A Discussion of the Insider Threat - PowerPoint PPT Presentation

Slides: 12
Provided by: csCmuEdu54
Learn more at: http://www.cs.cmu.edu

Transcript and Presenter's Notes



1
A Discussion of the Insider Threat
(Diagram labels: Outside, Inside)
  • Jason Franklin

2
Example Insider Attack
  • Ivan the insider gets fired and Alf the
    administrator forgets to void Ivan's (login)
    credentials.
  • Ivan goes home, logs in to his work machine and
    takes some malicious action (introduces bugs into
    source, deletes files and backups, etc.)
  • Alternatively, Alf might void Ivan's credentials,
    but forget that Ivan also uses a shared group
    account.
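
The offboarding gap on this slide can be checked mechanically. The following is an added example, not part of the original slides: it audits an account inventory against a termination list and reports both failure modes, a personal account left enabled and a shared credential that has not been rotated since the user left. The inventory fields (`users`, `enabled`, `rotated`), the account names and all dates are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the slides): HR terminations and an
# account inventory. "users" lists everyone who knows the credential.
TERMINATED = {"ivan": date(2024, 3, 1)}
ACCOUNTS = [
    {"name": "ivan", "users": ["ivan"], "enabled": False,
     "rotated": date(2023, 11, 5)},
    {"name": "build", "users": ["ivan", "alf"], "enabled": True,
     "rotated": date(2024, 1, 10)},
    {"name": "backup", "users": ["alf"], "enabled": True,
     "rotated": date(2023, 6, 2)},
    {"name": "deploy", "users": ["ivan", "alf"], "enabled": True,
     "rotated": date(2024, 3, 2)},
]


def audit_offboarding(terminated, accounts):
    """Return (user, account, reason) for every credential that a
    terminated user can still use."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used to log in
        for user in acct["users"]:
            left = terminated.get(user)
            if left is None:
                continue  # still employed
            if len(acct["users"]) == 1:
                findings.append(
                    (user, acct["name"], "personal account still enabled"))
            # Same-day rotation is flagged too: with date-only records we
            # cannot tell whether it happened before or after the user left.
            elif acct["rotated"] <= left:
                findings.append(
                    (user, acct["name"],
                     "shared credential not rotated since termination"))
    return findings


if __name__ == "__main__":
    for user, account, reason in audit_offboarding(TERMINATED, ACCOUNTS):
        print(f"{user}: {account}: {reason}")
```
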

3
Proposed Definition
  • A malicious insider is an adversary who operates
    inside the trusted computing base, basically a
    trusted adversary.
  • The insider threat is an adversarial model
    encompassing all possible malicious insiders.

(Diagram label: Ivan)
4
Example Threats
  • Data corruption, deletion, and modification
  • Leaking sensitive data
  • Denial of service attacks
  • Blackmail
  • Theft of corporate data
  • On and on.

5
Statistics
  • Insider attacks account for as much as 80% of all
    computer and Internet related crimes [1]
  • 70% of attacks causing at least $20,000 of damage
    are the direct result of malicious insiders [1]
  • Majority of insiders are privileged users and
    majority of attacks are launched from remote
    machines [3]

6
Problem Discussion
  • Typical adversarial models ignore the insider
    threat by assuming the TCB is free of threats
  • Insider threat violates this assumption

(Diagram labels: Corporate Network, Firewall/IDS)
7
Prevailing Sentiments (Myths?)
  • Current systems are capable of countering the
    insider threat
  • Insider threat is impossible to counter because
    of the insider's resources and access permissions
  • Insider attacks are a social or organizational
    issue which cannot be countered by technical
    means (Anderson94)

8
Remediation: Initial Thoughts
  • Minimize the size of the TCB to decrease the
    number of possible insiders
  • Distribute trust amongst multiple parties to
    force collusion
  • Most insiders act alone
  • Question trust assumptions made in computing
    systems
  • Treat the LAN like the WAN
  • BroLAN, SANE, etc
  • Others?

9
Is the insider threat unavoidable?
  • If we define an insider as an adversary inside
    the TCB, can we ever eliminate the insider
    threat?
  • Perhaps we can only reduce the number of possible
    insiders or the extent of possible damage?
  • Perhaps we should rely on the lone wolf nature
    of insiders and distribute trust?

10
Discussion
  • Is the insider threat definition a good one?
  • Is the insider an actual threat or just media
    hype?
  • Can/do we build systems that already counter the
    insider threat?
  • Is this worth our time?
  • What's the best paper you could imagine in this
    area?

11
References
  • [1] Jim Carr. Strategies and issues: Thwarting
    insider attacks, 2002.
  • [2] Nathan Einwechter. The enemy inside the
    gates: Preventing and detecting insider attacks,
    2002.
  • [3] National Threat Assessment Center - Insider
    Threat Study, http://www.ustreas.gov/usss/ntac_its.shtml
  • [4] Jason Franklin, Parisa Tabriz, and Matthew
    Thomas. A Case Study of the Insider Threat
    through Modifications to Legacy Network Security
    Architectures, unpublished manuscript.