
A methodology and supporting techniques for the assessment of insider threats

  1. A methodology and supporting techniques for the assessment of insider threats
     Nicola Nostro
     Tutors: Bondavalli Andrea, Di Giandomenico Felicita
     Università degli Studi di Firenze

  2. Subject of the research
     • Nowadays our daily lives depend heavily on critical infrastructures.
     • These infrastructures are heterogeneous and dynamic.
     • They may be prone to failures, intrusions, and attacks from outside and from inside.
     • It is crucial to design systems that ensure resilience and security.

  3. Context
     • Security is a major challenge for today's companies.
     • Security measures are carefully selected and maintained to protect organizations from external threats.
     • Several tools and solutions are available for this purpose:
       • firewalls, antivirus, intrusion detection systems, ...
     • What happens inside the system?

  4. Motivations
     • Among the multitude of attacks and threats to which a system is potentially exposed, there are insider attackers.
     • They are difficult to detect and mitigate because of the nature of the attackers: how do we detect data theft or sabotage by malicious insiders, when these activities can be hard to distinguish from legitimate use?
     • Protecting against insider threats requires a deep study of the socio-economic profiles of the insiders, of the actions available to them, and of the impact of those actions on the system.
     • Insider attackers are a real threat to ICT organizations.
     • This calls for a tailored insider threat assessment activity.

  5. Objectives
     • Define a methodology and supporting libraries for insider threat assessment and mitigation.
     • Evaluate the likelihood that a user performs an attack, the severity of the potential violations, and their cost.
     • Identify appropriate countermeasures.

  6. The methodology in 6 steps
     • System under analysis: identification of components, interactions, functional description.
     • Profiling potential insiders: all users are identified; definition of attributes; reference to a predefined library.
     • Insider threats: identification, description, potential consequences.
     • Attack paths: identify exploitable paths; set up the modeling approach; evaluation.
     • Countermeasures selection: selection of proper countermeasures; reference to a predefined library.
     • Iteration and update.

  7. Methodology – System description
     • A system is characterized by:
       • a number of resources: services, computers, removable drives, etc.;
       • one or more communication networks;
       • users, who can use the system or in general interact with it.
     • New features can be integrated over time, due to the evolution of technologies and to updates of the system specification or requirements.
     • Providing a formal description of the overall system may be expensive in terms of time.

  8. Methodology – System description
     • A semi-formal description, limited to the aspects of interest of the system and to the interactions that users may have with it, is appropriate.
     • Through a semi-formal notation the description of the system is immediately understandable, since graphical notations are combined with natural-language descriptions.
     • UML use case diagrams describe the system's functionalities and the use case scenarios from the point of view of the users/insiders; the use case descriptions are given in tables.

  9. Methodology – Insiders' profile
     • Identify a taxonomy of system users and of their potential attributes.
     • A predefined library of insiders to consider: a consistent reference library describing the human agents involved in IT systems who could pose threats to such systems.
     • Eight attributes are defined: Intent, Access, Outcome, Limits, Resource, Skill Level, Objective, Visibility.
     T. Casey, "Threat Agent Library Helps Identify Information Security Risks," Intel White Paper, September 2007.

  10. Methodology – Insider threats
     • We can identify a number of threats of differing severity, related to the actions performed by insiders:
       • install malicious software/code, create backdoors, disable system logs and anti-virus, create new users, plant logic bombs, perform operations on the database.
     • The idea is to list the possible threats and to associate each of them with the previously identified insiders.

  11. Methodology – Attack paths
     • Identify the path(s) an insider can exploit to realize a threat and achieve the goal.
     • This is a critical step, especially when we consider unknown paths: many insiders are able to set up unexpected attack paths that are not known in advance.
     • Several techniques exist and are very useful for determining what threats exist in a system and how to deal with them:
       • attack trees, attack graphs, privilege graphs, ADVISE (ADversary VIew Security Evaluation).
     • Evaluating the success rate and the effects of an attack is of paramount importance, since it yields the probability of occurrence of the attack.

  12. Methodology – Countermeasures
     • Selection of the proper countermeasure(s) to avoid or mitigate the identified threat(s).
     • A predefined library listing the countermeasures can be used.
     • Introducing a countermeasure may require re-assessing the system.
     • If a model of the system and of the countermeasure is available, these can be integrated with the attack path.

  13. Methodology application – System & insider profiling
     • Insiders: Operator, Domain expert, Unknown user, System Expert, System Administrator (SA)

  14. Methodology application – Insider threats
     • Mapping insiders to threats by matching attribute values.
     • Attack goals:
       • degradation of the performance of the system,
       • theft of sensitive data.

  15. Methodology application – Attack paths
     • ADVISE attack execution graph for Data Theft:
       • rectangular boxes represent the attack steps;
       • squares are the access domains;
       • circles are the knowledge items;
       • ovals represent the attack goal.
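The steps of slides 9 to 11, as applied in slides 13 to 15, can be exercised in a few lines of code. The Python below is an added example, not code from the thesis or from the ADVISE tool: it holds the five insiders of slide 13 on the eight attributes of slide 9, expresses the threats of slide 10 as constraints on those attributes so that the mapping of slide 14 becomes a plain match, and searches a small ADVISE-style attack execution graph for every path that takes an insider to the data-theft goal, scoring each path by the product of per-step success probabilities as the evaluation of slide 11 requires. The attribute values, the threat constraints, the attack steps, the initial access and knowledge of each insider and the probabilities are all assumptions made for the illustration; the page gives neither the real graph nor its numbers.

```python
# Added example, not code from the thesis: an insider library on the eight Threat Agent
# Library attributes, threat matching on attribute values (slide 14) and a search for
# exploitable paths in a small ADVISE-style attack graph (slides 11 and 15).
# Every concrete value below is an assumption made for the illustration.
from dataclasses import dataclass

ATTRIBUTES = ("Intent", "Access", "Outcome", "Limits", "Resource",
              "Skill Level", "Objective", "Visibility")
SKILL_RANK = {"None": 0, "Minimal": 1, "Operational": 2, "Adept": 3}  # assumed ordinal scale

def profile(*values):
    """One insider profile, values given in ATTRIBUTES order."""
    return dict(zip(ATTRIBUTES, values))

# The five insiders of slide 13; their attribute values are assumed.
INSIDERS = {
    "Operator": profile("Non-hostile", "Internal", "Damage", "Code of conduct",
                        "Individual", "Minimal", "Damage", "Overt"),
    "Domain expert": profile("Hostile", "Internal", "Acquisition/theft", "Extra-legal minor",
                             "Individual", "Operational", "Copy", "Covert"),
    "Unknown user": profile("Hostile", "Internal", "Damage", "Extra-legal minor",
                            "Individual", "None", "Damage", "Clandestine"),
    "System Expert": profile("Hostile", "Internal", "Technical advantage", "Extra-legal minor",
                             "Individual", "Adept", "Copy", "Covert"),
    "System Administrator": profile("Hostile", "Internal", "Acquisition/theft", "Extra-legal major",
                                    "Individual", "Adept", "Take", "Clandestine"),
}

# Threats of slide 10 as constraints: accepted-value sets per attribute plus a minimum
# Skill Level compared on SKILL_RANK. The first five need a hostile insider with access.
HOSTILE = {"Intent": {"Hostile"}, "Access": {"Internal"}}
THREATS = {t: {**HOSTILE, "min_skill": s} for t, s in (
    ("install malicious software", "Operational"), ("create backdoors", "Adept"),
    ("disable system logs and anti-virus", "Adept"), ("create new users", "Adept"),
    ("plant logic bombs", "Adept"))}
# No Intent constraint here: a careless but legitimate operator can damage data too.
THREATS["perform operations on database"] = {"Access": {"Internal"}, "min_skill": "Minimal",
                                             "Objective": {"Copy", "Damage", "Take"}}

def matches(insider, constraints):
    """True if the insider's attribute values satisfy every constraint of a threat."""
    for attr, allowed in constraints.items():
        if attr == "min_skill":
            if SKILL_RANK[insider["Skill Level"]] < SKILL_RANK[allowed]:
                return False
        elif insider[attr] not in allowed:
            return False
    return True

def map_insiders_to_threats():
    """Slide 14: for each threat, the insiders whose profile can pose it."""
    return {t: [n for n, p in INSIDERS.items() if matches(p, c)] for t, c in THREATS.items()}

@dataclass(frozen=True)
class AttackStep:
    """A rectangular box of the graph: required access domains (squares) and knowledge
    items (circles), what the step grants, and an assumed success probability."""
    name: str
    needs_access: frozenset = frozenset()
    needs_knowledge: frozenset = frozenset()
    min_skill: str = "None"
    grants_access: frozenset = frozenset()
    grants_knowledge: frozenset = frozenset()
    reaches_goal: bool = False
    p_success: float = 1.0

F = frozenset
DATA_THEFT_STEPS = (
    AttackStep("harvest DB credentials from workstation config", F({"workstation"}), F(),
               "Operational", F(), F({"db_credentials"}), False, 0.6),
    AttackStep("connect to DB server with harvested credentials", F({"workstation"}),
               F({"db_credentials"}), "None", F({"db_server"}), F(), False, 0.9),
    AttackStep("locate sensitive tables by browsing the schema", F({"db_server"}), F(),
               "None", F(), F({"sensitive_tables"}), False, 0.8),
    AttackStep("query and exfiltrate sensitive rows", F({"db_server"}), F({"sensitive_tables"}),
               "None", F(), F(), True, 0.7),
    AttackStep("copy full DB backup to a removable drive", F({"db_server"}), F(),
               "Adept", F(), F(), True, 0.5),
)

# (access domains, knowledge items) held before any step; insiders not listed hold nothing.
INITIAL_STATE = {
    "Operator": (F({"workstation"}), F()),
    "Domain expert": (F({"workstation"}), F({"sensitive_tables"})),
    "System Expert": (F({"workstation"}), F()),
    "System Administrator": (F({"workstation", "db_server"}), F({"db_credentials"})),
}

def exploitable_paths(insider_name, steps=DATA_THEFT_STEPS):
    """Slides 11 and 15: every step sequence leading the insider to the goal, scored by
    the product of step success probabilities; most likely path first."""
    skill = SKILL_RANK[INSIDERS[insider_name]["Skill Level"]]
    found = []

    def walk(access, knowledge, path, prob):
        for s in steps:
            if s in path or SKILL_RANK[s.min_skill] > skill:
                continue
            if not (s.needs_access <= access and s.needs_knowledge <= knowledge):
                continue
            if s.reaches_goal:
                found.append((tuple(p.name for p in path) + (s.name,), prob * s.p_success))
            elif (s.grants_access - access) or (s.grants_knowledge - knowledge):
                walk(access | s.grants_access, knowledge | s.grants_knowledge,
                     path + [s], prob * s.p_success)  # steps adding nothing are pruned

    walk(*INITIAL_STATE.get(insider_name, (F(), F())), [], 1.0)
    return sorted(found, key=lambda item: item[1], reverse=True)
```

Calling `map_insiders_to_threats()` returns only the System Expert and the System Administrator for "create backdoors", while "perform operations on database" also matches the non-hostile Operator, which is the reason for keeping careless insiders in the library. `exploitable_paths("System Administrator")` finds three paths and ranks "locate sensitive tables, then query and exfiltrate" (0.56) above the single-step backup copy (0.5); the Operator gets no path at all because the first step requires operational skill, and the Unknown user has no initial access. In a real assessment the step probabilities come from the evaluation of slide 11, and the ranking should also weigh the cost and detectability of each step, which this toy search ignores.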

  16. Methodology application – Countermeasures
     • Identify the sensitive data and set up a detection system that prevents all queries on such data.
     • Keep track of accesses: username, timestamp, event description (computer system, devices, software used, software installation, error condition, etc.).
     • Implement a biometric system that re-checks the user's identity at a predetermined interval (minutes, hours).
     • Disallow logins during holidays or outside office hours.
     • Allow reports to be printed only on specific printers.
     • Implement an e-mail system that automatically forwards a copy (cc) to a higher-ranking person.
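The logging and detection countermeasures of slide 16 are easiest to judge with something that runs. The Python below is an added example, not code from the thesis: it parses an access log in the username/timestamp/event shape the slide asks for, flags logins on holidays or outside office hours, and flags queries that touch tables marked as sensitive. The office-hours window, the holiday calendar, the sensitive table names and all the log lines are constructed for the illustration.

```python
# Added example, not code from the thesis: the access-logging and detection countermeasures
# of slide 16 run over a constructed log. Office hours, the holiday calendar, the sensitive
# table names and every log line below are assumptions made for the illustration.
import re
from datetime import date, datetime, time

OFFICE_HOURS = (time(8, 0), time(18, 0))                 # assumed working day
HOLIDAYS = {date(2014, 12, 25), date(2014, 12, 26)}      # assumed holiday calendar
SENSITIVE_TABLES = {"patients", "payroll"}               # the "identified sensitive data"

# Constructed log in the shape slide 16 asks for: username | timestamp | event description.
ACCESS_LOG = """\
operator1|2014-12-22T09:15:00|login computer=ws-07
operator1|2014-12-22T09:20:13|query SELECT id, shift FROM rosters WHERE day='2014-12-22'
sysadmin|2014-12-22T23:41:02|login computer=db-srv
sysadmin|2014-12-22T23:43:50|query SELECT * FROM payroll
dexpert|2014-12-25T10:02:00|login computer=ws-12
dexpert|2014-12-25T10:05:31|software_install package=usb-mass-storage-tools
sysadmin|2014-12-23T14:10:00|query UPDATE rosters SET shift='B' WHERE id=4
"""

LINE_RE = re.compile(r"^(?P<user>[^|]+)\|(?P<ts>[^|]+)\|(?P<event>.+)$")
# Table names that follow FROM / JOIN / INTO / UPDATE in a query (a heuristic, not a SQL parser).
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)

def parse_log(text):
    """Yield (user, datetime, event) for every well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["user"], datetime.fromisoformat(m["ts"]), m["event"]

def tables_in_query(sql):
    """Lower-cased table names referenced by a query, as matched by TABLE_RE."""
    return {t.lower() for t in TABLE_RE.findall(sql)}

def outside_office_hours(ts):
    """True on holidays, at weekends, or outside the OFFICE_HOURS window."""
    return (ts.date() in HOLIDAYS or ts.weekday() >= 5
            or not OFFICE_HOURS[0] <= ts.time() < OFFICE_HOURS[1])

def detect(text=ACCESS_LOG):
    """Return (user, timestamp, rule, detail) alerts for off-hours logins and for
    queries touching a sensitive table, in log order."""
    alerts = []
    for user, ts, event in parse_log(text):
        if event.startswith("login") and outside_office_hours(ts):
            alerts.append((user, ts.isoformat(), "off-hours-login", event))
        elif event.startswith("query "):
            hit = tables_in_query(event[len("query "):]) & SENSITIVE_TABLES
            if hit:
                alerts.append((user, ts.isoformat(), "sensitive-data-query", ",".join(sorted(hit))))
    return alerts

if __name__ == "__main__":
    for alert in detect():
        print(*alert, sep="  ")
```

On the constructed log this raises three alerts: the administrator's late-night login, the administrator's `SELECT * FROM payroll`, and the domain expert's login on a holiday; the software installation is recorded but not alerted, since the slide asks only that such events be kept track of. Two caveats follow from running it. A rule that blocks every query on sensitive data, as the slide phrases it, also blocks the legitimate users of that data, so in practice it is an alerting rule like this one combined with a narrow allow-list of accounts and hosts. And the table-name regex is a heuristic: it catches FROM, JOIN, INTO and UPDATE targets but not views or stored procedures that read the sensitive tables, so the list of what counts as "sensitive data" must include those indirect paths too.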

  17. Conclusions
     • Several techniques exist to avoid or detect the risk that a legitimate user abuses their authority.
     • Technological protection from external threats is important, but defending against insider attacks is and will remain challenging.
     • Insider attacks are difficult to detect, by either human or technical means.
     • We identified the lack of a methodology, and of related support, for the systematic investigation and assessment of insider threats.

  18. Future work
     • Define a method that supports the creation, use and maintenance of the threat library.
     • Identify an approach that supports the selection of the input parameters characterizing an attack path, so as to understand the cost and dangerousness of an attack.
     • Provide a mapping between the insider library and the ADVISE adversary profiles, also assigning numerical values.

  19. Thank You
