systematizing insider threat mitigation
play

Systematizing Insider Threat mitigation George Magklaras BSc Hons - PowerPoint PPT Presentation

Jun 14, 2023 •556 likes •1.07k views

Systematizing Insider Threat mitigation George Magklaras BSc Hons Mphil Information Security & Network Research Group University of Plymouth, UK http://www.network-research-group.org/ Agenda Basic definitions. Manifestation of

  1. Systematizing Insider Threat mitigation George Magklaras BSc Hons Mphil Information Security & Network Research Group University of Plymouth, UK http://www.network-research-group.org/

  2. Agenda ● Basic definitions. ● Manifestation of insider threats in the real world. ● Insider threat taxonomies and frameworks ● Insider threat modeling: A system oriented view approach coupled with human factors ● Towards a repository of encoded insider threats ● Fundamental questions on insider threat modeling

  3. Some (boring?) definitions ● Insider: a person that has been legitimately legitimately given the capability of accessing one or many components of an IT infrastructure (hardware, software and data) enjoying effortless login by interacting with one or more authentication mechanisms. ● IT usage policy:”set of laws, rules, practices, norms and fashions that regulate how an organisation manages, protects, and distributes the sensitive information and that regulates how an organisation protects system services” [1] ● Threat: a set of circumstances that has the potential to cause loss or harm. ● To systematize: To formulate into or reduce to a system: " The aim of science is surely to amass and systematize knowledge " V. Gordon Childe ● Model: an abstracted physical, mathematical, or logical representation of a system of entities, phenomena, or processes.

  4. Insider threat manifestation : source CSI 2007 survey [2]

  5. Insider Threat Manifestation (2): source CSI 2007 survey [2]

  6. Insider Threat manifestation (3): source PwC/DTI 2006 ISBS survey [3]

  7. Insider Threat manifestation (4): source PwC/DTI 2006 ISBS survey

  8. Insider Threat manifestation (5): source PwC/DTI ISBS 2006 survey

  9. Insider Threat manifestation(6): IWAR Insider misuse survey [4] ● 50 respondents from Europe (IT and Management practitioners) ● What really constitutes an insider IT misuse problem? What are the most frequent ways for a legitimate user to abuse an IT infrastructure? ● What are the most likely places in computer systems to reliably collect information about legitimate user misuse? ● Is there any indicative information about what kind of user is likely to initiate an insider IT misuse incident?

  10. Insider Threat manifestation(7): IWAR Insider misuse survey [4] Software and Hardware Vendors 8% 4% 6% Academ ia 8% 26% Financial Organisations Governm ent 10% Utilities 10% Transportation 14% 14% Defense Other

  11. Insider Threat manifestation(8):IWAR Insider Misuse Survey [4] email abuse 12% 6% pornography 10% 24% system administrators 4% 18% 46% system developers theft or alteration of info security specialists internal virus managers outbreaks 16% illegal software/hardware 40% 24% installation vandalism ● 46% of respondents considered extensive personal usage of computing resources (IM friends, browsing food recipies, printing your son's 200 page thesis, etc) as serious IT misuse.

  12. Insider Threat manifestation(9):IWAR Insider Misuse Survey [4] 32% Previous credit difficulties 40% Previous criminal activity Level of IT security skills Reasons for leaving previous 10% jobs 18% ● Respondents from the defense, hardware/software vendors and financial organizations were utilizing extensively strict pre- employment screening procedures.

  13. Insider Threat manifestion (10): IWAR Insider Misuse Survey [4] 17% 18% 34% Security tool log files Substantial revenue loss 30% 24% Pre-employment screening No substantial revenue loss Web page content No revenue loss E-mail content Don't know/answer 29% 2% Netw ork Traffic 26% 20% ● 86% of the respondents believe that knowledgeable users (IT-wise) are more likely to misuse a system than their less knowledgeable colleagues. ● 14% believe that less knowledgeable users can create more trouble 14% believe that less knowledgeable users can create more trouble than their more knowledgeable counterparts (accidental misuse accidental misuse). ). than their more knowledgeable counterparts ( ● 0% did not think that IT knowledge is a threat factor.

  14. Insider Threat Systematics: Taxonomies ● Taxonomies are vital tools that aid the conceptual understanding of a problem domain. ● Biologists and genomic researchers are trying to make sense of complex processes and large amounts of data by using taxonomies. ● Information security researchers have initially started classifying security faults: ● John Howard's security incident analysis [5] ● SRI Neumann-Parker taxonomy [6] ● Lindqvist- Jonssen's intrusion taxonomy [7] ● Furnell et al Intrusion Specification taxonomy [8]

  15. Insider threat systematics (2): Insider threat taxonomies ● Early literature references to types of legitimate users: Anderson's discussion [9] of 'masqueraders', 'misfeasors' and 'clandestine' users. ● Tuglular's Insider misuse taxonomy [10]: ● Incident, response, consequences ● 'target-type-of-threat' association ● Target ⇰ asset strategy ⇰ rule

  16. Typical threat realization scenario ● A disgruntled head system administrator who has just been fired and decides to take revenge by disrupting the IT infrastructure . As a knowledgeable insider, he/she bypasses the system authentication procedure and corrupts (and does not delete entirely) certain vital database files in order to disrupt important services. In addition, the fired system administrator also deletes the database backup copies and then covers up his actions by erasing system log files.

  17. Notable cases ● Norwich Union versus Western Provident Association: http://www.computerworld.com/news/2000/story/0,11280,45927,00.html ● Abdelkader Smires versus Internet Trading Systems: http://www.computerworld.com/news/2000/story/0,11280,45927,00.html ● University of Oslo account cracking incident: http://news.ists.dartmouth.edu/snms/1102.htm#30

  18. Observations: ● Insider misuse is a composite problem: ● Human resources issues: unhappy/unloyal employees ● Legal issues: (balancing privacy against user monitoring measures and considering when and if to litigate). ➔ Technical issue (detecting and responding to insider threats (IDS/IPS), preventing insider threats)

  19. Observations (2): ➔ Opportunity and motive are important factors. Many taxonomies and frameworks pay attention to these two factors: ➔ Inferring opportunity and motive is possible when someone focuses on how something is achieved. ➔ Automated processes work best on pointing out system level consequences. ➔ Insider threat prediction (IPT) is an important mitigation technique. ➔ IPT requires an ability to represent events at a more system-specific level, looking at the various individual actions that achieved the result ➔ Therefore, it makes sense to build a taxonomy of insider threats based on what can be easily detected at system level.

  20. Proposed Insider Threat prediction taxonomy [11]: System masters System role Advanced users O/S based misusers Reason of misuse Application users System consequences System consequences Network consequences Data theft Intentional Personal differences Deliberate ignorance Hardware of rules Reason of misuse Inadequate system Accidental knowledge Stress Genuine lack of knowledge of rules

  21. Insider Threat Prediction Taxonomy (2):OS consequences: proposed filesystem indicators [11] Content private/ Reading unauthorised metadata File and Directory operations Content private/ unauthorised Alteration metadata File-system manipulation diskspace Overutilising I/0 capacity MBR Filesystem Reading operations metadata partition table MBR Altering metadata partition table

  22. Insider Threat Prediction Taxonomy (3):OS consequences: proposed memory indicators [11] O/S based System Specific System calls Program Execution Authorised Application Specific Unauthorised O/S based System Specific System calls Memory Program Manipulation Installation Authorised Application Specific Unauthorised Overutilisation Irregular Memory Usage Access restricted areas

  23. Insider Threat Prediction Taxonomy (4): OS consequences:proposed network indicators likely to download Offensive material Suspicious URLs likely to download illegal software Based on UDP Network Vulnerable consequences network protocols Based on TCP Downloading over X Mbytes of data in a time period Y Using a network Network over- burst rate utilisation over X Mbits/ sec Using over a certain number of network endpoints Mail to suspicious addresses Suspicious SMTP traffic Suspicious attachments

  24. Insider Threat prediction modeling: Wood Wood [12] discusses a set of Insider Threat Qualifiers (ITQs) to model an insider adversary: ● Knowledge ● Privileges ● Skills ● Tactics ● Motivation ● Process Wood does not deal with the quantification of metrics due to its introductory scope.

