© 2013 Carnegie Mellon University
Overview of the Threat Posed by Insiders to Critical Assets
Randall Trzeciak, Insider Threat Center at CERT
9 September 2013
http://www.cert.org/insider_threat/
Notices

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
Agenda
• Introduction to the CERT Insider Threat Center
• CERT’s Insider Threat Crime Profiles
• Insider Threats in the Chemical, Critical Manufacturing, and Energy Industry Sectors
• Mitigation Strategies
• Discussion
What is CERT?
Center of Internet security expertise
Established in 1988 by the US Department of Defense on the heels of the Morris worm that created havoc on the ARPANET, the precursor to what is the Internet today
Located in the Software Engineering Institute (SEI)
• Federally Funded Research & Development Center (FFRDC)
• Operated by Carnegie Mellon University (Pittsburgh, Pennsylvania)
What is the CERT Insider Threat Center?
Center of insider threat expertise
Began working in this area in 2001 with the U.S. Secret Service
Our mission: The CERT Insider Threat Center conducts empirical research and analysis to develop & transition socio-technical solutions to combat insider cyber threats.
Goal for an Insider Threat Program
Opportunities for prevention, detection, and response for an insider incident
CERT’s Unique Approach to the Problem

[Figure: system dynamics (causal loop) model of insider espionage. Variables in the model: personal and financial predisposition; insider stress and stressful events; personal needs, financial needs and financial greed, addiction to financial gain and initial satisfaction; rule violations; indicators of financial need or unexplained affluence, and of personal predisposition; the organization's perceived risk of insider espionage; level of auditing and monitoring (technical and non-technical); the insider's perceived risk of being caught; sanctions for rule violations and the ratio of sanctions to violations; insider conformance to rules; espionage known and unknown to the organization; receiving money for espionage; unauthorized insider accesses known and unknown to the organization; authorized insider accesses and access authorization level; willingness to commit espionage; the organization's trust of the insider; security awareness training; enforcing authorization level; using access controls; concealing indicators and violations; EAP; environmental factors; security procedure existence and enforcement; reporting of suspicious activity and cultural reluctance to report; insider termination, termination threshold, termination time and cultural reluctance to terminate; external organization effort to coopt the insider, to leak espionage and to pay for espionage; detecting concerning behavior and technical actions. Labelled feedback loops: R1a and B1a/B1b, harmful actions to fulfill needs and harmful actions amplifying needs; R2, the "trust trap"; R3, organization response to unauthorized access; R4, unobserved emboldening of the insider; R5, sanctions for rule violations produce escalation; B2, espionage control by restricting authorization level; B3, reducing violations due to organization sanctions; B4, concealing rule violations due to organization sanctions; B5, espionage control by enforcing access controls. Feedback loops B2 and B5 are based on expert opinion.]

Research Models

[Figure: causal model of insider theft of IP. Variables: insider contribution to developing the information or product and to the organizational group; insider predisposition to feeling entitled and sense of entitlement to the products of the group; insider sense of ownership of the information/product; insider time and resources invested in the group; insider dissatisfaction with job/organization; organization denial of insider requests; insider desire to contribute to the organization; insider sense of loyalty to the organization; insider planning to go to a competing organization; insider desire to steal organization information; precipitating event (e.g., proposal by competitor); information stolen; opportunity to detect theft; insider concern over being caught; insider-perpetrated deceptions related to the information theft; organization discovery of the theft and of the deceptions; level of technical and behavioral monitoring. Loops labelled R1, R2, R3 and B1.]
Deriving Candidate Controls and Indicators
Our lab transforms that into this…

Splunk Query Name: Last 30 Days - Possible Theft of IP

```
host=HECTOR
  [search host="zeus.corp.merit.lab" Message="A user account was disabled. *"
    | eval Account_Name=mvindex(Account_Name, -1)
    | fields Account_Name
    | strcat Account_Name "@corp.merit.lab" sender_address
    | fields - Account_Name]
  total_bytes > 50000 AND recipient_address!="*corp.merit.lab" startdaysago=30
| fields client_ip, sender_address, recipient_address, message_subject, total_bytes
```

The subsearch collects the account names from "A user account was disabled" events on the domain controller (zeus) and rewrites them as sender addresses; the outer search then returns mail-gateway events (host HECTOR) from the last 30 days in which one of those senders sent more than 50,000 bytes to a recipient outside corp.merit.lab.
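The same correlation in Python, as an added example that is not the CERT lab's own code: it reads two pipe-delimited logs constructed for the example (a domain-controller audit log and a mail-gateway log; the account names, addresses, IPs and timestamps are invented) and applies the query's logic: collect accounts disabled on zeus.corp.merit.lab within the last 30 days, turn them into sender addresses, then flag mail from those senders larger than 50,000 bytes to any recipient outside corp.merit.lab. It adds one thing the query does not show, the signed interval between the message and the disable event: mail sent before the account was disabled is the pre-departure exfiltration pattern from the theft-of-IP profile, while mail sent after it means the disable did not actually cut the sender off at the gateway.

```python
"""Candidate theft-of-IP indicator: outbound mail larger than 50 KB to
non-corporate recipients, sent in the last 30 days by accounts disabled in the
same period.  Added Python rendering of the Splunk query above; example code,
not the CERT lab's.  Log layouts and all sample records are constructed; the
corp.merit.lab domain, the zeus host and the thresholds come from the query."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

CORP_DOMAIN = "corp.merit.lab"   # recipient_address!="*corp.merit.lab"
DC_HOST = "zeus.corp.merit.lab"  # host of the account-disabled events
WINDOW = timedelta(days=30)      # startdaysago=30
MIN_BYTES = 50_000               # total_bytes > 50000
DEMO_NOW = datetime(2013, 8, 31)  # "now" for the constructed data

# Constructed domain-controller audit events: ts|host|message|account
DC_EVENTS = """\
2013-08-05T09:12:00|zeus.corp.merit.lab|A user account was disabled.|jsmith
2013-08-20T17:45:00|zeus.corp.merit.lab|A user account was created.|newhire
2013-08-28T08:03:00|zeus.corp.merit.lab|A user account was disabled.|rjones
"""

# Constructed mail-gateway events: ts|client_ip|sender|recipient|subject|total_bytes
MAIL_EVENTS = """\
2013-08-02T22:10:00|10.1.4.20|jsmith@corp.merit.lab|jsmith.home@webmail.example|designs|182000
2013-08-02T22:12:00|10.1.4.20|jsmith@corp.merit.lab|boss@corp.merit.lab|designs|182000
2013-08-03T09:00:00|10.1.4.21|alice@corp.merit.lab|vendor@partner.example|invoice|900000
2013-08-29T23:30:00|10.1.4.22|rjones@corp.merit.lab|drop@mail.example|bye|4100
2013-08-30T01:05:00|10.1.4.22|rjones@corp.merit.lab|drop@mail.example|src.zip|2300000
"""


@dataclass(frozen=True)
class Hit:
    when: datetime
    client_ip: str
    sender: str
    recipient: str
    subject: str
    total_bytes: int
    days_from_disable: float  # negative: sent before the account was disabled


def disabled_accounts(dc_log: str, start: datetime, end: datetime) -> dict[str, datetime]:
    """The subsearch: sender address -> time the account was disabled."""
    out: dict[str, datetime] = {}
    for line in dc_log.splitlines():
        ts, host, message, account = line.split("|")
        when = datetime.fromisoformat(ts)
        if host != DC_HOST or not message.startswith("A user account was disabled"):
            continue
        if start <= when <= end:
            # strcat Account_Name "@corp.merit.lab" sender_address
            out[f"{account}@{CORP_DOMAIN}"] = when
    return out


def is_internal(address: str) -> bool:
    """Mirror of the wildcard match *corp.merit.lab on the recipient."""
    return address.lower().endswith(CORP_DOMAIN)


def possible_ip_theft(dc_log: str, mail_log: str, now: datetime) -> list[Hit]:
    """The outer search: large external mail from recently disabled accounts."""
    start = now - WINDOW
    disabled = disabled_accounts(dc_log, start, now)
    hits: list[Hit] = []
    for line in mail_log.splitlines():
        ts, ip, sender, recipient, subject, size = line.split("|")
        when = datetime.fromisoformat(ts)
        total_bytes = int(size)
        if sender not in disabled or is_internal(recipient):
            continue
        if total_bytes <= MIN_BYTES or not (start <= when <= now):
            continue
        # Signed distance from the disable event, in days (not in the query)
        delta = (when - disabled[sender]).total_seconds() / 86400
        hits.append(Hit(when, ip, sender, recipient, subject, total_bytes, round(delta, 1)))
    return hits


def demo() -> list[Hit]:
    """Run the correlation over the constructed logs."""
    return possible_ip_theft(DC_EVENTS, MAIL_EVENTS, DEMO_NOW)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run as a script, it reports two hits from the constructed data: jsmith's 182 KB message to a webmail address about two and a half days before the account was disabled, and rjones's 2.3 MB message sent after the disable. The byte threshold and the 30-day window are the query's own; tune the threshold to the organization's normal outbound message sizes, and remember that this only sees what passes the corporate mail gateway, not webmail over HTTPS or removable media.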
CERT’s Insider Threat Case Database

U.S. Crimes by Category (number of cases; values as extracted from the chart, in bar order):

| Category | Cases |
|---|---|
| Sabotage | 171 |
| Fraud | 299 |
| Theft of IP | 111 |
| Miscellaneous | 72 |
| Espionage | 147 |
What is Insider Threat?
Insider Threat Issue - 1
Insiders pose a substantial threat by virtue of their knowledge of, and access to, their employers’ systems and/or databases.
Insiders can bypass existing physical and electronic security measures through legitimate means.
Insider Threat Issue - 2
How many of your organizations have been the victim of an insider attack / incident?
How many of your organizations can confidently say you have not been the victim of an insider attack?
The Insider Threat
There is not one “type” of insider threat
• Threat is to an organization’s critical assets
  • People
  • Information
  • Technology
  • Facilities
• Based on the motive(s) of the insider
• Impact is to Confidentiality, Availability, Integrity
There is not one solution for addressing the insider threat
• Technology alone may not be the most effective way to prevent and/or detect an incident perpetrated by a trusted insider
What is a Malicious Insider Threat?
Current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
What is an Unintentional Insider Threat?
Current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and who, through their action or inaction and without malicious intent, causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s information or information systems.
Separate the “Target” from the “Impact” from the “Actor”
Actor(s): WHO
• Employees (current, former)
• Contractors, subcontractors, suppliers, trusted business partners
Target: WHAT
• Critical assets: people, technology, information, facilities
Impact: HOW
• Confidentiality, availability, integrity
Types of Insider Crimes
Insider IT sabotage
An insider’s use of IT to direct specific harm at an organization or an individual.
Insider theft of intellectual property (IP)
An insider’s use of IT to steal intellectual property from the organization. This category includes industrial espionage involving insiders.
Insider fraud
An insider’s use of IT for the unauthorized modification, addition, or deletion of an organization's data (not programs or systems) for personal gain, or theft of information which leads to fraud (identity theft, credit card fraud).
National Security Espionage
The act of stealing and delivering, or attempting to deliver, information pertaining to the national defense of the United States to agents or subjects of foreign countries, with intent or reason to believe that it is to be used to the injury of the United States or to the advantage of a foreign nation.
Insider Crime Profiles
IT Sabotage
TRUE STORY: SCADA systems for an oil-exploration company are temporarily disabled…
A contractor, whose request for permanent employment was rejected, planted malicious code following termination.
Insider IT Sabotage: True Story
Insider had difficulties prior to hiring
• High school dropout
• Fired from prior job
• History of drug use
Expressed feelings of dissatisfaction and frustration with work conditions
• Complained that “he did all the work”
• Frequently late for work
• Drug use on the job
• Demoted
Subject frames his supervisor for sabotage
• Discovered plans to fire him
• Installed logic bomb to delete all files on all servers
• Set to execute from supervisor’s .profile
• Included “ha ha” message
• Also planted in a script to run when the system log file reached a certain size
Tried to hide actions technically, but admitted to co-worker
• Took great pains to conceal the act by deleting system logs
• Forgot to modify one system log, which was used to identify him as the perpetrator
• Told co-worker the day before the attack that “he would see some serious stuff happen”
A disgruntled system administrator was able to deploy a logic bomb and modify the system logs to frame his supervisor even though he had been demoted and his privileges should have been restricted.
Other Cases of IT Sabotage
The insider, employed as a programmer by a U.S. power company, was terminated for poor performance. He was responsible for programming the models that controlled the management of power facilities.
• The insider was terminated and escorted off the premises, but the company failed to disable his VPN access and to collect his company-issued laptop. After termination, the insider modified and deleted critical files, disabling operations, and transferred proprietary information to a personal email account.
A subcontractor at an energy management facility broke the glass enclosing the emergency power button, then shut down the computers that regulate the exchange of electricity between power grids, even though his own employer had disabled his access to their own facility following a dispute.
• Impact: internal power outage; shutdown of electricity exchange between power grids in the US.
A former employee of an auto dealer modified the vehicle control system after being laid off.
• Searched for known customers and sent out unwarranted signals to vehicle control devices… disabled ignitions and set off alarms.
Stressors / Sanctions Observed in Cases
• Termination
  • gross insubordination
  • violation of company rules
  • poor performance
  • not being a team player
  • close to Christmas
  • false information on background check
  • discussion about termination of employment
• Passed over for promotion
• Demotion
  • due to poor performance
  • due to project completion
• Sanctions
  • reprimands for work-related issues
  • reprimands for aggressive and malicious behavior
  • suspension for excessive absenteeism
• Transfer between departments
• Supervisor
  • new supervisor hired
  • disagreement with supervisor
• Access changed
• Financial
  • disagreement over salary & compensation
  • bonuses lower than expected
  • failure to offer a severance package
• Death in family
• Divorce
• Explosive disagreement with colleagues
• Termination of subcontractor contract
• Termination of partnership because of money
• Co-workers overriding decisions
• Responsibilities removed from projects
• Outsourcing of project
• Suspension of Internet access
Summary of Insider Threats

| | IT Sabotage | Fraud | Theft of Intellectual Property |
|---|---|---|---|
| Current or former employee? | Former | Current | Current (within 30 days of resignation) |
| Type of position | Technical (e.g. sys admins, programmers, or DBAs) | Non-technical (e.g. data entry, customer service) or their managers | Technical (e.g. scientists, programmers, engineers) or sales |
| Gender | Male | Fairly equally split between male and female | Male |
| Target | Network, systems, or data | PII or customer information | IP (trade secrets) or customer info |
| Access used | Unauthorized | Authorized | Authorized |
| When | Outside normal working hours | During normal working hours | During normal working hours |
| Where | Remote access | At work | At work |
How do you handle privileged technical employees and contractors who are “on the HR radar”?
Fraud
TRUE STORY: An undercover agent who claims to be on the “No Fly list” buys a fake driver’s license from a ring of DMV employees...
The identity theft ring consisted of 7 DMV employees who sold more than 200 fake licenses for more than $1 million.
Other Cases of Fraud
An accounts payable clerk, over a period of 3 years, issued 127 unauthorized checks to herself and others...
• Checks totaled over $875,000
A front desk office coordinator stole PII from a hospital...
• Over 1,100 victims and over $2.8 M in fraudulent claims
A database administrator at a major US insurance company downloaded 60,000 employee records onto removable media and solicited bids for their sale over the Internet.
An office manager for a trucking firm fraudulently put her husband on the payroll for weekly payouts, and erased the records of the payments…
• Loss of over $100K over almost a year
Have you seriously considered how your employees could misuse your systems for financial gain?
Theft of Intellectual Property
TRUE STORY: Research scientist downloads 38,000 documents containing his company’s trade secrets before going to work for a competitor…
Information was valued at $400 million.
Other Cases of Theft of IP
An insider, a foreign-national contractor and programmer, worked for an oil company developing software for surveying land for oil and natural gas. During the 6-month training period, the insider gained unauthorized access to software via a compromised password…
• The insider stole software and source code by copying it to an employee laptop and then to his own laptop. He was arrested while waiting to board a plane to his home country.
Simulation software for the reactor control room in a US nuclear power plant was being run from Iran…
• A former software engineer born in that country took it with him when he left the company.
Do you check for stolen information when employees, contractors, and other trusted business partners with access to critical information leave?
Insider Threats in the Chemical, Critical Manufacturing, and Energy Industry Sectors
Number of Cases by Industry
[Chart: number of cases by industry sector (Chemical, Critical Manufacturing, Energy); the bar values are not recoverable from the extracted text.]
Opportunity for Attack
• Researcher with access to new technical and product line documents (only related to work)
• Insider able to download a confidential database
• Insider offered promotions at a competing organization uses current access to steal intellectual property
• Insider was able to use outdated credentials to access organization IT resources
Job Titles
Though some of the insiders in these cases were managers or sales people, the insiders primarily held technical roles such as:
• Programmer
• Research Scientist
• Engineer
Insider Affiliation with Organization
The majority of the insiders were full time employees at the time of the incident:
[Chart: number of insiders by affiliation with organization; values as extracted, in bar order: Contractor 4, Full Time 25, Unknown 8.]
Insider Employee Status
The majority of insiders in these attacks were current employees at the time of the incident.
[Chart: number of insiders by employee status (Current, Former, Unknown); the bar values are not recoverable from the extracted text.]
Planning of Attack
At least twenty of the insiders planned their attack.
[Chart: number of insider attacks by time taken to plan the attack; categories 1-7 Days, 8-31 Days, 32-90 Days, 90-365 Days, > 1 Year, and Planned, Time Unknown; the bar values are not recoverable from the extracted text.]
Time of Attack (When Known)
[Chart: number of attacks by time of attack; values as extracted, in bar order: During Work Hours 12, During and Outside of Work Hours 4, Outside of Work Hours 1.]
Location of Attack (When Known)
[Chart: number of attacks by location (On-Site, On-Site and Remotely, Remotely); the bar values are not recoverable from the extracted text.]
Financial Impact of Attacks (When Known)
[Chart: number of insider cases by cost of attack to the victim organization; bands $1-$9,999, $10,000-$99,999, $100,000-$999,999, $1,000,000+; the bar values are not recoverable from the extracted text.]
Mitigation Strategies
Our Suggestion
Continuous Logging
Targeted Monitoring
Real-time Alerting
Common Sense Guide to Mitigating Insider Threats
http://www.sei.cmu.edu/library/abstracts/reports/12tr012.cfm
Best Practices for Insider Threat MitigationConsider threats from insiders and business partners in enterprise-wide risk assessments.
Clearly document and consistently enforce policies and controls.
Incorporate insider threat awareness into periodic security training for all employees.
Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
Anticipate and manage negative issues in the work environment.
Know your assets.
Implement strict password and account management policies and practices.
Enforce separation of duties and least privilege.
Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
Institute stringent access controls and monitoring policies on privileged users.
Institutionalize system change controls.
Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
Monitor and control remote access from all end points, including mobile devices.
Develop a comprehensive employee termination procedure.
Implement secure backup and recovery processes.
Develop a formalized insider threat program.
Establish a baseline of normal network device behavior.
Be especially vigilant regarding social media.
Close the doors to unauthorized data exfiltration.
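One concrete check behind "Develop a comprehensive employee termination procedure" and "Monitor and control remote access from all end points", added here as an example and not CERT's code: reconcile the HR separation list against the directory's account state and the VPN authentication log. It reports separated accounts that are still enabled past an assumed one-hour grace period, accounts that were disabled late (using the directory's last-modified time as a stand-in for the disable time, an assumption), and every VPN login or login attempt after the separation time. The power-company case above, where VPN access survived an escorted termination, is exactly what this catches. The three input tables, and every name, date and address in them, are constructed for the example.

```python
"""Termination-procedure check: reconcile HR separations against directory
account state and the VPN log.  Added example; not CERT's code.  Record
layouts, the one-hour grace period and all sample data are assumptions."""
from __future__ import annotations

from datetime import datetime, timedelta

GRACE = timedelta(hours=1)        # assumed SLA: disable within one hour of separation
DEMO_NOW = datetime(2013, 8, 1)   # "now" for the constructed data

# Constructed HR separation feed: employee_id|account|separation_ts
HR_SEPARATIONS = """\
E1001|bgreen|2013-07-15T17:00:00
E1002|mlee|2013-07-19T12:00:00
E1003|tfox|2013-07-22T09:00:00
"""

# Constructed directory export: account|enabled|last_modified_ts
DIRECTORY = """\
bgreen|false|2013-07-15T17:20:00
mlee|true|2013-06-01T08:00:00
tfox|false|2013-07-24T10:30:00
alice|true|2013-05-02T11:00:00
"""

# Constructed VPN authentication log: ts|account|src_ip|result
VPN_LOG = """\
2013-07-15T16:30:00|bgreen|203.0.113.10|accept
2013-07-16T02:15:00|bgreen|203.0.113.10|reject
2013-07-20T23:40:00|mlee|198.51.100.7|accept
2013-07-21T00:05:00|mlee|198.51.100.7|accept
2013-07-23T21:00:00|tfox|192.0.2.44|accept
2013-07-22T10:00:00|alice|203.0.113.99|accept
"""


def rows(text: str, *fields: str) -> list[dict[str, str]]:
    """Parse one of the pipe-delimited constructed tables into dicts."""
    return [dict(zip(fields, line.split("|"))) for line in text.splitlines()]


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def audit_terminations(hr: str, directory: str, vpn: str, now: datetime) -> list[tuple[str, str, str]]:
    """Return (account, finding kind, detail) for every separated account."""
    separations = {r["account"]: ts(r["separation_ts"])
                   for r in rows(hr, "employee_id", "account", "separation_ts")}
    accounts = {r["account"]: r for r in rows(directory, "account", "enabled", "last_modified_ts")}
    logins = sorted(rows(vpn, "ts", "account", "src_ip", "result"), key=lambda e: e["ts"])
    findings: list[tuple[str, str, str]] = []
    for account, separated in separations.items():
        deadline = separated + GRACE
        entry = accounts.get(account)
        if entry is None:
            findings.append((account, "no-directory-record", "separated account missing from directory export"))
        elif entry["enabled"] == "true":
            if now > deadline:
                findings.append((account, "still-enabled",
                                 f"enabled {(now - separated).days} days after separation"))
        else:
            # Assumption: the last modification of a disabled account is the disable itself.
            disabled_at = ts(entry["last_modified_ts"])
            if disabled_at > deadline:
                late_hours = (disabled_at - separated).total_seconds() / 3600
                findings.append((account, "disabled-late", f"disabled {late_hours:.1f} h after separation"))
        # Any remote access after separation, accepted or not, is worth a look.
        for ev in logins:
            if ev["account"] != account or ts(ev["ts"]) <= separated:
                continue
            kind = "post-separation-login" if ev["result"] == "accept" else "post-separation-attempt"
            findings.append((account, kind, f'{ev["ts"]} from {ev["src_ip"]} ({ev["result"]})'))
    return findings


def demo() -> list[tuple[str, str, str]]:
    """Run the reconciliation over the constructed tables."""
    return audit_terminations(HR_SEPARATIONS, DIRECTORY, VPN_LOG, DEMO_NOW)


if __name__ == "__main__":
    for account, kind, detail in demo():
        print(f"{account:8} {kind:26} {detail}")
```

On the constructed data bgreen was disabled on time and only a rejected VPN attempt remains to review, mlee is still enabled weeks after separation and logged in twice, and tfox was disabled two days late with an accepted login in between. In practice the separation feed comes from HR, the account state from the directory, and the VPN events from the concentrator or SIEM; the point is that the three are checked against each other on a schedule rather than trusting that the termination checklist was followed.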
The CERT Top 10 List for Winning the Battle Against Insider Threats
CERT’s Insider Threat Services
Insider Threat Assessment (ITA)
Objective: To measure an organization’s level of preparedness to address insider threats to their organization.
Method: Document review, process observation, and onsite interviews using insider threat assessment workbooks based on all insider threat cases in the CERT case library.
Outcome: Confidential report of findings and recommendations.
Areas of Focus: Information Technology/Security; Software Engineering; Data Owners; Human Resources; Physical Security; Legal / Contracting; Trusted Business Partners.
CERT Insider Threat Workshops
Goal: participants leave with actionable steps they can take to better manage the risk of insider threat in their organization
• ½ day, one day, or two days: presentations and interactive exercises
• Addresses technical, organizational, personnel, security, and process issues
Exercises
• Address portions of the insider threat assessment
• Purpose: assist participants in assessing their own organization's vulnerability to insider threat in specific areas of concern
Building an Insider Threat Program
Goal: CERT staff work with senior executives from across the organization to develop a strategic action plan, based on actual cases of insider threats at the participating organization and research by CERT staff, to address and mitigate the risk of insider threat at the organization.
Key differences from standard workshop
• Tailored course material based on actual insider incidents at the organization.
• Cases are provided in advance by the organization, and treated with strict confidentiality.
• Workshop is preceded by a 3-day onsite by CERT staff to work with the organization’s staff and familiarize themselves with the provided case material.
• On the second day of the workshop, CERT staff and executives work together to create the organization’s strategic plan for preventing, detecting and responding to insider threats.
CERT Resources
• Insider Threat Center website (http://www.cert.org/insider_threat/)
• Common Sense Guide to Mitigating Insider Threats, 4th Ed. (http://www.sei.cmu.edu/library/abstracts/reports/12tr012.cfm)
• The Insider Threat and Employee Privacy: An Overview of Recent Case Law, Computer Law and Security Review, Volume 29, Issue 4, August 2013, by Carly L. Huth
• Insider threat workshops
• Insider threat assessments
• New controls from the CERT Insider Threat Lab
• Insider threat exercises
• The CERT® Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (SEI Series in Software Engineering) by Dawn M. Cappelli, Andrew P. Moore and Randall F. Trzeciak
Discussion
Point of Contact
Insider Threat Technical Manager
Randall F. Trzeciak
CERT Program
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
Phone: +1 412 268-7040
Email: [email protected]
http://www.cert.org/insider_threat/