Insider Threat Assessment: a Model-Based Methodology

Nicola Nostro, Andrea Ceccarelli, Andrea Bondavalli
University of Firenze, Viale Morgagni 65, Firenze, Italy
{nicola.nostro, andrea.ceccarelli, bondavalli}@unifi.it

Francesco Brancati
Resiltech S.r.l., Piazza Nilde Iotti 25, Pontedera (Pisa), Italy
francesco.brancati@resiltech.com

ABSTRACT

Security is a major challenge for today's companies, especially ICT companies that manage large-scale cyber-critical systems. Among the multitude of attacks and threats to which a system is potentially exposed are insider attackers, i.e., users with legitimate access who abuse or misuse their privileges, leading to unexpected security violations (e.g., acquiring and disseminating sensitive information). These attacks are very difficult to detect and mitigate because of the nature of the attackers, who are often employees of the company motivated by socio-economic reasons, and because the attackers operate within the restrictions they have been granted. As a consequence, insider attackers constitute a real threat to ICT organizations. In this paper we present our methodology, together with the application of existing supporting libraries and tools from the state of the art, for insider threat assessment and mitigation. The ultimate objective is to define the motivations and the target of an insider, investigate the likelihood and severity of potential violations, and finally identify appropriate countermeasures. The methodology also includes a maintenance phase during which the assessment can be updated to reflect system changes. As a case study, we apply our methodology to the crisis management system Secure!, which includes different kinds of users and is consequently exposed to a large set of potential insider threats.
Categories and Subject Descriptors
C.2.0 [General]: Security and protection
K.6.5 [Computers and Education]: Security and Protection: authentication, unauthorized access
K.6.m [Computers and Education]: Miscellaneous: security

General Terms
security, standardization, verification.

Keywords
security; insider threats; risk assessment; attack path.

1. INTRODUCTION

Today's ICT organizations constantly face the challenge of ensuring high degrees of security and privacy. Security measures are carefully selected and maintained, mainly with the intent of protecting the organization from external threats, and several tools and solutions are available for this purpose, firewalls for example. Fewer solutions are available for mitigating threats coming from within the company, that is, from its own employees; these threats, which we refer to as insider threats, are most often mitigated almost exclusively through regulations and policies [6]. For example, insiders to an organization such as former or newly fired employees, or system administrators, might abuse their privileges to conduct masquerading, data harvesting, or simply sabotage attacks. Although some intrusion detection systems offer insider threat detection capabilities, it is still very difficult to characterize all the threats, transform them into rules (or, in the case of anomaly-based intrusion detection, instruct the detector to identify them as anomalies), and effectively detect intruders. The problem of insider threats has been, and still is, widely discussed in the literature, because it is particularly challenging to identify insiders and mitigate the possible threats they pose to a system. It should also be considered that an insider's behaviour may have socio-economic roots, and that false positives in insider attack detection may have severe consequences for an organization (e.g., because of the impact of false accusations of insider threats on both the individual and the organization [7]).
Mitigation may consist of prevention, including deterrents such as strict regulations, surveillance and legal consequences, or of detection methods and procedures that help protect the system. It is evident that protecting against insider threats requires studying the socio-economic profiles of the users, the assets they use, their actions, and the impact of those actions on the assets, the system and the organization. This calls for a tailored insider threat assessment activity that takes socio-economic aspects into account while identifying the attacks, their impact on the system and organization, and possible countermeasures. In this paper we tackle this problem by proposing a methodology for insider threat assessment and mitigation. The methodology has the following features: i) it is tailored to the challenges posed by insider threats; ii) although it benefits from the support of attack libraries and tools for system and attack modeling, it does not impose restrictions on the characteristics of the libraries and tools to be used; iii) it takes socio-economic aspects into account, including a description of the profile of the attacker; iv) it relies on model-based formalisms of the system and of the attack paths to analyze threats and evaluate countermeasures. The methodology first defines the system requirements and the attacker profiles, then identifies the threats, the attack paths and the potential countermeasures. The methodology also includes a maintenance phase during which

Copyright 2014 by the Authors. Permission for classroom and personal use is granted, providing this notice appears on all copies. This work is based on an earlier work: "A methodology and supporting techniques for the quantitative assessment of insider threats", in the Proceedings of the 2nd International Workshop on Dependability Issues in Cloud Computing (DISCCO'13, September 30 2013, Braga, Portugal), Copyright ACM, 2013. http://dx.doi.org/10.1145/2506155.2506158
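To make concrete the kind of attack-path analysis the introduction refers to (enumerating the paths an insider can take to a violation, weighting them by the likelihood that a given attacker profile performs each step and by the severity of the violation reached, and re-running the analysis after a countermeasure removes a step), the following is an added illustrative example. It is not the paper's formalism, not code from the authors or from the Secure! project, and the states, actions, probabilities and severity values are constructed assumptions chosen only to exercise the logic.

```python
"""Illustrative insider attack-path assessment (added example, not the paper's model).

States describe what an insider has achieved; an edge is an action moving the
insider to the next state, weighted with an ASSUMED probability that an insider
with the profiled motivation performs it. All values below are constructed.
"""
from typing import Dict, List, Tuple

Edge = Tuple[str, str, float]          # (next_state, action, assumed probability)
Path = Tuple[List[str], float]         # (actions taken, path likelihood)

# Constructed sample model: assumed profile is a disgruntled system administrator.
SAMPLE_EDGES: Dict[str, List[Edge]] = {
    "admin_login":      [("read_db_creds", "read config file", 0.8),
                         ("disable_audit", "stop audit daemon", 0.3)],
    "read_db_creds":    [("dump_customer_db", "run bulk export", 0.5)],
    "disable_audit":    [("dump_customer_db", "run bulk export", 0.7)],
    "dump_customer_db": [("exfiltrate", "copy to USB", 0.6)],
}

# Assumed severity (1-10) of the violation represented by each target state.
SAMPLE_SEVERITY: Dict[str, int] = {"exfiltrate": 9}


def enumerate_paths(edges: Dict[str, List[Edge]], start: str, target: str) -> List[Path]:
    """Depth-first enumeration of all simple paths from start to target.

    The likelihood of a path is the product of the per-step probabilities,
    i.e. the steps are assumed independent (a modelling assumption).
    """
    found: List[Path] = []

    def dfs(state: str, visited: set, actions: List[str], likelihood: float) -> None:
        if state == target:
            found.append((list(actions), likelihood))
            return
        for nxt, action, p in edges.get(state, []):
            if nxt in visited:          # keep paths simple: no cycles
                continue
            dfs(nxt, visited | {nxt}, actions + [action], likelihood * p)

    dfs(start, {start}, [], 1.0)
    return found


def rank_paths(paths: List[Path], severity: Dict[str, int], target: str):
    """Rank paths by risk = likelihood * severity of the violation reached."""
    sev = severity.get(target, 0)
    return sorted(((lik * sev, lik, actions) for actions, lik in paths), reverse=True)


def apply_countermeasure(edges: Dict[str, List[Edge]], blocked_action: str) -> Dict[str, List[Edge]]:
    """Model a countermeasure that makes one action impossible (edges with it are removed)."""
    return {s: [e for e in es if e[1] != blocked_action] for s, es in edges.items()}


def assess(edges: Dict[str, List[Edge]], start: str, target: str,
           severity: Dict[str, int]) -> Tuple[int, float]:
    """Return (number of attack paths, worst-case risk) for one attacker start and target."""
    ranked = rank_paths(enumerate_paths(edges, start, target), severity, target)
    worst = ranked[0][0] if ranked else 0.0
    return len(ranked), worst


if __name__ == "__main__":
    for label, model in [
        ("baseline", SAMPLE_EDGES),
        ("audit daemon protected", apply_countermeasure(SAMPLE_EDGES, "stop audit daemon")),
        ("removable media blocked", apply_countermeasure(SAMPLE_EDGES, "copy to USB")),
    ]:
        n, worst = assess(model, "admin_login", "exfiltrate", SAMPLE_SEVERITY)
        print(f"{label}: {n} path(s), worst-case risk {worst:.2f}")
```

Running the script shows how a countermeasure is evaluated on the model rather than in isolation: protecting the audit daemon removes one path but leaves the worst-case risk unchanged, because the highest-risk path never relied on disabling auditing, whereas blocking removable media cuts every path to the target. Real assessments would take the per-step probabilities from the attacker profile and the severities from the asset inventory rather than from constructed constants.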