  25. Insider Threat prediction modeling: Pauleo's Risk Predictor model [13] ● Human behavior based ● Incorporates risk management with elements of human behavioral science. ● Purpose: to identify employees with a higher risk of performing damage inside an organization. ● Method: Vector based modeling of events and influences that gives a numerical score for each employee. The higher the score, the higher the likelihood of threat realization by the individual.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Insider Threat Insider Threat (Database Intrusion Detection) 1 Insider Threats: Motivation and

Insider Threat Insider Threat (Database Intrusion Detection) 1 Insider Threats: Motivation and

Insider Threat Insider Threat (Database Intrusion Detection) 1 Insider Threats: Motivation and Challenges Challenges Mission critical information = High value target Threatens Government organizations and large corporations

435 views • 39 slides
Counterintelligence & Insider Threat Detection National Insider Threat Special Interest Group

Counterintelligence & Insider Threat Detection National Insider Threat Special Interest Group

Counterintelligence & Insider Threat Detection National Insider Threat Special Interest Group July 18, 2017 Douglas D. Thomas Director, Counterintelligence Operations & Corporate Investigations Lockheed Martin Counterintelligence

706 views • 16 slides
A FRAMEWORK TO EFFECTIVELY DEVELOP INSIDER THREAT CONTROLS Randy Trzeciak Dan Costa Director

A FRAMEWORK TO EFFECTIVELY DEVELOP INSIDER THREAT CONTROLS Randy Trzeciak Dan Costa Director

#RSAC SESSION ID: HUM-R02 A FRAMEWORK TO EFFECTIVELY DEVELOP INSIDER THREAT CONTROLS Randy Trzeciak Dan Costa Director Technical Solutions Team Lead CERT National Insider Threat Center CERT National Insider Threat Center Software

784 views • 35 slides
Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control

Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control

Introduction Insiders and Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control Help? Trust and Trustworthi- ness Access Control and Trustwor- Jason Crampton 1 Michael Huth 2 thiness 1 Information

470 views • 25 slides
Human Resources Interaction With An Insider Threat Program 1 INTRODUCTION Davita N. Carpenter,

Human Resources Interaction With An Insider Threat Program 1 INTRODUCTION Davita N. Carpenter,

Human Resources Interaction With An Insider Threat Program 1 INTRODUCTION Davita N. Carpenter, SHRM-SCP Novetta Inc. Vice President, Human Resources/Employee Care Ethics/Compliance Officer Insider Threat Group Member 25+ years in Human

520 views • 16 slides
Behavioral Indicators of Insider Threat: Looking Forward Dr. Robert Gallagher Guardian Defense

Behavioral Indicators of Insider Threat: Looking Forward Dr. Robert Gallagher Guardian Defense

Behavioral Indicators of Insider Threat: Looking Forward Dr. Robert Gallagher Guardian Defense Group NITSIG Board Member Insider Threat Indicator Lists Everybody loves a list If we had a single and comprehensive list of THE behavioral

323 views • 9 slides
Nuclear Security Culture As a Tool to Address Insider Threat Dr. Igor Khripunov at The IAEA

Nuclear Security Culture As a Tool to Address Insider Threat Dr. Igor Khripunov at The IAEA

Nuclear Security Culture As a Tool to Address Insider Threat Dr. Igor Khripunov at The IAEA International Conference on Physical Protection, 13-17 November 2017, Vienna, Austria Overview Insider threat and the role of Nuclear Security

