Research and Development Initiatives Focused on Preventing, Detecting, and Responding to Insider Misuse of Critical Defense Information Systems (PowerPoint transcript)

1
  • Research and Development Initiatives Focused
    on Preventing, Detecting, and Responding to
    Insider Misuse of Critical Defense Information
    Systems
  • Results of a Three-Day Workshop, August 16-19, 1999

2
Background
  • Three-day workshop held at RAND Santa Monica,
    August 16-18, 1999; 35 invited participants
  • Sponsored by Army Research Lab, DARPA, NSA
  • Purpose: to recommend technical R&D initiatives
    addressing the insider threat to DoD info systems
  • ASD/C3I report, DoD Insider Threat Mitigation Plan
    (June 1999), concentrated on near-term steps to be
    taken
  • This workshop focused on the longer-term technical
    R&D required
  • Workshop is expected to be first in a series

3
Policy and Precursors to R&D
  • Technical initiatives must have a supportive
    environment. Required are:
    • Guidance from legal and law enforcement
      communities re. attribution, collection,
      maintenance, processing and storage of data
    • Clear definitions re. what are the critical
      assets on a system
    • Clarity regarding who is an insider
    • Cost/benefit analysis of recommended measures
    • Plans for technology transfer
    • Support for multiple, diverse, concurrent
      approaches

4
Characterizing an Info System Security
Incident (modified from JTF-CND document)
5
Workshop Developed Recommendations in 4 Categories
  • 20 specific recommendations:
    • Threat (4)
    • Prevention (5)
    • Detection (6)
    • Response (5)

6
R&D Recommendations Focused on Insider Threat - Overview
  • T1 Develop reactive configuration controls, in
    which an unauthorized result is mapped back to a
    specific type of threat
  • T2 Develop an insider trust model
  • T3 Develop means to map users to unauthorized
    results
  • T4 Identify signatures of unauthorized results

7
T1 Develop reactive configuration controls -- an
unauthorized result mapped back to a specific type
of threat
  • Research objective: Characterize the insider
    threat
  • Unique insider characteristic: Some routine
    insider activity might be interpreted as
    malicious behavior using an outsider model
  • Research problems:
    1. ID insider misuse characteristics
    2. Compare and contrast insider vs. outsider
       ability to achieve adverse, unauthorized results
    3. Demonstrate traceback of computer security
       events to specific insiders

8
T2 Develop an insider trust model
  • Research objective: Develop a model of trust
    covering the full breadth of organizational roles,
    authorizing degrees of technical configuration
    control privilege
  • Unique insider characteristic: The attributes
    of the trust relationship are the key
    distinguishing factors separating insider from
    outsider
  • Research problems:
    1. A characterization schema with insider roles
       and privileges, covering the full spectrum of
       military operations
    2. Develop parametric sensitivity criteria useful
       in recognizing attempted unauthorized escalation
       of privilege, before a security-breaching event

9
T3 Develop means to map users to unauthorized
results
  • Research objective: Given a system anomaly,
    determine if an insider did it, and if so, which
    one
  • (Note: This recommendation is similar to D3; see
    it for details.)

10
T4 Identify signatures of unauthorized results
  • Research objectives:
    1. Focus insider misuse detection on unique
       vulnerabilities presented by the insider threat
    2. Develop an understanding of insider patterns
       that can be detected by machine
  • Unique insider characteristic: The objective is
    to find insider-distinguishing patterns of misuse
  • Research problems:
    1. Prove that sensors can reliably alert to
       specific examples of signatures identified as
       representing insider misuse

11
R&D Recommendations Focused on Insider Prevention - Overview
  • P1 Develop authentication components
  • P2 Develop access control components
  • P3 Develop system integrity components
  • P4 Develop a bidirectional trusted path to the
    security system
  • P5 Develop attribution components

12
P1 Develop authentication components
  • Research objectives:
    1. Extend technologies to work in multi-tier
       transactional environments
    2. Ability to bind keys and tokens to users
    3. Strong authentication that can scale for
       increasing transaction rates
    4. Ability to include practical revocation and
       recovery
  • Unique insider characteristic: Insiders have
    superior knowledge of asset value, only they can
    abuse trust, and law enforcement is a deterrent
  • Research problems: (Same as research objectives,
    above)

13
P2 Develop access control components
  • Research objectives:
    1. Development of finer-grained access control
       that is affordable
    2. Inter-platform access control management
    3. Reducing mgmt. cost of implementation and
       maintenance of access controls
    4. New types of access control to reduce
       vulnerability to trusted insiders
  • Unique insider characteristic: Insiders have
    superior knowledge of asset value, only they can
    abuse trust, and law enforcement is a deterrent
  • Research problems:
    1. Expert-system-based access control automation
       able to translate natural language policy
       statements into machine-level policy
    2. Meta-access control system for cross-platform
       access management
    3. Ability to prevent insider misuse by security
       administrators and other privileged users

14
P3 Develop system integrity components
  • Research objectives:
    1. Malicious code detection
    2. Arbitrary corruption prevention
    3. Develop boot sequence integrity
    4. Total system configuration management, for
       both hardware and software
  • Unique insider characteristic: Insiders have
    superior knowledge of asset value, only they can
    abuse trust, and law enforcement is a deterrent
  • Research problems: (Same as research objectives,
    above)

15
P4 Develop a bidirectional trusted path to the
security system
  • Research objectives:
    1. Develop cross-platform trusted paths, both ways
    2. Develop two-way trusted paths in distributed
       systems
    3. Find ways to make trusted path concepts and
       techniques widely available in security
       architectures
  • Unique insider characteristic: Insiders have
    superior knowledge of asset value, only they can
    abuse trust, and law enforcement is a deterrent
  • Research problems: (Same as research objectives,
    above)

16
P5 Develop attribution components
  • Research objectives:
    1. Be able to attribute specific actions to
       individual users
  • Unique insider characteristic: Insiders may
    have access to the attribution mechanisms, so
    they must be hardened against insider misuse
  • Research problems: (Similar to D3, below)

17
R&D Recommendations Focused on Insider Detection - Overview
  • D1 Develop profiling as a technique
  • D2 Detect misuse of applications
  • D3 Provide traceability for system-object usage
  • D4 Identify critical information automatically
  • D5 Design systems for detectability
  • D6 Determine unauthorized changes due to
    physical access

18
D1 Develop profiling as a technique
  • Research objectives:
    1. To discriminate between normal and anomalous
       behavior for a given user
    2. To be able to discriminate among users
    3. To create technology that can identify new
       insider-initiated misuse
  • Unique insider characteristic: Ability to
    collect user profile data is unique to the
    insider problem
  • Research problems:
    1. What are the best (sensor) sources of data?
    2. Feature extraction problems
    3. Best algorithms for detection
    4. Fusion/correlation of diverse information
       collected
    5. Scientific evaluation and comparison of
       techniques
    6. Design of contrastive experiments
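One way to realize D1 objectives 1 and 2 in working code: a per-user profile of (action, resource) pairs and time-of-day built from audit records, a surprise score for a new session against the claimed user's own profile (normal vs. anomalous), and a best-match over all profiles (discriminating among users, which is also the T3 question of which insider an anomaly maps to). This is an added example, not material from the workshop; the audit-line format, user names, resources and the 4-hour time buckets are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed audit records for the example: "user action resource hour".
TRAINING_LOG = """
alice read plans.doc 9
alice read plans.doc 10
alice edit plans.doc 11
alice read budget.xls 14
alice edit plans.doc 15
bob read payroll.db 9
bob edit payroll.db 10
bob read payroll.db 13
bob print payroll.db 16
bob read hr.db 14
""".strip().splitlines()

HOUR_BUCKETS = 6  # six 4-hour time-of-day buckets (assumed feature)


def parse(lines):
    """Yield (user, action, resource, hour) from one audit line each."""
    for line in lines:
        user, action, resource, hour = line.split()
        yield user, action, resource, int(hour)


def build_profiles(lines):
    """Per-user counts of (action, resource) pairs and time-of-day buckets."""
    profiles = defaultdict(lambda: {"ops": Counter(), "hours": Counter(), "n": 0})
    for user, action, resource, hour in parse(lines):
        prof = profiles[user]
        prof["ops"][(action, resource)] += 1
        prof["hours"][hour // 4] += 1
        prof["n"] += 1
    return profiles


def surprise(profile, events, vocab_ops, alpha=1.0):
    """Mean -log p(event | profile) with additive smoothing.

    vocab_ops is the number of distinct (action, resource) pairs seen across
    all users, so an unseen pair costs the same against every profile."""
    total = 0.0
    for _user, action, resource, hour in events:
        p_op = (profile["ops"][(action, resource)] + alpha) / (profile["n"] + alpha * vocab_ops)
        p_hr = (profile["hours"][hour // 4] + alpha) / (profile["n"] + alpha * HOUR_BUCKETS)
        total -= math.log(p_op) + math.log(p_hr)
    return total / len(events)


def score_session(profiles, lines, claimed_user):
    """Return (anomaly score against the claimed user's own profile,
    user whose profile the session most resembles)."""
    events = list(parse(lines))
    vocab = len({op for prof in profiles.values() for op in prof["ops"]})
    scores = {u: surprise(prof, events, vocab) for u, prof in profiles.items()}
    return scores[claimed_user], min(scores, key=scores.get)
```

A session that scores far above the claimed user's usual surprise, or that resembles another user's profile more than the claimed user's, is the D1 signal; the threshold itself is the "scientific evaluation" problem the slide lists and is not fixed here.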

19
D2 Detect misuse of applications
  • Research objectives:
    1. Detect insider misuse of given resources and
       privileges
    2. Develop application-level sensors and detectors
       of misuse
    3. Go beyond access controls in user monitoring
    4. Generalize profiles to applications
  • Unique insider characteristic: This is a higher
    layer of detection that is specifically
    applicable to insiders, since system apps and
    processes are available to them
  • Research problems:
    1. Develop techniques for program profiling
    2. Apply this detection technique within
       commercial OSs
    3. Develop application-specific misuse detection
    4. Examine cases of insider misuse; develop a
       weighted threat model or matrix
    5. Develop auditability of object accesses

20
D3 Provide traceability for system-object usage
  • Research objectives:
    1. Be able to determine who uses what, when, and
       how
    2. Detect suspicious exfiltration of data,
       programs, and intellectual property
    3. Provide object-centric traceability
  • Unique insider characteristic: This is quite
    specific to the insider problem, since the vast
    majority of uses of inside system resources is by
    insiders
  • Research problems:
    1. Mandatory watermarking of objects
    2. Embedding audit trails in objects
    3. Apply techniques to text, graphics, source and
       binary code
    4. Retrofit COTS software enabling watermarking of
       intellectual property
    5. Developing appropriate algorithms and
       infrastructure

21
D4 Identify critical information automatically
  • Research objectives:
    1. Machine recognition of critical, possibly
       classified, information by its content
    2. Development of machine-processible
       classification guides (to be used by automated
       recognition procedures)
  • Unique insider characteristic: The description
    and protection of critical information is done
    inside an enterprise, and tailored to unique
    needs of insiders
  • Research problems:
    1. Develop expert systems and/or rule-based
       approaches for recognizing critical content
    2. Investigate statistical modeling approaches
    3. Develop means for reliable detection of
       critical content
    4. Identify ground truth in recognizing critical
       content

22
D5 Design systems for detectability
  • Research objectives:
    1. Develop system architectures that channel
       insider misuse into enclaves
    2. Regulate passage among enclaves by gates that
       are instrumented for observation and response
  • Unique insider characteristic: The intent is to
    make an insider an outsider to enclaves for
    which access is not immediately needed or
    authorized
  • Research problems:
    1. Design of gateways internal to a system that
       partition it into enclaves with separately
       controllable permissions
    2. Resolution of the tension between system/data
       redundancy (for robustness) and concentration
       of critical assets within specific enclaves
    3. Strategic deployment of sensors or tripwires
       based on enclaves

23
D6 Determine unauthorized changes due to
physical access
  • Research objectives:
    1. Investigate and mitigate the risks of physical
       access afforded to insiders
    2. Map physical network changes dynamically
    3. Audit physical changes to detect unauthorized
       changes
    4. Determine unauthorized physical changes in
       real time
  • Unique insider characteristic: Insiders are
    unique in having physical access to many aspects
    of a system
  • Research problems:
    1. Develop effective, automated techniques for
       network mapping
    2. Real-time dynamic change detection
    3. Automatic recognition and notification of
       changes
    4. System profiling and modeling to handle
       dynamic conditions of systems
    5. Scalability of proposed solution to tens of
       thousands of nodes or links

24
R&D Recommendations Focused on Insider Response - Overview
  • R1 Develop a capability for monitoring
    privacy-enhanced systems, such as those using
    encryption
  • R2 Incorporate practical autonomic system
    response into production systems
  • R3 Develop data correlation tools, including
    data reduction for forensics, and visualization
    tools focused on internal misuse
  • R4 Develop a capability for surveillance of
    non-networked components
  • R5 Consider deception technologies specifically
    applicable to the insider threat

25
R1 Develop capability for monitoring
privacy-enhanced systems
  • Research objectives:
    1. Give analysts and investigators the ability to
       inspect encrypted information content during an
       insider incident
  • Unique insider characteristic: Insider use of
    overtly-covert techniques (e.g., encryption)
    disables auditing of potentially unauthorized
    information flows
  • Research problems:
    1. Develop universal decryption tools to aid in
       forensic analysis of insider misuse incidents

26
R2 Incorporate practical autonomic system
response into production systems
  • Research objectives:
    1. Create environmentally aware management
       technology that can dynamically modify privilege
       authorizations and exposure to risk
    2. Ensure that the technology cannot be spoofed by
       an insider
    3. Develop threat response mechanisms that are
       resistant to misuse
    4. Improve the general survivability of software
       products
  • Unique insider characteristic: Insiders have
    distinguished signatures/patterns of misuse
  • Research problems:
    1. Identify insider misuse characteristics
    2. Automatic recognition and notification of
       changes
    3. System profiling and modeling that can handle
       dynamic conditions
    4. Watermark and digital signature technologies to
       tag artifacts as evidence in insider misuse
       investigations

Autonomic: Due to internal causes or influences;
spontaneous
27
R3 Develop data correlation tools, including
data reduction for forensics, and for
visualization
  • Research objectives:
    1. Create multi-medium repositories to store data
       related to insider misuse characteristics,
       incident data, personnel records, etc.
  • Unique insider characteristic: Apprehension of
    insiders requires the rapid accumulation and
    analysis of locally available data from all
    sources
  • Research problems:
    1. Develop insider misuse characterization schema
       encompassing all relevant aspects of the DoD
       information environment
    2. Create info systems that correlate and fuse
       various data sets related to insider phenomena
       and threats to system survivability
    3. Demonstrate capability to correlate
       event-specific information

28
R4 Develop capability for surveillance
of non-networked components
  • Research objectives:
    1. Incorporate multi-dimensional analysis
       capability in insider-misuse-oriented
       information assurance technology
  • Unique insider characteristic: Insider
    footprint spans several technology mediums that
    are not normally accessible in local
    investigative processes
  • Research problems:
    1. Analyze the insider footprint and map sources
       of insider misuse evidence to the
       characterization schema recommended in R3,
       above

29
R5 Consider deception technologies specifically
applicable to the insider threat
  • Research objectives:
    1. Develop deception techniques for information
       systems tailored to discovering malicious
       activities by insiders
    2. Develop policies and procedures guiding use of
       these techniques
  • Unique insider characteristic: Use of deception
    is believed to be a powerful way of discovering
    malicious insider activities, and determining
    their interests and intent
  • Research problems:
    1. Discover what system aspects are amenable to
       the introduction of deceptive techniques
    2. How can such techniques be introduced without
       negative impacts?
    3. Can these techniques be used to discover misuse
       by highly trusted individuals, such as
       sysadmins?
    4. Can they be installed in a manner that prevents
       their misuse?
    5. What are the legal implications of using
       deception in info systems?

30
Source: U.S. Department of Defense
31
Workshop Attendees
  • Adams, Robert; Air Force Information Warfare Center; 250 Hall Rd #139, San Antonio, TX 78243
  • Alvarez, Jorge; Space and Naval Warfare Systems Center; 53560 Hull Street, San Diego, CA 92152
  • Anderson, Robert; RAND Corporation; P.O. Box 2138, Santa Monica, CA 90407
  • Anderson, Karl; NSA R2; 9800 Savage Road, Ft. Meade, MD 20755
  • Arnold, Richard; GTE GSC; 1000 Wilson Blvd. Ste 810, Arlington, VA 22209
  • Barnes, Anthony; Army Research Lab, C41 Systems Branch, AMSRL-SL-EI; Ft. Monmouth, NJ 07703-5602
  • Bencivenga, Angelo; Army Research Lab; 2800 Powder Mill Road, Adelphi, MD 20783
  • Bozek, Thomas; Office of the Secretary of Defense / C3I; 6000 Defense, Rm 3E194, Pentagon
  • Brackney, Richard; NSA R2, RE Bldg; 9800 Savage Road, Ft. Meade, MD 20755
  • Christy, James; ASDC3I/DIAP; Ste. 1101, 1215 Jefferson Davis Highway, Arlington, VA 22202
  • Cowan, Crispin; Oregon Graduate Institute; P.O. Box 91000, Portland, OR 97291
  • Dunn, Timothy; Army Research Lab; 2800 Powder Mill Road, Adelphi, MD 20783
  • Dunphy, Brian; Defense Information Systems Agency; 701 S. Courthouse Rd D333, Arlington, VA
  • Ghosh, Anup K.; Reliable Software Technologies; 21351 Ridgetop Circle, Ste 400, Dulles, VA 20166
  • Gligor, Virgil; University of Maryland, Electrical/Computer Engineering; AVW 1333, College Park, MD 20742
  • Gilliom, Laura; Sandia National Labs; P.O. Box 5800-0455, Albuquerque, NM
  • Goldring, Tom; NSA R23; 9800 Savage Road, Ft. Meade, MD 20755
  • Hotes, Scott; NSA R225, RE Bldg; 9800 Savage Road, Ft. Meade, MD 20755
  • Hunker, Jeffrey; National Security Council; White House 303, Washington, DC 20504
  • Jaeger, Jim; Lucent Technologies; Box 186, Columbia, MD 21045
  • Longstaff, Thomas; CERT/CC; 4500 Fifth Avenue, Pittsburgh, PA 15213
  • Lunt, Teresa; Xerox PARC; 3333 Coyote Hill Road, Palo Alto, CA 94304
  • Matzner, Sara; U. Texas at Austin Applied Research Labs, Information Systems Laboratory; P.O. Box 8029, Austin, TX 78713
  • Maxion, Roy; Carnegie Mellon University; 5000 Forbes Avenue, Pittsburgh, PA 15213
  • McGovern, Owen; DISA; Letterkenny Army Depot, Chambersburg, PA 17201-4122
  • Merritt, Larry D.; NSA; 9800 Savage Road, Ft. George G. Meade, MD 20755
  • Neumann, Peter G.; SRI International; 333 Ravenswood Ave., Menlo Park, CA 94025
  • Skolochenko, Steven; Office of Information Systems Security; 1500 Penn. Ave. NW, Annex, Rm. 3090, Washington, DC 20220
  • Skroch, Michael; DARPA/ISO; 3701 N. Fairfax Dr., Arlington, VA 22203
  • Solo, David; Citibank; 666 Fifth Ave., 3rd Floor/Zone 6, New York, NY 10103
  • Teslich, Robyne; Lawrence Livermore National Laboratory; PO Box 808, Room L-52, Livermore, CA 94550
  • Tung, Brian; USC Information Sciences Institute; 4676 Admiralty Way Ste. 1001, Marina del Rey, CA 90292
  • van Wyk, Kenneth; Para-Protect; 5600 General Washington Drive Ste. B-212, Alexandria, VA 22312
  • Walczak, Paul; Army Research Laboratory; 2800 Powder Mill Road, Adelphi, MD 20783
  • Zissman, Marc; MIT Lincoln Laboratory; 244 Wood Street, Lexington, MA 20420
32
Bibliography (partial)
  • NTISSIC draft, Advisory Memorandum on the Insider
    Threat to U.S. Government Information Systems
    (IS), in PDF and Word formats. This was deemed
    essential reading for participants before the
    workshop.
  • DoD Insider Threat Mitigation Plan: Final Report
    of the Insider Threat Integrated Process Team,
    June 1999 (FOUO). Essential reading before the
    workshop.
  • NIST bulletin, Threats to Computer Systems, March
    1994.
  • Neumann, Peter. The Challenges of Insider
    Misuse. August 1999.