Page 1: Analysis and Detection of Insider Threats
4 May 2005, MITRE DSS
Mark Maybury, Penny Chase, Brant Cheikes, Information Technology Division, The MITRE Corporation, 202 Burlington Road, Bedford, MA 01730, USA, {maybury, pc, bcheikes}@mitre.org
Dick Brackney, Advanced Research and Development Activity in Information Technology, 9800 Savage Road, Fort George G. Meade, MD, rcbrack@nsa.gov
Sara Matzner and Tom Hetherington, Applied Research Laboratories, University of Texas, Austin, TX 78713, {matzner, tomh}@arlut.utexas.edu
Brad Wood, Conner Sibley and Jack Marin, BBN Technologies, 9861 Broken Land Parkway, Suite 400, Columbia MD 21046, {bwood, csibley, jamarin}@bbn.com
Tom Longstaff, CERT Research and Analysis Centers, Software Engineering Institute, Carnegie Mellon University, 4500 Fifth Avenue, Pittsburgh, PA 15213-3890, tal@cert.org
Lance Spitzner and Jed Haile, Honey Net Consortium, lance@honeynet.org, jed.haile@thelogangroup.biz
John Copeland, Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA 30332-0490, copeland@ece.gatech.edu
Scott Lewandowski, MIT Lincoln Laboratory, 244 Wood Street, Lexington, MA 02420-9108, scl@ll.mit.edu
Copyright © 2005 The MITRE Corporation. All rights reserved.
Page 2: Workshop Goal
Design and develop a proof of concept system for early indication and warning of malicious insiders.
Page 3: Multidisciplinary Team
Page 4: Hypotheses
- A heterogeneous approach to indications and warning will enhance MI detection
- Fusing information results in more accurate and timely indications and warning of MIs
- Observables together with domain knowledge (e.g., user role) can help detect inappropriate behavior (e.g., need-to-know violations)
Page 5: Methodology
- Model Insiders and Observables
- Insider Case Analysis
- Live Network Experimentation
- Novel Sensors Design and Development
- Evaluation
Page 6: Cases
Page 7: Observables Taxonomy
Observable categories:
- Missing Reporting (financial, travel, contact)
- Physical Security: Physical Access (e.g., card door logs), Foreign Travel
- Cyber Security: Reconnaissance, Exploitation, Communication, Manipulation, Other Cyber Activities
- Counter Intelligence: Materials Transfer to handlers, Violations
- Cyber Actions: Access, Entrenchment, Extraction & Exfiltration
Personal and CI observables: Finances, Wealth, Vices, Polygraph, Social Activity, Communications (Internal/External), CI Case Files, Pornography, Gambling, ...
Data and sensors: Honeypot data, Calling patterns, Email patterns, Travel/vacation, Trouble Tickets, Syslog, Network IDS Logs, Maintenance Schedule, Keyboard logs, File systems logs
Cyber observables: Orphan account use, Password cracking, Account misuse, Privilege escalation, Terminals left logged on unattended (no time out), Net Scan, Web Browsing, DB Search, Encrypted Email, Coded Messages, Covert Channels, Disk Erasure, Disk Wiping, File Permissions, Misinformation, Info suppression, Install Sensors, Install unauthorized software, Printing, Downloads, Removable Media, Copy machine, Sensor Mgmt, Bot Command & Control
Page 8: Asset Taxonomy
Assets:
- Human: System Admin, Network Admin, Analyst, Operator, Manager, Secretary, Counter Intelligence, ...
- Information: Net Vulnerabilities, Sources & Methods, Log (web, DB, ...), Network Structure, Passwords, Document/Briefing, Web Page
- Resources: $$, ...
- Software: Web Server, Mail Server, DB, Application, Op. System, ...
- Key: Physical Access, Badge, ...
- Hardware: Server, Router, Guard, Encryptor, Satellite Phone, Workstation (Monitor, Keyboard, CPU), Removable Media (floppys, USB devices, CDROMs)
Page 9: User Taxonomy
Employees: Technical/Engineer (Software, Electronics, Analyst, Physical, InfoSec), Executive, Financial, HR, Media/Comm, System & Network Admin, Facilities, Transportation, InfoSec, Security and Safety, Legal, Data and Info, Prof. Support, Secretarial, Summer, Misc.
Non MITRE: subcontractor, consultant, tenant
Page 10: Account Taxonomy
User Accounts:
- Executive: Executive Secretary
- Professional Support: Financial / Purchasing / Admin, Human Resources, Technical Project Support, Media / Communications, System & Network Admin, Facilities & Equipment, Transportation, Information Security, Security & Safety, Misc Expert Services
- Technical: Applications Engineering, Electronics Engineering, Analysts, Physical Engineering, Information Security, Data & Information, Multi Discipline, Information Systems, Others
- Secretarial: Secretary (328), Clerks / Aides (46)
- Co-op/Summer: Co-op, Summer
- Non-MITRE Employees: Subcontract, Consultants, Tenants
- Groups
Non-human entities: Listservers, Mail Forwarders, SysAdmin Accounts
Locations: Bedford, Washington, Sites
Page 11: Malicious Insider Testbed
Real network - MITRE's DMZ
- A separate network for experimentation and sponsor community support, established outside of the MITRE internal network
- 300 – 400 hosts
- Various services: Web, news, email, database, ...
- Data sources on network for use in scenarios
- Deploy additional sensors
3 of 75 users active during the period acted as malicious insiders, based on historical and project scenarios of insider behavior
(Diagram: Internet / MITRE Internal Network / MITRE DMZ)
Page 12: Insider Scenarios
Three scenarios:
- Aggregate Historical Insider "Pal"
- Projected Insiders "Jill" (News Admin) and "Jack"
Drew upon historical examples for "Pal"
- Intelligence analyst
News Admin and "Jack" developed their scenarios
- Needed to be consistent with prior activity on systems
- An application administrator and a system administrator
- More realistic ("red teaming")
Page 13: Multiple Data Sources
Application: Web Server (HTTP), Support Web Service Framework, Network Server
Host: su, login, yppasswdd, last, sendmail, sshd, web_log, web_notice, web_warn, web_error, nnrpd, innd
Network: Snort IDS, Stealthwatch, Honeynet, e-mail sensor
Physical: badge reader
Domain Knowledge: User Role Taxonomy
18 (of 400) hosts, 11+M records, 4000 users, 75 active on DMZ
Page 14: Collection and Anonymization
Sources: Sendmail logs, Authentication logs, Badge reader logs, Web server logs, StealthWatch logs, Honeynet logs, News server logs, Other logs
Protected Computing Space: Archive Database, Scrubber
ARDA NRRC Space: Common Data Repository, Flat Files
Page 15: Evaluation Activity
Timeline (December, January, February, ...) for PAL (Analyst), Jill (News Admin) and Jack (Sys Admin)
Key: Insider Activity with Journal Available During Test; Insider Activity with Journal Revealed After Test; Normal Activity
Page 16: Heterogeneous I&W Approaches
StealthWatch
- Multilevel network flow analysis
Honeynets
- Simulated targets to elicit knowledge of attacker
Structured Analysis Group (SAG)
- Top-down, real-time model based detection of MI
Data Fusion
- Bottom-up analysis of traditional and novel indicators
Page 17: Integrated Framework
Components: Common Data Sensor; Honeynet; Anomaly Detection (StealthWatch+): big file, scanning, zone alert; Data Fusion; Structured Analysis; Adversary Models; Decision Analysis
COMMON DATA
- Authentication, Mail, DMZ Servers, IDS, Honeynet, Badge Data
- Application Logs (e.g., web, DB, mail)
- Nessus Scans (vulnerability analysis)
- Switch logs, StealthWatch logs
Page 18: Performance Evaluation Metrics
Timeliness, e.g., time from defection to detection
- years, months, weeks, minutes
Accuracy
- Precision = # correctly detected insiders / # reported
- Recall = # reported insiders / total # actual insiders
- False positives = 1 - precision
- False negatives = total # actual insiders - # correctly detected
Page 19: StealthWatch: Multilevel network flow analysis (LANCOPE)
Page 20: Alarm Level, 20
Scanning Activity by "Jack"
Approved Scanning Activity by "info-scan"
Page 21: Hypothesis (Brad Wood, BBN)
"Jack" downloaded more than 4 gigabytes on Feb. 12
(Chart labels: Jack; OK; Common Data Repository - Known SSH)
Page 22
"Jack" did not increase the number of inside connections: normally 8, the maximum was 10 on Feb. 11.
(Chart labels: Jack; CDR)
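The two StealthWatch observations above (a single-day download above 4 GB, and a per-host count of inside connections that stays within its usual 8-10) are both per-host, per-day aggregates over flow records. The following is an added example, not code from the workshop or from Lancope, showing how such a baseline check is built from summarized flows. The flow records, the host name "jack-ws", the peer names and the byte counts are constructed for the example; the 4 GB threshold is the figure quoted on Page 21.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

MB = 1024 ** 2
GB = 1024 ** 3


@dataclass(frozen=True)
class Flow:
    """One summarized flow record, as a flow collector would export it."""
    day: date
    host: str          # inside host the flow is attributed to
    peer: str          # the other endpoint
    peer_inside: bool  # True if the peer is also on the monitored network
    bytes_in: int      # bytes received by `host` in this flow


def make_sample_flows() -> List[Flow]:
    """Constructed flows for a hypothetical admin workstation 'jack-ws':
    8 inside peers on a normal day (10 on Feb 11) and about 300 MB of external
    downloads, except for a >4 GB download from 'cdr.example.org' on Feb 12."""
    flows = []
    for d in range(9, 14):
        day = date(2004, 2, d)
        n_inside = 10 if d == 11 else 8
        for i in range(n_inside):
            flows.append(Flow(day, "jack-ws", f"srv{i}.example.org", True, 2 * MB))
        external = 4500 * MB if d == 12 else 300 * MB
        flows.append(Flow(day, "jack-ws", "cdr.example.org", False, external))
    return flows


def daily_summary(flows: List[Flow]) -> Dict[Tuple[str, date], Tuple[int, int]]:
    """Per (host, day): total bytes received and number of distinct inside peers."""
    bytes_in: Dict[Tuple[str, date], int] = defaultdict(int)
    peers: Dict[Tuple[str, date], set] = defaultdict(set)
    for f in flows:
        key = (f.host, f.day)
        bytes_in[key] += f.bytes_in
        if f.peer_inside:
            peers[key].add(f.peer)
    return {k: (bytes_in[k], len(peers[k])) for k in bytes_in}


def volume_alerts(flows: List[Flow], threshold: int = 4 * GB) -> List[Tuple[str, date, int]]:
    """Host-days whose inbound volume exceeds the threshold (the 'big file' alert)."""
    return sorted((h, d, b) for (h, d), (b, _) in daily_summary(flows).items() if b > threshold)


def peer_baseline(flows: List[Flow], host: str) -> Tuple[int, int]:
    """(min, max) distinct inside peers per day observed for the host."""
    counts = [p for (h, _), (_, p) in daily_summary(flows).items() if h == host]
    return (min(counts), max(counts)) if counts else (0, 0)


def peer_alerts(flows: List[Flow], host: str, baseline_max: int) -> List[date]:
    """Days on which the host talked to more inside peers than its baseline maximum."""
    return sorted(d for (h, d), (_, p) in daily_summary(flows).items()
                  if h == host and p > baseline_max)


if __name__ == "__main__":
    sample = make_sample_flows()
    for host, day, nbytes in volume_alerts(sample):
        print(f"{day} {host}: {nbytes / GB:.2f} GB received")
    print("inside-peer baseline (min, max):", peer_baseline(sample, "jack-ws"))
    print("peer-count alerts above 10:", peer_alerts(sample, "jack-ws", 10))
```

The volume rule fires on the one anomalous day while the peer-count rule stays quiet, which is exactly the pair of facts the two slides report; an analyst then still has to decide whether the peer (here the Common Data Repository over a known SSH channel) makes the transfer legitimate, which is why the deck treats this as an indication rather than a conviction.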
Page 23: Structured Analysis Group: Top-down, real-time model based detection
Page 24: Structured Analysis Group Observables Taxonomy
Same observables taxonomy as Page 7, with the observables addressed at the workshop highlighted (key: Addressed at Workshop).
Page 25: Adversary Models
Page 26: Accuracy of Structured Analysis
Page 27: Data Fusion: Bottom-up analysis of traditional and novel indicators
Page 28: Data Fusion Observables Taxonomy
Key: Implemented at Workshop; Implemented elsewhere; Not Implemented
Categories (as on Page 7): Missing Reporting; Physical Security (Physical Access, Foreign Travel); Cyber Security (Reconnaissance, Exploitation, Communication, Manipulation, Other Cyber Activities); Counter Intelligence (Materials Transfer to handlers, Violations); Cyber Actions (Access, Entrenchment, Extraction & Exfiltration); Finances, Wealth, Vices; Polygraph; Social Activity; Communications (Internal/External)
Sensors:
- Authentication logs: root access for non-admin; su from one normal user to another
- IDS logs: http, ftp, telnet from non-standard ports
- News/Web browsing: need-to-know; bulk news/web search
- Net scan in IDS logs
- Uploads (ftp, http) in IDS logs
- Printing
- Unusual recipient and encrypted, hidden or masqueraded content type
- Lack of required digital watermark on images
Page 29: Data Fusion
Cyber-Access, user324, weight 1, at 2003-12-10 11:14:38, from news.mitre.org, su to user9676 failed for non-admin user user324 on /dev/pts/0
Physical-Access, user295, weight 5, at 2003-12-15 19:19:37, After hours badge access for user295
Cyber-Extraction-Exfiltration, user2649, weight 5, at 2004-01-06 15:37:28, from nrrc-springfield.mitre.org, Data was uploaded to an external server via FTP protocol
Cyber-Reconnaissance, user295, weight 10, at 2004-01-09 20:57:18, from nrrc-springfield.mitre.org, User user295 searching in non-need-to-know country korea
Cyber-Communication, user9, weight 15, at 2004-02-10 22:14:48, from cvw.mitre.org, User user9 received email with masqueraded content from user11649@yahoo.com
Cyber-Reconnaissance, user1, weight 5, at 2004-02-10 13:54:15, from nrrc-plymouth.mitre.org, Ongoing CI violation -- 066.170.227.074 has 49613 alerts of this type…
Cyber-Extraction-Exfiltration, user295, weight 8, at 2004-02-12 23:54:58, from dmzsrv1.mitre.org, User user295 sent encrypted email user9983@comcast.net
Cyber-Extraction-Exfiltration, user1, weight 15, at 2004-02-20 12:25:03, from nrrc-erie.mitre.org, user1 sent email with masqueraded content user9983@comcast.net user1@mitre.org
Page 30: Experimental Results
Breadth chart values: 5, 1, 3, 2, 2 (Breadth of 1: Not on Watch)
DATA REDUCTION: 7.4 M records examined for 75 users, reduced to 259 indicators for 24 users
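The indicator records on Page 29, the breadth rule on Page 30 (a user with indicators in only one category does not go on the watch list) and the precision/recall definitions on Page 18 fit together as one small pipeline. The following is an added example, not the workshop's fusion code: it parses indicator lines in the shape shown on Page 29, scores each user by total weight and breadth (number of distinct indicator categories), builds the watch list, and computes the Page 18 metrics against a constructed ground truth. The indicator lines, users, hosts and the set of "actual" insiders are all constructed for this example; the slide's recall formula is implemented as the number of actual insiders that were reported divided by the total number of actual insiders.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed indicator records in the shape of the Data Fusion output on Page 29
# (category, anonymized user, weight, timestamp, optional source host, text).
SAMPLE_INDICATORS = """\
Cyber-Access, user324, weight 1, at 2003-12-10 11:14:38, from news.example.org, su to user9676 failed for non-admin user user324
Physical-Access, user295, weight 5, at 2003-12-15 19:19:37, After hours badge access for user295
Cyber-Extraction-Exfiltration, user2649, weight 5, at 2004-01-06 15:37:28, from nrrc-b.example.org, Data was uploaded to an external server via FTP
Cyber-Reconnaissance, user295, weight 10, at 2004-01-09 20:57:18, from nrrc-a.example.org, User user295 searching in non-need-to-know country
Cyber-Communication, user9, weight 15, at 2004-02-10 22:14:48, from cvw.example.org, User user9 received email with masqueraded content
Cyber-Reconnaissance, user1, weight 5, at 2004-02-10 13:54:15, from nrrc-c.example.org, Ongoing CI violation
Cyber-Reconnaissance, user9, weight 5, at 2004-02-11 09:12:40, from nrrc-c.example.org, Net scan seen in IDS logs
Cyber-Extraction-Exfiltration, user295, weight 8, at 2004-02-12 23:54:58, from dmz1.example.org, User user295 sent encrypted email to an external address
"""

# The "from <host>," field is optional: physical-access indicators carry none.
RECORD_RE = re.compile(
    r"^(?P<category>[^,]+), (?P<user>\S+), weight (?P<weight>\d+), "
    r"at (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),(?: from (?P<host>[^,]+),)? (?P<text>.+)$"
)


@dataclass(frozen=True)
class Indicator:
    category: str
    user: str
    weight: int
    timestamp: str
    host: Optional[str]
    text: str


def parse_indicators(blob: str) -> List[Indicator]:
    """Parse one indicator per line; lines that do not match the format are skipped."""
    out = []
    for line in blob.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            out.append(Indicator(m["category"], m["user"], int(m["weight"]),
                                 m["ts"], m["host"], m["text"]))
    return out


def score_users(indicators: Iterable[Indicator]) -> Dict[str, Tuple[int, int]]:
    """Per user: (total weight, breadth); breadth = number of distinct categories."""
    total: Dict[str, int] = defaultdict(int)
    cats: Dict[str, Set[str]] = defaultdict(set)
    for ind in indicators:
        total[ind.user] += ind.weight
        cats[ind.user].add(ind.category)
    return {u: (total[u], len(cats[u])) for u in total}


def watch_list(indicators: Iterable[Indicator], min_breadth: int = 2) -> List[str]:
    """Users with indicators in at least min_breadth categories (breadth 1 stays off the list)."""
    return sorted(u for u, (_, b) in score_users(indicators).items() if b >= min_breadth)


def precision(reported: Iterable[str], actual: Set[str]) -> float:
    """# correctly detected insiders / # reported (0.0 when nothing is reported)."""
    reported = set(reported)
    return len(reported & actual) / len(reported) if reported else 0.0


def recall(reported: Iterable[str], actual: Set[str]) -> float:
    """# actual insiders that were reported / total # actual insiders."""
    return len(set(reported) & actual) / len(actual) if actual else 0.0


def false_negatives(reported: Iterable[str], actual: Set[str]) -> int:
    """total # actual insiders - # correctly detected."""
    return len(actual) - len(set(reported) & actual)


if __name__ == "__main__":
    inds = parse_indicators(SAMPLE_INDICATORS)
    listed = watch_list(inds)
    truth = {"user1", "user295", "user9"}  # constructed ground truth for the example
    for u, (w, b) in sorted(score_users(inds).items(), key=lambda kv: -kv[1][0]):
        print(f"{u:10s} weight={w:3d} breadth={b}  {'WATCH' if u in listed else ''}")
    print(f"precision={precision(listed, truth):.2f} recall={recall(listed, truth):.2f} "
          f"false negatives={false_negatives(listed, truth)}")
```

With these constructed inputs user1 has a single high-weight indicator and stays off the watch list, so the run reports precision 1.0 but recall 2/3: the breadth rule buys low false positives at the price of missing an insider who only ever trips one sensor type, which is the trade-off the heterogeneous-sensor hypothesis on Page 4 is meant to address.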
Page 31: Data Fusion Accuracy
Across approaches, correctly identified 3 out of 3 insiders
Page 32: Performance: Timeliness
Timeline Dec - Jan - Feb per insider, showing watch-list and alert dates for StealthWatch, Structured Analysis and Data Fusion (key: Watch list; Alert)
- Jack: 2/11/04, 2/20/04
- Jill (News Admin): 2/11/04, 2/16/04
- PAL: 12/9/04, 2/15/04
Other dates on the chart: 1/9/04, 2/6/04, 12/11/03, 12/17/03, 2/15/04, 1/24/04, 2/20/04, 2/12/04, 2/17/04, 2/6/04, 2/11/04
Page 33: Summary
- Malicious insiders are a serious threat
- Malicious insider behavior is distinct and cannot be readily detected using classic, external intruder detection
- Results from the challenge workshop show that an integration of multiple approaches promises early and effective warning and detection
- Workshop insider cases and dataset leave-behinds
- Inspiration of new sensor development
Page 34: Malicious Insider Evaluation
Evaluation cycle: Select Insider Case; Simulate on network; Participants Sign Data NDA; Data Sent to Participants; Participants Submit Runs
Page 35: Our Insider Knowledge and Focus
Grid of OCCURRENCE (Occurred / Not yet Occurred) against STEALTH (Detectable / Hard to Detect / Not yet Detectable / No cyber component)
Examples placed on the grid: Robert Philip Hanssen; Ana Belen Montes; MI who attacks the network
Key: ? - Unaddressed by workshop; X - Unobservable in cyberspace
Focus: "Indications and warnings not conviction and sentencing"
Page 36: "Pal" Scenario
- Changes news subscriptions (News)
- Makes new (inappropriate) queries (Web Search)
- Retrieves "interesting" data for which there is no need to know (Honeytoken)
- Exfiltration and communication with handler (Email)
Page 37: "Jill" or News Admin Scenario
- Makes new (inappropriate) queries (Web Search)
- Account Manipulation: creates news account and uses this account to read news
- Covert Access: accesses news through hidden newsgroups
Page 38: Jack Scenario
- Create backdoor: builds a reverse ssh tunnel between news server and admin workstation
- Maps network: maps network using nmap
- Searches for data: searches news.mitre.org data at file system level
- Stealthy exfiltration: masquerades compressed data as image
Page 39: Heterogeneous Data (1 of 3)
Badge reader:
- "0M151_Telephone_Room 12/06/2003 02:43:26 Admitted user2930 at 0M151 Telephone Room"
- "0M422_Rear_Door_[In]_ 12/06/2003 05:20:24 Admitted user2930 at 0M422 Rear Door [In]"
Login:
- "nrrc-plymouth.mitre.org ROOT LOGIN /dev/console"
Su:
- "nrrc-plymouth.mitre.org 'su root' succeeded for user1 on /dev/pts/1"
Page 40: Heterogeneous Data (2 of 3)
Sshd:
- "Accepted publickey for root from 129.83.10.17 port 52893"
- "Accepted password for user1265 from 66.189.44.167 port 61007"
- "Failed password for user1265 from 66.189.44.167 port 61011"
Last-a:
- "nrrc-boston.mitre.org user2645 pts/0 Wed Jan 7 21:06 - 23:18 (02:11) 128.230.14.115"
- "nrrc-boston.mitre.org user2643 pts/0 Fri Dec 12 16:54 - 17:25 (00:30) sgdykes.datasys.swri.edu"
Page 41: Heterogeneous Data (3 of 3)
Web_log:
- "GET /cvw/licenses/source/license.html HTTP/1.0"
- "GET /basilix.php3?request_id[DUMMY]=../../../../etc/passwd &RequestID=DUMMY&username=user2311&password=xxxxx HTTP/1.1"
Web_error:
- "Invalid method in request get /scripts/..."
- "File does not exist: /news_1/.../etc/passwd"
Sendmail:
- "cvw.mitre.org 14436 i0J507Lb014436: from=, size=2789, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=smtp-bedford-x.mitre.org [192.160.51.76]"
- "cvw.mitre.org 14645 i0J7ErLb014644: to=user8, ctladdr= (1/0), delay=00:00:00, xdelay=00:00:00, mailer=*file*, pri=41013, dsn=2.0.0, stat=Sent"
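The three Heterogeneous Data slides show why fusion needs a normalization step: badge, su, sshd and web logs each have their own layout, and the Page 28 sensors ("root access for non-admin", "su from one normal user to another", after-hours badge access) only exist once those lines have been turned into attributed indicators with the help of role knowledge. The following is an added example, not the workshop's collector, that parses lines in the formats shown above into (category, user, weight, description) indicators. The sample lines, the hosts, the admin-role set, the working-hours window, the ssh failure threshold and the weights are constructed for the example; the page does not give its weighting scheme.

```python
import re
from datetime import datetime
from typing import List, Set, Tuple

# (category, user, weight, description); weights are constructed for this example.
Indicator = Tuple[str, str, int, str]

# Constructed sample lines in the formats shown on the Heterogeneous Data slides.
BADGE_LINES = [
    "0M151_Telephone_Room 12/06/2003 02:43:26 Admitted user2930 at 0M151 Telephone Room",
    "0M100_Main_Lobby 12/08/2003 09:02:11 Admitted user2930 at 0M100 Main Lobby",
    "0M422_Rear_Door_[In]_ 12/06/2003 05:20:24 Admitted user2930 at 0M422 Rear Door [In]",
]
SU_LINES = [
    "host-a.example.org 'su root' succeeded for user1 on /dev/pts/1",
    "news.example.org 'su root' succeeded for user324 on /dev/pts/0",
    "news.example.org 'su user9676' failed for user324 on /dev/pts/0",
]
SSHD_LINES = [
    "Accepted publickey for root from 192.0.2.17 port 52893",
    "Failed password for user1265 from 198.51.100.44 port 61007",
    "Failed password for user1265 from 198.51.100.44 port 61009",
    "Failed password for user1265 from 198.51.100.44 port 61011",
    "Accepted password for user1265 from 198.51.100.44 port 61013",
]
WEB_LINES = [
    "GET /cvw/licenses/source/license.html HTTP/1.0",
    "GET /basilix.php3?request_id[DUMMY]=../../../../etc/passwd&RequestID=DUMMY&username=user2311&password=xxxxx HTTP/1.1",
    "File does not exist: /news_1/.../etc/passwd",
]
# Domain knowledge (constructed): accounts whose role legitimately includes root.
ADMIN_USERS: Set[str] = {"user1"}

BADGE_RE = re.compile(r"^(\S+) (\d\d/\d\d/\d{4}) (\d\d:\d\d:\d\d) Admitted (\S+) at (.+)$")
SU_RE = re.compile(r"^(\S+) 'su (\S+)' (succeeded|failed) for (\S+) on (\S+)$")
SSHD_RE = re.compile(r"^(Accepted|Failed) (\w+) for (\S+) from (\S+) port (\d+)$")


def badge_indicators(lines, start_hour: int = 7, end_hour: int = 19) -> List[Indicator]:
    """After-hours badge admissions, i.e. outside [start_hour, end_hour) local time."""
    out = []
    for line in lines:
        m = BADGE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m[2]} {m[3]}", "%m/%d/%Y %H:%M:%S")
        if ts.hour < start_hour or ts.hour >= end_hour:
            out.append(("Physical-Access", m[4], 5,
                        f"After hours badge access for {m[4]} at {m[5]} ({ts:%Y-%m-%d %H:%M})"))
    return out


def su_indicators(lines, admins: Set[str]) -> List[Indicator]:
    """Root access by a non-admin (weight 10) and su between ordinary users (weight 1)."""
    out = []
    for line in lines:
        m = SU_RE.match(line)
        if not m:
            continue
        host, target, result, actor, _tty = m.groups()
        if actor in admins:
            continue  # expected for the role, so not an indicator
        if target == "root":
            out.append(("Cyber-Access", actor, 10, f"root access {result} for non-admin {actor} on {host}"))
        else:
            out.append(("Cyber-Access", actor, 1, f"su to {target} {result} for non-admin {actor} on {host}"))
    return out


def sshd_indicators(lines, max_failures: int = 3) -> List[Indicator]:
    """Remote root logins (not attributable to a person) and password-guessing bursts."""
    out, failures = [], {}
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        result, method, user, ip, _port = m.groups()
        if result == "Failed":
            failures[(user, ip)] = failures.get((user, ip), 0) + 1
            if failures[(user, ip)] == max_failures:
                out.append(("Cyber-Access", user, 5, f"{max_failures} failed ssh passwords for {user} from {ip}"))
        elif user == "root":
            out.append(("Cyber-Access", "root", 3, f"ssh {method} login as root from {ip} (shared account, unattributed)"))
    return out


def web_indicators(lines) -> List[Indicator]:
    """Directory-traversal probes in web_log / web_error; user comes from the query string if present."""
    out = []
    for line in lines:
        if "../" in line or "/etc/passwd" in line:
            m = re.search(r"username=(\w+)", line)
            out.append(("Cyber-Reconnaissance", m[1] if m else "unknown", 5, f"Path traversal probe: {line[:70]}"))
    return out


def all_indicators() -> List[Indicator]:
    """Run every normalizer over the constructed samples."""
    return (badge_indicators(BADGE_LINES) + su_indicators(SU_LINES, ADMIN_USERS)
            + sshd_indicators(SSHD_LINES) + web_indicators(WEB_LINES))


if __name__ == "__main__":
    for cat, user, weight, text in all_indicators():
        print(f"{cat}, {user}, weight {weight}, {text}")
```

Two things the sample output makes visible that the raw lines do not: the same su line is benign or a weight-10 indicator depending only on the actor's role (the Page 4 point about domain knowledge), and root logins over ssh and web_error entries arrive with no person attached, so they surface as "root" or "unknown" and need a second source (badge, last, tty) before they can count toward any one user's breadth score.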
Page 42: Data [# of records and % of total]
Not shown: StealthWatch = 7.5MB or 68%