Analysis and Detection of Insider Threats


Description

Analysis and Detection of Insider Threats. DSS, 4 May 2005, MITRE. Workshop goal: design and develop a proof-of-concept system for early indication and warning of malicious insiders. Multidisciplinary team. Hypotheses. (PowerPoint presentation)

Transcript of Analysis and Detection of Insider Threats

Page 1: Analysis and Detection of Insider Threats

4 May 2005, MITRE, DSS

Mark Maybury, Penny Chase, Brant Cheikes, Information Technology Division, The MITRE Corporation, 202 Burlington Road, Bedford, MA 01730, USA, {maybury, pc, bcheikes}@mitre.org

Dick Brackney, Advanced Research and Development Activity in Information Technology, 9800 Savage Road, Fort George G. Meade, MD, [email protected]

Sara Matzner and Tom Hetherington, Applied Research Laboratories, University of Texas, Austin, TX 78713, {matzner, tomh}@arlut.utexas.edu

Brad Wood, Conner Sibley and Jack Marin, BBN Technologies, 9861 Broken Land Parkway, Suite 400, Columbia, MD 21046, {bwood, csibley, jamarin}@bbn.com

Tom Longstaff, CERT Research and Analysis Centers, Software Engineering Institute, Carnegie Mellon University, 4500 Fifth Avenue, Pittsburgh, PA 15213-3890, [email protected]

Lance Spitzner, Honey Net Consortium, [email protected]

John Copeland, Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA 30332-0490, [email protected]

Scott Lewandowski and Jed Haile, MIT Lincoln Laboratory, 244 Wood Street, Lexington, MA 02420-9108, [email protected], [email protected]

Page 2: Workshop Goal

Copyright © 2005 The MITRE Corporation. All rights reserved.

Design and develop a proof-of-concept system for early indication and warning of malicious insiders.

Page 3: Multidisciplinary Team

(Figure: chart of the participating organizations; only the title survives extraction.)

Page 4: Hypotheses

- A heterogeneous approach to indications and warning will enhance malicious insider (MI) detection
- Fusing information results in more accurate and timely indications and warning of MIs
- Observables together with domain knowledge (e.g., user role) can help detect inappropriate behavior (e.g., need-to-know violations)

Page 5: Methodology

Iterative cycle:
- Model Insiders and Observables
- Insider Case Analysis
- Live Network Experimentation
- Novel Sensors Design and Development
- Evaluation

Page 6: Cases

(Figure: insider cases studied; only the title survives extraction.)

Page 7: Observables Taxonomy

Observables
- Missing Reporting (financial, travel, contact)
- Physical Security
  - Physical Access (e.g., card door logs)
  - Violations
  - Materials Transfer to handlers
  - Foreign Travel
- Cyber Security: Cyber Actions
  - Reconnaissance: Net Scan, Web Browsing, DB Search
  - Exploitation
    - Access: Orphan account use, Password cracking, Account misuse, Privilege escalation, Terminals left logged on unattended (no time out)
    - Entrenchment: File Permissions, Install Sensors, Install unauthorized software, Sensor Mgmt, Bot Command & Control
    - Extraction & Exfiltration: Printing, Downloads, Removable Media, Copy machine
  - Communication (Internal, External): Encrypted Email, Coded Messages, Covert Channels
  - Manipulation: Misinformation, Info suppression, Disk Erasure, Disk Wiping
  - Other Cyber Activities: Pornography, Gambling
- Counter Intelligence: Polygraph, CI Case Files, Finances/Wealth/Vices
- Social Activity

Data and Sensors: Honeypot data, Calling patterns, Email patterns, Travel/vacation, Trouble Tickets, Syslog, Network IDS Logs, Maintenance Schedule, Keyboard logs, File system logs

Page 8: Asset Taxonomy

Assets
- Human: System Admin, Network Admin, Analyst, Operator, Manager, Secretary, ...
- Information: Counter Intelligence, Net Vulnerabilities, Sources & Methods, Logs (web, DB, ...), Network Structure, Passwords, Document/Briefing, Web Page
- Resources: $$, ...
- Software: Web Server, Mail Server, DB, Application, Op. System, ...
- Key: Physical Access, Badge, ...
- Hardware: Server, Router, Guard, Encryptor, Satellite, Phone, Workstation (Monitor, Keyboard, CPU), Removable Media (floppies, USB devices, CD-ROMs), ...

Page 9: User Taxonomy

Employees
- Executive, Financial, HR, Media/Comm, System & Network Admin, Facilities, Transportation, InfoSec, Security and Safety, Legal
- Technical/Engineer: Data and Info, Software, Electronics, Analyst, Physical, InfoSec
- Prof. Support, Secretarial, Summer, Misc.

Non-MITRE: subcontractor, consultant, tenant

Page 10: Account Taxonomy

User Accounts
- Executive (Executive Secretary)
- Professional Support: Technical, Financial / Purchasing / Admin, Human Resources, Technical Project Support, Media / Communications, System & Network Admin, Facilities & Equipment, Transportation, Information Security, Security & Safety, Misc Expert Services
- Technical: Applications Engineering, Electronics Engineering, Analysts, Physical Engineering, Information Security, Data & Information, Multi Discipline Information Systems
- Secretarial: Secretary (328), Clerks / Aides (46)
- Co-op/Summer
- Others
- Non-MITRE Employees: Subcontract, Consultants, Tenants

Groups

Non-human entities: Listservers, Mail Forwarders, SysAdmin Accounts

Locations: Bedford, Washington, Sites

Page 11: Malicious Insider Testbed

Real network: MITRE's DMZ
- A separate network for experimentation and sponsor community support, established outside of the MITRE internal network
- 300-400 hosts
- Various services: Web, news, email, database, ...
- Data sources on network for use in scenarios
- Deploy additional sensors

3 of 75 users active during the period acted as malicious insiders, based on historical and projected scenarios of insider behavior

(Diagram: Internet, MITRE DMZ, MITRE Internal Network)

Page 12: Insider Scenarios

Three scenarios:
- Aggregate historical insider "Pal", an intelligence analyst; drew upon historical examples
- Projected insiders "Jill" (News Admin, an application administrator) and "Jack" (a system administrator); the News Admin and "Jack" developed their own scenarios
  - Needed to be consistent with prior activity on systems
  - More realistic ("red teaming")

Page 13: Multiple Data Sources

- Physical: badge reader
- Host: su, login, yppasswdd, last
- Application: sendmail, sshd, web_log, web_notice, web_warn, web_error, nnrpd, innd (web server stack: Network Server, Web Server, HTTP Support, Web Service, Framework)
- Network: Snort IDS, StealthWatch, Honeynet, e-mail sensor
- Domain Knowledge: User Role Taxonomy

18 (of 400) hosts, 11+M records, 4000 users, 75 active on DMZ

Page 14: Collection and Anonymization

Sources: Sendmail logs, Authentication logs, Badge reader logs, Web server logs, News server logs, StealthWatch logs, Honeynet logs, Other logs

Flow: logs go into an Archive Database in the Protected Computing Space, pass through a Scrubber, and land in the Common Data Repository (flat files) in the ARDA NRRC Space

Page 15: Evaluation Activity

(Timeline, December to February, one row each for PAL (Analyst), Jill (News Admin) and Jack (Sys Admin). Each row shows normal activity and periods of insider activity; for some periods the insider's journal was available during the test, for others it was revealed after the test.)

Page 16: Heterogeneous I&W Approaches

- StealthWatch: multilevel network flow analysis
- Honeynets: simulated targets to elicit knowledge of attacker
- Structured Analysis Group (SAG): top-down, real-time model-based detection of MI
- Data Fusion: bottom-up analysis of traditional and novel indicators

Page 17: Integrated Framework

Sensors (including the Honeynet) feed Common Data; three analyses run over it, Anomaly Detection (StealthWatch+: big file, scanning, zone alert), Data Fusion and Structured Analysis (with Adversary Models), and their output goes to Decision Analysis.

Common Data
- Authentication, Mail, DMZ Servers, IDS, Honeynet, Badge Data
- Application Logs (e.g., web, DB, mail)
- Nessus Scans (vulnerability analysis)
- Switch logs, StealthWatch logs

Page 18: Performance Evaluation Metrics

Timeliness, e.g., time from defection to detection: years, months, weeks, minutes

Accuracy
- Precision = # correctly detected insiders / # reported
- Recall = # correctly detected insiders / total # actual insiders
- False positives = # reported non-insiders; 1 - precision is the fraction of reports that are false, and the accuracy slides give false positives as a fraction of the non-insider population (e.g., 2/72)
- False negatives = total # actual insiders - # correctly detected; as a rate, divided by total # actual insiders (e.g., 1/3)

Page 19: StealthWatch: Multilevel network flow analysis (Lancope)

Page 20: StealthWatch alarm levels

(Chart: alarm level over time, peaking at 20. Scanning activity by "Jack" versus approved scanning activity by "info-scan".)

Page 21: Hypothesis (Brad Wood, BBN)

"Jack" downloaded more than 4 gigabytes on Feb. 12.

(Chart: traffic between Jack and the Common Data Repository; known SSH traffic marked OK.)

Page 22: Inside connections

"Jack" did not increase the number of inside connections: normally 8, maximum was 10 on Feb. 11.

(Chart: Jack's connections to the CDR over time.)
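The two checks behind the "Jack" slides, a jump in the bytes an account moves in a day and whether its count of inside connections changed at the same time, as an added example that is not code from the workshop or from StealthWatch. The flow records, host names and the 10x-median rule are constructed for illustration:

```python
"""Per-account daily flow summary with a volume-jump check (added example)."""
from collections import defaultdict
from datetime import date
from statistics import median


def _day(user, day, peers, total_bytes):
    """Constructed-data helper: spread total_bytes evenly over peers."""
    return [(day, user, peer, total_bytes // len(peers)) for peer in peers]


# Ten DMZ hosts (hypothetical names) that "jack" administers.
INSIDE = [f"dmz{n:02d}" for n in range(1, 11)]

# Constructed flows: (day, user, inside_peer, bytes). "jack" normally moves
# ~100 MB/day to 8 hosts, touches 10 hosts on Feb 11, then pulls 4.3 GB on
# Feb 12 from the same 8 hosts as usual. "user8859" is a steady control.
FLOWS = (
    _day("jack", date(2004, 2, 9), INSIDE[:8], 100_000_000)
    + _day("jack", date(2004, 2, 10), INSIDE[:8], 130_000_000)
    + _day("jack", date(2004, 2, 11), INSIDE[:10], 110_000_000)
    + _day("jack", date(2004, 2, 12), INSIDE[:8], 4_300_000_000)
    + _day("user8859", date(2004, 2, 9), INSIDE[:3], 50_000_000)
    + _day("user8859", date(2004, 2, 10), INSIDE[:3], 52_000_000)
    + _day("user8859", date(2004, 2, 11), INSIDE[:3], 48_000_000)
    + _day("user8859", date(2004, 2, 12), INSIDE[:3], 51_000_000)
)


def summarise(flows):
    """Aggregate flows into {(user, day): (total_bytes, distinct_peers)}."""
    totals = defaultdict(int)
    peers = defaultdict(set)
    for day, user, peer, nbytes in flows:
        totals[(user, day)] += nbytes
        peers[(user, day)].add(peer)
    return {key: (totals[key], len(peers[key])) for key in totals}


def volume_alerts(flows, factor=10.0, min_history=2):
    """One alert per user-day whose byte total exceeds `factor` times the
    median of that user's earlier days. The alert also carries the day's
    peer count and the historical median peer count, so the analyst sees
    at once whether the big transfer came with new connections (in the
    "Jack" case it does not)."""
    per_user = defaultdict(list)
    for (user, day), (nbytes, npeers) in summarise(flows).items():
        per_user[user].append((day, nbytes, npeers))

    alerts = []
    for user, days in per_user.items():
        days.sort(key=lambda t: t[0])
        for i, (day, nbytes, npeers) in enumerate(days):
            history = days[:i]
            if len(history) < min_history:
                continue  # not enough baseline yet
            base_bytes = median(h[1] for h in history)
            if nbytes > factor * base_bytes:
                alerts.append({
                    "user": user,
                    "day": day,
                    "bytes": nbytes,
                    "baseline_bytes": base_bytes,
                    "ratio": nbytes / base_bytes,
                    "peers": npeers,
                    "baseline_peers": median(h[2] for h in history),
                })
    return alerts


if __name__ == "__main__":
    for a in volume_alerts(FLOWS):
        print(f"{a['user']} {a['day']}: {a['bytes'] / 1e9:.1f} GB "
              f"({a['ratio']:.0f}x median), peers {a['peers']} vs {a['baseline_peers']:.0f}")
```

Comparing each account against its own history is what makes the 4 GB day stand out while an administrator's usual 100 MB of traffic to eight hosts does not; the unchanged peer count is the second fact the slides draw attention to.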

Page 23: Structured Analysis Group: Top-down, real-time model-based detection

Page 24: Structured Analysis Group Observables Taxonomy

(Figure: the observables taxonomy of Page 7, with the observables addressed at the workshop highlighted.)

Page 25: Adversary Models

(Figure: adversary models used by the Structured Analysis Group; only the title survives extraction.)

Page 26: Accuracy of Structured Analysis

SAG: PAL (chart: factor per user, highest first: PAL, user2304, TIDES-ADMIN, user8859, user6550, user10718, user9673, JACK, user318, user8, user757, user10368, user268, user2649, user324, user1284, user365, user1265, user9673, user266, user281, user287; scale 0-800; PAL marked *)

Threshold                 False Pos.   False Neg.
Max change                0            0
50% of highest factor     3%           0
10% of highest factor     12%          0

SAG: JACK (chart: factor per user, highest first: JACK, user318, user268, user324, user2304, user2649, user287, PAL, TIDES-ADMIN, user1265, user281, user266, user8859, user2644, user8859, user215, user2645, user322, user757, user319, user6550, user10368; scale 0-700; JACK and PAL marked *; max change marked)

Threshold                 False Pos.   False Neg.
50% of highest factor     1%           50%
10% of highest factor     7%           50%

Page 27: Data Fusion: Bottom-up analysis of traditional and novel indicators

Page 28: Data Fusion Observables Taxonomy

Same taxonomy as Page 7 (Missing Reporting; Physical Security: Physical Access, Violations, Materials Transfer to handlers, Foreign Travel; Cyber Security: Reconnaissance, Exploitation (Access, Entrenchment, Extraction & Exfiltration), Communication (Internal, External), Manipulation, Other Cyber Activities; Counter Intelligence: Polygraph, Finances/Wealth/Vices; Social Activity), with each sensor marked as implemented at the workshop, implemented elsewhere, or not implemented.

Sensors
- Authentication logs: root access for non-admin; su from one normal user to another
- IDS logs: http, ftp, telnet from non-standard ports
- News/Web browsing outside need-to-know; bulk news/web search; net scan in IDS logs
- Uploads (ftp, http) in IDS logs; printing
- Email: unusual recipient and encrypted; hidden or masqueraded content type; lack of required digital watermark on images

Page 29: Data Fusion indicators

- Cyber-Access, user324, weight 1, at 2003-12-10 11:14:38, from news.mitre.org, su to user9676 failed for non-admin user user324 on /dev/pts/0
- Physical-Access, user295, weight 5, at 2003-12-15 19:19:37, After hours badge access for user295
- Cyber-Extraction-Exfiltration, user2649, weight 5, at 2004-01-06 15:37:28, from nrrc-springfield.mitre.org, Data was uploaded to an external server via FTP protocol
- Cyber-Reconnaissance, user295, weight 10, at 2004-01-09 20:57:18, from nrrc-springfield.mitre.org, User user295 searching in non-need-to-know country korea
- Cyber-Communication, user9, weight 15, at 2004-02-10 22:14:48, from cvw.mitre.org, User user9 received email with masqueraded content from user11649@yahoo.com
- Cyber-Reconnaissance, user1, weight 5, at 2004-02-10 13:54:15, from nrrc-plymouth.mitre.org, Ongoing CI violation -- 066.170.227.074 has 49613 alerts of this type...
- Cyber-Extraction-Exfiltration, user295, weight 8, at 2004-02-12 23:54:58, from dmzsrv1.mitre.org, User user295 sent encrypted email user9983@comcast.net
- Cyber-Extraction-Exfiltration, user1, weight 15, at 2004-02-20 12:25:03, from nrrc-erie.mitre.org, user1 sent email with masqueraded content [email protected]

Page 30: Experimental Results, Data Fusion

User weights and indicators (chart: total weight per user, stacked by indicator category: Cyber Extract-Exfiltrate, Physical Access, Cyber Communication, Cyber Access, Cyber Reconn; scale 0-350)

User       Breadth
PAL        5
user8859   1
JACK       3
user301    2
user2649   2

Breadth of 1: not on watch

Data reduction
- 7.4 M records examined for 75 users
- 259 indicators for 24 users
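The bottom-up fusion step shown on the last two slides (indicator lines summed into a per-user weight, breadth counted as distinct categories, breadth-1 users kept off the watch list), as an added example rather than the workshop's fusion engine. The eight records are the indicator lines printed on Page 29; only their "Category, user, weight N, at ..., from host, detail" layout is assumed, and the minimum breadth of 2 is taken from the "Breadth of 1: not on watch" note:

```python
"""Fuse per-user indicators into a ranked watch list (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# The eight indicator lines as printed on the Data Fusion slide.
INDICATORS = [
    "Cyber-Access, user324, weight 1, at 2003-12-10 11:14:38, from news.mitre.org, su to user9676 failed for non-admin user user324 on /dev/pts/0",
    "Physical-Access, user295, weight 5, at 2003-12-15 19:19:37, After hours badge access for user295",
    "Cyber-Extraction-Exfiltration, user2649, weight 5, at 2004-01-06 15:37:28, from nrrc-springfield.mitre.org, Data was uploaded to an external server via FTP protocol",
    "Cyber-Reconnaissance, user295, weight 10, at 2004-01-09 20:57:18, from nrrc-springfield.mitre.org, User user295 searching in non-need-to-know country korea",
    "Cyber-Communication, user9, weight 15, at 2004-02-10 22:14:48, from cvw.mitre.org, User user9 received email with masqueraded content from user11649@yahoo.com",
    "Cyber-Reconnaissance, user1, weight 5, at 2004-02-10 13:54:15, from nrrc-plymouth.mitre.org, Ongoing CI violation -- 066.170.227.074 has 49613 alerts of this type...",
    "Cyber-Extraction-Exfiltration, user295, weight 8, at 2004-02-12 23:54:58, from dmzsrv1.mitre.org, User user295 sent encrypted email user9983@comcast.net",
    "Cyber-Extraction-Exfiltration, user1, weight 15, at 2004-02-20 12:25:03, from nrrc-erie.mitre.org, user1 sent email with masqueraded content [email protected]",
]

# "from host" is optional: physical indicators carry no host.
INDICATOR_RE = re.compile(
    r"^(?P<category>[A-Za-z-]+), (?P<user>\w+), weight (?P<weight>\d+), "
    r"at (?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"(?:, from (?P<host>[\w.-]+))?, (?P<detail>.*)$"
)


def parse_indicator(line):
    """One indicator line -> dict with typed weight and timestamp."""
    m = INDICATOR_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised indicator: {line!r}")
    rec = m.groupdict()
    rec["weight"] = int(rec["weight"])
    rec["when"] = datetime.strptime(rec["when"], "%Y-%m-%d %H:%M:%S")
    return rec


def fuse(lines):
    """Per user: summed weight, the set of categories seen (breadth), and
    the first/last indicator time, which is what the timeliness slide plots."""
    users = defaultdict(lambda: {"weight": 0, "categories": set(),
                                 "first": None, "last": None})
    for line in lines:
        ind = parse_indicator(line)
        u = users[ind["user"]]
        u["weight"] += ind["weight"]
        u["categories"].add(ind["category"])
        u["first"] = ind["when"] if u["first"] is None else min(u["first"], ind["when"])
        u["last"] = ind["when"] if u["last"] is None else max(u["last"], ind["when"])
    return dict(users)


def watch_list(lines, min_breadth=2):
    """(user, total weight, breadth) ranked by weight, keeping only users
    seen in at least `min_breadth` categories."""
    fused = fuse(lines)
    ranked = sorted(fused.items(), key=lambda kv: (-kv[1]["weight"], kv[0]))
    return [(user, info["weight"], len(info["categories"]))
            for user, info in ranked if len(info["categories"]) >= min_breadth]


if __name__ == "__main__":
    for user, weight, breadth in watch_list(INDICATORS):
        print(f"{user:10s} weight {weight:4d} breadth {breadth}")
```

Breadth is the cheap defence against a single noisy sensor: user9's one heavy Cyber-Communication hit outweighs user1's two lighter ones, but only user1 has corroboration across categories and reaches the list.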

Page 31: Data Fusion Accuracy

(Chart: total weight per user, highest first: PAL, user8859, JACK, user301, user2649, user322, user2644, user2304, user2645, user2647, user9, user317, user319, user2648, user1265, user7448, user215, user252, user318, user2306, user11838, user324, TIDES-ADMIN, user287; scale 0-350; insiders marked *. Thresholds marked: 50% of highest factor = 152, 10% of highest = 30, max change.)

Threshold          False Pos.     False Neg.
50% of highest     0/72 = 0       2/3 = 66%
10% of highest     2/72 = 3%      1/3 = 33%

Across approaches, correctly identified 3 out of 3 insiders
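The cut-off rules marked on the Structured Analysis and Data Fusion accuracy charts, and the metrics defined on Page 18, carried through in code as an added example (not the workshop's scoring). The per-user scores are constructed to resemble the Data Fusion chart, with a highest score of about 304, 24 scored users out of a population of 75, and insiders PAL, JACK and JILL; they are not the workshop's measured values. "Max change" is read here as the largest drop between consecutive ranked scores:

```python
"""Watch-list cut-offs and accuracy metrics (added example)."""

INSIDERS = {"PAL", "JACK", "JILL"}   # the three scripted insiders
POPULATION = 75                      # users active on the DMZ

# Constructed scores shaped like the Data Fusion chart. JILL produced no
# indicator in this run, so she is absent (weight 0).
SCORES = {
    "PAL": 304, "user8859": 82, "JACK": 70, "user301": 41, "user2649": 25,
    "user322": 20, "user2644": 18, "user2304": 15, "user2645": 12,
    "user2647": 10, "user9": 8, "user317": 5, "user319": 5, "user2648": 4,
    "user1265": 4, "user7448": 3, "user215": 3, "user252": 2, "user318": 2,
    "user2306": 2, "user11838": 1, "user324": 1, "TIDES-ADMIN": 1, "user287": 1,
}


def ranked(scores):
    """Users ordered by score, highest first; ties broken by name."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def cut_fraction_of_top(scores, fraction):
    """Everyone scoring at least `fraction` of the highest score."""
    threshold = fraction * max(scores.values())
    return {u for u, s in scores.items() if s >= threshold}


def cut_max_change(scores):
    """Everyone above the largest drop between consecutive ranked scores."""
    order = ranked(scores)
    if len(order) < 2:
        return {u for u, _ in order}
    gaps = [order[i][1] - order[i + 1][1] for i in range(len(order) - 1)]
    last_kept = gaps.index(max(gaps))
    return {u for u, _ in order[:last_kept + 1]}


def evaluate(flagged, insiders, population):
    """Precision and recall as on Page 18, plus the two rates the accuracy
    slides report: false positives over the non-insider population and
    false negatives over the insiders."""
    tp = len(flagged & insiders)
    fp = len(flagged - insiders)
    fn = len(insiders - flagged)
    negatives = population - len(insiders)
    return {
        "flagged": len(flagged), "tp": tp, "fp": fp, "fn": fn,
        "precision": tp / len(flagged) if flagged else 0.0,
        "recall": tp / len(insiders),
        "fp_rate": fp / negatives,
        "fn_rate": fn / len(insiders),
    }


def report(scores=SCORES, insiders=INSIDERS, population=POPULATION):
    """Apply the three cut-offs and score each one."""
    rules = {
        "50% of highest": cut_fraction_of_top(scores, 0.5),
        "10% of highest": cut_fraction_of_top(scores, 0.1),
        "max change": cut_max_change(scores),
    }
    return {name: evaluate(flagged, insiders, population)
            for name, flagged in rules.items()}


if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name:15s} flagged {r['flagged']:2d}  FP {r['fp']}/{POPULATION - len(INSIDERS)}"
              f"  FN {r['fn']}/{len(INSIDERS)}  precision {r['precision']:.2f}")
```

With these scores the 50% rule reproduces the slide's first column (0/72 false positives, 2/3 false negatives) and the 10% rule its second (2/72 and 1/3); an insider who generates no indicator at all, as JILL does here, is invisible to every cut-off, which is why the summary counts detections across approaches rather than per approach.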

Page 32: Performance: Timeliness

(Gantt chart, Dec to Feb, one row per insider, showing when each approach put the insider on a watch list and when it raised an alert.)

- Jack: 2/11/04, 2/20/04
- Jill (News Admin): 2/11/04, 2/16/04
- PAL: 12/9/03, 2/15/04
- Other marks on the chart: 12/11/03, 12/17/03, 1/9/04, 1/24/04, 2/6/04, 2/6/04, 2/11/04, 2/12/04, 2/15/04, 2/17/04, 2/20/04

Key: StealthWatch, Structured Analysis, Data Fusion; Watch list, Alert

Page 33: Summary

- Malicious insiders are a serious threat
- Malicious insider behavior is distinct and cannot be readily detected using classic, external intruder detection
- Results from the challenge workshop show that an integration of multiple approaches promises early and effective warning and detection
- Workshop insider cases and dataset leave-behinds
- Inspiration for new sensor development

Page 34: Malicious Insider Evaluation

Cycle:
- Select Insider Case
- Simulate on network
- Participants sign data NDA
- Data sent to participants
- Participants submit runs

Page 35: Our Insider Knowledge and Focus

(Matrix: Occurrence (Occurred / Not yet occurred) against Stealth (Detectable / Hard to Detect / Not yet Detectable / No cyber component). Cases placed on it: Robert Philip Hanssen, Ana Belen Montes, and "MI who attacks the network". ? = unaddressed by workshop; X = unobservable in cyberspace.)

Focus: "Indications and warnings, not conviction and sentencing"

Page 36: "Pal" Scenario

- News: changes news subscriptions
- Web Search: makes new (inappropriate) queries
- Honeytoken: retrieves "interesting" data for which he has no need to know
- Email: exfiltration and communication with handler

Page 37: "Jill" or News Admin Scenario

- Web Search: makes new (inappropriate) queries
- Account Manipulation: creates news account and uses this account to read news
- Covert Access: accesses news through hidden newsgroups

Page 38: Jack Scenario

- Maps network: maps network using nmap
- Create backdoor: builds a reverse ssh tunnel between news server and admin workstation
- Searches for data: searches news.mitre.org data at file system level
- Stealthy exfiltration: masquerades compressed data as image
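A content-type check for the last step of the Jack scenario and for the "masqueraded content type" indicator on Page 28, as an added example that is not the workshop's e-mail sensor. The signature and extension tables, the sample attachments and the gzip payload are constructed; besides a wholesale rename, the check also catches a payload appended after a valid image's end-of-image marker, which is how such data usually rides inside a file that still opens as a picture:

```python
"""Declared versus actual attachment type (added example)."""
import gzip
import os

# (leading bytes, media type) for the formats this check needs.
SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x1f\x8b", "application/gzip"),
    (b"PK\x03\x04", "application/zip"),
    (b"BZh", "application/x-bzip2"),
    (b"%PDF", "application/pdf"),
]
EXTENSIONS = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
    ".gif": "image/gif", ".gz": "application/gzip", ".zip": "application/zip",
    ".bz2": "application/x-bzip2", ".pdf": "application/pdf",
}
JPEG_EOI = b"\xff\xd9"


def sniff(data):
    """Media type implied by the leading bytes, or None if unrecognised."""
    for magic, media_type in SIGNATURES:
        if data.startswith(magic):
            return media_type
    return None


def declared_type(filename):
    """Media type the filename claims, or None for an unknown extension."""
    return EXTENSIONS.get(os.path.splitext(filename.lower())[1])


def trailing_after_jpeg(data):
    """Bytes after the first end-of-image marker. A clean JPEG ends at EOI;
    anything appended survives most viewers. (An EXIF thumbnail carries its
    own EOI, so treat a hit as an indicator, not proof.)"""
    idx = data.find(JPEG_EOI)
    return 0 if idx < 0 else len(data) - (idx + len(JPEG_EOI))


def check_attachment(filename, data):
    """Compare declared and sniffed types; for JPEGs also look past EOI."""
    declared = declared_type(filename)
    actual = sniff(data)
    findings = []
    if declared and actual != declared:
        findings.append(f"declared {declared} but bytes look like {actual or 'unknown'}")
    if actual == "image/jpeg":
        extra = trailing_after_jpeg(data)
        if extra:
            hidden = sniff(data[len(data) - extra:])
            findings.append(f"{extra} bytes after JPEG end-of-image marker"
                            + (f" ({hidden})" if hidden else ""))
    return {"filename": filename, "declared": declared, "actual": actual,
            "findings": findings}


def flagged_attachments(samples):
    """Names of the samples that produced at least one finding."""
    return sorted(name for name, data in samples.items()
                  if check_attachment(name, data)["findings"])


# Constructed samples: a minimal JPEG skeleton and a gzip "exfil" payload.
SECRET = gzip.compress(b"PROJECT NOTES\n" * 200)
TINY_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
SAMPLES = {
    "holiday.jpg": TINY_JPEG,             # genuine image
    "holiday2.jpg": SECRET,               # gzip simply renamed to .jpg
    "holiday3.jpg": TINY_JPEG + SECRET,   # gzip appended after EOI
    "notes.gz": SECRET,                   # honest archive
    "chart.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name in flagged_attachments(SAMPLES):
        print(name, check_attachment(name, SAMPLES[name])["findings"])
```

The sniff catches the lazy rename; the post-EOI check catches the variant that still renders as a photograph. Neither sees data hidden inside the image's own pixels, which is what the "required digital watermark" sensor on Page 28 is aimed at.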

Page 39: Heterogeneous Data (1 of 3)

Badge reader:
- "0M151_Telephone_Room 12/06/2003 02:43:26 Admitted user2930 at 0M151 Telephone Room"
- "0M422_Rear_Door_[In]_ 12/06/2003 05:20:24 Admitted user2930 at 0M422 Rear Door [In]"

Login:
- "nrrc-plymouth.mitre.org ROOT LOGIN /dev/console"

Su:
- "nrrc-plymouth.mitre.org 'su root' succeeded for user1 on /dev/pts/1"

Page 40: Heterogeneous Data (2 of 3)

Sshd:
- "Accepted publickey for root from 129.83.10.17 port 52893"
- "Accepted password for user1265 from 66.189.44.167 port 61007"
- "Failed password for user1265 from 66.189.44.167 port 61011"

Last -a:
- "nrrc-boston.mitre.org user2645 pts/0 Wed Jan 7 21:06 - 23:18 (02:11) 128.230.14.115"
- "nrrc-boston.mitre.org user2643 pts/0 Fri Dec 12 16:54 - 17:25 (00:30) sgdykes.datasys.swri.edu"

Page 41: Heterogeneous Data (3 of 3)

Web_log:
- "GET /cvw/licenses/source/license.html HTTP/1.0"
- "GET /basilix.php3?request_id[DUMMY]=../../../../etc/passwd&RequestID=DUMMY&username=user2311&password=xxxxx HTTP/1.1"

Web_error:
- "Invalid method in request get /scripts/..."
- "File does not exist: /news_1/.../etc/passwd"

Sendmail:
- "cvw.mitre.org 14436 i0J507Lb014436: from=<[email protected]>, size=2789, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=smtp-bedford-x.mitre.org [192.160.51.76]"
- "cvw.mitre.org 14645 i0J7ErLb014644: to=user8, ctladdr=<[email protected]> (1/0), delay=00:00:00, xdelay=00:00:00, mailer=*file*, pri=41013, dsn=2.0.0, stat=Sent"

Page 42: Data [# of records and % of total]

Source        Records     % of total
badge_reader  1,008,176   29%
nnrpd           980,826   27%
web_log         630,740   17%
innd            469,956   13%
web_error       259,175    7%
sshd            155,493    4%
sendmail         74,622    2%
snort            29,562    1%
last-a            8,669   <1%
su                1,860   <1%
web_notice          315   <1%
login               125   <1%
web_warn            122   <1%
yppasswdd            12   <1%

Not shown: StealthWatch, 7.5M records or 68% of the total