A framework for understanding and predicting insider attacks

E. Eugene Schultz, University of California-Berkeley Lab
Paper to be presented at Compsec 2002, London, 30 October 2002

Abstract

In this paper an insider attack is considered to be deliberate misuse by those who are authorized to use computers and networks. Applying this definition in real-life settings to determine whether or not an attack was caused by an insider is often, however, anything but straightforward. We know very little about insider attacks, and misconceptions concerning them abound. The belief that most attacks come from inside is held by many information security professionals, for example, even though empirical statistics and firewall logs indicate otherwise. This paper presents a framework based on previous studies and models of insider behavior as well as first-hand experience in dealing with insider attacks. The framework defines relevant types of insider attack-related behaviors and symptoms/indicators that include deliberate markers, meaningful errors, preparatory behaviors, correlated usage patterns, verbal behavior and personality traits. From these sets of indicators, clues can be pieced together to predict and detect an attack. The presence of numerous small clues necessitates the use of quantitative methods; multiple regression equations appear to be a particularly promising approach for quantifying prediction.

Key words: insider, insider attacks, insider attack prediction, insider attack detection, insider threat, attack indicators

Introduction

Of all the issues that confront information security professionals, none is more elusive and perplexing than insider attacks. Substantial advances in perimeter security, intrusion detection, encryption, access control mechanisms, and so forth, have helped repel externally initiated attacks, yet little progress in dealing with the insider threat has occurred. Why?
It is safe to say that a major reason for the lack of progress in dealing with the insider threat is that although much discussion and thinking on this subject occurs, there is still little bona fide understanding of the nature of this threat. A framework for understanding and predicting insider attacks would be a valuable next step in achieving insight into the insider threat. This paper starts with a definition of insider attack, then covers myths that have clouded this issue, then reviews previous research and ideas relevant to the insider threat, and finally presents a new framework for understanding and predicting insider attacks.

Defining Insider Attack

Numerous definitions for the term insider attack have been proposed. Tuglular and Spafford (TUGL97) assert that inside attackers are those who are able to use a given computer system with a level of authority granted to them and who in so doing violate their organization's security policy. According to Schultz and Shumway (SCHU01), an insider attack can be defined as "the intentional misuse of computer systems by users who are authorized to access those systems and networks" (p. 189). Einwechter (EINW02) defines an internal attacker as someone entrusted with authorized access who, instead of fulfilling assigned responsibilities, manipulates access to a system to exploit it (e.g., to damage it or steal sensitive information).

According to each of these definitions, insiders would usually be employees, contractors and consultants, temporary helpers, and even personnel from third-party business partners and their contractors, consultants, and so forth. But with all the outsourcing that is occurring, it is becoming increasingly difficult to maintain a hard and fast distinction between insiders and outsiders.

0167-4048/02 US$22.00 © 2002 Elsevier Science Ltd
When an attack by someone such as a former consultant occurs, for example, should the attack be considered an internally or externally initiated attack? Additionally, many so-called insider jobs have turned out to be the result of complicity between an insider and an outsider. So although each of the previous definitions of insider attacks is to some degree true, applying these definitions to the real world is often tenuous.

Myths and misconceptions

The many myths and misconceptions about insider attacks that abound serve to add considerable confusion to an already nebulous issue. Consider each of the following:

Myth 1: More attacks come from the inside than from anywhere else.

This myth traces back to old FBI statistics from a time when more attacks did indeed come from the inside. Why? Most of the computers 20 years ago were clunky mainframes, minicomputers, and so on that had only a fraction of the networking capabilities that today's machines have. Additionally, the number of people capable of attacking systems 20 years ago was small. The Internet as we know it did not exist. The Arpanet of that time was minuscule and used by relatively few users compared to the Internet today. Every year for the last four years, respondents to the FBI/CSI Annual Computer Crime Survey have reported more externally initiated attacks than internal ones (FBI02). Anyone who thinks that most attacks come from the inside needs only to inspect the logs of that person's organization's firewall to learn just how many externally initiated attacks occur. Firewalls stop an incredible number of attacks from outside. At the same time, however, to say that more successful attacks come from the inside (especially considering that so many organizations' network security amounts to a hard outer coating with a soft, chewy middle) is more likely to be true. Additionally, there is no debate that insider attacks pose a far greater level of risk than do outsider attacks.
Myth 2: Insider attack patterns are generally similar to externally initiated attacks.

People who have expertise with hacking tools and techniques are in effect specialists in outsider-initiated attack methods. But insiders do not generally produce the same attack signatures that external attackers do. For one thing, insiders can potentially obtain physical access to victim systems, and physical access obviates the need for more specialized attack methods. Additionally, unless they intend to launch a denial of service attack or an attack that damages systems and/or data, insiders are typically careful not to trigger any alarms, so to speak. Intrusion detection systems (IDSs) are able to detect many externally initiated attack patterns; the subtler methods insiders favor are not likely to be noticed by IDSs.

Myth 3: Responding to insider attacks is just like responding to outsider attacks.

Responding to insider attacks is substantially different from responding to externally initiated attacks. For one thing, the former often involves working in close cooperation with other organizational functions such as human resources and the legal staff. Additionally, clues concerning what exactly an internal attacker has done, and the identity of the attacker, are available through sources other than computers per se. According to Schultz and Shumway (SCHU01), profiling suspected insiders is proving to be one of the best ways of reverse engineering an insider attack, for example. Profiling suspected external attackers would in contrast almost always be a futile exercise.

A review of previous work

One of the chief obstacles in researching detection and prevention of insider attacks is that relatively few studies on this subject have ever been done. Of the studies that have been done, most have been proprietary, designed to solve specific problems within specific organizations.
The unfortunate result is that few empirical studies of insider attacks are publicly available to guide approaches to this problem. Several models of insider attacks exist, however.

A generic set of models, referred to here as the CMO model, postulates that to commit an attack the perpetrator must first have the:

Capability to commit the attack
Motive to do so
Opportunity to commit the attack.

Parker (PARK98), for example, presents a model based on similar but not identical factors (skills, knowledge, resources, authority, and motives) and applies it to all computer crime, insider and outsider attacks alike. In another variation of CMO, Wood (WOOD02) proposes that insider attackers must have the motivation to attack, must identify a target, and must be able to launch an attack.

Tuglular and Spafford (TUGL97) have proposed a little known but nevertheless intriguing model of insider attacks. This model assumes that insider misuse is a function of factors such as personal characteristics, motivation, knowledge, abilities, rights and obligations, authority and responsibility within the organization, and factors related to group support. The creators of this model have pointed out that insider attacks are more likely to occur under conditions such as a breakdown of lines of authority within an organization.

Suler's (SULE98) study of anonymity and deviance on-line yields some important insights into the nature of certain types of attacks. Results of this study indicate that attackers often engage in undesirable on-line behaviors out of a desire to make a statement. Perpetrators produce behavioral markers that serve as key indicators. Someone who, for example, is angry with his supervisor may flood his supervisor's mail queue with messages from an anonymous source that threaten the supervisor in some manner. This may give the attacker some measure of satisfaction, but at the same time may serve as a clue concerning the identity of the perpetrator.
Yet another model of perpetrators of computer crime and computer attacks is the psychodynamically driven model of Shaw, Ruby, and Post (SHAW98). Based on research concerning the psychological make-up of convicted perpetrators of computer crime, Shaw et al. describe computer criminals in terms of traits such as introversion and depression. Unfortunately, however, Shaw et al.'s study focused exclusively on external attackers. This model is nevertheless to some degree corroborated by a study conducted by psychologists at Political Psychology Associates Ltd. (POLI01), who discovered that the majority of insider abuse is linked to people who are introverted, poor at handling stress or conflict, and frustrated with work.

The 3DP (three dimensional profiling) model is a criminological or profiling model developed by Gudaitis (GUDA99). This model examines and applies the methodology of conventional criminal profiling to computer crime. Specifically, the model focuses on insider attacks and prescribes an organizationally based method for prevention. The utility of this model is two-fold in that it: 1) allows assessing an incident or attack using profiling in addition to the usual technical tools, and 2) provides organizations a way to evaluate and enhance their security processes and procedures from a human perspective as a preventative measure.

A model by Collins (COLL92) focuses on the relationship between social context cues and uninhibited verbal/written behavior in computer-based communication. This model establishes a predictive connection between the absence of social context cues and the presence of uninhibited (i.e., flaming and inappropriate language) verbal behavior. Although promising in terms of ability to predict insider attacks, this model focuses only on verbal language and does not extend to computer-related behavior.
The final model considered here, by Morahan-Martin (MORA98), describes the general use of computers and computer behaviors across demographics, specifically focusing on gender differences. This model describes the cultural and linguistic aspects of computer behavior as they correlate with computer competency and Internet competency. The model incorporates the proposition that computer competency and comfort not only predict computer experience and behavior, but also Internet competency, comfort, experience, and behavior. This model does not extend to deviant or unethical computer behavior, however, although it does at least describe adversarial and status-enhancing behaviors as demonstrated by language use.

The few models of and studies about insider attacks and related issues that are available are a good start, but they are of little value in producing meaningful results that can help organizations reduce the frequency of and damage from insider attacks. Research into insider attacks is without question in its infancy. The current state of the art does not for all practical purposes allow detection, let alone prediction, of insider attacks. Detection capability is desirable, but it is, unfortunately, post hoc in nature. Given the potential damage that can result from insider attacks, the state of the art for detecting insider attacks is not nearly as advanced as necessary to make a difference for most organizations. The most pressing need, therefore, is developing the ability to predict insider attacks. If we can predict attacks, or even impending attacks, we can intervene sooner and more effectively.

A new insider detection framework

Einwechter (EINW02) has proposed that a combination of IDS systems, namely network intrusion detection systems (NIDS), network node intrusion detection systems (NNIDS), host-based intrusion detection systems (HIDS), anomaly-based intrusion detection systems, and a distributed intrusion detection system (dIDS), be used to detect insider attacks.
What Einwechter has proposed is a giant step in the right direction because it attempts to capitalize on multiple indicators of insider attacks. The previously discussed studies and models of insider attacks have shown just how diverse indicators of insider attacks can be. Collecting and analyzing data that are likely to yield multiple indicators is in fact the only viable direction, given how subtle, and how different from conventional (external) attacks, insider attack patterns often are. Although his ideas are intriguing, Einwechter has overlooked several critical considerations. First, insiders are in a much better position to disable, turn off, or otherwise interfere with IDSs than are outsiders. Although IDS output can be useful in detecting insider attacks, relying on IDS output alone for insider attack detection is fundamentally risky. Second, as mentioned previously in this paper, many insider attacks are quite different from outsider attacks and, as Einwechter himself concedes, today's IDSs are geared towards detecting externally initiated attacks anyway. Again, heavy reliance on IDSs to detect insider attacks is unwise.

The previously discussed studies and models suggest an approach for predicting and detecting insider attacks. They indicate, for example, that many different potential indicators of internal attacks exist and that no single indicator can normally provide conclusive indication of an insider attack. These potential indicators (shown in Figure 1 below) include:

Deliberate markers.
As the previously cited study by Suler indicates, attackers sometimes leave deliberate markers to make a statement. Markers can vary in magnitude and obviousness. Finding the smaller, less obvious markers earlier, before the big attack occurs, should be a major goal of those faced with the task of detecting insider attacks.

Meaningful errors.
This category of indicators does not come from the previously discussed studies and models, but rather from first-hand investigations of insider incidents. Perpetrators, like anyone else, make mistakes in the process of preparing for and carrying out attacks. Consider, for example, someone who wants to access and copy proprietary files. The perpetrator may first enter a copy command with one or more typos and then try again and succeed. Perhaps, too, the perpetrator will then erase the relevant log files and the command history. The perpetrator may, however, forget to erase the error logs. By looking at the error logs, investigators may be able to infer what the perpetrator was trying to do as well as determine the identity of the perpetrator.

Preparatory behavior.
The previously cited work by Wood mentions behaviors that occur as part of the preparatory phase of an attack. The perpetrator may, for instance, attempt to gain as much information about the potential victim system as possible, and in so doing can expose intentions. Use of commands such as ping, nslookup, finger, whois, rwho, and others is only one of many potential types of preparatory behavior.

Correlated usage patterns.
Correlated usage patterns are patterns of computer usage that are consistent from one system to another. These patterns might not be noticeable on any one system, but the fact that they occur on multiple systems can reveal intention on the part of a potential perpetrator. A perpetrator may, for example, use a command such as grep on dozens of systems to search for files containing particular words.

Verbal behavior.
The previously cited pieces by Morahan-Martin and Collins showed how, in the technical arena, verbal behavior is linked to aggression, dominance and other factors. Verbal behavior (either spoken or written) can, of course, also provide an indication that an attack is imminent.
The most obvious example is email messages in which someone expresses hatred and hostility towards an employer, boss, or others. In particular, recording and analyzing requests for elevated privileges and for access to computers or files to which one currently does not have access seems particularly promising.

Personality traits.
The previously cited study by Shaw et al. and others suggest that personality factors (particularly introversion) can be used in predicting insider attacks. Although potentially very valuable, the measurement and use of personality traits in predicting insider attacks is beset with potential ethical and other problems. Still, personality traits promise to be a useful indicator.

Assuming that it is possible to quantify each of the potential indicators (which in all likelihood it is), a mathematical equation such as a multiple regression equation that consists of a number of variables and their weightings can be formulated. Consider, for example, the following equation:

    Xe = 1.034 X1i − 0.588 X2i + 0.331 X3i + 0.094 X4i − 1.12

Xe is the predictive value in this example; the larger its absolute value, the greater the likelihood of an attack. X1i through X4i are the indicators, and the numbers in front of each are their weightings in the regression equation; −1.12 is the constant. Although the numbers here are purely hypothetical, real values can be determined. How? By carefully scrutinizing a large number of insider attacks that have occurred for the presence of deliberate markers, meaningful errors, and so on, the weightings for each indicator can be calculated. So, for example, after a large number of insider attacks have been analyzed, perhaps the deliberate markers factor would have a value of +2.13 and the meaningful errors factor a value of +1.79. Use of other mathematical techniques such as least-squares calculation is also feasible.
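To make the indicator-and-weighting idea concrete, the following Python is an added example and is not code from Schultz's paper. It extracts three of the indicators described above (meaningful errors, preparatory behavior, correlated usage patterns) from a constructed set of host command-audit records, scores each user with an equation of the same form as the one above, and then calculates weightings from a constructed set of labelled case studies by ordinary least squares, the validation route the paper proposes. The audit record format, the host and user names, the command set, the weightings (the +2.13 and +1.79 borrowed from the paper's illustration, the rest invented) and the case studies are all assumptions; deliberate markers are left at zero because they cannot be read out of command logs in this way.

```python
from collections import defaultdict

# Reconnaissance commands the paper lists as preparatory behavior.
RECON = {"ping", "nslookup", "finger", "whois", "rwho"}

# Constructed audit records (host, user, status, command line); not real data.
# They assume a host audit subsystem that keeps its own record of commands and
# their exit status, so clearing the shell history does not remove the trail.
AUDIT = [
    ("db01",  "mallory", "error", "cp /srv/propreitary/designs.tgz /tmp/d.tgz"),  # typo
    ("db01",  "mallory", "ok",    "cp /srv/proprietary/designs.tgz /tmp/d.tgz"),  # retry succeeds
    ("db01",  "mallory", "ok",    "history -c"),                 # history wiped, audit trail remains
    ("web01", "mallory", "ok",    "finger bob"),
    ("web01", "mallory", "ok",    "rwho"),
    ("web01", "mallory", "ok",    "grep -rl confidential /home"),
    ("web02", "mallory", "ok",    "grep -rl confidential /home"),
    ("db01",  "mallory", "ok",    "grep -rl confidential /home"),
    ("app03", "mallory", "ok",    "grep -rl confidential /home"),
    ("web01", "bob",     "error", "gcc -o app app.c"),           # ordinary build failure
    ("web01", "bob",     "ok",    "vim app.c"),
    ("web01", "bob",     "ok",    "gcc -o app app.c"),
    ("web01", "bob",     "ok",    "ping 10.0.0.1"),              # one recon command alone proves little
    ("web01", "bob",     "ok",    "ls -l"),
    ("web02", "bob",     "ok",    "ls -l"),
]


def extract_indicators(records):
    """Map each user to [x1, x2, x3, x4]:
    x1 deliberate markers   - not derivable from command logs, left at 0;
    x2 meaningful errors    - a failed command immediately retried under the same name;
    x3 preparatory behavior - count of reconnaissance commands;
    x4 correlated usage     - distinct hosts on which the user's most-repeated
                              command line appeared."""
    errors, recon = defaultdict(int), defaultdict(int)
    hosts_by_cmdline = defaultdict(set)
    last_failed = {}  # (host, user) -> name of the command that just failed there
    for host, user, status, cmdline in records:
        name = cmdline.split()[0]
        if status == "error":
            last_failed[(host, user)] = name
        elif last_failed.pop((host, user), None) == name:
            errors[user] += 1
        if name in RECON:
            recon[user] += 1
        hosts_by_cmdline[(user, cmdline)].add(host)
    users = {rec[1] for rec in records}
    corr = {u: max(len(h) for (uu, _), h in hosts_by_cmdline.items() if uu == u)
            for u in users}
    return {u: [0, errors[u], recon[u], corr[u]] for u in users}


def score(x, weights, constant):
    """The paper's regression form: Xe = w1*x1 + w2*x2 + ... + wn*xn + constant."""
    return sum(w * xi for w, xi in zip(weights, x)) + constant


def score_users(records, weights, constant):
    """Predictive value Xe per user from the audit records."""
    return {u: score(x, weights, constant)
            for u, x in extract_indicators(records).items()}


def fit_least_squares(X, y):
    """Ordinary least squares through the normal equations (A'A) b = A'y, solved
    by Gauss-Jordan elimination in plain Python. X: indicator vectors from past
    case studies; y: 1.0 for a confirmed insider attack, 0.0 for a benign case.
    Returns (weights, constant)."""
    A = [list(row) + [1.0] for row in X]            # append the constant column
    n = len(A[0])
    M = [[sum(a[i] * a[j] for a in A) for j in range(n)]
         + [sum(a[i] * yi for a, yi in zip(A, y))] for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        p = M[col][col]
        if abs(p) < 1e-12:
            raise ValueError("indicators are collinear; drop one or add case studies")
        M[col] = [v / p for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0.0:
                f = M[r][col]
                M[r] = [a - f * b for a, b in zip(M[r], M[col])]
    beta = [M[i][n] for i in range(n)]
    return beta[:-1], beta[-1]


# Constructed case studies: ([x1, x2, x3, x4], outcome); outcome 1.0 = confirmed attack.
CASES = [
    ([0, 0, 0, 1], 0.0), ([0, 1, 1, 1], 0.0), ([0, 0, 2, 2], 0.0), ([0, 1, 0, 2], 0.0),
    ([1, 1, 2, 3], 1.0), ([2, 0, 3, 6], 1.0), ([1, 2, 1, 4], 1.0), ([0, 3, 4, 8], 1.0),
]

if __name__ == "__main__":
    assumed_w, assumed_c = [2.13, 1.79, 0.50, 0.25], -1.0   # hypothetical weightings
    for user, xe in sorted(score_users(AUDIT, assumed_w, assumed_c).items()):
        print(f"{user:8s} Xe = {xe:.2f}")
    w, c = fit_least_squares([x for x, _ in CASES], [y for _, y in CASES])
    print("fitted weights:", [round(v, 3) for v in w], "constant:", round(c, 3))
```

Two points the paper makes show up directly: bob's single ping and single build failure leave him at Xe = 0 under the assumed weightings, while mallory's typo-then-retry on the proprietary archive, two reconnaissance commands and the same grep on four hosts combine to a clearly higher value even though no one of them is conclusive. The least-squares fit raises a ValueError when an indicator column is collinear with the others (for instance deliberate markers at zero in every case), which is the practical reason the paper's validation step needs many and varied case studies before the weightings mean anything.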
Conclusion

This paper has proposed a novel approach for predicting and detecting insider attacks. The basic premise underlying this framework is that, unlike detection of externally initiated attacks, no single clue is sufficient for predicting and detecting insider attacks. With multiple indicators and a mathematical representation of each indicator's contribution, it may now indeed be possible to predict and detect insider attacks. The need for better prediction and detection of insider attacks is great given the magnitude of the insider threat. The framework presented here is promising in that it synthesizes and builds upon critical models and findings concerning insider attacks; unfortunately, however, this framework is also unproven. A logical next step is to perform validation testing of the model by collecting a large number of case studies and analyzing each for the presence and quantity of each of the indicators (and possibly others, too) discussed in this paper.

References

COLL92 Collins, Mauri (1992). Flaming: The relationship between social context cues and uninhibited verbal behavior in computer-mediated communication. On-line document, papers/flames.html
EINW02 Einwechter, N. (2002). Preventing and detecting insider attacks using IDS. On-line document.
FBI02 Annual FBI and Computer Security Institute survey on computer crime (2002). On-line document.
GUDA99 Gudaitis, T.M. (1999). The missing link in information security: Three dimensional profiling. CyberPsychology and Behavior, Vol. 1, 4.
MORA98 Morahan-Martin, Janet (1998). Women and girls last: Females and the Internet. Paper presented at IRISS conference, 25-27 March, Bristol, UK.
PARK98 Parker, D.B. (1998). Fighting computer crime: A new framework for protecting information. New York: John Wiley and Sons.
POLI01 Political Psychology Associates on-line document (2001).
SCHU01 Schultz, E.E. & Shumway, R. (2001). Incident response: A strategic guide for system and network security breaches. Indianapolis: New Riders.
SHAW98 Shaw, E.D., Ruby, K.G., & Post, J.M. (1998). The insider threat to information systems. Security Awareness Bulletin, 2-98, 27-46.
SULE98 Suler, J. (1998). The bad boys of cyberspace: Deviant behavior in on-line multimedia communities and strategies for managing it. On-line document.
TUGL97 Tuglular, T., & Spafford, E.H. (1997). A framework for characterization of insider computer misuse. Unpublished paper, Purdue University.
WOOD02 Wood, B.J. (2002). An insider threat model for adversary simulation. On-line document, ppb.pdf

Figure 1. Potential indicators of insider attacks: deliberate markers, meaningful errors, preparatory behavior, correlated usage patterns, verbal behavior, and personality traits, all feeding prediction and detection.
