A methodology and supporting techniques for the quantitative assessment of insider threats

Nicola Nostro, Andrea Ceccarelli, Andrea Bondavalli
University of Firenze, Viale Morgagni 65, Firenze, Italy
{nicola.nostro, andrea.ceccarelli, bondavalli}@unifi.it

Francesco Brancati
Resiltech S.r.l., Piazza Nilde Iotti 25, Pontedera (Pisa), Italy
francesco.brancati@resiltech.com

ABSTRACT
Security is a major challenge for today's companies, especially ICT companies that manage large-scale cyber-critical systems. Among the multitude of attacks and threats to which a system is potentially exposed are insider attackers, i.e., users with legitimate access who abuse or misuse their privileges, leading to unexpected security violations (e.g., acquiring and disseminating sensitive information). These attacks are very difficult to detect and mitigate because of the nature of the attackers, who are often company employees motivated by socio-economic reasons, and because the attackers operate within the permissions they have legitimately been granted: insider attackers therefore constitute an actual threat to ICT organizations. In this paper we present our ongoing work towards a methodology, with supporting libraries and tools, for insider threat assessment and mitigation. The ultimate objective is to quantitatively evaluate the likelihood that a user will perform an attack, the severity of the potential violations and their costs, and finally to select countermeasures. The methodology also includes a maintenance phase during which the assessment is updated as the system evolves. The paper discusses future work towards the completion of the methodology.

Categories and Subject Descriptors
K.6.5 [Management of Computing and Information Systems]: Security and Protection: authentication, unauthorized access
K.6.m [Management of Computing and Information Systems]: Miscellaneous: security

General Terms
Security, Standardization, Verification.

Keywords
Security; insider threats; risk assessment; attack path.

1. INTRODUCTION
Today's ICT organizations constantly face the challenge of ensuring high degrees of security (and privacy). Security measures are carefully selected and maintained, mainly with the intent of protecting the organization from external threats, and several tools and solutions are available for this purpose, for example firewalls. Far fewer solutions are available for mitigating threats coming from within the company, that is, from its own employees; these threats, which we refer to as insider threats, are most often mitigated almost exclusively through regulations and policies [6]. For example, insiders such as former or newly dismissed employees, or system administrators, might abuse their privileges to conduct masquerading, data harvesting, or simply sabotage attacks. Although some intrusion detection systems offer insider threat detection capabilities, it remains very difficult to characterize all the threats, translate them into rules (or, in the case of anomaly-based intrusion detection, train the detector to flag them as anomalies), and effectively detect intruders. The problem of insider threats has been, and still is, widely discussed in the literature, because it is particularly challenging to identify insiders and mitigate the threats they pose to a system. Two aspects must be considered: an insider attack may have socio-economic roots, and a false positive may have severe consequences for an organization (consider the impact of a false accusation of insider threat on both the individual and the organization [7]). Mitigation may consist of prevention (including deterrents such as strict regulations, surveillance, and legal consequences), or of detection methods and procedures that help protect the system.
It is therefore evident that protecting against insider threats requires a deep study of the socio-economic profiles of the users, their possible actions, and the impact of these actions on the system and on the life of the organization. This calls for a tailored insider threat assessment activity that takes socio-economic aspects into account while identifying the attacks, their impact on the system and on the organization, and the possible countermeasures. We aim to tackle this problem by proposing a methodology for insider threat assessment and mitigation; this paper presents our ongoing work towards its completion. The methodology has the following features: i) it is tailored to the challenges posed by insider threats; ii) it is supported by a set of libraries and tools; iii) it takes socio-economic aspects into account, including a description of the attacker's profile; iv) it relies on model-based formalisms of the system and of the attack paths to quantitatively analyze threats and evaluate countermeasures. The methodology first defines the system requirements and the attacker profiles, then identifies the threats,

DISCCO '13, September 30 2013, Braga, Portugal. Copyright is held by the owner/author(s). Publication rights licensed to ACM. ACM 978-1-4503-2248-5/13/09…$15.00. http://dx.doi.org/10.1145/2506155.2506158