2005 ARDA Challenge Workshop
Title: Insider Threat: Analysis and Detection of Malicious Insiders
Technical Leader(s) and Participants: Mark Maybury, Penny Chase, and Brant Cheikes, Richard Pietravalle and Jeff Sebring (MITRE Corp), Dick Brackney (ARDA), Sara Matzner and Tom Hetherington (Applied Research Laboratories, University of Texas), Brad Wood, Conner Sibley and Jack Marin (BBN Technologies), Tom Longstaff (CERT Research and Analysis Centers, Software Engineering Institute, Carnegie Mellon University), Lance Spitzner and Jed Haile (Honey Net Consortium), John Copeland (Georgia Institute of Technology) and Scott Lewandowski (MIT Lincoln Laboratory).
Definitions
An insider is anyone in an organization with approved access, privilege, or knowledge of information systems, information services, and missions. A malicious insider (MI) is one motivated to adversely impact an organization's mission through a range of actions that compromise information confidentiality, integrity, and/or availability.
Problem Challenge
Malicious insiders have had devastating impact including violation of confidentiality, undermining of intelligence integrity, adverse influence on US policy, the revelation of sources and methods, and the death and compromise of field agents. The ability to semi-automatically indicate and warn about insiders would be a valuable capability.
Workshop Goal(s)
The primary objective of the workshop was to design and develop a proof of concept system for early indication and warning of malicious insiders.
Approach
The figure below illustrates the overall methodology, which started from an analysis of prior malicious insiders, followed by the modeling of insider behaviors, identification of associated observables, use of existing and creation of new sensors, experimentation to detect insiders on a live network, and evaluation of performance both in terms of timeliness and accuracy.

Our cross-organizational research team began with a detailed analysis of prior malicious insiders. While we investigated information on dozens of insider cases (DSS 1999, Herbig and Wiskoff 2002), we performed detailed analysis on six cases. Maybury et al. (2004) summarizes some key features of three representative cases: CIA's Aldrich "Rick" Ames, FBI's Robert Philip Hanssen (2003), and DIA's Ana Belen Montes (2001). For each of these cases we summarized their position, motive, foreign handlers, impact, sentence, computer skill, polygraph experience, cyber security violations, counterintelligence activities, physical and cyber access, cyber extraction and exfiltration, cyber communication, and the transfer of materials to foreign handlers.
Motivated by these case studies, we explored three fundamental hypotheses:
1. While some MIs can be detected using a single cyber observable, other MIs could be detected only by using multiple and heterogeneous observables.
2. Fusing information from heterogeneous information sources (e.g., logs from printers, authentication, card readers, telephone calls) and various levels of the IP stack (e.g., application vs. network traffic) allows more accurate and timely indications and warning of malicious insiders.
3. Observables together with domain knowledge (e.g., user role, asset value to mission) can help detect inappropriate behavior (e.g., need to know violations).
To maximize progress in this challenge workshop, we created multiple working groups: one responsible for our experimentation data and network, one using StealthWatch sensors (which perform traffic and host profiling), another using honeynets, another using structured analysis models, and another using bottom-up fusion across multiple sensors to detect insiders. Details of the results of these experiments can be found in Maybury et al. (2005).
Contributions and Impact
One key contribution was the exploration and detection of three types of malicious insiders. The first was a historical insider modeled as a prototype of past need-to-know violators. We call this insider Pal. A second insider, named Jack, was a projected insider who would aim to disrupt, damage, or destroy the network or elements thereof. In the course of defining and simulating these insiders, the scenario team implemented a third category of insider, an application administrator, called News Admin or Jill.

While the instrumentation of a live network provided an unprecedented and essential set of MI experimental data, the thrust of our activity was developing novel algorithms to detect MIs. One key result was a proof of concept system that was designed, implemented, and tested to detect MIs. Distributed, heterogeneous sensors provide input to a Common Data Repository (CDR) from which a range of analyses were performed, including data fusion and structural analysis, to identify potential suspects on a watch list or issue an alert of an insider threat. Our approach was novel in the following respects:
• A Common Data Repository (CDR) captured and anonymized heterogeneous sensor input.
• Multilevel monitoring occurred at the packet level, system level, and application level.
• StealthWatch sensors detected abnormal insider behavior on the network such as scanning, file transfer, or internal network connections.
• Distributed honeynets acquired attacker properties, pre-attack intentions, and potential attack strategies.
• A real-time, top-down structural analysis drawing upon functional models of MIs mapped pre-attack indicators to models of potential MIs.
• Traditional and non-traditional indicators (e.g., logs of network activity, physical access, PBX, help desks), including non-digital sources, were fused bottom-up.

Another key contribution was a deeper understanding of the cyber behaviors of MIs. Our joint knowledge was captured in a taxonomy of cyber events with associated observables that hold promise as the foundation of a detection system. The taxonomy distinguishes observables in the cyber domain from those in the physical domain. It includes observables such as polygraph results, records of security violations, missing or misleading reports on finances, foreign travel or foreign contacts, physical facility access, personal finances, materials transfer, counterintelligence, social behavior, and communications. In this research we focused exclusively on cyber observables, including other observables that could be readily converted to a cyber signal (e.g., digitized facility access logs).
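The three hypotheses above and the CDR/bottom-up fusion design can be made concrete with a small worked example. The Python below is an added illustration, not the workshop's proof of concept system or any MITRE code: it ingests constructed log lines from four heterogeneous sources (authentication, badge reader, printer, network flow) into a per-subject repository keyed by a pseudonym rather than the raw identity, derives cyber observables from each record, applies constructed domain knowledge (user role and per-role need-to-know assets, hypothesis 3), and fuses the indicators per subject. A single need-to-know violation is enough for the watch list (hypothesis 1), while an alert requires a weighted score over a threshold drawn from at least two different sources (hypothesis 2). All users, roles, assets, weights, thresholds and the pseudonym key are assumptions made for the example.

```python
"""Toy common data repository plus bottom-up fusion over heterogeneous
observables. Added example, not the workshop's own system; every log line,
user, role, asset, weight and threshold below is constructed."""
import hmac
import hashlib
from collections import defaultdict

# Constructed records from four sources (authentication, badge reader,
# printer, network flow); the timestamp is the second whitespace token.
RAW_EVENTS = [
    "auth    2005-03-01T02:14:00 user=alice result=success host=fileserver",
    "badge   2005-03-01T02:10:00 user=alice door=server-room",
    "netflow 2005-03-01T02:35:00 user=alice dst=10.0.9.12 bytes=48000000 proto=ftp",
    "printer 2005-03-01T02:40:00 user=alice pages=250 doc=project-x-plan",
    "auth    2005-03-01T09:05:00 user=bob result=success host=fileserver",
    "netflow 2005-03-01T09:20:00 user=bob dst=10.0.9.12 bytes=1200000 proto=ftp",
    "printer 2005-03-01T10:00:00 user=carol pages=5 doc=hr-memo",
    "netflow 2005-03-01T11:00:00 user=dave dst=10.0.9.12 bytes=300000 proto=http",
]

# Domain knowledge (hypothesis 3): each role's need-to-know set of assets.
ROLE = {"alice": "analyst-b", "bob": "analyst-a", "carol": "hr", "dave": "hr"}
NEED_TO_KNOW = {
    "analyst-a": {"10.0.9.12", "project-x-plan"},
    "analyst-b": {"10.0.7.3"},
    "hr": {"hr-memo"},
}

# Indicator weights and alert policy (constructed values).
WEIGHTS = {"need-to-know-violation": 3, "bulk-transfer": 2, "bulk-print": 2,
           "off-hours": 1, "restricted-area": 1}
ALERT_THRESHOLD = 5
PSEUDONYM_KEY = b"constructed-key-rotate-in-practice"


def anonymize(user):
    """The CDR stores a keyed pseudonym rather than the raw identity."""
    return hmac.new(PSEUDONYM_KEY, user.encode(), hashlib.sha256).hexdigest()[:12]


def parse_event(line):
    """Normalize one raw line from any sensor into a common record."""
    source, ts, rest = line.split(None, 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    user = fields.pop("user")
    return {"source": source, "ts": ts, "subject": anonymize(user),
            "role": ROLE[user], **fields}


def build_cdr(lines):
    """Ingest heterogeneous lines into a per-subject repository."""
    cdr = defaultdict(list)
    for line in lines:
        rec = parse_event(line)
        cdr[rec["subject"]].append(rec)
    return cdr


def observables(rec):
    """Derive cyber observables from one normalized record."""
    obs = set()
    hour = int(rec["ts"][11:13])
    if hour < 6 or hour >= 20:
        obs.add("off-hours")
    asset = rec.get("dst") or rec.get("doc")
    if asset and asset not in NEED_TO_KNOW[rec["role"]]:
        obs.add("need-to-know-violation")
    if int(rec.get("bytes", 0)) > 10_000_000:
        obs.add("bulk-transfer")
    if int(rec.get("pages", 0)) > 100:
        obs.add("bulk-print")
    if rec.get("door") == "server-room":
        obs.add("restricted-area")
    return obs


def fuse(cdr):
    """Bottom-up fusion: combine indicators per subject across sources.
    One need-to-know violation puts a subject on the watch list; an alert
    needs a weighted score at or above ALERT_THRESHOLD drawn from at least
    two different sources."""
    findings = {}
    for subject, recs in cdr.items():
        sources_by_indicator = defaultdict(set)
        for rec in recs:
            for ind in observables(rec):
                sources_by_indicator[ind].add(rec["source"])
        score = sum(WEIGHTS[ind] for ind in sources_by_indicator)
        sources = set().union(*sources_by_indicator.values())
        if score >= ALERT_THRESHOLD and len(sources) >= 2:
            verdict = "alert"
        elif "need-to-know-violation" in sources_by_indicator:
            verdict = "watch-list"
        else:
            verdict = "clear"
        findings[subject] = {"score": score, "verdict": verdict,
                             "indicators": sorted(sources_by_indicator)}
    return findings


if __name__ == "__main__":
    for subject, f in fuse(build_cdr(RAW_EVENTS)).items():
        print(subject, f["verdict"], f["score"], f["indicators"])
```

In this constructed data the first subject trips five indicators across all four sources and is alerted, the last subject trips only a need-to-know violation from one source and lands on the watch list, and the other two are clear; the repository never holds the raw user name, only the keyed pseudonym.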
Publications
1. Matzner, Sara Nov. 2004. Approaches to Insider Threat Mitigation. ISSA Journal, Feature article pp.6-8.
2. Matzner, Sara and Tom Hetherington. Summer 2004. "Detecting Early Indications of a Malicious Insider", IA Newsletter, 7(2): 42-45.
3. Maybury, Mark; Sebring, Jeff; Chase, Penny; Cheikes, Brant; Pietravalle, Richard; Costa, Mick; Zarrella, Guido; Gaimari, Bob; Brackney, Dick; Lehtola, Penny; Matzner, Sara; Hetherington, Tom; Marin, Jack; Wood, Brad; Sibley, Conor; Longstaff, Tom; Spitzner, Lance; Haile, Jed; Copeland, John; and Lewandowski, Scott. 2004. Insider Threat Challenge Workshop: Final Report. MITRE Technical Report 04B-14.
4. Maybury, M., Chase, P., Cheikes, B., Brackney, D., Matzner, S., Hetherington, T., Wood, B., Sibley, C., Marin, J., Longstaff, T., Spitzner, L., Haile, J., Copeland, J. and Lewandowski, S. Analysis and Detection of Malicious Insiders. In 2005 International Conference on Intelligence Analysis, Sheraton Premiere, McLean, VA, May 2-4, 2005. http://analysis.mitre.org/proceedings/Final_Papers_Files/280_Camera_Ready_Paper.pdf
5. Spitzner, Lance. "Honeypots: Catching the Insider Threat". ACSAC, Las Vegas, Dec 2003.
References
[DSS 1999] Recent Espionage Cases 1975-1999 (Defense Security Service). Security Research Center. Defense Security Service. Monterey, California September 1999. http://www.dss.mil/training/espionage
[Hanssen 2003] A Review of the FBI's Performance in Deterring, Detecting, and Investigating the Espionage Activities of Robert Philip Hanssen August 14, 2003 Office of the Inspector General. http://www.usdoj.gov/oig/special/03-08/index.htm