"Repel the Outside" (攘外) but Don't Forget to "Secure the Inside" (安内): A Discussion of Insider Threat Research


Zhao Bigheng, Zuo Xiaodong

(Key Laboratory of Information Security, Chinese Academy of Sciences, Beijing 100039, China)

Introduction

The media keeps reporting on hackers. While this guides people to raise their information security awareness, it also strongly steers their attention toward defending against threats from the outside. That is important, but one-sided. Threats to information security come from both "inside" and "outside"; external causes act through internal ones, and a fortress is most easily breached from within. Although surveys of threats rarely forget to list "Insider Threat" among them, the lack of effective solutions to insider threats means that even in this field most people's awareness of insider threats stays at the level of a general concept. For a long time, research on insider threats has been close to a blank spot in the security field. This paper therefore discusses the latest international developments in insider threat research, hoping to draw the research community's attention to solutions for insider threats, and takes the opportunity to call out: "repel the outside" but don't forget to "secure the inside"!

1. Insider threats are coming toward us

Specific security solutions must target specific security threats. Therefore almost every text that introduces security systematically discusses the various kinds of security threats, and "insider threat" inevitably gets a "seat". Figure 1 shows the classification of security threats in the Information Assurance Technical Framework (IATF) published by the US National Security Agency.

In fact, as early as the 1990s we can find experts discussing insider threats, but what has recently led people to pay more attention to insiders comes from two directions:

The first is the Hanssen espionage case at the US Federal Bureau of Investigation (FBI) in the first half of 2001. A senior FBI employee, Hanssen acted as a spy for the former Soviet Union and then Russia for 15 years, selling a large amount of core national secrets. What is more, under the FBI's strict security system he could even read FBI case files to judge whether his espionage had aroused the FBI's suspicion.

The Hanssen case shocked the United States, and its aftershocks have not yet subsided. Security experts exclaimed: "The most important lesson we take from this incident is that the threat comes from inside, not outside." And again: "Security ... first and foremost, is about people and policies."

The second is a series of computer crime statistics, which have also prompted more people to pay attention to insider threats.

According to a survey of 359 companies conducted by the FBI and the Computer Security Institute (CSI), unauthorized access to and abuse of IT systems by insiders caused these companies more than 50 million US dollars in losses in 2000. Among them, 38% of the companies had experienced one to five incidents of insider abuse of duty, while 37% said they did not know how many insider-related security incidents had occurred.

Information security professionals at home and abroad are gradually recognizing that the external intrusion incidents hyped by the media account for only 20%-30% of all security incidents, while 70%-80% of security incidents originate from the inside. Statistics from different channels differ slightly, but in China, insider crimes (or crimes related to insiders) generally account for the large majority of cases. A rough tally of the computer crime incidents reported in this year's media is enough to show this trend.

Figure 1: Classification of security threats (IATF)

As insider threats intensify, insiders have shown the characteristics of "highly harmful, hard to defend against and hard to detect": (1) Insiders have the easiest access to sensitive information, their actions are highly targeted, and what they damage is often the organization's core data and resources. (2) Generally speaking, the information security measures of most organizations "guard against the outside but not the inside"; for example, the firewalls that many companies rely on for their security have no effect on insider attacks, which is embarrassing. (3) Insiders are very familiar with the organization's operations, structure and culture, so they are rarely noticed while acting and are hard to identify afterwards. Therefore, whether we view the state and future of information security optimistically or pessimistically, we can appreciate that the insider threat has already become a severe reality and is gradually coming toward us, while we still lack systematic, theoretical research on it.

2. The historical stages of insider threat research

Internationally, insider threats received attention relatively early and some fairly deep research has been done. Broadly, insider threat research can be divided into three stages.

The enlightenment stage

The distinctive feature of this stage is that there was no clear concept of "insider threat", yet means of controlling insiders were already consciously incorporated into the implementation of security policy. The most representative example is the access control mechanism discussed in the US Department of Defense's TCSEC (the "Orange Book") in the 1980s. Access control operates after the authentication mechanism has done its job; obviously, once a visitor has passed authentication they already count as an insider, so access control can be said to realize a check on the authority of insiders. Today we may take access control mechanisms for granted, but from the perspective of "insider threat" their significance is considerable.

The awareness stage

No sector is more sensitive about information than the military, so historically the military was the first to pay attention to insider threats. However, its study of insider threats remained at the conceptual level, without mature ideas; people were eager to solve the problem but felt at a loss. In the end this stage only produced a certain awareness and understanding of the characteristics and harm of insiders, laying some groundwork for later research; that is why we call it the "awareness stage". Research in many places today still stops here.

Representative research at this stage came from the US Department of Defense (DoD), which realized that insiders pose the largest threat to critical defense information systems and set up a process team to study the threat. In June 1999 the team issued the report "DoD Insider Threat Mitigation Plan: Final Report of the Insider Threat Integrated Process Team". The report's shortcoming is its short-term outlook: it hopes to weaken insider threats in a short time and at little cost, so its practical value is quite limited. It also defines "insider" too broadly, even extending it to all employees of vendors such as Microsoft and Cisco, so its theoretical significance outweighs its practical one.

The primary research stage

The concept of information security has expanded greatly. The United States adopted the concept of "information assurance" to deal with critical infrastructure protection, and the "insider" problem, facing a new historical period and new ideas and technologies, again attracted attention at a higher level. We call this the "primary research stage". Unlike the first two stages, it includes systematic study of insider threat solutions and many trials. But because of the complexity of "insider threat", this research is still at a primary level.

The Insider Threat Research series of conferences organized by the well-known RAND Corporation (a think tank serving the US government and intelligence community) on behalf of the US military (including the Office of the Secretary of Defense among others) is a representative result of this stage. Two RAND conferences have been held (August 16-18, 1999, and August 30 to September 1, 2000), each with about 40 participants from the military, research, industry and government. These two meetings essentially reflect the highest level of current insider threat research, and their ideas, methods and results are of great reference value.

3. The first RAND conference

The theme of the first RAND conference was "R&D activities for preventing, detecting and responding to insiders in critical defense information systems". Its main purpose was to recommend and launch technical research projects related to insiders in order to address insider threats.

(1) Prelude

The RAND conference held that before deciding on the direction, focus and R&D projects for insider research, a series of preparatory activities in concept and policy are needed so that the R&D activities can be carried out effectively. Specifically:

1. Legal and law-enforcement agencies should give the research community clear guidelines and requirements for the distribution, collection, maintenance, processing and storage of data.

One way to guard against insiders is to strengthen the use of audit and forensic tools, but before the research community can develop effective tools for collecting insider crime data, it needs clear policies and requirements from legal and law-enforcement agencies on how such data, audit trails and similar information should be handled.

2. The "key assets" covered by the concept of "insider abuse" need to be clearly defined.

Determining key assets is the first step before any protection measure, and insider threat research is no exception. When determining key assets, one must also make clear which actions on those assets count as "abuse", because the same action carried out by different people can be of a different nature. This poses a new problem for "determination of key assets": previously this work did not involve determining "abuse" (because conventional key-asset determination targeted external threats).

3. What an "insider" is needs to be clearly defined.

The definition of "insider" is in fact a big problem in insider research. Participants, when discussing it, joked that the role of the insider is like the color of a chameleon. The RAND conference took great pains over this, and participants raised many questions in the hope that they would gradually make the definition of "insider" clear.

Defining the environment

Physical access, the "spatial boundary". Does the "insider threat" include physical access to key assets? Physical access sometimes exceeds the control range of the information system.

Computer access, the "logical boundary". How should computer protection boundaries (such as routers, firewalls and protective applications) be viewed with respect to insiders?

Law-enforcement environment. Are there relevant provisions and requirements that allow law enforcement to prepare for and respond to insider incidents?

Defining the insider

Normal, abnormal, malicious. What is the insider's intent? "Normal" insider behavior poses no threat. "Abnormal" insider behavior may include everyday mistakes, which may unintentionally weaken the system or disclose private information. "Malicious" is the behavior of an insider acting with malicious intent.

Novice to skilled. What level of skill does the insider have? This includes the quantity and quality of their skills, and how much they know about detection.

Knowledge of the internal environment. How much does the insider know about the spatial or logical boundaries of the system they work in? The meeting discussed the varying degrees of knowledge and understanding of the internal environment.

Inherent privilege. What physical and administrative privileges does the insider hold? This is related to knowledge of the internal environment.

Degree of closeness. The relationships among insiders, their roles and privileges, and how closely they are bound to the organization need to be considered; this helps to understand the insider threat better. Permanent employees, temporary employees, contractors, former employees, system developers and so on should be distinguished in order to determine opportunity, motive, technique and system vulnerability.

Person versus code/hardware. Is the insider an individual person, or software, firmware or hardware? Participants discussed at length that an insider need not be a human individual. For example, malicious code can be seen as a typical, general but crude insider threat.

After these discussions the RAND conference reached the following understandings (note that they are not a consensus):

An "insider" can be defined in terms of technical and managerial roles (and the trust relationship corresponding to each role) and the access rights held within an organization's control domain. Insiders can be distinguished from outsiders in three respects: (1) knowledge of the internal environment; (2) speed of attack; (3) ease of access.

The law-enforcement and technical communities understand the term differently. For law enforcement, insider threats involve authorized personnel applying internal knowledge, damage caused by insiders, and the betrayal of trust relationships. For technicians, insider threats are events that occur within a security boundary (such as a firewall), so anyone operating within the protection domain of an organization or system can be an "insider".

Software agents and mobile code technology, the fusion of multiple information technologies, and new bugs introduced while fixing the Y2K (millennium) bug belong to non-human "insider threats", and resources external to an organization may also generate "insider threats", such as "collaborative insider threats".

In addition, the RAND conference analyzed the causes of insider threats in the Department of Defense and reached preliminary conclusions, which are omitted here for lack of space. One can see how much energy the participants spent on the concept of the insider itself, which is very instructive for us.

4. Cost/benefit analysis. Implementing an insider threat solution is very likely to have a large impact on system efficiency, so a cost/benefit analysis is necessary and must be carried out before the solution is implemented. However, the "cost" and "benefit" involved in insider threats are hard to estimate. This is a new topic, and it is recommended that economists, organizational researchers and researchers from other fields join in to solve it together.

5. Detection should include, but not be limited to, host-based information. Because most security work assumes an external attack, it focuses on external interfaces and the network; for insider threats, detection and monitoring systems should pay attention to internal hosts and clients.

6. Accelerate technology transfer. For a long time there has been a huge gap between research and prototype development of security technology on the one hand and testing, evaluation and deployment on the other. For insider threat solutions, time does not permit such a gap, so the transfer of insider threat research results into practice should be accelerated.

7. There are many effective non-technical solutions to insider threats. The working group of the RAND conference stressed that although the conference focused on R&D activities from a technical perspective, there are many non-technical measures (such as training and education) for dealing with insiders.

8. Develop case studies of insider abuse. To guide R&D activities and other policies, a large amount of accurate data is needed on insiders' purposes, means, skill levels, success rates and so on.

9. There are many different measures and they should be implemented in parallel. Participants held that a "defense in depth" strategy is very important: a variety of different measures must be implemented at the same time, as much sensing and information as possible should be obtained from a large number of detectors and protection systems, and this information should be coordinated and correlated. Participants specifically pointed out that in the particular case of "insiders" one can even say there is no "vulnerability", because insiders have legitimate identities, which is completely different from external attacks. Therefore, people should not expect the insider problem to be solved completely.

(2) Insider threats and vulnerabilities

"Insider threats and vulnerabilities", together with "prevention", "detection" and "response" discussed below, were the focus of the first RAND conference. For each part the conference identified corresponding projects. In discussing insider threats, the researchers gradually made the notion of "insider threat" clearer.

Figure 2: Information system security incidents

Figure 2 shows the difference between an incident, an attack and a specific event, characterizes the attacker in terms of motive, access, skills and tools, and reveals the role that detection technology plays when an event occurs. As the figure shows, a specific threat consists of four parts:

Motive

Opportunity to act

A vulnerability in the target information system

The skill to exploit the vulnerability

Any threat analysis should at least be carried out under a constraining mechanism, that is, one must determine at what point the risk becomes unacceptable (the threshold).

The working group of the RAND conference characterized threats in three dimensions:

How "reachable" (i.e. exposed or at risk) key components and sensitive data are, and the cost associated with that.

The frequency and intensity of events, and the cost of detecting them.

The impact of insider threats on the business and on technology.

Insider threats involve at least the following roles, and the risk from each role is different:

Authorized user

CERT staff

Network administrator

System maintenance personnel

System administrator

Building maintenance personnel

Information security officer

Building security personnel

Based on the above understanding, the RAND conference identified the following research activities related to "insider threats and vulnerabilities":

Link the results of insider attacks to specific insider threats and develop tools for responsive configuration control

When insider abuse is detected, there should be a corresponding method to determine the nature and harm of the threat the event represents. Based on these, tools can be used to move the system into a different configuration as an incident response, minimizing the harm.

Develop an insider trust model

"Insider" in fact covers many roles; the trust level of each role should be determined and these different trust levels expressed in a machine-readable form.

Develop tools that map illegal results to users

When the system detects an illegal result, was it caused by an insider? If so, how can it be traced to a specific user? The tools to be developed here address this problem.

"Signatures" for identifying illegal results

When abuse occurs we need "indicators" of the event; otherwise there is no way to confirm the threat at any level. Therefore "signatures" of illegal results should be developed based on case studies and the possible forms of abuse.

(3) Prevention

The RAND conference recommended developing a series of components for preventing insider threats:

Create an authentication component

Authentication is one of the most traditional and basic security measures, but many authentication techniques do not apply to complex systems or systems with complex interactions, and an insider may even be fully capable of defeating the authentication component, so creating an authentication component aimed at insider threats is extremely important. This component must work in multi-level processing environments, must be bound to the user's key and token, and must cover behaviors such as logout and recovery. Its performance and operational standards must meet user needs, for example the ability to handle 1000 transactions per second.

Develop an access control component

Against insider threats, access control is a very basic means. However, compared with previous thinking, we need finer-grained access control to reduce vulnerability to insiders, for instance per file, per transaction or per packet, although such granularity is of course also expensive. In addition, access control should work across different platforms. Research goals also include reducing the cost of managing and maintaining access control, and developing new access control mechanisms that reduce the vulnerability to trusted insiders. Furthermore, the person who administers access control is the first insider, and this problem has to be handled too.

Develop a two-way trusted path for secure systems

Even if a system's integrity and authentication problems have been solved, a malicious user may still obtain system privileges by other means, for example by stealing login names and passwords with a spoofed graphical user interface. A possible solution is to create a genuine trusted path for the secure system, which is a very fundamental part of a security architecture.

Develop an attribute binding component

Every specific action should be tied to an individual. Watermarking or fingerprinting technology will play an important role here. However, an insider may be able to access such a mechanism directly and defeat it. A possible solution is to use strong encryption in the attribute binding mechanism.

(4) Detection

The RAND conference recommended launching the following research projects on detecting insider threats:

Develop profiling into a technology

A "user profile" contains characteristic information that distinguishes one user from others (note that "user" can also refer to processes, commands, functions and so on).

Such a profile can include information such as the files and processes usually accessed, the period of time usually spent after login, keystroke patterns and many other attributes. With such a profile, anomaly detection can be developed for illegal behavior that has not been encountered before the incident, for which the previously used signature-based approaches do not work.
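As an added illustration (not code from the original article or from the RAND projects it describes), the following Python sketch builds per-user profiles from constructed audit records and flags later events that deviate from the profile in several respects at once. The record format, the one-hour tolerance on login times and the alert threshold are my assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed baseline audit records: (user, hour_of_day, file_accessed, process_run).
BASELINE = [
    ("alice", 9, "/srv/hr/payroll.xls", "excel"),
    ("alice", 10, "/srv/hr/leave.xls", "excel"),
    ("alice", 14, "/srv/hr/payroll.xls", "mail"),
    ("alice", 16, "/srv/hr/leave.xls", "excel"),
    ("bob", 8, "/srv/eng/build.log", "make"),
    ("bob", 11, "/srv/eng/src.tar", "tar"),
    ("bob", 15, "/srv/eng/build.log", "make"),
    ("bob", 17, "/srv/eng/src.tar", "scp"),
]

# Constructed events to score against the profiles.
NEW_EVENTS = [
    ("alice", 10, "/srv/hr/payroll.xls", "excel"),  # fits the profile
    ("bob", 16, "/srv/eng/build.log", "make"),      # hour within tolerance
    ("bob", 12, "/srv/hr/payroll.xls", "tar"),      # one deviation only
    ("alice", 2, "/srv/eng/src.tar", "tar"),        # off-hours, unseen file and process
    ("carol", 9, "/srv/hr/leave.xls", "excel"),     # no profile at all
]


@dataclass
class Profile:
    """What a user normally touches and when (the 'user profile' of the text)."""
    files: set = field(default_factory=set)
    processes: set = field(default_factory=set)
    hours: set = field(default_factory=set)


def build_profiles(records):
    """Learn one Profile per user from baseline records."""
    profiles = defaultdict(Profile)
    for user, hour, path, proc in records:
        p = profiles[user]
        p.files.add(path)
        p.processes.add(proc)
        p.hours.add(hour)
    return dict(profiles)


def score_event(profile, event):
    """Return the list of deviations; an empty list means the event fits the profile."""
    _user, hour, path, proc = event
    reasons = []
    # Assumed tolerance: a login hour is normal if within one hour of a seen hour.
    if not any(abs(hour - h) <= 1 for h in profile.hours):
        reasons.append("off-hours")
    if path not in profile.files:
        reasons.append("unseen-file")
    if proc not in profile.processes:
        reasons.append("unseen-process")
    return reasons


def detect(profiles, events, threshold=2):
    """Alert on events with at least `threshold` deviations, or from unknown users."""
    alerts = []
    for ev in events:
        profile = profiles.get(ev[0])
        if profile is None:
            alerts.append((ev, ["unknown-user"]))
            continue
        reasons = score_event(profile, ev)
        if len(reasons) >= threshold:
            alerts.append((ev, reasons))
    return alerts


if __name__ == "__main__":
    for event, reasons in detect(build_profiles(BASELINE), NEW_EVENTS):
        print(event, reasons)
```

A single deviation (bob reading an HR file with his usual tool at his usual hour) stays below the threshold, which is what keeps the detector from alerting on everyday mistakes.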

Abuse detection for applications

Many people concerned with "insiders" usually pay attention only to improper access to data. But another useful warning sign of insider abuse is improper use of processes and applications in the system. This should not be ignored.

Provide the ability to track the use of system objects

It is very necessary to develop audit trails for the usage paths of system objects and programs. Once an insider is suspected, the audit trail can be used to investigate their access to system objects.

Automatically identify key information

Contemporary information systems often collect gigabytes of data and information, and a static list of key files and processes can no longer be taken in at a glance. This research involves automatically identifying the key information in a system.

Develop system design principles that make detectability one of the system's main features

Detecting abuse by an insider is very difficult. If the architecture and the system are designed with the detectability of abuse specifically in mind, this work becomes easy.

Be able to detect unauthorized changes related to physical access

An important characteristic of insiders is that they usually hold some level of physical access to the system's equipment. Therefore they can make physical changes to the system, such as installing an additional temporary client or host, or moving a cable or modem plug on the network, which is extremely dangerous. Detecting such physical changes in real time is therefore very important.

(5) Response

On responding to insider threats, the RAND conference recommended launching the following research projects:

Develop monitoring techniques for systems with confidentiality enhancements, such as systems using encryption mechanisms

File or data encryption has been adopted in many information systems, which adds no small difficulty to monitoring abuse, especially when insiders have access to those confidentiality-enhancing mechanisms. New mechanisms are therefore needed to monitor confidentiality-enhanced systems effectively.

Build automatic response capabilities into the system

Insiders can cause enormous damage in a moment, so events must be detected within a short time window in order to quickly block or mitigate the damage, which means automatic response processes must be used. The problem is: how to stay effective without causing side effects? In particular, if the insider knows such an automated system is in use, he can exploit the system itself, for example by triggering the automatic response to degrade the system's performance. If system developers build response-related capabilities into the system, launching automated responses becomes very easy. But which capabilities are those? Are they easy to implement? What incentives do the government and military need to provide to get these capabilities introduced into commercial off-the-shelf systems? These questions are to be considered and resolved in the research.

Develop data correlation tools, including computer forensics tools and visualization tools for insider abuse

To respond to a potential abuse event or one that has actually occurred, data from multiple sources must be correlated and analyzed; related data must be captured and stored for computer forensics, and complex patterns must be visualized. In this way a comprehensive understanding of an abuse event can be reached, which aids the response. But such tools are extremely scarce at present.

Provide the ability to monitor non-network components

Not all information system components are online or can be queried for related data. Phone records, attendance cards, various hardware settings and so on are relevant to response, but data from these sources are hard to correlate and fuse, and what is needed now is the ability to collect these data in real time.
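As an added example of the data correlation the two preceding items call for (my code, not the article's or RAND's), the following Python fuses a non-network source, a constructed badge-reader log, with constructed console login records: a local login at a time when the badge system says the user is not on site is reported for investigation. The record formats, the five-minute grace period and the assumption that the logins are at the physical console are mine.

```python
from datetime import datetime, timedelta

# Constructed door badge records: (user, timestamp, "in" or "out").
BADGE = [
    ("alice", "2001-03-05 08:55", "in"),
    ("alice", "2001-03-05 17:40", "out"),
    ("bob", "2001-03-05 08:30", "in"),
    ("bob", "2001-03-05 12:10", "out"),
    ("bob", "2001-03-05 13:05", "in"),
    ("bob", "2001-03-05 18:00", "out"),
]

# Constructed console login records: (user, timestamp, host).
LOGINS = [
    ("alice", "2001-03-05 09:02", "hr-ws1"),
    ("alice", "2001-03-05 19:15", "hr-ws1"),   # after alice badged out
    ("bob", "2001-03-05 12:30", "eng-ws3"),    # while bob was out at lunch
    ("bob", "2001-03-05 15:00", "eng-ws3"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def presence_intervals(badge):
    """Pair each 'in' with the next 'out' per user; an unmatched 'in' is open-ended."""
    intervals = {}
    open_in = {}
    for user, ts, direction in sorted(badge, key=lambda r: parse(r[1])):
        t = parse(ts)
        if direction == "in":
            open_in[user] = t
        elif user in open_in:
            intervals.setdefault(user, []).append((open_in.pop(user), t))
    for user, t in open_in.items():
        intervals.setdefault(user, []).append((t, None))
    return intervals


def present_at(intervals, user, t, grace=timedelta(minutes=5)):
    """True if the badge data place the user on site at time t (with an assumed grace)."""
    for start, end in intervals.get(user, []):
        if start - grace <= t and (end is None or t <= end + grace):
            return True
    return False


def correlate(badge, logins):
    """Return console logins that the badge system cannot account for."""
    intervals = presence_intervals(badge)
    return [(u, ts, h) for u, ts, h in logins if not present_at(intervals, u, parse(ts))]


if __name__ == "__main__":
    for login in correlate(BADGE, LOGINS):
        print("login without badge presence:", login)
```

A hit here is a lead for the responder, not proof of abuse: a propped door or a colleague's badge produces the same pattern, which is why the text wants several sources fused rather than any one trusted alone.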

Consider applicable deception techniques

"All warfare is based on deception": deception techniques have long played a key role in military operations, whether offensive or defensive. In insider threat research, deception techniques help in understanding insiders from more perspectives, especially the intent of malicious insiders and their understanding and use of system equipment. The focus of this research is the proper use of deception techniques to gain an understanding of the attributes of malicious insiders.

Designing insider threat R&D projects was the main achievement of the first RAND conference. These research projects are not very mature, only initial ideas, and some face implementation difficulties, such as the research on deception techniques (which is more meaningful in a military setting). But we can see that all of these projects have been thought through deeply: each project has a description of its background, research objectives, project review criteria, its particular meaning for insider threats and the possible problems in the research (omitted here for lack of space). More importantly, these R&D projects turn the abstract concept of "insider threat" into concrete objects that can be grasped, which is more meaningful than the projects themselves.

