Evolving Threat series — Mining patterns to assess Insider Attacks (Part 3)

In the previous post we examined a few of the insider attacks published over the current decade. In this post we attempt to mine, extract and classify the patterns associated with these threats, with the intent of automating insider-misuse detection.

The article considers how insider misuse incidents may be classified, giving particular attention to the points in the system at which different forms of misuse would be discernible.

Examples of such patterns, and the points in the system at which each could be observed, are discussed below:

  • Access of prohibited content: User access of prohibited content on the web may be monitored by logging and examining the web addresses accessed.
  • Modifying system configuration: Users may modify system or application configuration files, which changes how the system and its programs behave; such modifications are undesirable because the system may become insecure as a consequence. Comparing configuration files against a known-good baseline (for example, by hash) makes unexpected changes visible.
  • Output redirection: Output from applications may be redirected to undesired destinations (files, networks or machines). The output of certain applications may contain confidential information that should only be sent to appropriate destinations. For example, a backup process may send its backup data to a different machine than usual; here the backup operator may be attempting to move proprietary information out of the company. The output destinations of applications that process important information can be profiled, and deviations from that profile flagged as anomalous.
  • Alteration of audit/forensic log data: Users may alter audit and system accounting files to cover up traces of system abuse. Log files and audit trails should not be modified, even by the system administrator, because they contain evidential information about system abuse. Modification of log files can be monitored to detect users destroying evidence; shipping logs to a separate, append-only store means a local modification no longer removes the record.
  • Batch deletion: Users or processes deleting a large number of files may represent sabotage of a system or its data, so bursts of deletions by a user or process can be monitored to detect possible sabotage. Managerial controls such as separation of duties should also be applied to deletion of files in work folders: for example, one user marks the files that should be deleted, while a different user actually deletes them.
  • Anomalous access of databases: Anomalous database access can result in disclosure of confidential information and in fraud. Insiders may misuse databases containing PII or PHI such as medical records, customer data, personnel records, and statistical information about the business. Query requests by users may be monitored (for example, against each user's usual tables, query volume and working hours) to detect anomalous access.
  • Inputs to applications: Confidential data handled by applications may be passed to encryption or steganographic modules as part of a workflow. Monitoring the input to encryption/steganographic programs can detect users attempting to disguise information before sneaking it out of the organization. This requires a list of the encryption/steganographic programs installed on the system; the file inputs to such programs can then be checked against the set of important confidential files.
  • Inappropriate inputs: Users may type inappropriate input into applications. Inappropriate input can cause an application to crash, behave unexpectedly, or compromise the integrity of its data. Entering data of a different type or format from what the application expects can make it misbehave and corrupt the processed data, and entering values outside the expected range can result in fraud. User input can be monitored at the interface level where users interact with the application; in a client/server environment, user requests (the messages sent to the server) may also be monitored on the server side, where a modified client cannot bypass the check.
  • Function usage: Web applications include many features, some of which are not easily disabled, and use of certain functions may result in disclosure of information or compromised data integrity. Monitoring access to subroutines, function calls and API calls can detect users reaching features and application functions they have no business need for.
  • Supply chain compromise: A rogue insider can introduce a vulnerable open-source component into the organization's supply chain. When such a component becomes reachable from an application's data flow, so that untrusted input reaches its vulnerable code, it can create a condition for remote code execution. Pinning dependencies and reviewing every addition to the dependency manifest makes such introductions visible.

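To make the detection side of several of these patterns concrete, here is an added example (my illustration, not code from ShiftLeft or from the original post) that runs four of the checks above over constructed audit events: batch deletion as a per-user sliding-window count, alteration of audit logs, output redirection as a deviation from a profiled destination, and confidential files passed to encryption tools. The event format, the thresholds, the protected-log paths, the baseline destination set and the sensitive directories are all assumptions chosen for the illustration.

```python
"""Toy detectors for four insider-misuse patterns, run over constructed audit events.

Added example; the event schema, thresholds and paths below are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ev(ts, user, action, **fields):
    """Build one constructed audit record: ISO timestamp, actor, action, extra fields."""
    rec = {"ts": datetime.fromisoformat(ts), "user": user, "action": action}
    rec.update(fields)
    return rec


# Constructed sample events; none of these come from a real system.
EVENTS = [
    # alice deletes six files in twenty seconds: a batch deletion
    ev("2023-04-01T09:00:00", "alice", "unlink", path="/srv/projects/a/spec1.docx"),
    ev("2023-04-01T09:00:03", "alice", "unlink", path="/srv/projects/a/spec2.docx"),
    ev("2023-04-01T09:00:07", "alice", "unlink", path="/srv/projects/a/spec3.docx"),
    ev("2023-04-01T09:00:11", "alice", "unlink", path="/srv/projects/a/spec4.docx"),
    ev("2023-04-01T09:00:15", "alice", "unlink", path="/srv/projects/a/spec5.docx"),
    ev("2023-04-01T09:00:20", "alice", "unlink", path="/srv/projects/a/spec6.docx"),
    # bob deletes two temp files half an hour apart: ordinary housekeeping
    ev("2023-04-01T09:05:00", "bob", "unlink", path="/tmp/build.log"),
    ev("2023-04-01T09:30:00", "bob", "unlink", path="/tmp/build2.log"),
    # root writes to the audit log: tampering, administrator or not
    ev("2023-04-01T10:00:00", "root", "write", path="/var/log/audit/audit.log"),
    # the backup process ships to its usual host, then to an unknown one
    ev("2023-04-01T23:00:00", "backup", "connect", proc="backup", dest="10.0.0.5:22"),
    ev("2023-04-02T23:00:00", "backup", "connect", proc="backup", dest="203.0.113.7:22"),
    # carol encrypts an HR spreadsheet, then her own notes
    ev("2023-04-02T11:00:00", "carol", "exec", tool="gpg", args=["-c", "/srv/hr/salaries.xlsx"]),
    ev("2023-04-02T11:05:00", "carol", "exec", tool="gpg", args=["-c", "/home/carol/notes.txt"]),
]

PROTECTED_LOGS = ("/var/log/audit/", "/var/log/wtmp", "/var/log/secure")  # assumed
DEST_BASELINE = {"backup": {"10.0.0.5:22"}}  # assumed profile learned from a baseline period
CRYPTO_TOOLS = {"gpg", "openssl", "steghide", "7z", "zip"}  # assumed installed-tool inventory
SENSITIVE_DIRS = ("/srv/hr/", "/srv/finance/", "/srv/customers/")  # assumed confidential roots


def batch_deletion(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per user who deletes at least `threshold` files inside a sliding window."""
    recent = defaultdict(deque)  # user -> timestamps of unlinks still inside the window
    alerts, flagged = [], set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] != "unlink":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:  # drop deletes that fell out of the window
            q.popleft()
        if len(q) >= threshold and e["user"] not in flagged:
            flagged.add(e["user"])
            alerts.append(("batch_deletion", e["user"], f"{len(q)} deletes within {window}"))
    return alerts


def log_tampering(events):
    """Any write, unlink or truncate on an audit trail is an alert; root gets no exemption."""
    return [
        ("log_tampering", e["user"], e["path"])
        for e in events
        if e["action"] in ("write", "unlink", "truncate")
        and e.get("path", "").startswith(PROTECTED_LOGS)
    ]


def anomalous_destination(events, baseline=DEST_BASELINE):
    """Flag network output from a profiled process to a destination outside its baseline."""
    return [
        ("anomalous_destination", e["user"], f'{e["proc"]} -> {e["dest"]}')
        for e in events
        if e["action"] == "connect" and e.get("proc") in baseline
        and e["dest"] not in baseline[e["proc"]]
    ]


def sensitive_input_to_crypto_tool(events):
    """Flag execution of an encryption/steganography tool with a confidential file as input."""
    alerts = []
    for e in events:
        if e["action"] != "exec" or e.get("tool") not in CRYPTO_TOOLS:
            continue
        hits = [a for a in e.get("args", []) if a.startswith(SENSITIVE_DIRS)]
        if hits:
            alerts.append(("crypto_tool_input", e["user"], f'{e["tool"]} {" ".join(hits)}'))
    return alerts


def run_all(events=EVENTS):
    """Run every detector over the events and return the combined (rule, user, detail) list."""
    alerts = []
    for detector in (batch_deletion, log_tampering, anomalous_destination,
                     sensitive_input_to_crypto_tool):
        alerts.extend(detector(events))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in run_all():
        print(f"{rule:22} {user:8} {detail}")
```

Each detector maps to a different observation point named in the list: the deletion and log checks read file-system audit records, the destination check reads network connect records attributed to a process, and the crypto-tool check reads process-execution records with their arguments. In practice the baseline set and the sensitive-directory list would be learned or maintained rather than hard-coded, and the alerts would feed a case queue rather than stdout.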
The goal is to evolve such insider taxonomies, which in turn enable building classification models to detect insider attacks.

Evolving Threat series — Mining patterns to assess Insider Attacks (Part 3) was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Chetan Conikee. Read the original post at: