Page 1

© 2013 Carnegie Mellon University

Overview of the Threat Posed by Insiders to Critical Assets

Randall Trzeciak, Insider Threat Center at CERT

9 September 2013

http://www.cert.org/insider_threat/

Page 2

Notices

© 2013 Carnegie Mellon University

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.

Page 3

Agenda

Introduction to the CERT Insider Threat Center

CERT’s Insider Threat Crime Profiles

Insider Threats in the Chemical, Critical Manufacturing, and Energy Industry Sectors

Mitigation Strategies

Discussion

Page 4

What is CERT?

Center of Internet security expertise

Established in 1988 by the US Department of Defense on the heels of the Morris worm that created havoc on the ARPANET, the precursor to what is the Internet today

Located in the Software Engineering Institute (SEI)
• Federally Funded Research & Development Center (FFRDC)
• Operated by Carnegie Mellon University (Pittsburgh, Pennsylvania)

Page 5

What is the CERT Insider Threat Center?

Center of insider threat expertise

Began working in this area in 2001 with the U.S. Secret Service

Our mission: The CERT Insider Threat Center conducts empirical research and analysis to develop & transition socio-technical solutions to combat insider cyber threats.

Page 6

Goal for an Insider Threat Program

Opportunities for prevention, detection, and response for an insider incident

Page 7

CERT’s Unique Approach to the Problem

[Figure: CERT system dynamics research models. The main panel links variables such as Personal and Financial Predisposition, Insider Stress, Personal Needs, Financial Greed, Rule Violations, Indicators of Financial Need or Unexplained Affluence, Organization's Perceived Risk of Insider Espionage, Level of Auditing and Monitoring (technical and non-technical), Insider's Perceived Risk of Being Caught, Sanctions, Insider Conformance to Rules, Espionage Known/Unknown to Organization, Unauthorized and Authorized Insider Accesses, Willingness to Commit Espionage, Organization's Trust of Insider, Security Awareness Training, Enforcing Authorization Level, Using Access Controls, Concealing Indicators and Violations, Insider Termination, External Organization Effort to Coopt Insider, and Detecting Concerning Behavior and Technical Actions, through reinforcing loops R1-R5 (including the "trust trap" and "unobserved emboldening of insider") and balancing loops B1-B5 (espionage control by restricting authorization level and by enforcing access controls); feedback loops B2 and B5 are based on expert opinion. A second panel, "Research Models", shows the theft-of-IP model: insider contribution to and sense of ownership of the information/product, sense of entitlement, dissatisfaction with job/organization, planning to go to a competing organization, a precipitating event (e.g., proposal by competitor), information stolen, insider deceptions related to the theft, organization discovery of theft and deceptions, and level of technical and behavioral monitoring (loops R1-R3, B1).]

Deriving Candidate Controls and Indicators

Our lab transforms that into this…

Splunk Query Name: Last 30 Days - Possible Theft of IP

Terms: 'host=HECTOR [search host="zeus.corp.merit.lab" Message="A user account was disabled. *" | eval Account_Name=mvindex(Account_Name, -1) | fields Account_Name | strcat Account_Name "@corp.merit.lab" sender_address | fields - Account_Name] total_bytes > 50000 AND recipient_address!="*corp.merit.lab" startdaysago=30 | fields client_ip, sender_address, recipient_address, message_subject, total_bytes'
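The correlation the query expresses, re-implemented in Python as an added example (not CERT's or the lab's code) over constructed account-disable events and mail-gateway records: the subsearch turns accounts disabled on zeus.corp.merit.lab into sender addresses, and the outer search keeps mail from those senders in the last 30 days that exceeds 50,000 bytes and leaves corp.merit.lab. Field names follow the query; the record shapes, timestamps and the exact-domain recipient check (instead of the SPL's trailing wildcard) are assumptions.

```python
from datetime import datetime, timedelta

# Constants taken from the slide's Splunk query.
CORP_DOMAIN = "corp.merit.lab"                # recipient_address != "*corp.merit.lab"
EVENT_HOST = "zeus.corp.merit.lab"            # host the subsearch reads account events from
DISABLE_MSG = "A user account was disabled."  # Message="A user account was disabled. *"
SIZE_THRESHOLD = 50_000                       # total_bytes > 50000
WINDOW_DAYS = 30                              # startdaysago=30
PRESENTATION_DATE = datetime(2013, 9, 9)      # "now" for the window; any reference time works

# Constructed account-management events (record shape assumed, not a real log format).
# Account_Name is multivalued: the admin who acted comes first, the target account last,
# which is why the query uses mvindex(Account_Name, -1).
DISABLE_EVENTS = [
    {"_time": "2013-08-20T16:05:00", "host": EVENT_HOST,
     "Message": "A user account was disabled. Subject: Security ID ...",
     "Account_Name": ["admin1", "jsmith"]},
    {"_time": "2013-08-25T09:12:00", "host": EVENT_HOST,
     "Message": "A user account was enabled.",             # not a disable event
     "Account_Name": ["admin1", "rjones"]},
    {"_time": "2013-08-28T18:40:00", "host": "other.corp.merit.lab",
     "Message": "A user account was disabled.",            # wrong host for the subsearch
     "Account_Name": ["admin2", "mlee"]},
]

# Constructed mail-gateway records using the query's field names.
MAIL_LOG = [
    {"_time": "2013-08-19T15:30:00", "client_ip": "10.1.2.3",
     "sender_address": "jsmith@corp.merit.lab", "recipient_address": "jsmith@example.net",
     "message_subject": "designs", "total_bytes": 4_800_000},      # should alert
    {"_time": "2013-08-19T15:35:00", "client_ip": "10.1.2.3",
     "sender_address": "jsmith@corp.merit.lab", "recipient_address": "boss@corp.merit.lab",
     "message_subject": "status", "total_bytes": 120_000},         # internal recipient
    {"_time": "2013-08-19T15:40:00", "client_ip": "10.1.2.3",
     "sender_address": "jsmith@corp.merit.lab", "recipient_address": "friend@example.org",
     "message_subject": "lunch", "total_bytes": 2_000},            # under size threshold
    {"_time": "2013-06-01T10:00:00", "client_ip": "10.1.2.3",
     "sender_address": "jsmith@corp.merit.lab", "recipient_address": "old@example.org",
     "message_subject": "archive", "total_bytes": 900_000},        # outside 30-day window
    {"_time": "2013-08-27T11:00:00", "client_ip": "10.1.2.9",
     "sender_address": "rjones@corp.merit.lab", "recipient_address": "x@example.net",
     "message_subject": "big", "total_bytes": 3_000_000},          # account never disabled
]

OUTPUT_FIELDS = ("client_ip", "sender_address", "recipient_address",
                 "message_subject", "total_bytes")


def disabled_senders(events, host=EVENT_HOST):
    """The subsearch: sender addresses for accounts disabled on `host`."""
    senders = set()
    for ev in events:
        if ev["host"] != host or not ev["Message"].startswith(DISABLE_MSG):
            continue
        target = ev["Account_Name"][-1]             # mvindex(Account_Name, -1)
        senders.add(f"{target}@{CORP_DOMAIN}")       # strcat Account_Name "@corp.merit.lab"
    return senders


def is_external(recipient):
    """True when the recipient's domain is not the corporate domain.

    Compares the exact domain after '@'. The SPL wildcard '*corp.merit.lab'
    would also treat a look-alike such as 'user@evil-corp.merit.lab' as internal
    and silently drop it, so an exact match is the safer check.
    """
    _, _, domain = recipient.rpartition("@")
    return domain.lower() != CORP_DOMAIN


def possible_ip_theft(mail_log, events, now):
    """The outer search: large external mail from disabled accounts in the window."""
    cutoff = now - timedelta(days=WINDOW_DAYS)      # startdaysago=30
    senders = disabled_senders(events)
    hits = []
    for rec in mail_log:
        sent_at = datetime.fromisoformat(rec["_time"])
        if sent_at < cutoff or rec["sender_address"] not in senders:
            continue
        if rec["total_bytes"] > SIZE_THRESHOLD and is_external(rec["recipient_address"]):
            hits.append({k: rec[k] for k in OUTPUT_FIELDS})   # | fields client_ip, ...
    return hits


if __name__ == "__main__":
    for hit in possible_ip_theft(MAIL_LOG, DISABLE_EVENTS, PRESENTATION_DATE):
        print(hit)
```

Only the "designs" message survives: the other four records fail the recipient, size, window or disabled-account test respectively.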

Page 8

CERT’s Insider Threat Case Database

[Figure: bar chart "U.S. Crimes by Category" (y-axis 0-350). Data labels as extracted, in order: 171, 299, 111, 72, 147; categories: Sabotage, Fraud, Theft of IP, Miscellaneous, Espionage.]

Page 9

What is Insider Threat?

Page 10

Insider Threat Issue - 1

Insiders pose a substantial threat by virtue of their knowledge of, and access to, their employers’ systems and/or databases.

Insiders can bypass existing physical and electronic security measures through legitimate means.

Page 11

Insider Threat Issue - 2

How many of your organizations have been victim of an insider attack / incident?

How many of your organizations can confidently say you have not been the victim of an insider attack?

Page 12

The Insider Threat

There is not one “type” of insider threat
• Threat is to an organization’s critical assets
  • People
  • Information
  • Technology
  • Facilities
• Based on the motive(s) of the insider
• Impact is to Confidentiality, Availability, Integrity

There is not one solution for addressing the insider threat
• Technology alone may not be the most effective way to prevent and/or detect an incident perpetrated by a trusted insider

Page 13

What is a Malicious Insider Threat?

Current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

Page 14

What is an Unintentional Insider Threat?

Current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and who, through their action/inaction without malicious intent, causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s information or information systems.

Page 15

Separate the “Target” from the “Impact” from the “Actor”

Actor(s): WHO
• Employees (current, former)
• Contractors
• Subcontractors
• Suppliers
• Trusted Business Partners

Target: WHAT
• Critical Assets: People, Technology, Information, Facilities

Impact: HOW
• Confidentiality
• Availability
• Integrity

Page 16

Types of Insider Crimes

Insider IT sabotage
An insider’s use of IT to direct specific harm at an organization or an individual.

Insider theft of intellectual property (IP)
An insider’s use of IT to steal intellectual property from the organization. This category includes industrial espionage involving insiders.

Insider fraud
An insider’s use of IT for the unauthorized modification, addition, or deletion of an organization's data (not programs or systems) for personal gain, or theft of information which leads to fraud (identity theft, credit card fraud).

National Security Espionage
The act of stealing and delivering, or attempting to deliver, information pertaining to the national defense of the United States to agents or subjects of foreign countries, with intent or reason to believe that it is to be used to the injury of the United States or to the advantage of a foreign nation.

Page 17

Insider Crime Profiles

Page 18

IT Sabotage

Page 19

TRUE STORY: SCADA systems for an oil-exploration company are temporarily disabled…

A contractor, whose request for permanent employment was rejected, planted malicious code following termination

Page 20

Insider IT Sabotage: True Story

Insider had difficulties prior to hiring
• High school dropout
• Fired from prior job
• History of drug use

Expressed feelings of dissatisfaction and frustration with work conditions
• Complained that “he did all the work”
• Frequently late for work
• Drug use on the job
• Demoted

Subject frames his supervisor for sabotage
• Discovered plans to fire him
• Installed logic bomb to delete all files on all servers
• Set to execute from supervisor’s .profile
• Included “ha ha” message
• Also planted in script to run when system log file reached certain size

Tried to hide actions technically, but admitted to co-worker
• Took great pains to conceal act by deleting system logs
• Forgot to modify one system log, which was used to identify him as perpetrator
• Told co-worker the day before attack that “he would see some serious stuff happen”

A disgruntled system administrator was able to deploy a logic bomb and modify the system logs to frame his supervisor even though he had been demoted and his privileges should have been restricted.

Page 21

Other Cases of IT Sabotage

The insider, employed as a programmer by a U.S. power company, was terminated for poor performance. He was responsible for programming the models that controlled the management of power facilities.
• The insider was terminated and escorted off the premises, but the company failed to disable his VPN access and to collect the company-issued laptop. After termination, the insider modified and deleted critical files, disabling operations, and transferred proprietary information to a personal email account.

A subcontractor at an energy management facility broke the glass enclosing the emergency power button, then shut down computers that regulate the exchange of electricity between power grids, even though his own employer had disabled his access to their own facility following a dispute.
• Impact: internal power outage; shutdown of electricity exchange between the power grids in the US.

A former employee of an auto dealer modified the vehicle control system after being laid off
• Searched for known customers and sent out unwarranted signals to vehicle control devices, disabling ignitions and setting off alarms

Page 22

Stressors / Sanctions Observed in Cases

Termination
• gross insubordination
• violation of company rules
• poor performance
• not being a team player
• close to Christmas
• false information on background check
• discussion about termination of employment

Passed over for promotion

Demotion
• due to poor performance
• due to project completion

Sanctions
• reprimands for work-related issues
• reprimands for aggressive and malicious behavior
• suspension for excessive absenteeism

Transfer between departments

Supervisor
• new supervisor hired
• disagreement with supervisor

Access changed

Financial
• disagreement over salary & compensation
• bonuses lower than expected
• failure of offering of severance package

Death in family

Divorce

Explosive disagreement with colleagues

Termination of subcontractor contract

Termination of partnership because of money

Co-workers overriding decisions

Responsibilities removed from projects

Outsourcing of project

Suspension of Internet access

Page 23

Summary of Insider Threats

|                             | IT Sabotage                                        | Fraud                                                               | Theft of Intellectual Property                               |
|-----------------------------|----------------------------------------------------|---------------------------------------------------------------------|--------------------------------------------------------------|
| Current or former employee? | Former                                             | Current                                                             | Current (within 30 days of resignation)                      |
| Type of position            | Technical (e.g. sys admins, programmers, or DBAs)  | Non-technical (e.g. data entry, customer service) or their managers | Technical (e.g. scientists, programmers, engineers) or sales |
| Gender                      | Male                                               | Fairly equally split between male and female                        | Male                                                         |
| Target                      | Network, systems, or data                          | PII or customer information                                         | IP (trade secrets) or customer info                          |
| Access used                 | Unauthorized                                       | Authorized                                                          | Authorized                                                   |
| When                        | Outside normal working hours                       | During normal working hours                                         | During normal working hours                                  |
| Where                       | Remote access                                      | At work                                                             | At work                                                      |

Page 24

How do you handle privileged technical employees and contractors who are “on the HR radar”?

Page 25

Fraud

Page 26

TRUE STORY:

An undercover agent who claims to be on the “No Fly list” buys a fake driver’s license from a ring of DMV employees...

The 7 person identity theft ring consisted of 7 employees who sold more than 200 fake licenses for more than $1 Million.

Page 27

Other Cases of Fraud

An accounts payable clerk, over a period of 3 years, issued 127 unauthorized checks to herself and others...
• Checks totaled over $875,000

A front desk office coordinator stole PII from a hospital...
• Over 1100 victims and over $2.8 M in fraudulent claims

A database administrator at a major US insurance company downloaded 60,000 employee records onto removable media and solicited bids for sale over the Internet

An office manager for a trucking firm fraudulently puts her husband on the payroll for weekly payouts, and erases records of payments…
• Over almost a year, loss of over $100K

Page 28

Summary of Insider Threats (the table from page 23, repeated)

Page 29

Have you seriously considered how your employees could misuse your systems for financial gain?

Page 30

Theft of Intellectual Property

Page 31

TRUE STORY: Research scientist downloads 38,000 documents containing his company’s trade secrets before going to work for a competitor…

Information was valued at $400 Million

Page 32

Other Cases of Theft of IP

An insider, a foreign national working as a contract programmer for an oil company, developed software for surveying land for oil and natural gas. During the 6-month training period, the insider gained unauthorized access to software via a compromised password…
• The insider stole software and source code by copying it to an employee laptop and then to his own laptop. The insider was arrested while waiting to board a plane to his home country.

Simulation software for the reactor control room in a US nuclear power plant was being run from Iran…
• A former software engineer born in that country took it with him when he left the company.

Page 33

Do you check for stolen information when employees, contractors, and other trusted business partners with access to critical information leave?

Page 34

Summary of Insider Threats (the table from page 23, repeated)

Page 35

Insider Threats in the Chemical, Critical Manufacturing, and Energy Industry Sectors

Page 36

Number of Cases by Industry

[Figure: bar chart, x-axis "Industry Sector" (Chemical, Critical Manufacturing, Energy), y-axis "Number of Cases" (0-16); bar values are not recoverable from the extracted text.]

Page 37

Opportunity for Attack

Researcher with access to new technical and product line documents (only related to work)

Insider able to download a confidential database

Insider offered promotions at competing organization uses current access to steal intellectual property

Insider was able to use outdated credentials to access organization IT resources

Page 38

Job Titles

Though some of the insiders in these cases were managers or sales people, the insiders primarily held technical roles such as:
• Programmer
• Research Scientist
• Engineer

Page 39

Insider Affiliation with Organization

The majority of the insiders were full time employees at the time of the incident:

[Figure: bar chart "Insider Affiliation with Organization", y-axis "Number of Insiders" (0-30). Data labels as extracted, in order: 4, 25, 8; categories: Contractor, Full Time, Unknown.]

Page 40

Insider Employee Status

The majority of insiders in these attacks were current employees at the time of the incident.

[Figure: bar chart "Employee Status" (Current, Former, Unknown), y-axis "Number of Insiders" (0-30); bar values are not recoverable from the extracted text.]

Page 41

Planning of Attack

At least twenty of the insiders planned their attack.

[Figure: bar chart "Time Taken to Plan the Attack", y-axis "Number of Insider Attacks" (0-12); categories as extracted: 1-7 Days, 32-90 Days, 8-31 Days, 90-365 Days, > 1 Year, Planned, Time Unknown; bar values are not recoverable from the extracted text.]

Page 42

Time of Attack (When Known)

[Figure: bar chart (y-axis 0-14). Data labels as extracted, in order: 12, 4, 1; categories: During Work Hours, During and Outside of Work Hours, Outside of Work Hours.]

Page 43

Location of Attack (When Known)

[Figure: bar chart (y-axis 0-18); categories: On-Site, On-Site and Remotely, Remotely; bar values are not recoverable from the extracted text.]

Page 44

Financial Impact of Attacks (When Known)

[Figure: bar chart "Cost of Attack to Victim Organization", y-axis "Number of Insider Cases" (0-10); categories: $1-$9,999, $10,000-$99,999, $100,000-$999,999, $1,000,000+; bar values are not recoverable from the extracted text.]

Page 45

Mitigation Strategies

Page 46

Our Suggestion

Continuous Logging

Targeted Monitoring

Real-time Alerting

Page 47

Common Sense Guide to Mitigating Insider Threats

http://www.sei.cmu.edu/library/abstracts/reports/12tr012.cfm

Page 48

Best Practices for Insider Threat Mitigation

Consider threats from insiders and business partners in enterprise-wide risk assessments.

Clearly document and consistently enforce policies and controls.

Incorporate insider threat awareness into periodic security training for all employees.

Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.

Anticipate and manage negative issues in the work environment.

Know your assets.

Implement strict password and account management policies and practices.

Enforce separation of duties and least privilege.

Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.

Institute stringent access controls and monitoring policies on privileged users.

Institutionalize system change controls.

Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.

Monitor and control remote access from all end points, including mobile devices.

Develop a comprehensive employee termination procedure.

Implement secure backup and recovery processes.

Develop a formalized insider threat program.

Establish a baseline of normal network device behavior.

Be especially vigilant regarding social media.

Close the doors to unauthorized data exfiltration.

Page 49

The CERT Top 10 List for Winning the Battle Against Insider Threats

Page 50

CERT’s Insider Threat Services

Page 51

Insider Threat Assessment (ITA)

Objective: To measure an organization’s level of preparedness to address insider threats to their organization.

Method: Document review, process observation, and onsite interviews using insider threat assessment workbooks based on all insider threat cases in the CERT case library.

Outcome: Confidential report with findings and recommendations.

Areas of Focus: Information Technology/Security; Software Engineering; Data Owners; Human Resources; Physical Security; Legal / Contracting; Trusted Business Partners.

Page 52

CERT Insider Threat Workshops

Goal: participants leave with actionable steps they can take to better manage the risk of insider threat in their organization

½ day, one day, or two days: presentations and interactive exercises

Addresses technical, organizational, personnel, security, and process issues

Exercises
• Address portions of the insider threat assessment
• Purpose: assist participants in assessing their own organization's vulnerability to insider threat in specific areas of concern

Page 53

Building an Insider Threat Program

Goal: CERT staff work with senior executives from across the organization to develop a strategic action plan, based on actual cases of insider threats at the participating organization and research by CERT staff, to address and mitigate the risk of insider threat at the organization.

Key differences from standard workshop
• Tailored course material based on actual insider incidents at the organization.
• Cases are provided in advance by the organization and treated with strict confidentiality.
• The workshop is preceded by a 3-day onsite visit by CERT staff to work with the organization’s staff and familiarize themselves with the provided case material.
• On the second day of the workshop, CERT staff and executives work together to create the organization’s strategic plan for preventing, detecting, and responding to insider threats.

Page 54

CERT Resources

Insider Threat Center website (http://www.cert.org/insider_threat/)

Common Sense Guide to Mitigating Insider Threats, 4th Ed. (http://www.sei.cmu.edu/library/abstracts/reports/12tr012.cfm)

The Insider Threat and Employee Privacy: An Overview of Recent Case Law, Computer Law and Security Review, Volume 29, Issue 4, August 2013 by Carly L. Huth

Insider threat workshops

Insider threat assessments

New controls from CERT Insider Threat Lab

Insider threat exercises

The CERT® Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (SEI Series in Software Engineering) by Dawn M. Cappelli, Andrew P. Moore and Randall F. Trzeciak

Page 55

Discussion

Page 56

Point of Contact

Insider Threat Technical Manager
Randall F. Trzeciak
CERT Program
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
+1 412 268-7040
[email protected] – Email

http://www.cert.org/insider_threat/

