Stopping Insiders before They Attack: Understanding Motivations and Drivers

Insider attacks are able to evade traditional security controls because the perpetrators of the attack often have legitimate access to protected systems and data. Massive logging of user online activity data (e.g. file access or transfer, use of data storage devices, email records) is collected and analyzed to detect insider attacks (e.g. data theft, fraud, policy violation, etc.). Such techniques are fraught with drawbacks and limitations: 1) the proverbial “needle in a haystack problem,” where very little useful information is found in massive data sets, especially where the incidence of malicious insider activities is very small compared to that of legitimate actors; 2) employee privacy issues may exist about the company monitoring employee behavior; and 3) these techniques are largely wanting in their accuracy, leading to notably high false positive rates. Perhaps the most salient limitation of these techniques is that the analyses are post-hoc, and by the time the activity is detected, the insider has already engaged in data theft or exfiltration, the impact of which may not be reversible. This paper discusses the concept of using probes for detection of threats, wherein user intentions to engage in insider attacks can be gauged by sending carefully designed probes that rouse malicious users into acting. In this research, we seek a broad understanding of the scope and relevance of such probes. There are various motivations for users to steal data, including financial gain, patriotic fervor, and disgruntlement with work. In the present experiment, we created simulated conditions to reflect common insider motivations by providing subjects with imagined scenarios, then asking them to take the perspective of insiders in those scenarios, and explicate their actions through a series of structured questions that mimic our probes. The results show the effect of different scenarios in motivating the users, and the effectiveness of different probes in eliciting their actions

Over-claiming as a Predictor of Insider Threat Activities in Individuals

Insiders can engage in malicious activities against organizations such as data theft and sabotage. Prior research on insider threat behavior indicates that once motivated to commit malicious activity, insiders seek opportunity where they can act without being detected. In this research we set up an experiment where we leverage this opportunistic behavior and present participants with messages signaling opportunity for data theft. In the experiment, students were engaged in routine tasks with a bonus based on their performance. While working on their assigned tasks, they were presented with opportunities (probes) to steal data that would increase their payout. Their pre and post probe behavior was observed to test if they engaged in behavior that was deemed suspicious when they received the probe. The goal of the project is to test whether the overclaiming personality trait is a predictor of malicious insider behavior and this was measured through the Over Claiming questionnaire developed by Paulhaus (Paulhaus et al. 2003) The results indicated that over claiming proved to be a strong predictor of malicious insider behavior

Deployment of Next Generation Intrusion Detection Systems against Internal Threats in a Medium-sized Enterprise

In this increasingly digital age, companies struggle to understand the origin of cyberattacks. Malicious actions can come from both the outside and the inside the business, so it is necessary to adopt tools that can reduce cyber risks by identifying the anomalies when the first symptoms appear. This thesis deals with the topic of internal attacks and explains how to use innovative Intrusion Detection Systems to protect the IT infrastructure of Medium-sized Enterprises. These types of technologies try to solve issues like poor visibility of network traffic, long response times to security breaches, and the use of inefficient access control mechanisms. In this research, multiple types of internal threats, the different categories of Intrusion Detection Systems and an in-depth analysis of the state-of-the-art IDSs developed during the last few years have been detailed. After that, there will be a brief explanation of the effectiveness of IDSs in both testing and production environments. All the reported phases took place within a company network, starting from the positioning of the IDS, moving on to its configuration and ending with the production environment. There is an analysis of the company expectations, together with an explanation of the different IDSs characteristics. This research shows data about potential attacks, mitigated and resolved threats, as well as network changes made thanks to the information gathered while using a cutting edge IDS. Moreover, the characteristics that a medium-sized company must have in order to be adequately protected by a new generation IDS have been generalized. In the same way, the functionalities that an IDS must possess in order to achieve the set objectives were reported. IDSs are incredibly adaptable to different environments, such as companies of different sectors and sizes, and can be tuned to achieve better results. At the end of this document are reported the potential future developments that should be addressed to improve IDS technologies further

A Novel Side-Channel in Real-Time Schedulers

We demonstrate the presence of a novel scheduler side-channel in preemptive, fixed-priority real-time systems (RTS); examples of such systems can be found in automotive systems, avionic systems, power plants and industrial control systems among others. This side-channel can leak important timing information such as the future arrival times of real-time tasks.This information can then be used to launch devastating attacks, two of which are demonstrated here (on real hardware platforms). Note that it is not easy to capture this timing information due to runtime variations in the schedules, the presence of multiple other tasks in the system and the typical constraints (e.g., deadlines) in the design of RTS. Our ScheduLeak algorithms demonstrate how to effectively exploit this side-channel. A complete implementation is presented on real operating systems (in Real-time Linux and FreeRTOS). Timing information leaked by ScheduLeak can significantly aid other, more advanced, attacks in better accomplishing their goals

Assessing the Usefulness of Visualization Tools to Investigate Hidden Patterns with Insider Attack Cases

The insider threat is a major concern for organizations. Open markets, technological advances, and the evolving definition of employee have exacerbated the insider threat. Insider threat research efforts are focusing on both prevention and detection techniques. However, recent security violation trends highlight the damage insider attacks cause organizations and illuminate why organizations and researchers must develop new approaches to this challenge. Although fruitful research is being conducted and new technologies are being applied to the insider threat problem, companies remain susceptible to the costly damage generated by insider threat actions. This research explored how visualization tools may be useful in highlighting patterns or relationships in insider attack case data and sought to determine if visualization software can assist in generating hypotheses for future insider threat research. The research analyzes cases of insider attack crimes committed during the period of 1998 to 2004 with an information visualization tool, IN-SPIRE. The results provide some evidence that visualization tools are useful in both finding patterns and generating hypotheses. By identifying new knowledge from insider threat cases, current insider threat models may be refined and other potential solutions may be discovered

Fraud as an Incentive for Change in Corporate America.

In this work, 1 explore the relationship between fraud and related changes in Corporate America with the express intention of showing that in spite of the negativity associated with fraud, it can still act as a mechanism that sets the wheels of change in motion in Corporate America. Of all the different kinds of fraud, this research focused on fraudulent financial reporting in corporations. In order to accomplish this goal, several research questions were examined which were aimed at examining the methods by which fraud is perpetrated, the relationship between fraud and business ethics and the effects fraud has had on various aspects of the society, including government regulation and public confidence in the accounting profession. With regards to government regulation, there was particular focus on the Sarbanes-Oxley Act as one of the major legislations dealing with fraud in corporations. The research findings showed that having a weak corporate ethical culture as well as a weak personal code of ethics were factors that increased the likelihood of perpetrating fraud. The proliferation of cases of accounting fraud has encouraged the growth and development of a new area of accounting called forensic accounting. In addition, this increase has also encouraged government involvement in coiporations, which has changed the face of corporate governance. The research concludes by asserting that fraud could act as an incentive for change in the American corporate world