Page 1: Insider Attacks: Theft of Intellectual and Proprietary Data

Insider Attacks: Theft 1

Running Head: INSIDER ATTACKS: THEFT

Insider Attacks: Theft of Intellectual and Proprietary Data

Lindsey Landolfi

Towson University

Network Security

Professor Charles Pak

June 2011

1


While hacking and malware are major threats responsible for data compromise, the misuse of insider privileges was the leading threat action in 2009. The term insider refers to an individual who has, or has had, access privileges and is knowledgeable of the organization and its functioning, such as employees of the organization, former employees, or contractors. Malicious insider threats are becoming increasingly prevalent. The 2010 Data Breach Investigations Report (DBIR) analyzed a compilation of “900+ breaches, and over 900 million compromised records” (Verizon RISK Team, 2010, p. 5); its investigation of computer crime revealed that “48% were caused by insiders” (Verizon RISK Team, 2010, p. 2). That is an approximate 26 percent increase from the previous year. Specifically, the United States Secret Service has observed notable increases in insider threat incidents in its own data breach cases.

As network security becomes increasingly advanced, the threat of internal attacks is a greater concern. Privileged data is much more accessible to insiders than to external attackers; therefore a system is more vulnerable to an organized or sporadic internal malicious incident. The motivations and intentions behind theft of intellectual property vary. Behavioral catalysts for employee theft range from disgruntled employees who have experienced dissatisfaction with their job or organization to employees who possess a sense of entitlement to the data. In some cases encouragement from an external source will persuade an insider to take advantage of their access privileges. “A striking finding is that in over two-thirds of the cases of theft for financial gain, the insider was recruited to steal by someone outside the organization.” (Carnegie Mellon, 2008, p. 12)

There are numerous incidents in which unintentional insider actions result in damages, but “malicious attacks have surpassed human error for the first time in three years” (Identity Theft Resource Center, 2010). This paper will specifically address insiders with malicious intentions. Prevalent theft objectives include espionage in the government sector, the pursuit of business advantage, and financial gain. Proprietary intellectual property can be used to create a new business, or to coordinate with a competitor and sell trade secrets in exchange for a new position; this is the concept behind business advantage. Theft for profit typically occurs in the banking and finance sector; a typical example would be fraud. Intellectual property theft is typically targeted either at the organization’s product, such as a software system, or at specific organizational data such as strategic plans or client information. The theft techniques tend to differ depending on the intentions of the attacker. The insider may remain a rogue employee for an extended period of time, slowly stealing small amounts of data, or may plan a major malicious attack that compromises massive amounts of data and then resign from their position with the company.

A recent insider data theft case, still under investigation, resulted in an estimated 10 million dollar loss for Bank of America. An employee had accessed and stolen "names, addresses, Social Security numbers, phone numbers, bank account numbers, driver's license numbers, birth dates, email addresses, mother's maiden names, PINs and account balances" (Lazarus, 2011). The insider then leaked this information to external scammers, who used it to carry out identity theft fraud. Since insiders are inside the firewall on the network, or on their section of the network, they have access via network privileges. If access control is lacking, it is relatively easy for a malicious insider to exploit their technical access. They can snoop around the network and discover privileged information, much as the Bank of America employee did. This case and similar security breaches might have been prevented if encryption had been used to secure the customers' personal identity information.


The catastrophic WikiLeaks incident highlights the seriousness of insider breaches. Bradley Manning was a United States military analyst in Iraq who had access to classified information via the secure Secret Internet Protocol Router Network. He disclosed confidential military data to a database-driven website called WikiLeaks. WikiLeaks describes its service as an “uncensorable system for untraceable mass document leaking” (Moss, 2010). The release of a massive cache of sensitive government records has the potential to do serious damage to national security. Manning is being charged with delivering secure national defense information, including diplomatic cables, to an unauthorized source, with the illegal transfer of classified data onto a personal device, and with adding unauthorized software to a classified computer system. Manning explained in an online chat with fellow hackers that "weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis" (Dilanian, 2010) made it possible for him to execute the data theft.

Technical infiltration and theft continue to evolve: insiders are able to exploit their organization-specific knowledge and use it to support their technical expertise while executing an attack. Insiders are knowledgeable of the system and are aware of the security holes within it; this makes it easier for them to exploit the vulnerabilities of the system or its procedures. Due to their system privileges and supporting knowledge, it is reasonable to state that insiders have a higher probability of successfully breaching a system than an external hacker. The following paragraphs discuss the major alternative techniques and strategies that could be used in an insider theft attack scenario.

Attacks can originate from different locations, for example from within the internal system perimeter, via remote access, or from the internet. With insiders it is especially necessary to consider the direct physical security of an authenticated computer network. According to a major survey conducted by the U.S. Secret Service and CERT, “the majority of crimes were committed during normal working hours using authorized access” (Carnegie Mellon, 2008, p. 11). There are many ways for an attacker to gain access to a secure system. For example, if the data the attacker is attempting to access is on a computer they do not have the password to, the attacker can use the trust established with co-workers to trick them into providing access to the system. If they cannot directly gain access, they could verbally pry to learn secrets that get them into the system; this form of attack is known as social engineering. Social engineering can be as simple as an attacker probing a computer that was left logged on. An attacker who gains access to a secured machine could quickly install malicious code onto it and steal data undetected.

An insider may plant malware internally that sends data to a server on the outside; that way, when an unsuspecting user logs in, the data leaves the company, making it harder to trace. The malware can be set on a timer and run behind a program, making it less likely that the user will notice. The prior knowledge of the organization's programs and procedures that an insider possesses makes it easier to facilitate an attack. Explicit deception makes it more difficult for the organization to suspect or detect the rogue employee. “About a third (34%) of the insiders used deception to hide their plans for the theft of IP.” (Moore, 2009, p. 10) This figure may seem lower than expected, but it is important to consider that many insiders, especially those who feel a sense of entitlement, may not feel it necessary to dissimulate their activities.
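The timer-driven malware described above has a detectable side effect: its outbound connections recur at nearly fixed intervals, unlike human-driven traffic. The following script, an added example written for this page rather than code from the paper, groups a constructed outbound-connection log by source host and destination and flags flows whose inter-connection gaps have a very low coefficient of variation. The log format, host names, addresses and thresholds are all assumptions chosen for the illustration.

```python
"""Flag timer-driven outbound connections ("beaconing") in a connection log.
Added example for this page; the log lines below are constructed, not real."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: timestamp, source host, destination host:port, bytes out.
# ws-17 talks to 203.0.113.9:443 every 15 minutes (timer); ws-22's browsing is irregular.
SAMPLE_LOG = """\
2011-06-10T09:00:02 ws-17 203.0.113.9:443 1480
2011-06-10T09:00:11 ws-17 198.51.100.20:80 2210
2011-06-10T09:15:03 ws-17 203.0.113.9:443 1502
2011-06-10T09:30:01 ws-17 203.0.113.9:443 1491
2011-06-10T09:45:04 ws-17 203.0.113.9:443 1477
2011-06-10T10:00:02 ws-17 203.0.113.9:443 1511
2011-06-10T09:03:40 ws-22 198.51.100.20:80 980
2011-06-10T09:41:12 ws-22 198.51.100.20:80 120500
2011-06-10T09:47:05 ws-22 198.51.100.20:80 3300
2011-06-10T11:05:09 ws-22 198.51.100.20:80 870
"""

MIN_CONNECTIONS = 4   # assumed: fewer samples give no meaningful interval statistic
MAX_CV = 0.10         # assumed: coefficient of variation below this is "too regular"


def parse_log(text):
    """Parse 'timestamp src dst:port bytes' lines into (datetime, src, dst, bytes)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def detect_beacons(text, min_connections=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Return [(src, dst, mean_gap_seconds, cv)] for flows whose gaps between
    successive connections are suspiciously regular, most regular first."""
    flows = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        flows[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()  # log lines are not guaranteed to be in time order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg  # relative spread: ~0 means a fixed timer
        if cv < max_cv:
            findings.append((src, dst, avg, cv))
    return sorted(findings, key=lambda f: f[3])


if __name__ == "__main__":
    for src, dst, avg, cv in detect_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: connects every ~{avg:.0f}s (cv={cv:.3f})")
```

Legitimate software also polls on timers (update checkers, mail clients), so in practice the output is a triage list to be joined against an allow-list of known destinations and against the user's logon times, since the paragraph's scenario ties the exfiltration to the moment a user logs in.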

Address Resolution Protocol poison routing can be used by an insider to attack the local-area network and take or block information. By sending out rogue spoofed messages, the attacker can associate their MAC address with the IP address of another node, so any traffic intended for the compromised IP address is forwarded to the attacker instead. The attacker can then choose to forward the information on to the actual node, or modify it before sending. An insider may choose to passively sniff the data, stealing information they consider valuable. Generally, it is easier to manipulate TCP/IP communication as an insider, since they are already within the organization's firewall.
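The poisoning described above leaves a trace on the wire: the IP-to-MAC binding for a victim (typically the gateway) changes, and one MAC address starts answering for several IP addresses. The script below, an added example written for this page and not code from the paper, replays a constructed log of observed ARP replies and raises an alert on each of those symptoms, plus a mismatch against a pinned, known-good gateway MAC. The log format, addresses and the pinned table are assumptions.

```python
"""Detect ARP poisoning symptoms in a log of observed ARP replies.
Added example for this page; all addresses below are constructed."""
from collections import Counter, defaultdict

# Constructed observations: timestamp, sender IP, sender MAC (from ARP replies).
# 192.168.1.1 is the gateway; from 09:12:30 host ...:21 claims to be the gateway
# and then also claims 192.168.1.20, i.e. it sits between both and the gateway.
SAMPLE_ARP_REPLIES = """\
2011-06-10T09:00:00 192.168.1.1 00:11:22:33:44:01
2011-06-10T09:00:05 192.168.1.20 00:11:22:33:44:20
2011-06-10T09:00:09 192.168.1.21 00:11:22:33:44:21
2011-06-10T09:12:30 192.168.1.1 00:11:22:33:44:21
2011-06-10T09:12:31 192.168.1.20 00:11:22:33:44:21
2011-06-10T09:12:40 192.168.1.1 00:11:22:33:44:21
"""

# Assumed: the operator has recorded the gateway's real MAC as a static pin.
PINNED = {"192.168.1.1": "00:11:22:33:44:01"}


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) with MACs normalised to lower case."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, mac = line.split()
            yield ts, ip, mac.lower()


def detect_arp_spoofing(text, pinned=None):
    """Return a list of alert dicts; each has kind, ts, ip, mac and detail."""
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    ip_to_mac = {}                 # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has answered for
    alerts = []

    def alert(kind, ts, ip, mac, detail):
        alerts.append({"kind": kind, "ts": ts, "ip": ip, "mac": mac, "detail": detail})

    for ts, ip, mac in parse_arp_log(text):
        # 1. A pinned address answered from the wrong hardware address.
        if ip in pinned and pinned[ip] != mac:
            alert("pinned_mismatch", ts, ip, mac, f"expected {pinned[ip]}")
        # 2. The binding for an IP flipped to a different MAC mid-session.
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alert("ip_mac_changed", ts, ip, mac, f"was {prev}")
        ip_to_mac[ip] = mac
        # 3. One MAC now claims more than one IP (classic man-in-the-middle shape).
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and len(mac_to_ips[mac]) > before:
            alert("mac_claims_multiple_ips", ts, ip, mac,
                  f"now claims {sorted(mac_to_ips[mac])}")
    return alerts


def count_kinds(alerts):
    """Summarise alerts by kind, e.g. for a dashboard or a test."""
    return dict(Counter(a["kind"] for a in alerts))


if __name__ == "__main__":
    for a in detect_arp_spoofing(SAMPLE_ARP_REPLIES, PINNED):
        print(f"{a['ts']} {a['kind']}: {a['ip']} -> {a['mac']} ({a['detail']})")
```

A binding change on its own is not proof of an attack: DHCP lease churn and a replaced network card produce the same `ip_mac_changed` signal, which is why the pinned-gateway check and the "one MAC, many IPs" check carry more weight in triage. Switch features such as dynamic ARP inspection enforce the same binding check in hardware.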

An insider could construct, test, plant, and deploy a logic bomb in the system. The malicious function specified in the code of a logic bomb is activated when certain conditions are met inside the network or when commanded by the attacker. A computer programmer can design the logic bomb code to facilitate data theft by having it send proprietary information to unauthorized systems. Logic bombs do not replicate themselves or spread over the network as some other malicious programs do; therefore it is easier to target a specific victim or goal. In a series of case studies conducted by Carnegie Mellon University, “an insider prepared for the future release of a logic bomb by systematically centralizing the critical manufacturing programs for his organization onto a single server” (Band, 2006, p. 27). This technique makes the attack easier to execute and results in greater damages. This form of attack is difficult to detect within the system, and it does not require anything to be exfiltrated, so it is unlikely that the attacker can be identified by tracing communications. Certain deployment methods can even be used to frame other employees, for example using a hacked account of a colleague to commit the attack.

It is also plausible for the insider to use their legitimate access to create a backdoor account and then use this account to plant and deploy the bomb or other malicious code. A backdoor account is an unauthorized account that has been created by the attacker and is unknown to the operators of the system. Another illegitimate system access path is the use of disregarded inactive accounts. It is also possible to search for and use old password files that may have been created during a system backup and are now forgotten in system storage. In many circumstances the attacker held a position at an institution with full data access privileges; such a malicious insider can simply copy proprietary files onto a CD or USB drive. This is one of the techniques used by Bradley Manning in the WikiLeaks incident. At that time workers were permitted to use CDs or other media for data transfer among the computer systems, and Manning explained that he "would come in with music on a CD-RW labeled with something like 'Lady Gaga' … erase the music … then write a compressed split file. No one suspected a thing." (Dilanian, 2010)

Damages resulting from insider theft are vast, ranging from monetary repercussions to operational impacts to reputational harm. High-profile infrastructures tend to suffer greater reputational damage due to massive public exposure. Countermeasures enable organizations to minimize risk and potential losses due to insiders. Compliance with prevention techniques, such as an auditing system, will have a positive effect on security efforts. Finally, it is vital to be observant of employees: there are often technical and behavioral violations exhibited by malicious insiders, such as testing after work hours, that could have indicated a potential theft attack.
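The auditing the paragraph above calls for can be made concrete by reconciling what the system knows about accounts with what the organization knows about people, which also covers the backdoor and disregarded inactive accounts discussed two paragraphs earlier. The script below, an added example written for this page and not code from the paper, takes a constructed HR roster, a constructed list of system accounts with their last-use dates, and a constructed logon log, and reports accounts absent from the roster, logons by accounts absent from the roster, dormant accounts that suddenly log on, and logons outside working hours. The roster, usernames, dates, 90-day dormancy window and 08:00 to 18:00 weekday business hours are all assumptions.

```python
"""Account reconciliation and after-hours logon audit over constructed data.
Added example for this page; every name and date below is constructed."""
from collections import Counter
from datetime import datetime

# Constructed HR roster: the only usernames that are supposed to exist.
AUTHORIZED_USERS = {"alice", "bob", "carol", "svc-backup"}

# Constructed system account list: username -> date of last use before the
# audit window (None = never used). "sysmaint2" is not on the HR roster.
ACCOUNT_LAST_USED = {
    "alice": "2011-05-30",
    "bob": "2011-06-01",
    "carol": "2010-12-15",      # dormant for months
    "svc-backup": "2011-06-01",
    "sysmaint2": "2011-06-02",
}

# Constructed logon events: timestamp, username, workstation.
# 2011-06-06 is a Monday; 2011-06-11 is a Saturday.
SAMPLE_LOGONS = """\
2011-06-06T09:02:11 alice ws-11
2011-06-06T22:47:03 bob ws-14
2011-06-07T10:15:40 carol ws-20
2011-06-07T10:18:02 sysmaint2 fileserver-1
2011-06-11T14:05:22 alice ws-11
"""

DORMANT_DAYS = 90            # assumed policy: unused this long counts as dormant
BUSINESS_HOURS = range(8, 18)  # assumed: 08:00-17:59, Monday to Friday


def is_after_hours(ts):
    """True outside the assumed business hours or on a weekend."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def audit_accounts(authorized, last_used, logon_text):
    """Return a list of finding dicts with kind, user, ts and detail."""
    findings = []

    def finding(kind, user, ts, detail):
        findings.append({"kind": kind, "user": user, "ts": ts, "detail": detail})

    # Pass 1: every account on the system must be backed by the HR roster.
    for user in sorted(set(last_used) - set(authorized)):
        finding("unauthorized_account", user, None, "exists on system, not on roster")

    # Pass 2: walk the logon log, tracking last use so a reactivated dormant
    # account is reported once rather than on every subsequent logon.
    last_seen = {u: (datetime.fromisoformat(d) if d else None)
                 for u, d in last_used.items()}
    for line in logon_text.splitlines():
        if not line.strip():
            continue
        stamp, user, host = line.split()
        ts = datetime.fromisoformat(stamp)
        if user not in authorized:
            finding("unauthorized_account_logon", user, stamp, f"logon on {host}")
        prev = last_seen.get(user)
        if prev is None:
            finding("dormant_account_used", user, stamp, "no recorded prior use")
        elif (ts - prev).days > DORMANT_DAYS:
            finding("dormant_account_used", user, stamp,
                    f"idle {(ts - prev).days} days before this logon on {host}")
        last_seen[user] = ts
        if is_after_hours(ts):
            finding("after_hours_logon", user, stamp, f"{ts:%A %H:%M} on {host}")
    return findings


def count_kinds(findings):
    """Summarise findings by kind."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in audit_accounts(AUTHORIZED_USERS, ACCOUNT_LAST_USED, SAMPLE_LOGONS):
        print(f"{f['kind']:26} {f['user']:10} {f['ts'] or '-':20} {f['detail']}")
```

Each finding maps to a concrete follow-up: an account with no roster entry is disabled pending explanation, a dormant account that wakes up is treated as a possible reuse of forgotten credentials, and after-hours logons are reviewed against approved maintenance windows rather than blocked outright, since service accounts such as the constructed `svc-backup` legitimately run at night.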

References

2008 CERT Research Annual Report, Carnegie Mellon University Software Engineering Institute and U.S. Department of Defense and CERT (2008). http://www.cert.org/research/2008research-report.pdf

2010 Verizon Data Breach Investigations Report, Verizon RISK Team in cooperation with the United States Secret Service (2010). http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf

Band, S. R., Cappelli, D. M., Fischer, L. F., Moore, A. P., Shaw, E. D., & Trzeciak, R. F. (2006). Comparing insider IT sabotage and espionage: a model-based analysis. Technical Report, Carnegie Mellon University, Software Engineering Institute. www.cert.org/archive/pdf/06tr026.pdf

Dilanian, K. (2010, December 4). Leaks may clog up anti-terrorism intelligence sharing. Los Angeles Times. Retrieved from http://articles.latimes.com/2010/dec/04/nation/la-na-wikileaks-siprnet-20101205/2

Franqueira, V. N. L., & van Eck, P. (2006). Defense against insider threat: a framework for gathering goal-based requirements. Technical Report TR-CTIT-06-75, University of Twente. http://eprints.eemcs.utwente.nl/9615/01/EMMSAD07_TR_v2.pdf

Identity Theft Resource Center. (2010, January 8). Data breaches: the insanity continues. Retrieved June 10, 2010, from http://www.idtheftcenter.org/artman2/publish/lib_survey/Breaches_2009.shtml

Lazarus, D. (2011, May 24). Bank of America data leak destroys trust. Los Angeles Times. Retrieved from http://www.latimes.com/business/la-fi-lazarus-20110524,0,3701056,full.column

Moore, A. P., Cappelli, D. M., Caron, T. C., Shaw, E. D., & Trzeciak, R. F. (2009). Insider theft of intellectual property for business advantage: a preliminary model. Paper delivered at The First Workshop on Managing Insider Security Threats, Purdue University. www.cert.org/archive/pdf/11tn013.pdf

Moss, S. (2010, July 14). Julian Assange: the whistleblower. Retrieved from guardian.co.uk: http://www.guardian.co.uk/media/2010/jul/14/julian-assange-whistleblower-wikileaks

Appendix A - Tree structures of attack strategies

Figure: Pre-attack tree structure (image not reproduced in this transcript)

Figure: Gain access tree structure (image not reproduced in this transcript)

Figure: Abuse access tree structure (image not reproduced in this transcript)

Source of the tree structures: Franqueira, V. N. L., & van Eck, P. (2006). Defense against insider threat: a framework for gathering goal-based requirements. Technical Report TR-CTIT-06-75, University of Twente. http://eprints.eemcs.utwente.nl/9615/

