Meeting TENACE PhD Session, Fai della Paganella, 11 February 2014. Resilient Computing Lab. A methodology and supporting techniques for the assessment of insider threats.

Presentation transcript:

Meeting TENACE PhD Session, Fai della Paganella, 11 February 2014
Resilient Computing Lab
A methodology and supporting techniques for the assessment of insider threats
Nicola Nostro
Tutors: Bondavalli Andrea, Di Giandomenico Felicita
Università degli Studi di Firenze

Subject of the research
Nowadays the life of each of us is highly dependent on critical infrastructures, which are characterized by heterogeneity and dynamicity. They may be prone to failures, intrusions, and attacks from outside and from inside. It is crucial to design systems that ensure resilience and security.

Context
Security is a major challenge for today's companies. Security measures are attentively selected and maintained to protect organizations from external threats. Several tools and solutions are available for this purpose: firewalls, antivirus, intrusion detection systems, ... But what happens inside the system?

Motivations
Amongst the multitude of attacks and threats to which a system is potentially exposed, there are insider attackers. They are difficult to detect and mitigate due to the nature of the attackers. How can data theft or sabotage by malicious insiders be detected? These activities can be difficult to differentiate from legitimate use. Protecting from insider threats requires a deep study of the socio-economic profiles of insiders, their possible actions, and the impact of these actions on the system. Insider attackers constitute an actual threat for ICT organizations. This calls for a tailored insider threat assessment activity.

Objectives
Define a methodology and supporting libraries for insider threat assessment and mitigation. Evaluate the possibility that a user will perform an attack, the severity of the potential violations, and the costs. Identify proper countermeasures.

The methodology in 6 steps
1. System under analysis: identification of components; interactions; functional description.
2. Profiling potential insiders: all users are identified; definition of attributes; reference to a predefined library.
3. Insider threats: identification; description.
4. Attack paths: identify exploitable paths; set up the modeling approach; potential consequences; evaluation.
5. Countermeasures selection: selection of proper countermeasures; reference to a predefined library.
6. Iteration and update.

Methodology - System description
A system is characterized by a number of resources (services, computers, removable drives, etc.), one or more communication networks, and users, which can use the system or in general interact with it. New features can be integrated over time, due to the evolution of technologies and to updates of the system specification or requirements. Providing a formal description of the overall system may be expensive in terms of time.

Methodology - System description
A semi-formal description, limited to the aspects of interest of the system and to the interactions that users may have with it, is appropriate. Through a semi-formal notation the description of the system can be understood immediately, by using graphical notations along with natural language descriptions. UML use case diagrams allow the system's functionalities and use case scenarios to be described from the point of view of the users/insiders, and the use case descriptions are shown in tables.

Methodology – Insiders' profile
Identify a taxonomy of system users and their potential attributes. A predefined library of insiders to consider constitutes a consistent reference library describing the human agents involved in IT systems that could pose threats to such systems. Eight attributes are defined: Intent, Access, Outcome, Limits, Resource, Skill Level, Objective, Visibility.
Reference: T. Casey, "Threat Agent Library Helps Identify Information Security Risks," Intel White Paper, September 2007.

Methodology – Insider threats
We can identify a number of threats of different types and severity, related to the actions performed by the insiders: install malicious software/code, create backdoors, disable system logs and anti-virus, create new users, plant logic bombs, perform operations on the database. The idea is to list the possible threats and try to associate them with the previously identified insiders.

Methodology – Attack Paths
Identify the path(s) exploitable by the insider(s) to realize the threat(s) and achieve the goal(s). This is a critical step, especially if we think of unknown paths: many insiders are able to set up unexpected attack paths that are not known in advance. Several techniques exist and are very useful for determining what threats exist in a system and how to deal with them: attack trees, attack graphs, privilege graphs, ADVISE. Evaluating the success rate and the effects of the attack is of paramount importance, since it provides information on the probability of occurrence of an attack.

Methodology – Countermeasures
Selection of the proper countermeasure(s) to avoid or mitigate the identified threat(s). A defined library which lists the countermeasures can be used. Introducing such countermeasures may require the system to be re-assessed. In case a model of the system and of the countermeasure is available, these can be integrated with the attack path.

Methodology application – System & Insider Profiling
Insiders: Operator, Domain expert, Unknown user, System Expert, System Administrator (SA)

System Maintenance Use Case
Actor/s: SA
Pre-condition: The actor must be authenticated.
Post-condition: The SA has full access to the system.
Description: Apply OS patches and upgrades to the system, and to the administrative tools and utilities, on a regular basis. Configure/add new services as necessary. Upgrade and configure system software or Asset Management applications. Maintain operational, configuration, or other procedures. Perform periodic performance reporting. Perform ongoing performance tuning, hardware upgrades, and resource optimization.

Data Management Use Case
Actor/s: SA
Pre-condition: The actor must be authenticated.
Post-condition: The SA has full access to the data.
Description: Perform daily backup operations, ensuring the integrity and availability of data.

Profile Management Use Case
Actor/s: SA
Pre-condition: The actor must be authenticated.
Post-condition: The SA has full access to the system data.
Description: Create, change, and delete user accounts.

Crisis Management Use Case
Actor/s: SA
Pre-condition: The actor must be authenticated.
Post-condition: The SA has full access to the system data.
Description: Repair and recover from hardware or software failures or from cyber attacks. Coordinate and communicate any recovery actions.

Methodology application – Insider Threats
Threats considered (columns of the insider/threat matrix): Disable system logs; Corrupt data; View confidential data; Add not required services; Improper configuration; Improper user management; Elevate users' privileges; Install vulnerable supporting software; Install vulnerable Secure! services; Use of defective hardware; Transfer confidential files; Access to crypto keys; Putting Trojan horses; Disabling protection of components; Altering audit trails and logs.
[Matrix mapping insiders (rows: SA, SE) to these threats with YES/NO cells]

Attribute-value table for the SA:
Intent: Hostile
Access: Internal, External
Outcome/Goal: Damage, Acquisition/Theft
Limits: Code of Conduct, Legal, Extra-legal
Resources: Individual
Minimum Skills: Adept
Objective: Copy, Destroy, Take
Visibility: Clandestine

Insiders are mapped to threats by matching attribute values.
Attack goals: degradation of the performance of the system; theft of sensitive data.

Methodology application – Attack Paths
ADVISE attack execution graph for Data Theft. Rectangular boxes represent the attack steps; squares are the access domains; circles are the knowledge items; ovals represent the attack goal.
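To show what the "evaluation" of an attack path and the integration of a countermeasure look like in practice, here is an added example (not the presentation's model or the ADVISE tool): a constructed toy attack execution graph for data theft, whose step names, access/knowledge items and probabilities are all assumptions, searched for the most probable path to the goal before and after a countermeasure lowers one step's success probability.

```python
import heapq
from itertools import count
from math import exp, log

# Constructed toy attack execution graph in the style of the ADVISE slide
# (an assumption of this example, not the presentation's model): each attack
# step needs some access domains / knowledge items and, if it succeeds with
# probability p, grants new ones. All names and probabilities are illustrative.
STEPS = {
    # step: (needed items, gained items, success probability)
    "reach_db_host":         ({"internal_network"}, {"db_host"}, 0.90),
    "disable_audit_log":     ({"db_host"}, {"logs_off"}, 0.85),
    "read_backup_config":    ({"db_host"}, {"backup_path"}, 0.80),
    "copy_backup_file":      ({"db_host", "backup_path"}, {"sensitive_data"}, 0.70),
    "harvest_db_password":   ({"db_host"}, {"db_password"}, 0.50),
    "query_sensitive_table": ({"db_host", "db_password"}, {"sensitive_data"}, 0.60),
}
GOAL = {"sensitive_data"}   # the "Data Theft" attack goal (oval in the graph)

def most_probable_path(steps, initial, goal):
    """Dijkstra over sets of held items, minimising the sum of -log(p).
    Returns (probability, [step names]) of the most likely path to the goal."""
    start = frozenset(initial)
    best = {start: 0.0}
    tie = count()                        # breaks ties without comparing sets
    heap = [(0.0, next(tie), start, [])]
    while heap:
        neglog, _, held, path = heapq.heappop(heap)
        if neglog > best.get(held, float("inf")):
            continue                     # stale queue entry
        if goal <= held:
            return exp(-neglog), path
        for name, (needs, gains, p) in steps.items():
            if needs <= held and not gains <= held:
                nxt = held | gains
                cand = neglog - log(p)
                if cand < best.get(nxt, float("inf")):
                    best[nxt] = cand
                    heapq.heappush(heap, (cand, next(tie), nxt, path + [name]))
    return 0.0, []                       # goal unreachable from the initial items

def with_countermeasure(steps, step, new_p):
    """Model a countermeasure as a reduced success probability of one step,
    so the same graph can be re-evaluated after the countermeasure is applied."""
    needs, gains, _ = steps[step]
    return {**steps, step: (needs, gains, new_p)}

if __name__ == "__main__":
    print(most_probable_path(STEPS, {"internal_network"}, GOAL))
    print(most_probable_path(with_countermeasure(STEPS, "copy_backup_file", 0.10),
                             {"internal_network"}, GOAL))
```

Lowering the success of the backup-copy step shifts the most probable path to the credential-harvesting route, which is the kind of re-assessment the countermeasures step calls for.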

Methodology application - Countermeasures
Countermeasures:
Identify the sensitive data and set up a detection system that prevents all queries on such data.
Keep track of accesses (username, timestamp, event description: computer system, devices, utilized software, software installation, error condition, etc.).
Implement a biometric system which performs an identity check at a predetermined interval (minutes, hours).
Prevent logging into the system during holidays or outside office hours.
Allow printing reports only on specific printers.
Implement an e-mail system with automatic cc forwarding to a higher-ranking person.
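The access-tracking, sensitive-data and office-hours countermeasures above can be turned into detection logic. The following is an added example, not from the presentation: it runs over a constructed access log (the line format, table names and holiday date are assumptions) and flags queries on sensitive tables, access outside office hours or on holidays, and the installation of a not-required service from the threat list.

```python
from datetime import date, datetime, time

# Constructed access log in the "username, timestamp, event description" form
# the slide asks to keep; the line format itself is an assumption of this example.
LOG = """\
2014-02-10T09:15:00 sa1 login host=db01
2014-02-10T22:40:00 sa1 login host=db01
2014-02-10T22:41:10 sa1 query table=customer_pii rows=12000
2014-02-11T10:02:00 op2 query table=inventory rows=40
2014-02-11T10:30:00 sa1 service_install name=ftpd
2014-02-16T11:00:00 sa1 login host=db01
"""
SENSITIVE_TABLES = {"customer_pii", "crypto_keys"}   # constructed list
OFFICE_HOURS = (time(8, 0), time(18, 0))             # assumed working hours
HOLIDAYS = {date(2014, 2, 16)}                       # constructed; also a Sunday

def parse(line):
    """Split one log line into (timestamp, user, event, {key: value})."""
    ts, user, event, *kv = line.split()
    attrs = dict(item.split("=", 1) for item in kv)
    return datetime.fromisoformat(ts), user, event, attrs

def findings(log):
    """Return (timestamp, user, reason) tuples for events that violate the
    countermeasures: off-hours/holiday access, queries on sensitive data,
    and installation of services that were not required."""
    out = []
    for line in log.splitlines():
        when, user, event, attrs = parse(line)
        off_hours = not (OFFICE_HOURS[0] <= when.time() < OFFICE_HOURS[1])
        if off_hours or when.weekday() >= 5 or when.date() in HOLIDAYS:
            out.append((when, user, "access outside office hours or on a holiday"))
        if event == "query" and attrs.get("table") in SENSITIVE_TABLES:
            out.append((when, user, f"query on sensitive table {attrs['table']}"))
        if event == "service_install":
            out.append((when, user, f"new service installed: {attrs.get('name')}"))
    return out

if __name__ == "__main__":
    for when, user, reason in findings(LOG):
        print(when.isoformat(), user, reason)
```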

Conclusions
Several techniques exist to avoid or detect the risk that a legitimate user abuses their authority. Technological protection from external threats is important, but defending against insider attacks is and will remain challenging. Insider attacks are difficult to detect, either by human or by technical means. We identified a lack in the definition of a methodology and related supports for the systematic investigation and assessment of insider threats.

Future works
Define a method which supports the creation, usage and maintenance of the threats library. Identify an approach to support the selection of the input parameters that characterize the attack path, in order to understand the costs and dangerousness of an attack. A mapping between the Insider Library and ADVISE profiles must be provided, also assigning numerical values.

Thank You