This management framework and a policy to manage the
This chapter describes the preliminary concepts and presents
current approaches for insider threats detection. The chapter begins with the
definition and some background of insider threats. Next, it presents the
related works on the detection of user misbehaviour.
2.1 Insider threats:
An insider to an enterprise can be identified as a user who is
granted a privileges to act within a specific environment he can use it.
Insider threats include users misusing those privileges, potentially causing
violations of confidentiality, data or system integrity, system survivability,
identity management, accountability, denials or distribution of services, and
anything else can be classified as abuse of trust. 4
Another suggested definition of insider must be defined with
respect to a set of rules that is part of a security policy:
“A trusted entity that is given the power to violate one or
more rules in a given security policy… the insider threat occurs when a
trusted entity abuses that power.” 5
2.2 Types of insiders:
The insider threats can be categorized based on the intent of the
insider into many types non-malicious insiders, users that do actions, that can cause harm to an organisation, without
ill intent (include user error, for example executing commands in a production
environment believing it is testing environment or losing a company hard drive
or using non-approved tools to accomplish tasks)6. The second type is malicious users or
employees who are aware of their actions and the negative impact to the organisation,
and continue that course of action. The last type is compromised insiders it’s
a situation where the user credentials have been guessed or captured as part of
a targeted attack in this case the entity behind the account is not an employee
– the use of legitimate credentials would show up as if it were an employee.
2.3 Privilege vs non Privileged Insider
knowledge come from experience, the aware of environment and projects.
will understanding of environments, have privilege that can be abuse.
that can be used directly to exploit the system.
But it can
be limited by implementing good separation of duties.
serious and the impact maybe disaster even if separation of duties is implemented
the privileges will overcome it.
Table 1 Insider vs
2.4 Problems in Managing the Risk of Insider
A commonly accepted risk management framework and a
policy to manage the risk of insider threats do not exist. Risk is defined as
(probability of an event) times (consequences of the event).
of insider threats can cause high impact to enterprise both in long and short
terms this can include disruption of business process, loss of reputation, and
2.5 Type of Insider Attacks
There are three insider attacks can be
considered the misuse of access, access
control failure, and bypassing defences 7. Any type of insider attack has technical and
non-technical approaches to mitigate them:
• access misuse : here the insider has privileges
required to complete his job and those privileges misused, there is no
technical approach to prevent this form of attack because the insider access
is legitimated on the other hand the
process of detection is hard.
• The Bypassing of defence: the insiders located
within the perimeter of enterprise, this give them many advantages over outside
attacker for example enterprise implement firewall as first layer of defence
the insider located under the firewall layer so this layer of defence is
already bypassed. To remediate this problem the detection of employee and staff
behaviour and or anomalous must be implemented.
• Access control failure: The insiders take the
advantage of technical issues or the misconfiguration of access control technique
2.6 Approaches for Insider Threat Mitigation
There are different technical approaches can used
to mitigate insider threat
2.6.1 Implementation of Policies in Enterprise
Information security policy is a set of policies
issued by an enterprise to ensure that all information technology users within
the domain of the enterprise or its networks comply with rules and guidelines
related to the security of the information and assets owned by enterprise 8.
The implementation of security policy is IT
personnel or sometimes this job assigned to expert team to design complete and
accurate policy that help in securing the enterprise business process and
enterprise assets and set consequences in case of violation. The best policy in
the case of insider threat must contain monitoring and enforcement procedure 8.
The research done by Oliver and et al. indicate
that the good implementation of information security policy in enterprise that clearly
identify the role of employees, what the enterprise expect from them and how
they should perform can help in mitigation and control the insider threat 9 .
2.6.2 Access Control
The access control is used to prevent insider from
attacking enterprise, and focus on protect and limit the access to electronic
resources, this technic build base on two factors: authorization, at this point
the user credentials is checked and a decision is made wither the requested
access will granted or not (if a user credential is sufficient to the requested
type of access) and authentication to identify the user identity to system 10.
The perfect access control grants the user the
required privilege to perform his tasks, this access constrained with rules
like granting the least privilege required, separation of duties between the
users and the ability to scale the privilege 10.
