
Research and Development Initiatives Focused on Preventing, Detecting, and Responding to Insider Misuse of Critical Defense Information Systems: Results of a Three-Day Workshop, August 16-19, 1999



  1. Research and Development Initiatives Focused on Preventing, Detecting, and Responding to Insider Misuse of Critical Defense Information Systems
  • Results of a Three-Day Workshop, August 16-19, 1999

  2. Background
  • Three-day workshop held at RAND Santa Monica, August 16-18, 1999; 35 invited participants
  • Sponsored by Army Research Lab, DARPA, NSA
  • Purpose: to recommend technical R&D initiatives addressing the insider threat to DoD information systems
  • The ASD/C3I report DoD Insider Threat Mitigation Plan (June 1999) concentrated on near-term steps to be taken; this workshop focused on the longer-term technical R&D required
  • The workshop is expected to be the first in a series

  3. Policy and Precursors to R&D
  • Technical initiatives must have a supportive environment. Required are:
  • Guidance from the legal and law enforcement communities regarding attribution, collection, maintenance, processing and storage of data
  • Clear definitions of what the “critical assets” on a system are
  • Clarity regarding who is an “insider”
  • Cost/benefit analysis of recommended measures
  • Plans for technology transfer
  • Support for multiple, diverse, concurrent approaches

  4. Characterizing an Info System Security Incident (modified from JTF-CND document; taxonomy credited to Sandia Labs)
  [Diagram: the columns below are read left to right; Action plus Target form an Event, Events form an Attack, Attacks form an Incident.]
  • Attackers: Hackers, Spies, Terrorists, Corporate Raiders, Professional Criminals, Vandals, Voyeurs
  • Tool: Physical Attack, Information Exchange, User Command, Script or Program, Autonomous Agent, Toolkit, Distributed Tool, Data Tap
  • Vulnerability: Design, Implementation, Configuration
  • Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
  • Target: Account, Process, Data, Component, Computer, Network, Internetwork
  • Unauthorized Result: Increased Access, Disclosure of Information, Corruption of Information, Denial of Service, Theft of Resources
  • Response: Repair, Restore, Record, Report, Render
  Annotations on the diagram: “Motivation”; “Access = Opportunity, Skill + tool”; “Detection technology”; “Remedial Security Engineering”; a group of Actions is marked “Potentially legitimate actions”; “Need to incorporate an understanding of the analytic process that initiates response activities.”

  5. Workshop Developed Recommendations in 4 Categories
  • 20 specific recommendations:
  • Threat (4)
  • Prevention (5)
  • Detection (6)
  • Response (5)

  6. R&D Recommendations Focused on Insider Threat - Overview
  • T1: Develop reactive configuration controls, in which an unauthorized result is mapped back to a specific type of threat
  • T2: Develop an insider trust model
  • T3: Develop means to map users to unauthorized results
  • T4: Identify signatures of unauthorized results

  7. T1: Develop reactive configuration controls -- an unauthorized result mapped back to a specific type of threat
  • Research objective: Characterize the insider threat
  • Unique insider characteristic: Some routine insider activity might be interpreted as malicious behavior using an “outsider” model
  • Research problems:
  1. Identify insider misuse characteristics
  2. Compare and contrast insider vs. outsider ability to achieve adverse, unauthorized results
  3. Demonstrate traceback of computer security events to specific insiders

  8. T2: Develop an insider trust model
  • Research objective: Develop a model of trust covering the full breadth of organizational roles authorizing degrees of technical configuration control privilege
  • Unique insider characteristic: The attributes of the trust relationship are the key distinguishing factors separating insider from outsider
  • Research problems:
  1. A characterization schema with insider roles and privileges, covering the full spectrum of military operations
  2. Develop parametric sensitivity criteria useful in recognizing attempted unauthorized escalation of privilege, before a security-breaching event

  9. T3: Develop means to map users to unauthorized results
  • Research objective: Given a system anomaly, determine if an insider did it, and if so, which one
  • (Note: This recommendation is similar to D3; see it for details.)

  10. T4: Identify signatures of unauthorized results
  • Research objectives:
  1. Focus insider misuse detection on the unique vulnerabilities presented by the insider threat
  2. Develop an understanding of insider patterns that can be detected by machine
  • Unique insider characteristic: The objective is to find insider-distinguishing patterns of misuse
  • Research problems:
  1. Prove that sensors can reliably alert on specific examples of signatures identified as representing insider misuse

  11. R&D Recommendations Focused on Insider Prevention - Overview
  • P1: Develop authentication components
  • P2: Develop access control components
  • P3: Develop system integrity components
  • P4: Develop a bidirectional trusted path to the security system
  • P5: Develop attribution components

  12. P1: Develop authentication components
  • Research objectives:
  1. Extend technologies to work in multi-tier transactional environments
  2. Ability to bind keys and tokens to users
  3. Strong authentication that can scale for increasing transaction rates
  4. Ability to include practical revocation and recovery
  • Unique insider characteristic: Insiders have superior knowledge of asset value, only they can abuse trust, and law enforcement is a deterrent
  • Research problems: (same as research objectives, above)

  13. P2: Develop access control components
  • Research objectives:
  1. Development of finer-grained access control that is affordable
  2. Inter-platform access control management
  3. Reducing the management cost of implementing and maintaining access controls
  4. New types of access control to reduce vulnerability to trusted insiders
  • Unique insider characteristic: Insiders have superior knowledge of asset value, only they can abuse trust, and law enforcement is a deterrent
  • Research problems:
  1. Expert-system-based access control automation able to translate natural language policy statements into machine-level policy
  2. Meta-access control system for cross-platform access management
  3. Ability to prevent insider misuse by security administrators and other privileged users

  14. P3: Develop system integrity components
  • Research objectives:
  1. Malicious code detection
  2. Arbitrary corruption prevention
  3. Develop boot sequence integrity
  4. Total system configuration management, for both hardware and software
  • Unique insider characteristic: Insiders have superior knowledge of asset value, only they can abuse trust, and law enforcement is a deterrent
  • Research problems: (same as research objectives, above)

  15. P4: Develop a bidirectional trusted path to the security system
  • Research objectives:
  1. Develop cross-platform trusted paths, both ways
  2. Develop two-way trusted paths in distributed systems
  3. Find ways to make trusted path concepts and techniques widely available in security architectures
  • Unique insider characteristic: Insiders have superior knowledge of asset value, only they can abuse trust, and law enforcement is a deterrent
  • Research problems: (same as research objectives, above)

  16. P5: Develop attribution components
  • Research objectives:
  1. Be able to attribute specific actions to individual users
  • Unique insider characteristic: Insiders may have access to the attribution mechanisms, so they must be hardened against insider misuse
  • Research problems: (similar to D3, below)

  17. R&D Recommendations Focused on Insider Detection - Overview
  • D1: Develop profiling as a technique
  • D2: Detect misuse of applications
  • D3: Provide traceability for system-object usage
  • D4: Identify critical information automatically
  • D5: Design systems for detectability
  • D6: Determine unauthorized changes due to physical access

  18. D1: Develop profiling as a technique
  • Research objectives:
  1. To discriminate between normal and anomalous behavior for a given user
  2. To be able to discriminate among users
  3. To create technology that can identify new insider-initiated misuse
  • Unique insider characteristic: The ability to collect user profile data is unique to the insider problem
  • Research problems:
  1. What are the best (sensor) sources of data?
  2. Feature extraction problems
  3. Best algorithms for detection
  4. Fusion/correlation of diverse information collected
  5. Scientific evaluation and comparison of techniques
  6. Design of contrastive experiments
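The two D1 objectives (is this session normal for this user, and which user does it look like) can be demonstrated with a simple per-user command profile. The following is an added example written for this transcript, not workshop material or any participant's code. It builds a command-frequency baseline per user from a constructed audit trail, scores a new session by its mean per-command surprise (in bits) under the claimed user's profile, and separately asks which profile explains the session best. The log format, user names, commands and the 3.5-bit threshold are all assumptions chosen for the illustration.

```python
"""Per-user command-profile scoring for insider-misuse detection (added example)."""
from __future__ import annotations

import math
from collections import Counter, defaultdict

# Constructed training audit trail, one "timestamp user command" record per line.
TRAINING_LOG = """\
1999-08-16T09:01:12 alice ls
1999-08-16T09:01:15 alice cd
1999-08-16T09:02:01 alice vi
1999-08-16T09:10:44 alice make
1999-08-16T09:11:02 alice gcc
1999-08-16T09:30:00 alice ls
1999-08-16T09:31:10 alice vi
1999-08-16T10:00:00 alice make
1999-08-16T10:01:00 alice gdb
1999-08-16T10:20:00 alice ls
1999-08-16T08:55:00 bob ls
1999-08-16T08:56:00 bob ps
1999-08-16T08:57:00 bob netstat
1999-08-16T09:00:00 bob tail
1999-08-16T09:05:00 bob sudo
1999-08-16T09:06:00 bob vi
1999-08-16T09:07:00 bob ps
1999-08-16T09:08:00 bob kill
1999-08-16T09:30:00 bob tail
1999-08-16T09:45:00 bob netstat
"""


def parse_log(text: str) -> list[tuple[str, str, str]]:
    """Split audit lines into (timestamp, user, command) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, cmd = line.split(maxsplit=2)
            events.append((ts, user, cmd))
    return events


def build_profiles(events) -> dict[str, Counter]:
    """One command-frequency Counter per user: the user's behavioral baseline."""
    profiles: dict[str, Counter] = defaultdict(Counter)
    for _, user, cmd in events:
        profiles[user][cmd] += 1
    return dict(profiles)


def vocabulary(profiles, session) -> set[str]:
    """Every command seen anywhere, so never-seen commands get a smoothed probability."""
    vocab = set(session)
    for profile in profiles.values():
        vocab.update(profile)
    return vocab


def log_prob(profile: Counter, session, vocab, alpha: float = 1.0) -> float:
    """Log-probability of a session under a profile, with add-alpha smoothing."""
    total = sum(profile.values()) + alpha * len(vocab)
    return sum(math.log((profile.get(c, 0) + alpha) / total) for c in session)


def anomaly_score(profile: Counter, session, vocab, alpha: float = 1.0) -> float:
    """Mean surprise per command in bits: how unlike this user the session looks."""
    return -log_prob(profile, session, vocab, alpha) / (len(session) * math.log(2))


def identify_user(profiles, session, alpha: float = 1.0) -> tuple[str, float]:
    """Best-matching profile for a session and its margin (bits) over the runner-up."""
    vocab = vocabulary(profiles, session)
    ranked = sorted(((log_prob(p, session, vocab, alpha), u) for u, p in profiles.items()),
                    reverse=True)
    best_lp, best_user = ranked[0]
    runner_lp = ranked[1][0] if len(ranked) > 1 else best_lp
    return best_user, (best_lp - runner_lp) / math.log(2)


def triage(profiles, claimed_user: str, session, threshold_bits: float = 3.5) -> dict:
    """Decision record: anomaly vs. the claimed user's own baseline, plus best match."""
    vocab = vocabulary(profiles, session)
    score = anomaly_score(profiles[claimed_user], session, vocab)
    best, margin = identify_user(profiles, session)
    return {"user": claimed_user, "anomaly_bits": round(score, 3),
            "anomalous": score > threshold_bits,        # threshold is an assumption
            "best_match": best, "margin_bits": round(margin, 3)}


PROFILES = build_profiles(parse_log(TRAINING_LOG))

if __name__ == "__main__":
    # Constructed sessions: one typical for alice, one resembling bob's admin work.
    for session in (["ls", "vi", "make", "gcc"], ["sudo", "netstat", "kill", "tcpdump"]):
        print(triage(PROFILES, "alice", session))
```

Two of the D1 research problems show up immediately in this toy: the score is only as good as the sensor source (a shell history misses GUI and application activity), and the threshold has to be set by contrastive experiment against each user's own historical sessions, not chosen globally as done here.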

  19. D2: Detect misuse of applications
  • Research objectives:
  1. Detect insider misuse of given resources and privileges
  2. Develop application-level sensors and detectors of misuse
  3. Go beyond access controls in user monitoring
  4. Generalize profiles to applications
  • Unique insider characteristic: This is a higher layer of detection that is specifically applicable to insiders, since system applications and processes are available to them
  • Research problems:
  1. Develop techniques for program profiling
  2. Apply this detection technique within commercial OSs
  3. Develop application-specific misuse detection
  4. Examine cases of insider misuse; develop a weighted threat model or matrix
  5. Develop auditability of object accesses

  20. D3: Provide traceability for system-object usage
  • Research objectives:
  1. Be able to determine who uses what, when, and how
  2. Detect suspicious exfiltration of data, programs, and intellectual property
  3. Provide object-centric traceability
  • Unique insider characteristic: This is quite specific to the insider problem, since the vast majority of uses of inside system resources are by insiders
  • Research problems:
  1. Mandatory watermarking of objects
  2. Embedding audit trails in objects
  3. Apply techniques to text, graphics, source and binary code
  4. Retrofit COTS software enabling watermarking of intellectual property
  5. Developing appropriate algorithms and infrastructure

  21. D4: Identify critical information automatically
  • Research objectives:
  1. Machine recognition of critical, possibly classified, information by its content
  2. Development of machine-processible classification guides (to be used by automated recognition procedures)
  • Unique insider characteristic: The description and protection of critical information is done “inside” an enterprise, and tailored to the unique needs of insiders
  • Research problems:
  1. Develop expert systems and/or rule-based approaches for recognizing critical content
  2. Investigate statistical modeling approaches
  3. Develop means for reliable detection of critical content
  4. Identify ground truth in recognizing critical content

  22. D5: Design systems for detectability
  • Research objectives:
  1. Develop system architectures that channel insider misuse into enclaves
  2. Regulate passage among enclaves by “gates” that are instrumented for observation and response
  • Unique insider characteristic: The intent is to make an insider an “outsider” to enclaves for which access is not immediately needed or authorized
  • Research problems:
  1. Design of gateways internal to a system that partition it into enclaves with separately controllable permissions
  2. Resolution of the tension between system/data redundancy (for robustness) and concentration of critical assets within specific enclaves
  3. Strategic deployment of sensors or “tripwires” based on enclaves

  23. D6: Determine unauthorized changes due to physical access
  • Research objectives:
  1. Investigate and mitigate the risks of physical access afforded to insiders
  2. Map physical network changes dynamically
  3. Audit physical changes to detect unauthorized changes
  4. Determine unauthorized physical changes in real time
  • Unique insider characteristic: Insiders are unique in having physical access to many aspects of a system
  • Research problems:
  1. Develop effective, automated techniques for network mapping
  2. Real-time dynamic change detection
  3. Automatic recognition and notification of changes
  4. System profiling and modeling to handle dynamic conditions of systems
  5. Scalability of proposed solution to tens of thousands of nodes or links

  24. R&D Recommendations Focused on Insider Response - Overview
  • R1: Develop a capability for monitoring privacy-enhanced systems, such as those using encryption
  • R2: Incorporate practical autonomic system response into production systems
  • R3: Develop data correlation tools, including data reduction for forensics, and visualization tools focused on internal misuse
  • R4: Develop a capability for surveillance of non-networked components
  • R5: Consider deception technologies specifically applicable to the insider threat

  25. R1: Develop capability for monitoring privacy-enhanced systems
  • Research objectives:
  1. Give analysts and investigators the ability to inspect encrypted information content during an insider incident
  • Unique insider characteristic: Insider use of overtly covert techniques (e.g., encryption) disables auditing of potentially unauthorized information flows
  • Research problems:
  1. Develop universal decryption tools to aid in forensic analysis of insider misuse incidents

  26. R2: Incorporate practical autonomic* system response into production systems
  • Research objectives:
  1. Create environmentally aware management technology that can dynamically modify privilege authorizations and exposure to risk
  2. Ensure that the technology cannot be spoofed by an insider
  3. Develop threat response mechanisms that are resistant to misuse
  4. Improve the general survivability of software products
  • Unique insider characteristic: Insiders have distinguishable signatures/patterns of misuse
  • Research problems:
  1. Identify insider misuse characteristics
  2. Automatic recognition and notification of changes
  3. System profiling and modeling that can handle dynamic conditions
  4. Watermark and digital signature technologies to tag artifacts as evidence in insider misuse investigations
  *Autonomic: due to internal causes or influences; spontaneous

  27. R3: Develop data correlation tools, including data reduction for forensics, and for visualization
  • Research objectives:
  1. Create multi-medium repositories to store data related to insider misuse characteristics, incident data, personnel records, etc.
  • Unique insider characteristic: Apprehension of insiders requires the rapid accumulation and analysis of locally available data from all sources
  • Research problems:
  1. Develop an insider misuse characterization schema encompassing all relevant aspects of the DoD information environment
  2. Create information systems that correlate and fuse various data sets related to insider phenomena and threats to system survivability
  3. Demonstrate the capability to correlate event-specific information

  28. R4: Develop capability for surveillance of non-networked components
  • Research objectives:
  1. Incorporate multi-dimensional analysis capability in insider-misuse-oriented information assurance technology
  • Unique insider characteristic: The insider “footprint” spans several technology mediums that are not normally accessible in local investigative processes
  • Research problems:
  1. Analyze the insider footprint and map sources of insider misuse evidence to the characterization schema recommended in R3, above

  29. R5: Consider deception technologies specifically applicable to the insider threat
  • Research objectives:
  1. Develop deception techniques for information systems tailored to discovering malicious activities by insiders
  2. Develop policies and procedures guiding use of these techniques
  • Unique insider characteristic: Use of deception is believed to be a powerful way of discovering malicious insider activities, and determining their interests and intent
  • Research problems:
  1. Discover what system aspects are amenable to the introduction of deceptive techniques
  2. How can such techniques be introduced without negative impacts?
  3. Can these techniques be used to discover misuse by highly trusted individuals, such as sysadmins?
  4. Can they be installed in a manner that prevents their misuse?
  5. What are the legal implications of using deception in information systems?
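D5 (instrumented gates between enclaves, tripwires placed per enclave) and R5 (deception aimed at insiders, including highly trusted ones) fit together in one mechanism: a gate that mediates every enclave crossing, grants access only under a time-bounded authorization, and seeds each enclave with decoy objects that no legitimate workflow touches. The block below is an added example for this transcript, not workshop material. Enclave names, users, grant lifetimes and decoy file names are constructed; the decision logic is the illustration. A decoy touch is recorded even when the crossing is authorized, which is how the gate reaches R5's third question (misuse by sysadmins who pass every permission check).

```python
"""Instrumented enclave gate with deception tripwires (added example for D5 and R5)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Grant:
    """Time-bounded authorization to enter an enclave: access only while it is needed."""
    enclave: str
    expires: datetime


@dataclass
class EnclaveGate:
    """Mediates every crossing between enclaves and records what it observes."""
    adjacency: dict[str, set[str]]       # enclave -> enclaves reachable through a gate
    grants: dict[str, list[Grant]]       # user -> grants
    decoys: dict[str, set[str]]          # enclave -> decoy object names (deception)
    log: list[dict] = field(default_factory=list)

    def decide(self, user: str, src: str, dst: str, obj: str, now: datetime) -> dict:
        """Allow or deny one crossing, with reason codes; always note decoy touches."""
        reasons = []
        if dst not in self.adjacency.get(src, set()):
            reasons.append("no-gate")        # enclaves are not adjacent: no path here
        if not any(g.enclave == dst and g.expires > now for g in self.grants.get(user, [])):
            reasons.append("no-grant")       # no live authorization for the destination
        record = {"time": now.isoformat(), "user": user, "src": src, "dst": dst, "obj": obj,
                  "allowed": not reasons, "reasons": reasons,
                  "decoy_hit": obj in self.decoys.get(dst, set())}
        self.log.append(record)
        return record

    def tripwire_report(self) -> dict[str, Counter]:
        """Per-user counts of denials and decoy touches, authorized or not."""
        report: dict[str, Counter] = {}
        for r in self.log:
            c = report.setdefault(r["user"], Counter())
            if not r["allowed"]:
                c["denied"] += 1
            if r["decoy_hit"]:
                c["decoy"] += 1
        return report


def build_demo_gate(now: datetime) -> EnclaveGate:
    """Constructed system: dev <-> ops <-> finance; dev and finance are not adjacent."""
    adjacency = {"dev": {"ops"}, "ops": {"dev", "finance"}, "finance": {"ops"}}
    grants = {
        "alice": [Grant("ops", now + timedelta(hours=8))],
        "bob": [Grant("finance", now - timedelta(days=1))],             # expired yesterday
        "root": [Grant(e, now + timedelta(days=365)) for e in adjacency],  # trusted admin
    }
    decoys = {"finance": {"payroll_export_backup.csv"}, "ops": {"domain_admin_creds.txt"}}
    return EnclaveGate(adjacency, grants, decoys)


def run_demo() -> EnclaveGate:
    """Scripted crossings against the constructed gate; returns the gate with its log."""
    now = datetime(1999, 8, 17, 10, 0)
    gate = build_demo_gate(now)
    gate.decide("alice", "dev", "ops", "build.log", now)                     # allowed
    gate.decide("alice", "dev", "finance", "ledger.db", now)                 # no-gate, no-grant
    gate.decide("bob", "ops", "finance", "ledger.db", now)                   # no-grant (expired)
    gate.decide("root", "ops", "finance", "payroll_export_backup.csv", now)  # allowed, decoy hit
    return gate


if __name__ == "__main__":
    demo = run_demo()
    for entry in demo.log:
        print(entry)
    print(demo.tripwire_report())
```

The decoy set must be kept out of any file the insider can read (R5 problem 4): if the list of tripwires is itself reachable from the enclave it guards, a privileged insider simply avoids them.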

  30. DIO Organizations and Activities Study: 35 Organizations Assessed
  [Table: organizations grouped on the slide under Protection, CERTs, Network Operations Support, IW, LE/CI, Intelligence, Other; listed here in slide order]
  • Joint Task Force - Computer Network Defense
  • US Space Command
  • National Infrastructure Protection Center
  • Joint Command and Control Warfare Center
  • Joint Spectrum Center
  • DoD Computer Forensics Laboratory
  • Defense Advanced Research Projects Agency
  • Joint C4ISR Battle Center
  • Army Research Lab
  • Air Force Computer Emergency Response Team
  • Army Computer Emergency Response Team
  • Navy Computer Incident Response Team
  • Defense Logistics Agency CERT
  • National Security Agency (X Group)
  • Carnegie Mellon University CERT/CC
  • Air Force Network Operations Center
  • Army Network Systems Operations Center
  • Naval Computer and Telecommunications Command
  • Global Network Operations Security Center
  • Air Force Information Warfare Center
  • Land Information Warfare Activity
  • Naval Information Warfare Activity
  • Fleet Information Warfare Center
  • Information Operations Technology Center
  • Air Force Office of Special Investigations
  • US Army Criminal Investigation Directorate
  • US Army Military Intelligence
  • Naval Criminal Investigation Service
  • Defense Criminal Investigative Service
  • Joint Staff - J2
  • Defense Intelligence Agency
  • Air Intelligence Agency
  • National Aeronautics and Space Administration
  • Joint Warfare Analysis Center
  [Source: U.S. Department of Defense]

  31. Workshop Attendees
  • Adams, Robert: Air Force Information Warfare Center, 250 Hall Rd #139, San Antonio, TX 78243
  • Alvarez, Jorge: Space and Naval Warfare Systems Center, 53560 Hull Street, San Diego, CA 92152
  • Anderson, Robert: RAND Corporation, P.O. Box 2138, Santa Monica, CA 90407
  • Anderson, Karl: NSA R2, 9800 Savage Road, Ft. Meade, MD 20755
  • Arnold, Richard: GTE GSC, 1000 Wilson Blvd. Ste 810, Arlington, VA 22209
  • Barnes, Anthony: Army Research Lab, C4I Systems Branch, AMSRL-SL-EI, Ft. Monmouth, NJ 07703-5602
  • Bencivenga, Angelo: Army Research Lab, 2800 Powder Mill Road, Adelphi, MD 20783
  • Bozek, Thomas: Office of the Secretary of Defense / C3I, 6000 Defense, Rm 3E194, Pentagon
  • Brackney, Richard: NSA R2, R&E Bldg, 9800 Savage Road, Ft. Meade, MD 20755
  • Christy, James: ASDC3I/DIAP, Ste. 1101, 1215 Jefferson Davis Highway, Arlington, VA 22202
  • Cowan, Crispin: Oregon Graduate Institute, P.O. Box 91000, Portland, OR 97291
  • Dunn, Timothy: Army Research Lab, 2800 Powder Mill Road, Adelphi, MD 20783
  • Dunphy, Brian: Defense Information Systems Agency, 701 S. Courthouse Rd D333, Arlington, VA
  • Ghosh, Anup K.: Reliable Software Technologies, 21351 Ridgetop Circle, Ste 400, Dulles, VA 20166
  • Gligor, Virgil: University of Maryland, Electrical/Computer Engineering, AVW 1333, College Park, MD 20742
  • Gilliom, Laura: Sandia National Labs, P.O. Box 5800-0455, Albuquerque, NM
  • Goldring, Tom: NSA R23, 9800 Savage Road, Ft. Meade, MD 20755
  • Hotes, Scott: NSA R225, R&E Bldg, 9800 Savage Road, Ft. Meade, MD 20755
  • Hunker, Jeffrey: National Security Council, White House #303, Washington, DC 20504
  • Jaeger, Jim: Lucent Technologies, Box 186, Columbia, MD 21045
  • Longstaff, Thomas: CERT/CC, 4500 Fifth Avenue, Pittsburgh, PA 15213
  • Lunt, Teresa: Xerox PARC, 3333 Coyote Hill Road, Palo Alto, CA 94304
  • Matzner, Sara: U. Texas at Austin Applied Research Labs, Information Systems Laboratory, P.O. Box 8029, Austin, Texas 78713
  • Maxion, Roy: Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213
  • McGovern, Owen: DISA, Letterkenny Army Depot, Chambersburg, PA 17201-4122
  • Merritt, Larry D.: NSA, 9800 Savage Road, Ft. George G. Meade, MD 20755
  • Neumann, Peter G.: SRI International, 333 Ravenswood Ave., Menlo Park, CA 94025
  • Skolochenko, Steven: Office of Information Systems Security, 1500 Penn. Ave. NW, Annex, Rm. 3090, Washington, DC 20220
  • Skroch, Michael: DARPA/ISO, 3701 N. Fairfax Dr., Arlington, VA 22203
  • Solo, David: Citibank, 666 Fifth Ave., 3rd Floor/Zone 6, New York, NY 10103
  • Teslich, Robyne: Lawrence Livermore National Laboratory, PO Box 808, Room L-52, Livermore, CA 94550
  • Tung, Brian: USC Information Sciences Institute, 4676 Admiralty Way Ste. 1001, Marina del Rey, CA 90292
  • van Wyk, Kenneth: Para-Protect, 5600 General Washington Drive Ste. B-212, Alexandria, VA 22312
  • Walczak, Paul: Army Research Laboratory, 2800 Powder Mill Road, Adelphi, MD 20783
  • Zissman, Marc: MIT Lincoln Laboratory, 244 Wood Street, Lexington, MA 02420

  32. Bibliography (partial)
  • NTISSIC draft, Advisory Memorandum on the Insider Threat to U.S. Government Information Systems (IS). Deemed essential reading for participants before the workshop.
  • DoD Insider Threat Mitigation Plan: Final Report of the Insider Threat Integrated Process Team, June 1999 (FOUO). Essential reading before the workshop.
  • NIST bulletin, Threats to Computer Systems, March 1994.
  • Neumann, Peter G. The Challenges of Insider Misuse. August 1999.
