Analysis and Detection of Insider Threats
4 May 2005
MITRE / DSS
Mark Maybury, Penny Chase, Brant Cheikes - The MITRE Corporation, Information Technology Division, 202 Burlington Road, Bedford, MA 01730, USA; {maybury, pc, bcheikes}@mitre.org
Dick Brackney - Advanced Research and Development Activity in Information Technology, 9800 Savage Road, Fort George G. Meade, MD
Sara Matzner, Tom Hetherington - Applied Research Laboratories, University of Texas, Austin, TX 78713; {matzner, tomh}@arlut.utexas.edu
Brad Wood, Conner Sibley, Jack Marin - BBN Technologies, 9861 Broken Land Parkway, Suite 400, Columbia, MD 21046; {bwood, csibley, jamarin}@bbn.com
Tom Longstaff - CERT Research and Analysis Centers, Software Engineering Institute, Carnegie Mellon University, 4500 Fifth Avenue, Pittsburgh, PA 15213-3890
Lance Spitzner, Jed Haile - Honey Net Consortium
John Copeland - Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA 30332-0490
Scott Lewandowski - MIT Lincoln Laboratory, 244 Wood Street, Lexington, MA 02420-9108
Copyright © 2005 The MITRE Corporation. All rights reserved.
Workshop Goal
Design and develop a proof of concept system for early indication and warning of malicious insiders
Multidisciplinary Team
Hypotheses
- A heterogeneous approach to indications and warning will enhance MI (malicious insider) detection
- Fusing information results in more accurate and timely indications and warning of MIs
- Observables together with domain knowledge (e.g., user role) can help detect inappropriate behavior (e.g., need-to-know violations)
Methodology
- Model Insiders and Observables
- Insider Case Analysis
- Live Network Experimentation
- Novel Sensors Design and Development
- Evaluation
Cases
Observables Taxonomy
Observables
- Missing Reporting (financial, travel, contact)
- Physical Security: Physical Access (e.g., card door logs); Foreign Travel; Violations
- Cyber Security (Cyber Actions):
  - Reconnaissance: Net scan, Web browsing, DB search
  - Exploitation:
    - Access: Orphan account use, Password cracking, Account misuse, Privilege escalation, Terminals left logged on unattended (no time out)
    - Entrenchment: Install sensors, Install unauthorized software, Sensor management, Bot command & control
    - Extraction & Exfiltration: Printing, Downloads, Removable media, Copy machine
  - Communication: Encrypted email, Coded messages, Covert channels
  - Manipulation: Disk erasure, Disk wiping, File permissions, Misinformation, Info suppression
  - Other Cyber Activities: ...
- Counter Intelligence: Materials transfer to handlers; Finances, Wealth, Vices (Pornography, Gambling, ...); Polygraph; CI case files; Social activity; Communications (Internal, External)
Data and Sensors: Honeypot data, Calling patterns, Email patterns, Travel/vacation, Trouble tickets, Syslog, Network IDS logs, Maintenance schedule, Keyboard logs, File system logs
Asset Taxonomy
Assets
- Human: System Admin, Network Admin, Analyst, Operator, Manager, Secretary, Counter Intelligence, ...
- Information: Net vulnerabilities, Sources & Methods, Logs (web, DB, ...), Network structure, Passwords, Document/Briefing, Web page, ...
- Resources: $$, ...
- Software: Web server, Mail server, DB, Application, Operating system, ...
- Physical:
  - Access: Key, Badge, ...
  - Hardware: Server, Router, Guard, Encryptor, Satellite, Phone, Workstation (Monitor, Keyboard, CPU), Removable media (floppies, USB devices, CDROMs), ...
User Taxonomy
- Employees
  - Executive
  - Professional Support: Secretarial, Summer, Misc.
  - Technical/Engineer: Data and Info, Software, Electronics, Analyst, Physical, InfoSec
  - Financial; HR; Media/Comm; System & Network Admin; Facilities; Transportation; InfoSec; Security and Safety; Legal
- Non-MITRE: subcontractor, consultant, tenant
Account Taxonomy
- User Accounts
  - Executive; Executive Secretary
  - Professional Support: Secretarial (Secretary (328), Clerks / Aides (46)); Co-op/Summer; Financial / Purchasing / Admin; Human Resources; Technical Project Support; Media / Communications; System & Network Admin; Facilities & Equipment; Transportation; Information Security; Security & Safety; Misc Expert Services
  - Technical: Applications Engineering, Electronics Engineering, Analysts, Physical Engineering, Information Security, Data & Information, Multi Discipline Information Systems
  - Others
  - Non-MITRE Employees: Subcontract, Consultants, Tenants
- Groups / Non-human entities: Listservers, Mail forwarders, SysAdmin accounts
- Locations: Bedford, Washington, Sites
Malicious Insider Testbed
Real network - MITRE's DMZ
- A separate network for experimentation and sponsor community support, established outside of the MITRE internal network
- 300 - 400 hosts
- Various services: Web, news, email, database, ...
- Data sources on network for use in scenarios
- Deploy additional sensors
3 of the 75 users active during the period acted as malicious insiders, following historical and projected scenarios of insider behavior
[Diagram: Internet - MITRE DMZ - MITRE Internal Network]
Insider Scenarios
Three scenarios:
- Aggregate historical insider: "Pal", an intelligence analyst; drew upon historical examples
- Projected insiders: "Jill" (News Admin, an application administrator) and "Jack" (a system administrator)
  - The News Admin and "Jack" developed their own scenarios
  - Needed to be consistent with prior activity on systems
  - More realistic ("red teaming")
Multiple Data Sources
- Application (network server, web server, HTTP support, web service framework): su, login, yppasswdd, last, sendmail, sshd, web_log, web_notice, web_warn, web_error, nnrpd, innd
- Network: Snort IDS, StealthWatch, Honeynet, e-mail sensor
- Physical: badge reader
- Host
- Domain knowledge: user role taxonomy
18 (of 400) hosts, 11+M records, 4000 users, 75 active on DMZ
Collection and Anonymization
- Sources: Sendmail logs, Authentication logs, Badge reader logs, Web server logs, StealthWatch logs, Honeynet logs, News server logs, Other logs
- Archive database in a protected computing space
- Scrubber (anonymization)
- Common Data Repository (flat files) in the ARDA NRRC space
Evaluation Activity
[Timeline chart, December through February, one row per insider]
- PAL (Analyst)
- Jill (News Admin)
- Jack (Sys Admin)
Key: Normal activity; Insider activity with journal available during test; Insider activity with journal revealed after test
Heterogeneous I&W Approaches
- StealthWatch: multilevel network flow analysis
- Honeynets: simulated targets to elicit knowledge of attacker
- Structured Analysis Group (SAG): top-down, real-time model based detection of MI
- Data Fusion: bottom-up analysis of traditional and novel indicators
Integrated Framework
- Sensors feed Common Data:
  - Authentication, Mail, DMZ servers, IDS, Honeynet, Badge data
  - Application logs (e.g., web, DB, mail)
  - Nessus scans (vulnerability analysis)
  - Switch logs, StealthWatch logs
- Honeynet
- Anomaly Detection (StealthWatch+): big file, scanning, zone alert
- Data Fusion
- Structured Analysis, driven by Adversary Models
- Decision Analysis
Performance Evaluation Metrics
- Timeliness, e.g., time from defection to detection: years, months, weeks, minutes
- Accuracy
  - Precision = # correctly detected insiders / # reported
  - Recall = # correctly detected insiders / total # actual insiders
  - False positives = # reported - # correctly detected (as a fraction of reports, 1 - precision)
  - False negatives = total # actual insiders - # correctly detected (as a fraction of insiders, 1 - recall)
StealthWatch: Multilevel network flow analysis (Lancope)
[StealthWatch alarm-level chart, alarm level 20: scanning activity by "Jack" contrasted with approved scanning activity by "info-scan"]
Hypothesis (Brad Wood, BBN)
"Jack" downloaded more than 4 gigabytes on Feb. 12
[Flow diagram: Jack and the Common Data Repository; the known SSH connection is marked OK]
"Jack" did not increase the number of inside connections: normally 8, the maximum was 10 on Feb. 11.
[Flow diagram: Jack and the CDR]
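The two StealthWatch hypotheses above (a single day with more than 4 gigabytes transferred, and a connection count that stayed inside its usual range) are per-host baseline comparisons over flow summaries. The following Python is an added example, not StealthWatch's code and not workshop data: it builds constructed daily flow summaries for a hypothetical workstation jack-ws, derives a leave-one-out median baseline per host and day, and raises a volume alert for the one day that dwarfs the baseline while the distinct-peer count stays unflagged. The host and peer names, the byte counts, and the ratio and minimum parameters are assumptions.

```python
"""Per-host daily baselines from flow summaries: big-transfer and peer-count checks."""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Set, Tuple

MB = 1_000_000
Flow = Tuple[str, str, str, int]  # (date, host, peer, bytes transferred to host)


def build_flows() -> List[Flow]:
    """Constructed flow summaries for a hypothetical admin workstation (not workshop data)."""
    flows: List[Flow] = []
    for day in ["2004-02-09", "2004-02-10", "2004-02-11", "2004-02-12"]:
        peers = [f"srv{i}" for i in range(1, 9)]        # 8 internal peers on a normal day
        if day == "2004-02-11":
            peers += ["srv9", "srv10"]                   # two extra peers, still unremarkable
        for peer in peers:
            # one peer delivers 4.5 GB on the last day; everything else is 25 MB
            size = 4_500 * MB if (day == "2004-02-12" and peer == "srv1") else 25 * MB
            flows.append((day, "jack-ws", peer, size))
    return flows


def daily_bytes(flows: List[Flow]) -> Dict[Tuple[str, str], int]:
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for day, host, _peer, nbytes in flows:
        totals[(host, day)] += nbytes
    return dict(totals)


def daily_peer_counts(flows: List[Flow]) -> Dict[Tuple[str, str], int]:
    peers: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for day, host, peer, _nbytes in flows:
        peers[(host, day)].add(peer)
    return {key: len(names) for key, names in peers.items()}


def _baseline_alerts(series: Dict[Tuple[str, str], int], ratio: float, minimum: int) -> List[dict]:
    """Compare each (host, day) value with the median of that host's other days.

    Leave-one-out keeps the anomalous day itself from inflating its own baseline,
    and the median keeps one anomalous day from inflating the other days' baselines.
    """
    by_host: Dict[str, Dict[str, int]] = defaultdict(dict)
    for (host, day), value in series.items():
        by_host[host][day] = value
    alerts = []
    for host, days in by_host.items():
        for day, value in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            if not others:
                continue                                 # nothing to compare against yet
            base = median(others)
            if value >= minimum and value >= ratio * base:
                alerts.append({"host": host, "date": day, "value": value, "baseline": base})
    return alerts


def volume_alerts(flows: List[Flow], ratio: float = 5.0, min_bytes: int = 1_000 * MB) -> List[dict]:
    """'Big file' style alert: a day's inbound volume far above the host's usual level."""
    return _baseline_alerts(daily_bytes(flows), ratio, min_bytes)


def peer_alerts(flows: List[Flow], ratio: float = 2.0, min_peers: int = 5) -> List[dict]:
    """Fan-out alert: a day's distinct peer count far above the host's usual level."""
    return _baseline_alerts(daily_peer_counts(flows), ratio, min_peers)


if __name__ == "__main__":
    sample = build_flows()
    print("volume alerts:", volume_alerts(sample))
    print("peer alerts:  ", peer_alerts(sample))
    print("peers per day:", daily_peer_counts(sample))
```

The absolute minimum matters as much as the ratio: on a host whose normal day is a few megabytes, a fivefold increase is still noise, and on a busy file server the ratio test alone would never fire. With only four days of history the baseline is fragile; in practice the window should cover several weeks and the same weekday.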
Structured Analysis Group:
Top-down, real-time model based detection
Structured Analysis Group Observables Taxonomy
[The observables taxonomy shown earlier (Missing Reporting; Physical Security; Cyber Security with Reconnaissance, Exploitation (Access, Entrenchment, Extraction & Exfiltration), Communication, Manipulation, Other Cyber Activities; Counter Intelligence; Data and Sensors), annotated with the observables addressed at the workshop]
Adversary Models
Accuracy of Structured Analysis
[Bar charts of per-user factor scores (0 to 800), one run scored against PAL and one against JACK. Threshold lines: maximum change, 50% of the highest factor, 10% of the highest factor; asterisks mark the insiders.]
SAG, PAL run (PAL ranked highest; top of ranking: PAL, user2304, TIDES-ADMIN, user8859, user6550, user10718, user9673, JACK, ...):
- False Pos.: 0 (max change), 3% (50% of highest factor), 12% (10% of highest factor)
- False Neg.: 0, 0, 0
SAG, JACK run (JACK ranked highest; top of ranking: JACK, user318, user268, user324, user2304, user2649, user287, PAL, TIDES-ADMIN, ...):
- False Pos.: 1%, 7% (at the two thresholds shown)
- False Neg.: 50%, 50%
Data Fusion:
Bottom-up analysis of traditional and novel indicators
Data Fusion Observables Taxonomy
[The observables taxonomy shown earlier, with each sensor marked as implemented at the workshop, implemented elsewhere, or not implemented]
Sensors by observable:
- Access: authentication logs (root access for non-admin; su from one normal user to another); IDS logs (http, ftp, telnet from non-standard ports)
- Reconnaissance: news/web browsing checked against need-to-know; bulk news/web search; net scan in IDS logs
- Extraction & Exfiltration: uploads (ftp, http) in IDS logs; printing
- Communication: unusual recipient and encrypted content; hidden or masqueraded content type; lack of required digital watermark on images
Data Fusion: indicator output
Cyber-Access, user324, weight 1, at 2003-12-10 11:14:38, from news.mitre.org, su to user9676 failed for non-admin user user324 on /dev/pts/0
Physical-Access, user295, weight 5, at 2003-12-15 19:19:37, After hours badge access for user295
Cyber-Extraction-Exfiltration, user2649, weight 5, at 2004-01-06 15:37:28, from nrrc-springfield.mitre.org, Data was uploaded to an external server via FTP protocol
Cyber-Reconnaissance, user295, weight 10, at 2004-01-09 20:57:18, from nrrc-springfield.mitre.org, User user295 searching in non-need-to-know country korea
Cyber-Communication, user9, weight 15, at 2004-02-10 22:14:48, from cvw.mitre.org, User user9 received email with masqueraded content from user11649@yahoo.com
Cyber-Reconnaissance, user1, weight 5, at 2004-02-10 13:54:15, from nrrc-plymouth.mitre.org, Ongoing CI violation -- 066.170.227.074 has 49613 alerts of this type…
Cyber-Extraction-Exfiltration, user295, weight 8, at 2004-02-12 23:54:58, from dmzsrv1.mitre.org, User user295 sent encrypted email user9983@comcast.net
Cyber-Extraction-Exfiltration, user1, weight 15, at 2004-02-20 12:25:03, from nrrc-erie.mitre.org, user1 sent email with masqueraded content [email protected]
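The indicator records above have a regular shape (category, user, weight, timestamp, optional source host, free-text description), and the results slide that follows scores users by total weight and by breadth, the number of distinct indicator categories, with breadth 1 keeping a user off the watch list. The following Python is an added example, not the workshop's fusion code: it parses the eight records printed above, computes total weight and breadth per user, builds a watch list at a fraction of the highest score (the 50% and 10% cut-offs used in the accuracy slides), and scores a watch list against a ground-truth set using the precision, recall, false-positive and false-negative definitions from the Performance Evaluation Metrics slide. The ground-truth set used in the usage is an assumption for illustration, not the workshop's answer key.

```python
"""Parse Data Fusion indicator records, score users, and evaluate a watch list."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# The eight records printed on the Data Fusion slide (anonymized IDs as shown there).
SAMPLE = """Cyber-Access, user324, weight 1, at 2003-12-10 11:14:38, from news.mitre.org,
su to user9676 failed for non-admin user user324 on /dev/pts/0
-----
Physical-Access, user295, weight 5, at 2003-12-15 19:19:37, After hours badge access for user295
-----
Cyber-Extraction-Exfiltration, user2649, weight 5, at 2004-01-06 15:37:28, from nrrc-springfield.mitre.org,
Data was uploaded to an external server via FTP protocol
-----
Cyber-Reconnaissance, user295, weight 10, at 2004-01-09 20:57:18, from nrrc-springfield.mitre.org,
User user295 searching in non-need-to-know country korea
-----
Cyber-Communication, user9, weight 15, at 2004-02-10 22:14:48, from cvw.mitre.org,
User user9 received email with masqueraded content from user11649@yahoo.com
-----
Cyber-Reconnaissance, user1, weight 5, at 2004-02-10 13:54:15, from nrrc-plymouth.mitre.org,
Ongoing CI violation -- 066.170.227.074 has 49613 alerts of this type...
-----
Cyber-Extraction-Exfiltration, user295, weight 8, at 2004-02-12 23:54:58, from dmzsrv1.mitre.org,
User user295 sent encrypted email user9983@comcast.net
-----
Cyber-Extraction-Exfiltration, user1, weight 15, at 2004-02-20 12:25:03, from nrrc-erie.mitre.org,
user1 sent email with masqueraded content [email protected]
"""

# Header shape: category, user, weight, timestamp, optional "from host", then free text.
HEADER_RE = re.compile(
    r"^(?P<category>[\w-]+), (?P<user>\w+), weight (?P<weight>\d+), "
    r"at (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),?\s*"
    r"(?:from (?P<host>[\w.-]+),?\s*)?(?P<desc>.*)$"
)


@dataclass
class Indicator:
    category: str
    user: str
    weight: int
    timestamp: str
    host: str
    description: str


@dataclass
class UserScore:
    user: str
    weight: int   # sum of indicator weights
    breadth: int  # number of distinct indicator categories


def parse_indicators(text: str) -> List[Indicator]:
    """Split on the dashed separators, rejoin wrapped lines, and match the header shape."""
    records = []
    for chunk in re.split(r"^-{3,}\s*$", text, flags=re.M):
        flat = " ".join(line.strip() for line in chunk.splitlines() if line.strip())
        if not flat:
            continue
        m = HEADER_RE.match(flat)
        if not m:
            raise ValueError(f"unparseable indicator: {flat[:60]!r}")
        records.append(Indicator(m["category"], m["user"], int(m["weight"]),
                                 m["ts"], m["host"] or "", m["desc"].strip()))
    return records


def score_users(records: List[Indicator]) -> Dict[str, UserScore]:
    weights: Dict[str, int] = defaultdict(int)
    categories: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        weights[r.user] += r.weight
        categories[r.user].add(r.category)
    return {u: UserScore(u, weights[u], len(categories[u])) for u in weights}


def watch_list(scores: Dict[str, UserScore], min_breadth: int = 2, fraction: float = 0.5) -> List[UserScore]:
    """Users with enough breadth whose weight is at least `fraction` of the top eligible score."""
    eligible = [s for s in scores.values() if s.breadth >= min_breadth]
    if not eligible:
        return []
    top = max(s.weight for s in eligible)
    return sorted((s for s in eligible if s.weight >= fraction * top),
                  key=lambda s: (-s.weight, s.user))


def evaluate(reported: Set[str], actual: Set[str]) -> Dict[str, float]:
    """Precision/recall and raw FP/FN counts as defined on the metrics slide."""
    hits = len(reported & actual)
    return {
        "precision": hits / len(reported) if reported else 0.0,
        "recall": hits / len(actual) if actual else 0.0,
        "false_positives": len(reported - actual),
        "false_negatives": len(actual - reported),
    }


if __name__ == "__main__":
    scores = score_users(parse_indicators(SAMPLE))
    listed = watch_list(scores)
    print([(s.user, s.weight, s.breadth) for s in listed])
    # Ground truth here is an assumption for illustration, not the workshop's answer key.
    print(evaluate({s.user for s in listed}, {"user295", "user2649", "user9"}))
```

On the eight records, user295 accumulates weight 23 across three categories and user1 weight 20 across two, so both make the 50% list; user9 carries a single weight-15 indicator and is excluded by the breadth rule, which is exactly the trade-off the later slides quantify when they move the cut-off from 50% to 10% of the highest score.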
Experimental Results: Data Fusion
[Chart: User Weights and Indicators. Total weight (0 to 350) per user for PAL, user8859, JACK, user301, user2649, stacked by indicator category: Cyber Extract-Exfiltrate, Physical Access, Cyber Communication, Cyber Access, Cyber Reconnaissance]
Breadth (number of indicator categories): PAL 5, user8859 1, JACK 3, user301 2, user2649 2
Breadth of 1: not on watch list
Data reduction:
- 7.4 M records examined for 75 users
- 259 indicators for 24 users
Data Fusion Accuracy
[Bar chart of total weight (0 to 350) per user, ranked: PAL, user8859, JACK, user301, user2649, user322, user2644, user2304, user2645, user2647, user9, user317, user319, user2648, user1265, user7448, user215, user252, user318, user2306, user11838, user324, TIDES-ADMIN, user287. Threshold lines: maximum change, 50% of highest = 152, 10% of highest = 30; asterisks mark the three insiders.]
- At 50% of highest: False Pos. 0/72 = 0; False Neg. 2/3 = 66%
- At 10% of highest: False Pos. 2/72 = 3%; False Neg. 1/3 = 33%
Across approaches, correctly identified 3 out of 3 insiders
Performance: Timeliness
[Timeline chart, Dec through Feb, one row per insider; key: StealthWatch, Structured Analysis, Data Fusion; watch-list placement vs. alert]
- Jack (Sys Admin): 2/11/04, 2/20/04
- Jill (News Admin): 2/11/04, 2/16/04
- PAL (Analyst): 12/9/03 (printed as 12/9/04 on the slide; the test ran December 2003 to February 2004), 2/15/04
Further watch-list and alert dates on the chart: 12/11/03, 12/17/03, 1/9/04, 1/24/04, 2/6/04, 2/6/04, 2/11/04, 2/12/04, 2/15/04, 2/17/04, 2/20/04
Summary
- Malicious insiders are a serious threat
- Malicious insider behavior is distinct and cannot be readily detected using classic, external intruder detection
- Results from the challenge workshop show that an integration of multiple approaches promises early and effective warning and detection
- Workshop insider cases and dataset leave-behinds
- Inspiration of new sensor development
Malicious Insider Evaluation
[Cycle: Select Insider Case -> Simulate on Network -> Participants Sign Data NDA -> Data Sent to Participants -> Participants Submit Runs]
Our Insider Knowledge and Focus
[Matrix: Occurrence (Occurred / Not yet occurred) against Stealth (Detectable / Hard to detect / Not yet detectable / No cyber component)]
- Detectable, occurred: Robert Philip Hanssen
- Detectable, not yet occurred: MI who attacks the network
- No cyber component, occurred: Ana Belen Montes (X)
Key: ? - Unaddressed by workshop; X - Unobservable in cyberspace
Focus: "Indications and warnings not conviction and sentencing"
"Pal" Scenario
- News / Web search: changes news subscriptions; makes new (inappropriate) queries
- Honeytoken: retrieves "interesting" data for which he has no need to know
- Exfiltration and communication with handler
"Jill" or News Admin Scenario
- Web search: makes new (inappropriate) queries
- Account manipulation: creates a news account and uses this account to read news
- Covert access: accesses news through hidden newsgroups
Jack Scenario
- Maps network: maps the network using nmap
- Create backdoor: builds a reverse ssh tunnel between the news server and the admin workstation
- Searches for data: searches news.mitre.org data at the file system level
- Stealthy exfiltration: masquerades compressed data as an image
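Jack's last step, compressed data passed off as an image, is the "hidden or masqueraded content type" observable from the Data Fusion sensor list. The following Python is an added example, not the workshop's e-mail sensor: it compares an attachment's declared type (extension or Content-Type header) against its leading magic bytes, and also checks for a ZIP archive appended behind a genuine JPEG, a polyglot that a magic-byte check on its own would pass. The signature table holds standard file signatures; the sample attachments are constructed inside the code and are not workshop data.

```python
"""Flag attachments whose declared type disagrees with their bytes (masqueraded content)."""
import gzip
import io
import zipfile
from typing import Dict, Optional, Tuple

# Leading magic bytes for the types of interest (standard signatures).
SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x1f\x8b", "application/gzip"),
    (b"PK\x03\x04", "application/zip"),
    (b"BZh", "application/x-bzip2"),
]
EXT_TO_MIME = {
    "jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png", "gif": "image/gif",
    "gz": "application/gzip", "zip": "application/zip", "bz2": "application/x-bzip2",
}


def sniff(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unrecognised."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return None


def declared_type(filename: str, content_type: Optional[str] = None) -> Optional[str]:
    """What the sender claims: an explicit Content-Type wins, otherwise the extension."""
    if content_type:
        return content_type.split(";", 1)[0].strip().lower()
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TO_MIME.get(ext)


def has_appended_zip(data: bytes) -> bool:
    """True if a ZIP end-of-central-directory record sits at the end of non-ZIP data.

    zipfile.is_zipfile looks for that record near the end of the stream, so a JPEG
    with a ZIP archive glued on behind it is still recognised. An appended gzip
    stream has no trailing marker and is not caught by this check.
    """
    return not data.startswith(b"PK\x03\x04") and zipfile.is_zipfile(io.BytesIO(data))


def check_attachment(filename: str, data: bytes, content_type: Optional[str] = None) -> Dict[str, object]:
    """Compare declared and sniffed types and look for a trailing archive."""
    declared = declared_type(filename, content_type)
    sniffed = sniff(data)
    appended = has_appended_zip(data)
    mismatch = declared is not None and sniffed is not None and declared != sniffed
    return {
        "file": filename,
        "declared": declared,
        "sniffed": sniffed,
        "appended_zip": appended,
        "suspicious": mismatch or appended,
    }


def build_samples() -> Dict[str, Tuple[str, bytes]]:
    """Constructed attachments (not workshop data) covering the cases of interest."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 16 + b"\xff\xd9"  # minimal JPEG shell
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("exfil.txt", "sensitive material")
    archive = buf.getvalue()
    return {
        "honest_image": ("photo.jpg", jpeg),
        "gzip_as_image": ("photo.jpg", gzip.compress(b"sensitive material")),
        "zip_behind_jpeg": ("photo.jpg", jpeg + archive),
        "honest_archive": ("backup.zip", archive),
    }


if __name__ == "__main__":
    for name, (fname, blob) in build_samples().items():
        print(name, check_attachment(fname, blob))
```

Only the declared-versus-sniffed comparison is cheap enough to run on every attachment; the appended-archive check and any deeper parsing belong on attachments that already look odd, such as an image far larger than its pixel dimensions warrant. Encrypted or steganographic payloads defeat both checks, which is why the sensor list pairs this observable with "unusual recipient and encrypted content".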
Heterogeneous Data (1 of 3)
Badge reader:
- “0M151_Telephone_Room 12/06/2003 02:43:26 Admitted user2930 at 0M151 Telephone Room”
- “0M422_Rear_Door_[In]_ 12/06/2003 05:20:24 Admitted user2930 at 0M422 Rear Door [In]”
Login:
- “nrrc-plymouth.mitre.org ROOT LOGIN /dev/console”
Su:
- “nrrc-plymouth.mitre.org 'su root' succeeded for user1 on /dev/pts/1”
Heterogeneous Data (2 of 3)
Sshd:
- “Accepted publickey for root from 129.83.10.17 port 52893”
- “Accepted password for user1265 from 66.189.44.167 port 61007”
- “Failed password for user1265 from 66.189.44.167 port 61011”
last -a:
- “nrrc-boston.mitre.org user2645 pts/0 Wed Jan 7 21:06 - 23:18 (02:11) 128.230.14.115”
- “nrrc-boston.mitre.org user2643 pts/0 Fri Dec 12 16:54 - 17:25 (00:30) sgdykes.datasys.swri.edu”
Heterogeneous Data (3 of 3)
Web_log:
- “GET /cvw/licenses/source/license.html HTTP/1.0”
- “GET /basilix.php3?request_id[DUMMY]=../../../../etc/passwd&RequestID=DUMMY&username=user2311&password=xxxxx HTTP/1.1”
Web_error:
- “Invalid method in request get /scripts/...”
- “File does not exist: /news_1/.../etc/passwd”
Sendmail:
- “cvw.mitre.org 14436 i0J507Lb014436: from=<[email protected]>, size=2789, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=smtp-bedford-x.mitre.org [192.160.51.76]”
- “cvw.mitre.org 14645 i0J7ErLb014644: to=user8, ctladdr=<[email protected]> (1/0), delay=00:00:00, xdelay=00:00:00, mailer=*file*, pri=41013, dsn=2.0.0, stat=Sent”
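Two of the Data Fusion sensors (root access by a non-admin account, and su from one normal user to another) and the traversal request in the web_log sample above can be derived directly from the log formats shown on these three slides. The following Python is an added example, not a workshop sensor: it parses su and web_log lines of the shapes shown above and emits weighted indicators in the same (category, user, weight, description) form as the Data Fusion output. The set of admin accounts and the weights are assumptions for illustration; the sample lines marked as constructed are not from the slides.

```python
"""Derive weighted insider indicators from raw su and web-server log lines."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Role knowledge is an assumption for this example: accounts allowed to become root.
ADMIN_USERS = {"user1265"}

# su line shape as printed on the slide: host 'su target' result for user on tty
SU_RE = re.compile(
    r"^(?P<host>\S+) 'su (?P<target>\S+)' (?P<result>succeeded|failed) "
    r"for (?P<user>\S+) on (?P<tty>\S+)$"
)
# web_log request line: METHOD target HTTP/x.y
WEB_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")

Indicator = Tuple[str, str, int, str]  # (category, user, weight, description)

# Weights are assumptions chosen for illustration, not the workshop's values.
W_ROOT_NONADMIN, W_LATERAL_SU, W_FAILED_SU, W_TRAVERSAL = 10, 5, 1, 8


def su_indicator(line: str) -> Optional[Indicator]:
    """Sensor for 'root access for non-admin' and 'su from one normal user to another'."""
    m = SU_RE.match(line)
    if not m:
        return None
    host, target, user = m["host"], m["target"], m["user"]
    if m["result"] == "failed":
        return ("Cyber-Access", user, W_FAILED_SU, f"su to {target} failed for user {user} on {host}")
    if target == "root":
        if user in ADMIN_USERS:
            return None                          # expected administrator behaviour
        return ("Cyber-Access", user, W_ROOT_NONADMIN, f"root access for non-admin user {user} on {host}")
    if target != user:
        return ("Cyber-Access", user, W_LATERAL_SU, f"su from normal user {user} to {target} on {host}")
    return None


def web_indicator(line: str) -> Optional[Indicator]:
    """Sensor for directory traversal in a request line, as in the web_log sample."""
    m = WEB_RE.match(line)
    if not m:
        return None
    decoded = unquote(unquote(m["target"]))      # two passes: catches %2e%2e and %252e%252e
    if "../" not in decoded and not decoded.endswith(".."):
        return None
    parts = urlsplit(decoded)
    # A username in the query string is attacker-supplied: report it as a claim, not an identity.
    claimed = parse_qs(parts.query).get("username", ["unknown"])[0]
    return ("Cyber-Access", claimed, W_TRAVERSAL,
            f"path traversal in {m['method']} {parts.path} (query claims user {claimed})")


def scan(lines: List[str]) -> List[Indicator]:
    """Run every sensor over every line and keep the hits, in input order."""
    hits: List[Indicator] = []
    for line in lines:
        for sensor in (su_indicator, web_indicator):
            hit = sensor(line)
            if hit:
                hits.append(hit)
    return hits


SU_SAMPLE = [
    "nrrc-plymouth.mitre.org 'su root' succeeded for user1 on /dev/pts/1",      # from the slide
    "nrrc-plymouth.mitre.org 'su root' succeeded for user1265 on /dev/pts/2",   # constructed: admin
    "news.mitre.org 'su user9676' failed for user324 on /dev/pts/0",            # constructed
    "news.mitre.org 'su user9676' succeeded for user324 on /dev/pts/0",         # constructed
]
WEB_SAMPLE = [
    "GET /cvw/licenses/source/license.html HTTP/1.0",                            # from the slide
    "GET /basilix.php3?request_id[DUMMY]=../../../../etc/passwd"
    "&RequestID=DUMMY&username=user2311&password=xxxxx HTTP/1.1",               # from the slide
]

if __name__ == "__main__":
    for hit in scan(SU_SAMPLE + WEB_SAMPLE):
        print(hit)
```

The su sensor only works because the role taxonomy supplies the admin set; without that domain knowledge the first sample line is indistinguishable from routine administration, which is the point the Hypotheses slide makes about observables plus user role. The traversal sensor deliberately attributes the request to the claimed username rather than to an authenticated principal, since the same request line could carry any value.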
Data [# of records and % of total]
sendmail: 74,622 (2%)
badge_reader: 1,008,176 (29%)
snort: 29,562 (1%)
last-a: 8,669 (0%)
su: 1,860 (0%)
web_notice: 315 (0%)
login: 125 (0%)
web_warn: 122 (0%)
yppasswdd: 12 (0%)
sshd: 155,493 (4%)
web_error: 259,175 (7%)
innd: 469,956 (13%)
nnrpd: 980,826 (27%)
web_log: 630,740 (17%)
Not shown: StealthWatch, about 7.5 M records, or 68% of all records collected; the percentages above are shares of the remaining roughly 3.6 M records.