the view that the ubiquitousness of today's CIS in military environments and disappearing network boundaries mean that it is easier for non-privileged users to access sensitive command and control information on a regular basis. This presents a challenge for the prevention, detection and mitigation of malicious insiders, as out-of-the-box detection applications often focus on privileged users and cater for the monitoring, audit and analysis of boundary access, mainstream and financial applications and devices, and not for normal authorised access committed with malicious intent. Field observations by the author support the research by Maybury (Maybury, 2006; Maybury et al., 2005) that successful detection of the malicious insider often involves the correlation of multiple diverse events and analysis by incident handlers with niche domain knowledge. This paper describes the core components used successfully to meet the most basic of malicious insider management requirements.

1363-4127/$ – see front matter © 2008 Elsevier Ltd. All rights reserved. doi:10.1016/j.istr.2008.10.013
1.1. Definitions

In a military sense, the organisation under study defines an insider as someone who has a defined level of authorised access to a defined set of information assets and/or services (physical and logical). This definition is important as it allows the determination of what an individual is authorised to do. Given the military focus of this paper, the author's definition of a malicious insider is: "A current or former human or non-human actor who intentionally exceeded or misused an authorised level of access to CIS, networks, systems, services, resources or data in a manner that targeted a specific human or non-human actor or who affected the confidentiality, integrity or availability of the nation's data, systems and/or daily operations." Whilst this is a modification of the CERT definition of a malicious insider (Cappelli et al., 2006), importantly it adds non-human actors – a characteristic the author believes needs to be incorporated into a practical definition of a malicious insider. This suggests that an existing system or application can be considered a malicious insider within a multi-national and/or geographically dispersed environment. Although malicious insider human actors would be involved at some point in the attack, the malicious insider application supplied by hostile nations, installed on multinational networks and sharing multinational data is also a threat. In such cases the author suggests that the malicious, but trusted, application or system commits the incident.
2. Approach

This paper presents a case study of the malicious insider threats and the evolution of technical counter measures and processes used to deter, detect and mitigate such threats that the author has researched, via non-classified anonymous interview and the analysis of anonymised qualitative field data, within a specific military organisation. It is not the intention of the author that this paper be viewed as an analysis of the "current state of play" of threats and countermeasures that generically exist across all military and defence organisations – rather it presents the technological and organisational processes utilised and the challenges to these processes encountered at one organisation when responding to the insider threat. A short discussion of the Computer Security Incident Response Team (CSIRT) structure adopted to successfully manage insider and other CIS security threats is given and is followed by a more detailed overview of existing and emerging technical efforts to deter, detect and mitigate such malicious insider threats within the military environment under study. Emphasis will be on the emerging technologies such as anomaly detection using real-time e-discovery, enterprise forensics and profiling users' "cyber" behaviour and how these integrate into CSIRT technologies and processes. The technical advantages and challenges that such technologies present within a military alliance will be discussed. The success of such technologies in combating the current malicious insider threat environment will be briefly compared with those put forward as challenges in the "Research on mitigating the insider threat to information systems #2" workgroup which took place in 2000 (Anderson et al., 2000). Finally the challenges ahead will be discussed.
2.1. CSIRT structure

In order to function correctly and meet objectives, any technological security solution requires extensive ongoing organisational and managerial support. This is in the form of governance, policy, process, communication, management and financing – a lot of financing. Such a structure needs careful definition and needs to be implemented and functioning prior to the selection and implementation of any technical enterprise solution. The policy and procedures execute the required risk analysis, which results in the security services and mechanisms required for mitigation. The structure defined for the CSIRT that has thus far been successful within the organisation under study is a three tier one, such as that shown in Fig. 1. Tier One incorporates the CSIRT Coordination Centre and is responsible for organisational decision and policy processes, principles, and intra- and extra-organisational communications (external agencies, security forums, Law Enforcement Agencies and other CSIRTs). Tier Two is the technical heart of the CSIRT and forms the technical support centre, implementing all the typical CSIRT functions (Killcrece et al., 2003) with the primary aim of performing incident prevention, detection, response, recovery and reporting activities. Additionally, it also provides technical security support and assistance to localised CIS operating authorities within Tier Three. Tier Two is responsible for the architectural design, implementation and operation of security services and mechanisms to meet the higher (Tier One) policy and secure operating principles outlined below. Such security services and mechanisms are deployed deep into the CIS throughout Tier Three locations. It is within these security services and mechanisms that malicious insider prevention, detection and mitigation technologies are coupled with organisational methodologies, deployed and utilised. Tier Three of the structure is the local CIS sites and associated CIS and information security staff. Their primary responsibilities, in respect of Tier Two, are to perform intrusion detection and to report suspected and detected events, incidents and vulnerabilities. The security objectives in the CIS lifecycle relevant to managing insider threat within the military organisation under study (including commercial service providers) are defined within security policy at Tier One and as a minimum include: I. Confidentiality; II. Integrity; and, III. Availability. Such policy then produces the overarching CIS security principles that allow the organisation to meet the objectives of confidentiality, integrity and availability. Again, relevant to the organisation under study, are the following security principles:
I. Overarching Security Risk Management;
II. Minimalism;
III. Principle of Least Privilege;
IV. Self Protecting Nodes;
V. Defence in Depth;
VI. Security Implementation; and
VII. Verification of Security Services.
The structure used to achieve and maintain this is a three tier structure as shown in Fig. 1.

Fig. 1 – The distributed three Tier CSIRT functional structure.
2.2. Types of malicious insider crime

Military and defence organisations (including commercial vendors) are subject to a variety of security threats. Such threats to CIS security aim to compromise the confidentiality, integrity and availability of CIS and associated data. This paper categorises insider threats into two general types: I. Malicious (i.e. intentional and adversarial in nature) and II. Non-malicious (i.e. accidental and non-adversarial) incidents, which are not in the scope of this paper. There are a multitude of insider crime types that may occur within a military environment including: espionage; sabotage; terrorism; misuse of classified data; unauthorised access; and communications interception (Maybury, 2006; Maybury et al., 2005). Malicious insider activities are undertaken by individuals, groups, organisations and nations with the intent, motivation, capabilities, and resources to exploit the vulnerabilities of CIS and associated data in an attempt to further their objectives. The management of malicious insiders and their associated events and incidents is complex and requires the analysis of information that is heterogeneous in nature, difficult to source and almost impossible to process technologically or organisationally. In order to evaluate malicious insiders, the following information is needed: capability, motivation, intention, and willingness to risk detection during information collection. Such event information and characteristics cannot be obtained from CIS events and logs – yet they are crucial for successful insider detection. Additionally, threats are time and situation dependent and generally increase between peacetime and times of conflict. Malicious insiders that deliberately target military and defence CIS can be categorised as belonging to the following five groups:
I. Terrorists;
II. Hackers;
III. Targeting by foreign nations;
IV. Criminals; and
V. Other adversaries.
Importantly, malicious insiders can be associated with all categories, and as such the motivation of a malicious insider can be multi-faceted. Although the number of individuals within military and defence organisations that might potentially attack CIS is generally considered to be extremely low, the potential impact caused by an attack from this source could be life-threateningly catastrophic (Anderson et al., 2000; Brackney and Anderson, 2004; Maybury et al., 2005).
2.2.1. Malicious insiders' motivation

The malicious insider's motivation comes from personal gain, revenge, ideology or all of the above (Anderson et al., 2000; Brackney and Anderson, 2004). Malicious insiders may have been recruited by foreign intelligence services that, in turn, financially reward them for their treason. Others may be disgruntled employees who seek revenge against the nation, commercial, military or defence organisation. Still others, as shown by more recent events, may have ideological differences with the commercial, military or defence home nation and seek to undermine its military mission and command and control objectives. For example, recent press reports indicate that both Estonian and Georgian CIS came under targeted external cyber attacks (see: http://news.bbc.co.uk/2/hi/europe/6665145.stm, http://news.bbc.co.uk/2/hi/europe/7401260.stm and http://news.bbc.co.uk/2/hi/europe/7559850.stm). In such scenarios, if specific internal CIS asset information were leaked by a malicious insider it could conceivably make targeting by malicious outsiders easier and service takedown more effective and sustained. In addition, accidental incidents committed by non-malicious insiders can be capitalised upon by astute malicious insiders "in the know".
2.2.2. Access to CIS assets and resources

The malicious insider does not necessarily need significant resources or privileged system access to inflict significant damage on military or defence CIS and undermine operational [command and control] objectives. Even the most physically or logically isolated military networks have to extend enough trust to users for them to perform the duties they are assigned. Therefore, some degree of access is usually available for exploitation by a malicious insider. Note that such isolation and compartmentalisation of CIS is increasingly disappearing – even in military networks. Whilst skilled malicious insiders may possess the ability to defeat many of the security prevention and detection mechanisms in place, such skills are no longer a prerequisite. Malicious insiders do not need to penetrate a system by defeating boundary security services. Rather, they are given access to the total or a defined portion of the various CIS systems, which is akin to giving someone the keys to the kingdom (or at least part thereof). Additionally, effective CIS exploitation and evasion techniques are now easily available, automated and can be utilised by the skilled or unskilled insider. The release of free virtualisation platforms allows them to hone their skills away from their workplace with little fear of detection. For these reasons, insiders do not require sophisticated CIS knowledge or attack skills. Indeed, the author suggests that due to such factors the percentage of malicious insider attacks committed by non-privileged users is likely to increase.
2.3. The impact

Military sources put forward that malicious insiders pose the greatest threat to CIS, since insiders are authorised users who may perform authorised or unauthorised activities with the intent to damage or steal sensitive military or defence information (Shaw et al., 2000). Insider attacks are particularly difficult to prepare for, detect and defend against, as the modus operandi, motivation, resources, skill and psychology vary from perpetrator to perpetrator. Within the military organisation under study there are a significant number of CIS assets storing, processing or transmitting large volumes of, often sensitive, information. Such CIS assets range from portable computing devices, workstations and Local Area Networks (LANs) to large and complex Wide Area Networks (WANs), and are obvious targets for intelligence gathering operations. If inadequately secured they can enable significant amounts of sensitive data to be obtained quickly and often covertly; information to be modified such that it loses its correct operational meaning; and supporting system services and resources to be disrupted or made unavailable (denial of service) such that command and control operations and objectives are undermined. Any such operation carried out by enemy intelligence services targeting military or defence CIS is likely to be well planned and executed, and the results can be devastating, while the root cause goes undetected. Whilst the commercial impact of malicious insiders on the confidentiality, integrity and availability of sensitive information can be devastating, within a military and defence environment it can, and has, led to the death of personnel (Maybury et al., 2005). Additionally, analysis of espionage cases by Maybury and others (Maybury et al., 2005) has shown this led to severe breaches of confidentiality, loss of the integrity of information intelligence, disclosure of sources (moles and spies) and death of agents.
Critically, and relevant to emerging detection technologies, the post incident analysis demonstrated that in all cases the malicious insider had left digital forensic evidence while performing data access, extraction and communication (Maybury et al., 2005). One has to ask, had the security applications of today been available, would such evidence have been detected and correlated, and investigators alerted, sooner? Insider threats and crimes are now becoming harder to detect and control due to the integration of CIS and the collaboration between commercial and military organisations. Because of the complexity of CIS there is a need for military, national and commercial organisations and contractors to reach far into the depths of the military organisation. In effect, boundaries are disappearing as firewalls become a Swiss cheese of service access holes through border protection devices. This creates a critical CIS dependency and impacts the ability to develop effective and timely CSIRT security processes, services and mechanisms for the prevention, detection and mitigation of malicious insider threat. Thus, the malicious insider could cause considerable operational impact by taking down a critical time sensitive service using their normal authorised system access. Although beyond the scope of this paper, the same conclusion applies to military vendors and infrastructure service providers.

Fig. 2 – Incident management technology timeline.
3. Managing the insider threat

3.1. Prevention, detection and mitigation in the enterprise

The prevention, detection and mitigation of malicious insider activities within the organisation under study utilises both technical and organisational methodologies. However, at the highest level the internal approach is the same:
I. Detection. Identifying that you are under attack;
II. Localisation. Determining where the attack is coming from;
III. Identification. Determining who the attacker is and where they are working from;
IV. Assessment. Understanding the attacker, their purpose, strategy, tactics, capabilities, and vulnerabilities, and identifying what information has been compromised.

3.1.1. Organisational methods

The more traditional organisational methods are utilised by the organisation under study to prevent, detect and mitigate malicious insiders. These include: Security Vetting; Security Awareness Training; User Reporting; Rotation; Need to know; Posters; Social Engineering; Random Inspection of Users and Work Areas; and User Profiling. The results of such organisational based methods may be input into computer based analysis applications, but all too often such applications are standalone, may miss other crucial alert events, and rarely make it into enterprise security management systems. This is symptomatic of the current technical limitations associated with the integration and analysis of complex heterogeneous data.

3.1.2. Technical methods

There are now a variety of security technologies that can be utilised to prevent, detect and mitigate insider threat. The author has identified that in the organisation that forms the case study for this article such technologies can be grouped into three generations that represent the past (first), present (second) and emerging (third) technologies utilised by the CSIRT, as shown in Fig. 2. The more traditional technology based mechanisms are listed in Table 1. Although First Generation technologies, such as device access controls and firewalls, still form the foundations of security, they were aimed at prevention and did little for automated enterprise detection and mitigation, and did little to assist with insider detection. The implementation of Second Generation technologies such as early information security management systems, forensics, intrusion detection systems (IDS), intrusion prevention systems (IPS) and data gateway inspection at the application layer greatly enhanced detection capabilities but still did little for mitigation (see Table 1). In particular, early information security management systems were found in practice to be expensive and complicated within the enterprise, and failed to deliver. With the emergence of Third Generation technologies the organisation is well on the way to meeting the needs of prevention, detection and mitigation of insider threat, albeit at extreme cost in terms of technology and resourcing. However, the majority of the technologies still only flag possible incidents when CIS events are interpreted as unusual activity. The problem is that it is possible for a user to extract sensitive information without violating CIS security rules: that is, by using their assigned and authorised CIS privileges, but using them with malicious intent. This is the technological challenge, and it is being addressed by the incorporation of bespoke application event and log analysis, digital behavioural baselining and visualisation, such as mentioned by Marty (Marty, 2009), into the CSIRT. Whilst the last two examples are emerging technologies that promise great rewards, they are the most complex and difficult to implement realistically in order to obtain usable results.
3.1.3. Technical and organisational insider threat triggers: e-discovery

In this case study it was observed that there are millions of heterogeneous events that the various technical CSIRT components detect and then attempt to determine, via automated and manual methods, whether they are malicious. Obviously there is a need to filter out the false positives, which form the bulk of the detected events. The CIS activities that in the case study most often result in an event trigger are those defined in Army Regulation 25-2 Information Assurance (Army Regulation, 2003) and are listed in Table 2. Analysis of the event triggers allows for the identification of malicious insider activity indicators such as those identified by NIST's best practice (NIST, 2000), which are listed in Table 3. The emergence and implementation of what the author terms "Third Generation Technologies" that can be used to manage insider threat is allowing the organisation to undertake real-time or near real-time processing of events occurring on or against assets within the CIS managed by the CSIRT, and is becoming known as e-Discovery. The aim is to manage [data mine] unstructured and diverse information repositories (Nicolett et al., 2006) such that you identify, collect, preserve, process and review trigger event instances against asset objects and object use rules. An example of a third generation technology is one that actively scans the network to collect all data related to network topology, address space and device fingerprinting. This gives an internal enterprise view of the CIS and allows for the identification of information leakage via misconfigured or unauthorised assets. This is not new in itself, but linking it to object use and organisational rules is a new departure. Another third generation example is enterprise e-Forensic technologies. First and second generation forensic tools, although powerful, catered more for single post incident investigation. They were missing the functionality and, more importantly, the scalability required for distributed enterprise e-forensics. The third generation tools have now largely resolved these problems and integrate into enterprise CSIRT applications, allowing the correlation of forensic discovery information with other events that are under investigation across the enterprise – in near real-time. However, challenges remain in terms of reliability across the enterprise.
Table 1 – Primary technology capability. Columns: Detection technology; Preventative; Detective; Mitigation. Technologies assessed: Usable IT Services (so that people don't need to break policy); Cyber Security Surveys and Audit; Strong Configuration Control; Penetration Testing (internal and external); Security Architecture (from the start); End Point Security; Full Disk Encryption; Electronic Device Detection; Mandatory Access Control; Air-gapped networks of different classifications; Compliance checking (audit), e.g. MS Spider; NAC; SIM.

Table 2 – Event triggers fed into correlation system (adapted from Army Regulation 25-2). Detected event triggers:
Known or suspected intrusion or access by an unauthorised individual.
Authorised user attempting to circumvent security procedures or elevate access privileges.
Unexplained modifications of files, software, or programs.
Unexplained or erratic system responses.
Presence of suspicious files, shortcuts, or programs.
Malware infection (for example, virus, worm, Trojan).
Receipt of suspicious e-mail attachments, files, or links.
Spillage incidents (for example, processing or storage of information classified at a higher level than the system the file resides on, or the transmission or attempted transmission of classified information across the public Internet).
Violations of published system secure operating procedures.

Table 3 – Indicators that flag the event as possibly malicious (adapted from Incident Handling at BMDO; NIST):
A system alarm or similar indication from an intrusion detection tool
Suspicious entries in system or network accounting (e.g. a UNIX user obtains root access without going through the normal sequence)
Accounting discrepancies
Unsuccessful logon attempts
Unexplained new user accounts
Unexplained new files or unfamiliar file names
Unexplained modifications to file lengths and/or dates, especially in system executable files
Unexplained attempts to write to system files or changes in system files
Unexplained modification or deletion of data
Denial/disruption of service or inability of one or more users to log in to an account
Unexplained system crashes
Poor system performance
Operation of a program or sniffer device to capture network traffic
"Door knob rattling" (e.g. use of attack scanners, remote requests for information about systems and/or users, or social engineering attempts)
Unusual time of usage (remember, more computer security incidents occur during non-working hours than at any other time)
An indicated last time of usage of a user account that does not correspond to the actual last time of usage for that user
Unusual usage patterns (e.g. programs are being compiled in the account of a user who does not know how to program)

Fig. 3 – Insider incident handling workflow (adapted from Custers (2008)).

Fig. 4 – From event to incident.

3.1.3.1. Bringing it all together. In the case study used for this article it was observed that the various inputs are analysed in the following way: malicious insider trigger events are input into the CSIRT correlation system, where they are filtered (with noise discarded) and then correlated with other events using defined object use and organisational rules. When events are aggregated, further defined incident rules process the input, identifying events that indicate deviation from known and defined "authorised" baselines, and alert the incident handler that a possible incident has occurred. Furthermore, the incident handler or the correlation system itself can trigger the collection of additional information, such as a forensic snapshot of the memory and processes of the machine being used by the suspected malicious insider. The process is iterative until the event or incident is discarded as a false positive or the incident is mitigated. This allows the incident handler or CSIRT correlation system to pinpoint the incidents by user, asset, protocol, application, service or a combination of all. Most importantly, it strives to identify the perpetrator and the exposure of the attack. The workflow for this process involves close iterative cooperation between all three CSIRT functional tiers and is shown in Fig. 3, which is an adaptation of that given by Custers (Custers, 2008). In the case study it was noted that the CSIRT correlation system is fed over 2 million time stamped events per day that are heterogeneous in nature, including network sensors (e.g. IDS/IPS triggered signatures), host sensors (e.g. forensic applets), physical sensors (e.g. physical access barriers) and application triggers (e.g. transactions, firewall logs and email server logs) that are aimed at detecting malicious insider activity. In the case study it was observed that by the application of object use and organisational rules and incident handler knowledge the 2 million events are reduced to approximately 1200 possible incidents that require closer inspection by incident handlers with domain knowledge of both the technology and operations, as shown in Fig. 4. The malicious events detected by CIS sensors and triggers are shown in Table 4. In order to facilitate the use of emerging technologies such as behaviour baselining and visualisation, particular event characteristics must be stored and reanalysed for extended periods of time (see Table 5).
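As an added illustration of the correlation step just described (example code written for this edit, not the case-study CSIRT's own system), the following Python pass takes constructed heterogeneous trigger events, discards sensor noise, applies hypothetical object-use rules (the authorised asset set per insider), an organisational working-hours rule and a per-user behaviour baseline, and aggregates the surviving indicators into possible incidents, so that authorised access used at an abnormal volume is flagged even though no rule was broken. The user names, assets, rules and baseline counts are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical object-use rules: the defined set of assets each insider is
# authorised to use (mirrors the paper's definition of an insider).
OBJECT_USE_RULES = {
    "alice": {"ops-plan-db", "mail"},
    "bob": {"logistics-db", "mail"},
}
# Hypothetical organisational rule: normal working hours (start inclusive, end exclusive).
ORG_HOURS = (7, 19)
# Assets whose copying to removable media counts as an illicit-extraction indicator.
SENSITIVE_ASSETS = {"ops-plan-db"}
# Constructed behaviour baseline: each user's daily read counts on earlier days.
BASELINE_READS = {"alice": [12, 15, 11, 14, 13], "bob": [40, 38, 45, 41, 39]}


def is_noise(ev):
    """Filter step: informational sensor chatter is discarded before correlation."""
    return ev["sensor"] == "heartbeat" or ev["action"] == "info"


def event_indicators(ev, rules=OBJECT_USE_RULES, hours=ORG_HOURS):
    """Per-event object-use and organisational rule checks (Table 2/3 style indicators)."""
    found = []
    if ev["asset"] not in rules.get(ev["user"], set()):
        found.append("access outside authorised asset set")
    hour = datetime.fromisoformat(ev["ts"]).hour
    if not hours[0] <= hour < hours[1]:
        found.append("unusual time of usage")
    if (ev["action"] == "write" and ev.get("target") == "removable-media"
            and ev["asset"] in SENSITIVE_ASSETS):
        found.append("data extraction to removable media")
    return found


def baseline_deviation(user, reads_today, baseline=BASELINE_READS, k=3.0):
    """Behaviour baselining: authorised reads far above the user's own history."""
    history = baseline.get(user)
    if not history:
        return False  # no baseline yet, so no deviation can be claimed
    return reads_today > mean(history) + k * pstdev(history)


def correlate(events):
    """Aggregate surviving events per user into possible incidents.

    A user with no indicator at all is dropped as a false positive, which is
    the event-to-incident funnel the case study describes."""
    per_user = defaultdict(list)
    for ev in events:
        if not is_noise(ev):
            per_user[ev["user"]].append(ev)
    incidents = {}
    for user, evs in per_user.items():
        indicators = set()
        for ev in evs:
            indicators.update(event_indicators(ev))
        reads = sum(1 for ev in evs if ev["action"] == "read")
        if baseline_deviation(user, reads):
            indicators.add("read volume above behavioural baseline")
        if indicators:
            incidents[user] = {"indicators": sorted(indicators), "events": evs}
    return incidents


def make_sample_events():
    """Constructed sample events for one day (not real logs)."""
    events = [{"ts": f"2008-06-10T{9 + i % 8:02d}:{i * 2:02d}:00", "user": "alice",
               "sensor": "access-control", "asset": "ops-plan-db", "action": "read"}
              for i in range(20)]  # authorised, in hours, but well above baseline
    events.append({"ts": "2008-06-10T16:40:00", "user": "alice", "sensor": "endpoint",
                   "asset": "ops-plan-db", "action": "write", "target": "removable-media"})
    events.append({"ts": "2008-06-10T10:05:00", "user": "bob", "sensor": "access-control",
                   "asset": "logistics-db", "action": "read"})  # benign, dropped
    events.append({"ts": "2008-06-10T10:06:00", "user": "bob", "sensor": "heartbeat",
                   "asset": "logistics-db", "action": "info"})  # noise, filtered
    events.append({"ts": "2008-06-10T23:30:00", "user": "carol", "sensor": "access-control",
                   "asset": "ops-plan-db", "action": "read"})  # unknown user, off hours
    return events


if __name__ == "__main__":
    for user, inc in correlate(make_sample_events()).items():
        print(user, inc["indicators"], len(inc["events"]), "events")
```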
3.1.3.2. Meeting the challenges. In terms of meeting the insider threat technical challenges tabled at the RAND workshop held in September 2000 (Anderson et al., 2000) and at the similar workshop in 2004 (Brackney and Anderson, 2004), how does the case study's overall CSIRT rate? The technical research challenges for the following 5 years tabled at the 2000 workshop (Anderson et al., 2000) were:
I. Secure and Survivable [CIS] Architecture Frameworks;
II. Differential Access Controls;
III. Provenance [Archived End-to-End Accountability];
IV. Threat from and defences against Mobile Code; and
V. Developing Insider Threat Models.
Table 4 – Sensor and trigger detected malicious events.
- Network, system, service and information reconnaissance (profiling)
- Access to assets (profiling)
- Illicit data extraction (e.g. printing, write to removable media)
- Installation and control of data loggers or malicious software
- Communications usage (e.g. P2P, VOIP, encrypted messaging, steganography)
- Changing file permissions
- Altering file content
- Erasing files/data

Table 5 – Long-term storage of event characteristics needed for behaviour baselining.
Malicious insider event characteristics:
- Enterprise management system events
- Operating system events
- Entire data stream for critical assets and services
- COTS application transaction logs
- Event logs
- Detected vulnerabilities
- Forensic evidence
- IDS/IPS signature triggers
- Gateway inspection and filtering logs
- Anti-malware logs
- Bespoke application logs
- CIS policy violations
- Access control logs
Table 6 – Technology challenges success. Rows are the critical components of insider threat models from the 2000 workshop; columns show whether the component is available in the 3rd generation security technologies of the case study CSIRT now or is emerging. Marks are as extracted (U = available, shown as a tick in the original; Partial = partially available; # = mark as extracted, presumably not available); their assignment to cells is reconstructed from the extraction order.

Critical components of insider threat models (workshop 2000) | Now | Emerging
People (Behaviour, Knowledge, Motivation) | # | U
Tools (hardware, software, network) | U | U
Environment (Domain Knowledge) | Partial | U
Model elements: | Now | Emerging
Observable (Measurable parameters) | U | U
Profiles (of environment, people, tools, applications etc.) | U | U
Behaviour | Partial | U
The workshops' near-term technical recommendations align with the technologies available as part of the First and Second Generation security technologies shown in Fig. 2. Of their longer-term challenges, the requirements for ''Provenance'' and the characteristic requirements of ''Developing Insider Threat Models'' most closely reflect the functionality of the Third Generation technologies that sit within Tier Two of the CSIRT structure as shown in Table 2. Examples of this functionality are the recommended use of object tagging (e.g. of documents), tamper-proof audit trails and the ability to automatically identify critical CIS information (Anderson et al., 2000). The requirements for an effective insider threat model specified in Table 6 have resonance with the practical CSIRT processes that the author has worked within in practice. Four years on from the 2000 workshop (Anderson et al., 2000), the RAND workshop of 2004 (Brackney and Anderson, 2004) emphasised the need for detection and highlighted the then missing or newly emerging Third Generation technologies such as heterogeneous event and observation correlation, user behaviour analysis, behaviour baselining and identification of triggers to indicate malicious insider activity. The author interprets such emphasis as evidence of the technical complications associated with preventing malicious insider activity within CIS with disappearing boundaries. The 2004 workshop highlighted that, in order to resolve current technical limitations and to hone existing techniques, databases containing examples of specific attacks, the characterization of normal behaviour for users in different roles (including that of a system administrator) and artificial or real sensor data that include a mix of legitimate and malicious activity were needed (Brackney and Anderson, 2004). One of the significant findings of the workshop was that the existing case history of malicious insider espionage ignored cyberspace; there are fewer controls within CIS than thought, and there are no practical ways to stop information extraction (Brackney and Anderson, 2004).
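The workshop's call for characterising normal behaviour per role, with the system administrator as a role of its own, as an added example that is not from the paper: a Python baseline over one of the long-term event characteristics of Table 5, the daily volume written to removable media, which scores a user against their own history where enough exists and against the pooled baseline of their role otherwise, so that a sysadmin's routine large transfers are not scored against an analyst's profile while a new user with two days of history is still scored. The role names, thresholds and history values are constructed.

```python
"""Added example (not from the paper): per-user and per-role behaviour
baselining over one of the long-term event characteristics of Table 5, daily
volume written to removable media. A user with enough history is scored against
their own baseline, otherwise against the pooled baseline of their role. Roles,
thresholds and history values are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

MIN_HISTORY = 10     # assumed: fewer days than this -> fall back to the role baseline
Z_THRESHOLD = 3.0    # assumed: deviations above this many standard deviations are flagged
STD_FLOOR = 1.0      # MB; avoids a zero divisor for users with near-constant history

ROLES = {"alice": "analyst", "bob": "analyst", "eve": "analyst", "dave": "sysadmin"}

# Constructed history: MB written to removable media per day, oldest first.
HISTORY = {
    "alice": [2, 3, 2, 4, 3, 2, 3, 2, 3, 4, 2, 3],
    "bob":   [1, 2, 1, 2, 2, 1, 2, 1, 2, 2, 1, 2],
    "dave":  [20, 25, 22, 30, 21, 24, 26, 23, 22, 25, 24, 23],  # sysadmin: routinely large
    "eve":   [2, 3],                                             # new user: too little history
}


def role_baselines(history, roles):
    """Pool the daily values of every user in a role -> {role: (mean, std)}."""
    pooled = defaultdict(list)
    for user, days in history.items():
        pooled[roles[user]].extend(days)
    return {role: (mean(v), max(pstdev(v), STD_FLOOR)) for role, v in pooled.items()}


def baseline_for(user, history, roles):
    """(mean, std, source): the user's own history if long enough, else the role's."""
    days = history.get(user, [])
    if len(days) >= MIN_HISTORY:
        return mean(days), max(pstdev(days), STD_FLOOR), "user"
    m, s = role_baselines(history, roles)[roles[user]]
    return m, s, "role:" + roles[user]


def score(user, today_mb, history=HISTORY, roles=ROLES):
    """Z-score today's volume against the applicable baseline and flag outliers."""
    m, s, source = baseline_for(user, history, roles)
    z = (today_mb - m) / s
    return {"user": user, "z": round(z, 2), "baseline": source, "flag": z > Z_THRESHOLD}


if __name__ == "__main__":
    for user, mb in (("alice", 4), ("alice", 40), ("bob", 30), ("dave", 30), ("eve", 25)):
        print(score(user, mb))
```

Scoring bob's and dave's 30 MB days against a single organisation-wide baseline would flag both; with a per-role baseline only the analyst is flagged, which is what the workshop's role-specific characterisation buys, and the new user eve is still caught because she is scored against the pooled analyst profile rather than skipped for lack of history.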
3.1.3.3. Analysis. It is the author's belief that if the organisation that forms the case study for this article is to continue to meet the challenges of managing insider threat, the Three Tier CSIRT structure needs to be modified to more tightly couple Organisational Process (Tier One) and CSIRT Technologies (Tier Two). Specifically, the CSIRT functionality would benefit if Tiers One and Two were merged into one tier that retains the two sub-tiers defined within it. This new CSIRT structure is shown in Fig. 5. It is suggested that this would allow the CSIRT to adapt to both organisational and technical challenges in a more timely and integrated manner, especially in the promising areas of behaviour-based malicious insider management.

Fig. 5 – A two-Tier CSIRT structure aimed at more tightly coupling organisational and technology processes.

There is much research into behaviour-based analysis, and one additional avenue of research is that of Stateful Object Use Consequence Analysis (SOUCA). SOUCA is based on the premise that every action has a consequential reaction and utilises object watermarks, state tables, business rules and mathematical theory to determine whether an action on an object is authorised or not. Organisational business rules define which action/reaction couplings are allowed, with all other couplings tagged as malicious. It is suggested that SOUCA may allow for improvements in the establishment of behaviour-based CIS baselining and visualisation. A simplistic example of SOUCA follows. Given a user object and a Command and Control application object, it is possible to surreptitiously tag each object with various attributes that describe the object type, location, classification, authorisation, relational and other contextual organisational information. If the user object then accesses the Command and Control application object it is possible, at least conceptually, to statefully track the access and make decisions, based on the interplay of the watermarked attributes of each object, as to whether the access is in accordance with organisational rules.
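The SOUCA sketch above, as an added toy implementation in Python (the paper gives no code, and this is not the author's design beyond what the paragraph states): objects carry tag dictionaries standing in for the watermarks, a state table records the last action a user took on an object, and business rules list the permitted action/reaction couplings for each object type. An access that fails the attribute interplay check, a reaction with no recorded action behind it, or a coupling outside the rules is tagged malicious. The object names, tag fields, clearance levels and rules are assumptions.

```python
"""Added example (not the paper's SOUCA, which is only sketched in the text):
a toy stateful object-use consequence analysis. Objects carry attribute tags
standing in for the paper's watermarks, a state table tracks the last action a
user took on an object, and business rules list the permitted action/reaction
couplings; everything else is tagged malicious. Names and rules are assumptions."""

# Constructed object tags (field names are assumptions).
OBJECTS = {
    "user:alice": {"type": "user", "clearance": 2, "role": "ops", "location": "HQ"},
    "user:bob":   {"type": "user", "clearance": 1, "role": "ops", "location": "FIELD"},
    "app:c2":     {"type": "application", "classification": 2,
                   "roles": {"ops", "cmd"}, "locations": {"HQ"}},
    "doc:orders": {"type": "document", "classification": 2,
                   "roles": {"cmd"}, "locations": {"HQ"}},
}

# Business rules: for (object type, last action) the consequences that may follow.
# Any observed consequence outside the set is an unexpected coupling.
ALLOWED = {
    ("application", "open"):   {"read"},
    ("application", "update"): {"write:app_store"},
    ("document", "open"):      {"display"},
}


class Souca:
    def __init__(self, objects, allowed):
        self.objects = objects
        self.allowed = allowed
        self.state = {}     # state table: (user, object) -> last recorded action

    def authorised(self, user, obj, action):
        """Attribute interplay between the user's tags and the object's tags."""
        u, o = self.objects[user], self.objects[obj]
        if u["clearance"] < o["classification"]:
            return False
        if u["role"] not in o["roles"] or u["location"] not in o["locations"]:
            return False
        # any action other than open requires an open session in the state table
        return action == "open" or (user, obj) in self.state

    def act(self, user, obj, action):
        """Record a user action on an object; returns 'authorised' or a malicious tag."""
        if not self.authorised(user, obj, action):
            return "malicious:unauthorised_action"
        if action == "close":
            self.state.pop((user, obj), None)
        else:
            self.state[(user, obj)] = action
        return "authorised"

    def react(self, user, obj, consequence):
        """Check an observed consequence against the last action on that object."""
        last = self.state.get((user, obj))
        if last is None:
            return "malicious:reaction_without_action"
        otype = self.objects[obj]["type"]
        if consequence not in self.allowed.get((otype, last), set()):
            return "malicious:unexpected_coupling"
        return "authorised"


def run_scenario():
    """Constructed trace of actions and observed consequences."""
    s = Souca(OBJECTS, ALLOWED)
    return [
        s.act("user:alice", "app:c2", "open"),                # authorised
        s.react("user:alice", "app:c2", "read"),              # authorised
        s.act("user:alice", "app:c2", "update"),              # authorised
        s.react("user:alice", "app:c2", "write:app_store"),   # authorised
        s.react("user:alice", "app:c2", "write:removable"),   # coupling not in the rules
        s.act("user:bob", "app:c2", "open"),                  # clearance and location fail
        s.act("user:alice", "doc:orders", "open"),            # role not authorised
        s.react("user:alice", "doc:orders", "display"),       # no recorded action
        s.act("user:alice", "app:c2", "close"),               # authorised, session removed
        s.react("user:alice", "app:c2", "read"),              # no open session any more
    ]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The write to removable media is the case the paper's conclusion worries about: the user was fully authorised to open and update the application, so an access-control check alone passes, and it is only the coupling of that action with an unexpected consequence that the state table makes visible.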
4. Conclusion

Major challenges still exist, as existing security technologies alone do not allow for the practical incorporation and analysis of four critical components of malicious insider detection:
I. Automatic trigger input from traditional organisational detection methods;
II. Automated trigger input from the multitude of bespoke applications that are used for military command and control;
III. Human and non-human cyber behaviour analysis; and
IV. Object watermarking and analysis.
Review of the research literature by Shaw et al. (2000) shows that there are [organisational] risk factors that an insider may display to indicate that they are likely malicious insiders, i.e. that they are exhibiting malicious insider behaviour. However, these social and psychological indicators, whilst perhaps collected, stored and even processed electronically, have not been successfully incorporated into enterprise CSIRT processes in a practical, usable manner, although some commercial vendors are trialling behaviour-based detection applications (for cyber behaviour) with defence agencies. Practical enterprise solutions that meld both technical and organisational methods for the above challenges are paramount if detection is to occur as near as possible to, or prior to, information extraction from the secure environment. Behaviour-based trigger feeds utilising object-use rules and watermarking are needed for bespoke applications, as the use of CIS is becoming more ubiquitous with network boundaries disappearing, and the bespoke applications hold and process the majority of information. Solutions to the challenge of managing insider threat are crucial as the West moves to a reliance on military alliances where there is a mix of alliance and national systems. This, together with associated cultural and social factors, also makes prevention, detection, investigation and prosecution of malicious insiders much more difficult.
References

Anderson Robert H., Bozek Thomas, Longstaff Tom, Meitzler Wayne, Skroch Michael, Van Wyk Ken. Research on mitigating the insider threat to information systems - #2. RAND Conference Proceedings; 2000.
Army Regulation 25-2 Information Assurance. Available from: https://ia.gordon.army.mil/docs/AR25_2.asp; 2003 (accessed October 2008).
Brackney Richard C., Anderson Robert H. Understanding the insider threat. In: Proceedings of a March 2004 Workshop, RAND; 2004.
Cappelli Dawn M., Trzeciak Randall F., Moore Andrew P. Insider threats in the SDLC: lessons learned from actual incidents of fraud, theft of sensitive information, and IT sabotage. Software Engineering Institute, Carnegie Mellon University; 2006.
Custers Keith. C-Bits bvba; 2008.
Killcrece Georgia, Kossakowski Klaus-Peter, Ruefle Robin, Zajicek Mark. Organizational models for computer security incident response teams (CSIRTs). CMU/SEI-2003-HB-001; 2003.
Gerber Cheryl. Plugs for data leaks. Military Information Technology, online edition. Available from: http://www.military-information-technology.com/article.cfm?DocID=2323; 2008.
Marty Raffael. Applied security visualization. Upper Saddle River, NJ, USA: Addison Wesley; 2009.
Maybury Mark. Detecting malicious insiders in military networks; 2006.
Maybury M., Chase P., Cheiker B., Brackney D., Matzner S., Hetherington T., et al. Analysis and detection of malicious insiders; 2005.
Nicolett Mark, Williams Amrit T., Proctor Paul E. Magic quadrant for security information and event management, 1H06. Gartner RAS Core Research Note G00139431, 12 May 2006.
NIST. Incident handling at BMDO. Available from: http://csrc.nist.gov/groups/SMA/fasp/documents/incident_response/BMDOIncHandling.htm; 2000 (accessed October 2008).
Shaw Eric D., Ruby Keven G., Post Jerrold M. The insider threat to information. Appendix E in: Research on mitigating the insider threat to information systems - #2, RAND Conference Proceedings; 2000.
Terrence Walker, CISSP, CISA, EnCE, is an information security specialist with over 10 years of experience in the industry. His areas of specialisation include risk analysis, vulnerability assessment, penetration testing and forensics within organisational incident management and response teams. Currently he works with a European CSIRT and is a PhD student with the Information Security Group at Royal Holloway, University of London; his research interests include resource dynamics of security systems, security system modelling and insider threat. He has an MSc in Information Security from Royal Holloway, University of London. Contact him at [email protected].