552 views • 15 slides
Conversations Around Insider and Organizational Threat Luke Osterritter losterritter@cmu.edu

Conversations Around Insider and Organizational Threat Luke Osterritter losterritter@cmu.edu

<Your Name> Conversations Around Insider and Organizational Threat Luke Osterritter losterritter@cmu.edu Center for Computational Analysis of Social and Organizational Systems http://www.casos.cs.cmu.edu/ What is an Insider

256 views • 21 slides
A Layered Approach to Insider Threat Detection and Proactive Forensics Phillip G. Bradford, Ning

A Layered Approach to Insider Threat Detection and Proactive Forensics Phillip G. Bradford, Ning

A Layered Approach to Insider Threat Detection and Proactive Forensics Phillip G. Bradford, Ning Hu University of Alabama Tuscaloosa, AL 35487 ACSAC Dec. 5-9, 2005 Insider threats Definition Menaces to computer security as a result of

131 views • 11 slides
Social Science Perspectives and Countering Insider Threat The Framework Social science is

Social Science Perspectives and Countering Insider Threat The Framework Social science is

Social Science Perspectives and Countering Insider Threat Overview What is a Social Scientist? Why M ethods M atter The Application of Social Science Questions? 1 Social Science Perspectives and Countering Insider Threat The

294 views • 11 slides
DATA LOSS PREVENTION AND PROTECTION Last Revised: 4-20-14 MD InfraGard Insider Threat Special

DATA LOSS PREVENTION AND PROTECTION Last Revised: 4-20-14 MD InfraGard Insider Threat Special

MD InfraGard Insider Threat MD InfraGard Insider Threat Special Interest Group Special Interest Group DATA LOSS PREVENTION AND PROTECTION Last Revised: 4-20-14 MD InfraGard Insider Threat Special Interest Group MD InfraGard Insider Threat

689 views • 49 slides
Combating the Insider Threat at the FBI: Real World Lessons Learned Patrick Reidy Disclaimer and

Combating the Insider Threat at the FBI: Real World Lessons Learned Patrick Reidy Disclaimer and

FEDERAL BUREAU OF INVESTIGATION Fidelity, Bravery, and Integrity Combating the Insider Threat at the FBI: Real World Lessons Learned Patrick Reidy Disclaimer and Introduction The views expressed in this presentation are those of the

931 views • 43 slides
Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. ! Founder, Honeynet Project & Moderator, honeypot mailing list ! Author, Honeypots: Tracking Hackers & Co- author, Know Your Enemy ! Work

676 views • 52 slides
Vajra Cyber Threat Mitigation Service (Vajra CTMS) A Military Grade Cyber Threat Mitigation

Vajra Cyber Threat Mitigation Service (Vajra CTMS) A Military Grade Cyber Threat Mitigation

Vajra Cyber Threat Mitigation Service (Vajra CTMS) A Military Grade Cyber Threat Mitigation Service for Businesses and Governments Cyber Security & Privacy Foundation Pte. Ltd., Singapore Cyber Security & Privacy Foundation (CSPF)

369 views • 21 slides
Managing the Weakest Link: A Game-Theoretic Approach for the Mitigation of Insider Threats Aron

Managing the Weakest Link: A Game-Theoretic Approach for the Mitigation of Insider Threats Aron

Managing the Weakest Link: A Game-Theoretic Approach for the Mitigation of Insider Threats Aron Laszka 1 , 2 Benjamin Johnson 3 ottle 4 Pascal Sch Jens Grossklags 1 ohme 4 Rainer B 1 Pennsylvania State University 2 Budapest University of

456 views • 44 slides
How To Get Started IMPACT 2015 Phil Robinson 2 Video removed due to size constraints 3 Theme

How To Get Started IMPACT 2015 Phil Robinson 2 Video removed due to size constraints 3 Theme

