Analysis and Detection of Insider Threats (4 May 2005, MITRE DSS): Mark Maybury, Penny Chase, Brant Cheikes, Dick Brackney et al.

Presentation transcript:

1 Analysis and Detection of Insider Threats
4 May 2005, MITRE DSS
Mark Maybury, Penny Chase, Brant Cheikes: Information Technology Division, The MITRE Corporation, 202 Burlington Road, Bedford, MA 01730, USA
Dick Brackney: Advanced Research and Development Activity in Information Technology, 9800 Savage Road, Fort George G. Meade, MD
Sara Matzner and Tom Hetherington: Applied Research Laboratories, University of Texas, Austin, TX 78713
Brad Wood and Conner Sibley: BBN Technologies, 9861 Broken Land Parkway, Columbia, MD 21046
Tom Longstaff and Jack Marin: CERT Research and Analysis Centers, Software Engineering Institute, Carnegie Mellon University, Fifth Avenue, Pittsburgh, PA
Lance Spitzner: Honeynet Consortium
John Copeland: Electrical and Computer Engineering, Georgia Institute of Technology, GA
Scott Lewandowski and Jed Haile: MIT Lincoln Laboratory, 244 Wood Street, Lexington, MA

2 Workshop Goal
Copyright © 2005 The MITRE Corporation. All rights reserved.
Design and develop a proof-of-concept system for early indication and warning of malicious insiders

3 Multidisciplinary Team

4 Hypotheses
- A heterogeneous approach to indications and warning (I&W) will enhance malicious insider (MI) detection
- Fusing information results in more accurate and timely indications and warning of MIs
- Observables together with domain knowledge (e.g., user role) can help detect inappropriate behavior (e.g., need-to-know violations)

5 Methodology
- Model insiders and observables
- Insider case analysis
- Live network experimentation
- Novel sensor design and development
- Evaluation

6 Cases

7 Observables Taxonomy (a tree on the slide; reconstructed here as an outline)
Observables
- Missing Reporting (financial, travel, contact)
- Physical Security
  - Physical Access (e.g., card door logs)
  - Foreign Travel
- Cyber Security
  - Cyber Actions: Reconnaissance, Access, Exploitation, Entrenchment, Extraction & Exfiltration, Communication, Manipulation, Other Cyber Activities
  - Violations
- Counter Intelligence
  - Materials Transfer to handlers
  - Finances, Wealth, Vices
  - Counter Intelligence Polygraph
  - Social Activity (Internal, External)
  - Communications
Leaf observables named on the slide, grouped where the layout makes the parent clear:
- Access: Orphan account use, Password cracking, Account misuse, Privilege escalation, Terminals left logged on unattended / no time out
- Reconnaissance: Net Scan, Web Browsing, DB Search
- Communication: Encrypted, Coded Messages, Covert Channels
- Manipulation: Misinformation, Info suppression
- Extraction & Exfiltration: Printing, Downloads, Removable Media, Copy machine
- Vices: Pornography, Gambling, ...
- Other leaves (parent not recoverable from the transcript): File Permissions, Install Sensors, Install unauthorized software, Sensor Mgmt, Bot Command & Control, Disk Erasure, Disk Wiping
Data and sensors: Honeypot data, Calling patterns, Travel/vacation patterns, Trouble Tickets, Syslog, Network IDS Logs, Maintenance Schedule, Keyboard logs, File system logs, CI Case Files

8 Asset Taxonomy
Assets
- Human: System Admin, Network Admin, Analyst, Operator, Manager, Secretary, Counter Intelligence, ...
- Information: Net Vulnerabilities, Sources & Methods, Log (web, DB, ...), Network Structure, Passwords, Document/Briefing, Web Page
- Resources: $$, ...
- Software: Web Server, Mail Server, DB, Application, Op. System, ...
- Key: Physical Access, Badge, ...
- Hardware: Server, Router, Guard, Encryptor, Satellite Phone, Workstation (Monitor, Keyboard, CPU), Removable Media (floppies, USB devices, CDROMs)

9 User Taxonomy
- Employees: Technical/Engineer (Data and Info, Software, Electronics, Analyst, Physical, InfoSec), Executive, Financial, HR, Media/Comm, System & Network Admin, Facilities, Transportation, InfoSec, Security and Safety, Legal, Prof. Support, Secretarial, Summer, Misc.
- Non-MITRE: subcontractor, consultant, tenant

10 Account Taxonomy
User Accounts
- Executive
- Professional Support: Technical, Financial / Purchasing / Admin, Human Resources, Technical Project Support, Media / Communications, System & Network Admin, Facilities & Equipment, Transportation, Information Security, Security & Safety, Misc, Expert Services
  - Technical: Applications Engineering, Electronics Engineering, Analysts, Physical Engineering, Information Security, Data & Information, Multi Discipline, Information Systems, Others
- Co-op / Summer: Co-op, Summer
- Secretarial: Executive Secretary, Secretary (328), Clerks / Aides (46)
- Non-MITRE Employees: Subcontract, Consultants, Tenants
- Groups: Locations (Bedford, Washington, Sites)
- Non-human entities: Listservers, Mail Forwarders, SysAdmin Accounts

11 Malicious Insider Testbed
- Real network: MITRE's DMZ
  - A separate network for experimentation and sponsor community support, established outside the MITRE internal network
  - 300 to 400 hosts
  - Various services: web, news, database, ...
  - Data sources on the network for use in scenarios
  - Additional sensors deployed
- 3 of the 75 users active during the period acted as malicious insiders, based on historical and project scenarios of insider behavior
[Diagram: Internet, MITRE internal network, MITRE DMZ]

12 Insider Scenarios
- Three scenarios:
  - Aggregate historical insider: "Pal"
  - Projected insiders: "Jill" (News Admin) and "Jack"
- Drew upon historical examples for "Pal", an intelligence analyst
- The News Admin (an application administrator) and "Jack" (a system administrator) developed their own scenarios
  - Needed to be consistent with prior activity on the systems
  - More realistic ("red teaming")

13 Multiple Data Sources
- Host: su, login, yppasswdd, last, sendmail, sshd
- Application: web server (web_log, web_notice, web_warn, web_error; HTTP support, web service framework), news server (nnrpd, innd)
- Network: Snort IDS, StealthWatch, honeynet sensor
- Physical: badge reader
- Domain knowledge: user role taxonomy
18 (of 400) hosts, 11+M records, 4000 users, 75 active on the DMZ

14 Collection and Anonymization
Sendmail logs, authentication logs, badge reader logs, web server logs, news server logs, StealthWatch logs, honeynet logs and other logs → archive database (protected computing space) → scrubber → Common Data Repository (flat files, ARDA NRRC space)

15 Evaluation Activity
[Timeline December to February for PAL (Analyst), Jill (News Admin) and Jack (Sys Admin). Key: normal activity; insider activity with journal available during the test; insider activity with journal revealed after the test.]

16 Heterogeneous I&W Approaches
- StealthWatch: multilevel network flow analysis
- Honeynets: simulated targets to elicit knowledge of the attacker
- Structured Analysis Group (SAG): top-down, real-time, model-based detection of MIs
- Data Fusion: bottom-up analysis of traditional and novel indicators

17 Integrated Framework
[Diagram: common data feeds a honeynet, anomaly detection (StealthWatch+: big file, scanning, zone alert), data fusion and structured analysis; adversary models and decision analysis sit above them.]
Common data:
- Authentication, mail, DMZ servers, IDS, honeynet, badge data
- Application logs (e.g., web, DB, mail)
- Nessus scans (vulnerability analysis)
- Switch logs, StealthWatch logs

18 Performance Evaluation Metrics
- Timeliness, e.g., time from defection to detection: years, months, weeks, minutes
- Accuracy
  - Precision = # correctly detected insiders / # reported insiders
  - Recall = # correctly detected insiders / total # actual insiders
  - False positives = # reported insiders - # correctly detected insiders (as a fraction of reports: 1 - precision)
  - False negatives = total # actual insiders - # correctly detected insiders (as a fraction of insiders: 1 - recall)

19 StealthWatch: Multilevel network flow analysis (Lancope)

20 [Chart: StealthWatch alarm level over time (tick shown: 20). Scanning activity by "Jack" is contrasted with approved scanning activity by the "info-scan" account.]

21 Hypothesis (Brad Wood, BBN): "Jack" downloaded more than 4 gigabytes on Feb. 12
[Chart of transfer volume per day. Legend: Jack; OK; Common Data Repository - Known SSH]

22 "Jack" did not increase the number of inside connections: normally 8, the maximum was 10 on Feb. 11.
[Chart of inside connections per day. Legend: Jack; CDR]
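The two StealthWatch charts above compare one host's daily traffic against its own history: a "big file" day and a day with unusually many inside peers, with the known SSH transfers to the Common Data Repository treated as approved. The following is an added example written for this page, not StealthWatch code or anything from the workshop. All flow records, the workstation name, the approved-service list and the thresholds (5x the median bytes, two peers above the previous maximum) are constructed for the example.

```python
"""Added example: per-host daily flow profile with "big file" and "new inside
connections" alarms. Every flow record below is constructed."""
from collections import defaultdict
from statistics import median

MB = 1_000_000
CLIENT = "jack-ws.mitre.org"             # constructed name for Jack's admin workstation
KNOWN = {("cdr.mitre.org", 22)}          # approved: known SSH to the Common Data Repository


def build_flows():
    """(date, client, server, port, bytes) records; one invented week of traffic."""
    flows = []
    peers = [f"srv{i}.mitre.org" for i in range(1, 9)]       # the usual 8 inside peers
    for day in (9, 10, 11, 12, 13, 14):
        for p in peers:
            flows.append((f"2004-02-{day:02d}", CLIENT, p, 80, 40 * MB))
    flows.append(("2004-02-11", CLIENT, "srv9.mitre.org", 80, 20 * MB))    # two extra peers
    flows.append(("2004-02-11", CLIENT, "srv10.mitre.org", 80, 20 * MB))   # on Feb 11
    flows.append(("2004-02-11", CLIENT, "cdr.mitre.org", 22, 6000 * MB))   # approved bulk copy
    flows.append(("2004-02-12", CLIENT, "news.mitre.org", 22, 4300 * MB))  # the suspicious pull
    return flows


def daily_profile(flows, client, known=KNOWN):
    """Per day: total bytes pulled by the client and the set of distinct inside
    servers it talked to, with approved (server, port) pairs left out."""
    prof = defaultdict(lambda: [0, set()])
    for date, c, server, port, nbytes in flows:
        if c != client or (server, port) in known:
            continue
        prof[date][0] += nbytes
        prof[date][1].add(server)
    return {d: (b, frozenset(p)) for d, (b, p) in sorted(prof.items())}


def detect(flows, client, byte_factor=5, peer_slack=2):
    """Leave-one-out baseline: each day is compared with the median bytes and
    the maximum peer count of the other days in the window."""
    prof = daily_profile(flows, client)
    alarms = []
    for date, (nbytes, peers) in prof.items():
        others = [v for d, v in prof.items() if d != date]
        if not others:
            continue
        base_bytes = median([b for b, _ in others])
        base_peers = max(len(p) for _, p in others)
        if nbytes > byte_factor * base_bytes:
            alarms.append((date, "big_file", nbytes, base_bytes))
        if len(peers) > base_peers + peer_slack:
            alarms.append((date, "new_inside_connections", len(peers), base_peers))
    return alarms


if __name__ == "__main__":
    flows = build_flows()
    for date, (nbytes, peers) in daily_profile(flows, CLIENT).items():
        print(f"{date}: {nbytes / MB:7.0f} MB, {len(peers):2d} inside peers")
    for alarm in detect(flows, CLIENT):
        print("ALARM", alarm)
```

With this data the only alarm is the Feb 12 volume; the two extra peers on Feb 11 stay within the slack, which is the point the second chart makes. The approved CDR transfer on Feb 11 never enters the profile, so it neither trips the byte rule nor inflates the baseline that the Feb 12 pull is judged against.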

23 Structured Analysis Group: Top-down, real-time, model-based detection

24 Structured Analysis Group Observables Taxonomy
The observables taxonomy of slide 7 (Missing Reporting; Physical Security; Cyber Security with Cyber Actions and Violations; Counter Intelligence) with the observables addressed at the workshop highlighted. The highlighting does not survive in the transcript.

25 Adversary Models

26 Accuracy of Structured Analysis

27 Data Fusion: Bottom-up analysis of traditional and novel indicators

28 Data Fusion Observables Taxonomy
Top levels as on slide 7: Missing Reporting; Physical Security (Physical Access, Foreign Travel); Cyber Security (Cyber Actions: Reconnaissance, Access, Exploitation, Entrenchment, Extraction & Exfiltration, Communication, Manipulation, Other Cyber Activities; Violations); Counter Intelligence (Materials Transfer to handlers; Finances, Wealth, Vices; Counter Intelligence Polygraph; Social Activity: Internal, External; Communications).
Sensors and indicators shown on the slide (legend: implemented at workshop / implemented elsewhere / not implemented; the colour coding does not survive in the transcript):
- Authentication logs: root access for non-admin; su from one normal user to another
- IDS logs: http, ftp, telnet from non-standard ports; net scan; uploads (ftp, http)
- News/web browsing: need-to-know; bulk news/web search
- Printing
- Unusual recipient & encrypted; hidden or masqueraded content type
- Lack of required digital watermark on images

29 Data Fusion (sample indicators; hours and e-mail addresses are missing from the transcript)
- Cyber-Access, user324, weight 1, at :14:38, from news.mitre.org, su to user9676 failed for non-admin user user324 on /dev/pts/
- Physical-Access, user295, weight 5, at :19:37, After hours badge access for user
- Cyber-Extraction-Exfiltration, user2649, weight 5, at :37:28, from nrrc-springfield.mitre.org, Data was uploaded to an external server via FTP protocol
- Cyber-Reconnaissance, user295, weight 10, at :57:18, from nrrc-springfield.mitre.org, User user295 searching in non-need-to-know country korea
- Cyber-Communication, user9, weight 15, at :14:48, from cvw.mitre.org, User user9 received with masqueraded content from
- Cyber-Reconnaissance, user1, weight 5, at :54:15, from nrrc-plymouth.mitre.org, Ongoing CI violation has alerts of this type…
- Cyber-Extraction-Exfiltration, user295, weight 8, at :54:58, from dmzsrv1.mitre.org, User user295 sent encrypted
- Cyber-Extraction-Exfiltration, user1, weight 15, at :25:03, from user1 sent with masqueraded content

30 Experimental Results
[Chart: indicator breadth per user; a breadth of 1 does not put a user on the watch list.]
Data reduction: 7.4M records examined for 75 users, yielding 259 indicators for 24 users

31 Data Fusion Accuracy: across approaches, correctly identified 3 out of 3 insiders

32 Performance: Timeliness
[Chart: December to February timeline for Jack, Jill (News Admin) and PAL, showing watch-list and alert dates from StealthWatch, Structured Analysis and Data Fusion. Dates legible in the transcript, with row assignment only partly recoverable: Jack 2/11/04, 2/20/04; Jill (News Admin) 2/11/04, 2/16/04; PAL 12/9/04, 2/15/04; further dates on the chart: 1/9/04, 2/6/04, 12/11/03, 12/17/03, 2/15/04, 1/24/04, 2/20/04, 2/12/04, 2/17/04, 2/6/04, 2/11/04.]

33 Summary
- Malicious insiders are a serious threat
- Malicious insider behavior is distinct and cannot be readily detected using classic, external-intruder detection
- Results from the challenge workshop show that an integration of multiple approaches promises early and effective warning and detection
- Leave-behinds: workshop insider cases and dataset
- Inspiration for new sensor development

34 Malicious Insider Evaluation (cycle)
Select insider case → simulate on network → participants sign data NDA → data sent to participants → participants submit runs

35 Our Insider Knowledge and Focus
[Chart with two axes: OCCURRENCE (occurred / not yet occurred) and STEALTH (detectable / hard to detect / not yet detectable / no cyber component). Cases placed on it: Robert Philip Hanssen and Ana Belen Montes (occurred); "MI who attacks the network" (not yet occurred). Legend: ? = unaddressed by workshop; X = unobservable in cyberspace.]
Focus: "Indications and warnings, not conviction and sentencing"

36 "Pal" Scenario
- News/web search: changes news subscriptions; makes new (inappropriate) queries
- Honeytoken: retrieves "interesting" data for which he has no need to know
- Exfiltration and communication with handler

37 "Jill" or News Admin Scenario
- Web search: makes new (inappropriate) queries
- Account manipulation: creates a news account and uses this account to read news
- Covert access: accesses news through hidden newsgroups

38 Jack Scenario
- Maps network: maps the network using nmap
- Create backdoor: builds a reverse ssh tunnel between the news server and the admin workstation
- Searches for data: searches news.mitre.org data at the file-system level
- Stealthy exfiltration: masquerades compressed data as an image
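Jack's last step, and the "hidden or masqueraded content type" indicator of slides 28 and 29, come down to one check: does the content agree with the type the file claims? The following is an added example written for this page, not workshop code. It compares magic bytes against the file extension and, for images that do check out, walks the JPEG segment structure (or finds the constant PNG IEND chunk) to the real end of the picture and reports anything glued on after it. The sample files, built in memory, are constructed for the example; the magic-byte table is the usual one.

```python
"""Added example (not from the slides): flag files whose claimed type does not
match their content, and images with an archive appended after the real end of
the picture. All sample files are constructed in memory."""
import gzip
import io
import os
import zipfile

MAGIC = [  # (prefix, type); first match wins
    (b"\xff\xd8\xff", "image/jpeg"), (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif"),
    (b"\x1f\x8b\x08", "application/gzip"), (b"PK\x03\x04", "application/zip"),
    (b"BZh", "application/x-bzip2"), (b"%PDF", "application/pdf"),
]
BY_EXTENSION = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
                ".gif": "image/gif", ".gz": "application/gzip",
                ".zip": "application/zip", ".pdf": "application/pdf"}
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"   # the constant final chunk of every PNG


def sniff(data):
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"

def jpeg_end(data):
    """Walk the JPEG segments to the real End Of Image marker and return the
    offset just past it, or None if the structure is broken. Segments such as
    APP1 (which may hold a thumbnail with its own FF D9) are skipped by length."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos, in_scan = 2, False
    while pos + 1 < len(data):
        if in_scan:   # entropy-coded data: FF 00 is stuffing, FF D0..D7 are restart markers
            if data[pos] == 0xFF and data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7:
                in_scan = False
            else:
                pos += 1
                continue
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                     # EOI
            return pos + 2
        if marker == 0xFF:                     # fill byte
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        in_scan = marker == 0xDA               # SOS: scan data follows its header
        pos += 2 + length
    return None

def image_end(data, kind):
    if kind == "image/jpeg":
        return jpeg_end(data)
    if kind == "image/png":
        i = data.find(PNG_IEND)
        return None if i < 0 else i + len(PNG_IEND)
    return None

def inspect(filename, data):
    claimed = BY_EXTENSION.get(os.path.splitext(filename)[1].lower(), "unknown")
    actual = sniff(data)
    if actual == "unknown":
        verdict = "unknown type"
    elif actual != claimed:
        verdict = f"masqueraded content type: claimed {claimed}, actual {actual}"
    elif actual.startswith("image/"):
        end = image_end(data, actual)
        if end is None:
            verdict = "malformed image"
        elif end < len(data):
            tail = data[end:]
            verdict = f"{sniff(tail)} appended after end of image ({len(tail)} bytes)"
        else:
            verdict = "ok"
    else:
        verdict = "ok"
    return {"file": filename, "claimed": claimed, "actual": actual, "verdict": verdict}

# Constructed samples: a minimal JPEG (APP0 + one scan), a gzip stream renamed
# to .jpg, the JPEG with a zip glued on, an honest .gz, and a truncated JPEG.
TINY_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\xff\x00\x34" + b"\xff\xd9")
SECRET = b"project plans, not for release\n" * 40

def build_zip(name, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(zipfile.ZipInfo(name, date_time=(2004, 2, 12, 15, 54, 58)), payload)
    return buf.getvalue()

SAMPLES = {
    "vacation.jpg": TINY_JPEG,
    "photo.jpg": gzip.compress(SECRET),
    "vacation2.jpg": TINY_JPEG + build_zip("plans.txt", SECRET),
    "report.pdf.gz": gzip.compress(b"%PDF-1.4 ..."),
    "broken.jpg": TINY_JPEG[:-2],
}

def scan(samples=SAMPLES):
    return {name: inspect(name, data)["verdict"] for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:14} {verdict}")
```

The extension check alone catches the renamed gzip stream but says "ok" for the polyglot, whose first bytes are a genuine JPEG header; only walking to the real EOI exposes the zip behind it. A detector deployed on mail or web-upload traffic would take the claimed type from the Content-Type header rather than the file name, but the comparison is the same.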

39 Heterogeneous Data (1 of 3)
- Badge reader:
  "0M151_Telephone_Room 12/06/ :43:26 Admitted user2930 at 0M151 Telephone Room"
  "0M422_Rear_Door_[In]_ 12/06/ :20:24 Admitted user2930 at 0M422 Rear Door [In]"
- Login:
  "nrrc-plymouth.mitre.org ROOT LOGIN /dev/console"
- Su:
  "nrrc-plymouth.mitre.org 'su root' succeeded for user1 on /dev/pts/1"

40 Heterogeneous Data (2 of 3)
- Sshd:
  "Accepted publickey for root from port 52893"
  "Accepted password for user1265 from port 61007"
  "Failed password for user1265 from port 61011"
- last -a (login history):
  "nrrc-boston.mitre.org user2645 pts/0 Wed Jan 7 21: :18 (02:11) "
  "nrrc-boston.mitre.org user2643 pts/0 Fri Dec 12 16: :25 (00:30) sgdykes.datasys.swri.edu"

41 Heterogeneous Data (3 of 3)
- Web_log:
  "GET /cvw/licenses/source/license.html HTTP/1.0"
  "GET /basilix.php3?request_id[DUMMY]=../../../../etc/passwd &RequestID=DUMMY&username=user2311&password=xxxxx HTTP/1.1"
- Web_error:
  "Invalid method in request get /scripts/..."
  "File does not exist: /news_1/.../etc/passwd"
- Sendmail:
  "cvw.mitre.org i0J507Lb014436: from=, size=2789, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=smtp-bedford-x.mitre.org [ ]"
  "cvw.mitre.org i0J7ErLb014644: to=user8, ctladdr= (1/0), delay=00:00:00, xdelay=00:00:00, mailer=*file*, pri=41013, dsn=2.0.0, stat=Sent"

42 Data [# of records and % of total]
[Chart: record count and share of total per data source. Not shown: StealthWatch = 7.5MB or 68%]