Insider Threat Programs: How To Get Started IMPACT 2015 Phil Robinson 2 Video removed due to size constraints 3 Theme Insider Threat is NOT ONLY about protecting data on your network Risk: Tolerance/Avoidance/Acceptance

799 views • 54 slides
and Compliance Management for Dynamic EDS Carlos Rubio-Medrano , Josephine Lamp , Ziming Zhao and

and Compliance Management for Dynamic EDS Carlos Rubio-Medrano , Josephine Lamp , Ziming Zhao and

A RIZONA S TATE U NIVERSITY Fall 2016 Robust and Scalable Security Monitoring and Compliance Management for Dynamic EDS Carlos Rubio-Medrano , Josephine Lamp , Ziming Zhao and Gail-Joon Ahn 11/18/2016 1 A RIZONA S TATE U NIVERSITY Background

893 views • 40 slides
Towards Recoverable Hybrid Byzantine Consensus Hans P. Reiser 1 , R udiger Kapitza 2 1 University

Towards Recoverable Hybrid Byzantine Consensus Hans P. Reiser 1 , R udiger Kapitza 2 1 University

Towards Recoverable Hybrid Byzantine Consensus Hans P. Reiser 1 , R udiger Kapitza 2 1 University of Lisboa, Portugal 2 University of Erlangen-N urnberg, Germany September 22, 2009 Overview Background 1 Why? When? Where? Towards

603 views • 34 slides
More on Malware CS 136 Computer Security Peter Reiher March 4, 2008 Lecture 14 Page 1 CS

More on Malware CS 136 Computer Security Peter Reiher March 4, 2008 Lecture 14 Page 1 CS

More on Malware CS 136 Computer Security Peter Reiher March 4, 2008 Lecture 14 Page 1 CS 136, Winter 2008 Outline Introduction Viruses Trojan horses Trap doors Logic bombs Worms Botnets Spyware Some

701 views • 53 slides
Developing Systems for Cyber Situational Awareness* James Okolica, J. Todd McDonald, Gilbert L.

Developing Systems for Cyber Situational Awareness* James Okolica, J. Todd McDonald, Gilbert L.

Air Force Institute of Technology Develop America's Airmen Today ... for Tomorrow Developing Systems for Cyber Situational Awareness* James Okolica, J. Todd McDonald, Gilbert L. Peterson, Robert F. Mills, and Michael W. Haas Center for

355 views • 19 slides
CCW Workshop Technical Session on Mobile Cloud Compu<ng

CCW Workshop Technical Session on Mobile Cloud Compu<ng

CCW Workshop Technical Session on Mobile Cloud Compu<ng Panelists: Dijiang Huang (ASU, Moderator) Mario Gerla (UCLA) Huan

626 views • 30 slides
Evaluation of training Learning objectives Design a possible evaluation procedure for

Evaluation of training Learning objectives Design a possible evaluation procedure for

INF3280, 25 March 2020 Evaluation of training Learning objectives Design a possible evaluation procedure for Assignment 3 Core literature Chapter 9 Auxiliary literature Holton III (1996) The flawed four-level

212 views • 10 slides
networks research Bob Briscoe & Ben Bappu Dec 2004 networks research centre - themes

networks research Bob Briscoe & Ben Bappu Dec 2004 networks research centre - themes

networks research Bob Briscoe & Ben Bappu Dec 2004 networks research centre - themes networks of x x: computers, devices, people, physical phenomena new science framework for reasoning, proof, architecture, language,

620 views • 14 slides
Traffic Measurement Lothar Braun Outline Why do we need to measure traffic in the Internet?

Traffic Measurement Lothar Braun Outline Why do we need to measure traffic in the Internet?

Chair for Network Architectures and Services Department of Informatics Technische Universitt Mnchen Traffic Measurement Lothar Braun Outline Why do we need to measure traffic in the Internet? Active measurement vs. passive

771 views • 31 slides

More recommend