The researches emerged many important access
control technologies: Discretionary
Access Control (DAC), Mandatory
Access Control (MAC), Role-Based Access
Control (RBAC), Task Based Access
Control (TBAC), and Attribute-Based Access
Control (ABAC), etc. The traditional
access control technologies include DAC and MAC.
are given permissions to resources by an admin or root.
is given based on user’s identity.
to system resources are based on the role given to a user by the
are assigned to tasks and users can only obtain the permissions
during the execution of tasks.
Table 2 access control and granting access
2.6.3 Monitoring or Detection
the domain of insider threat detection monitoring and detection can used
alternately, monitoring contain all the technic used to insider attacks
researches indicate that insider threat that works within their privileges can
cause large damage this damage can be detected by observing the pattern of user
behaviour, misuse detection, anomaly detection.
detectors analyse system activity, looking for events or sets of events that
match a predefined pattern of events that describe a known attack. The basic
idea is to use the knowledge of known attack patterns and apply this knowledge
to identify attacks in various sources of data being monitored. Therefore,
misuse detection based IDSs attempt to detect only known attacks based on
predefined attack characteristics.
Signature based Approach
based approach of misuse detection works just similar to the existing
anti-virus software. In this approach the semantic characteristics of an attack
is analysed and details is used to form attack signatures. The attack
signatures are formed in such a way that they can be searched using information
in audit data logs produced by computer systems.
detectors identify abnormal unusual behaviour on a host or network 7. They
function on the assumption that attacks are different from legitimate activity and
can therefore be detected by systems that identify these differences. Using
statistical method for anomaly detection is one of the oldest techniques
applied in IDS research. In this approach, the normal user behaviour is first
defined based on what is acceptable within the system usage policies.
2.6.4 Integrated Approaches
Many researches integrate different approaches to
test their effectiveness in mitigation of insider threats.
2.6.5 Predictive Modeling
work has been done to predict threatening insider activity. Altheby proposed a
prediction-detection model based on knowledge (that insiders accumulate in
their work) and dependencies among different objects and documents pertaining
to the organization 11.
2.7 Related Work
definition of trust : “Trust is a
subjective expectation an agent has about another’s future behaviours based on
the history of their encounters”12.
defined by the likelihood of situation and its consequences if it occurs 13.
In this type of access control system administrator
is responsible of creating roles and assign permission to roles, RBAC provide
the map between user and permission.
Figure 1 RBAC model
2.7.4 Related work on RBAC Extended with Risk and Trust
In spite of the benefits an enterprise can
gain from implantation of RBAC, it can’t stop users that are not behaving as
expected. Because of that many approaches have integrated trust.14
In the research done by Sudip and Indrajit
they propose to extend the RBAC with trust, each user have trust interval that
indicate to witch role he will be assigned. This model changes the nature of
RBAC systems where the users must be assigned in to role depending on their
functionality in enterprise not their trustworthiness 14. Another research by Fujun and et al. that
enhance the RBAC in this model the role is assigned based on a context
information in addition to trustworthiness 15.another research propose approach similar
to the last one but they add the risk of
the operation to the loop If the risk of the action will be taken is less than
the trust level, the user will grant the access.
In 16, each role is assigned a minimum level of
confidence and each user a clearance level. Based on these values, the risk
associated with a user activating a role is calculated. Objects and actions are
assigned a value according to their importance and criticality. However, this
work does not mitigate insider threats as the trust levels of users is a static
value that does not depend on users’ behavior. In addition, Ma et. al 16 do not consider role hierarchy in their
work and do not present experimental results.
Other studies aims to eliminate the risk
exposure, one of them proposed to use the risk analysis to assign permissions
to the role, permissions assigned by system admins, then we notice the roles
will organized depends on risk values 17 . another one propose a model that edit
policies to remediate the risk exposure, this model add headache to the system
administrators as the status of policy is unknown, and the attempts to modify
it may leads to errors 18.
Another model was consider cost assignment
for permissions, this cost depends on the risk of operation, the users within
the same role may not be able to activate the same role, if there is authorized
role permit the user access then the cost is reduce, if there is no authorized
role the cost will increased, if the user budget can cover the cost he will
grant the access, this model was not practical as the users with large budget
can abuse it and try to access unauthorized resource without being noticed 19.
Table 3 Comparison Trust
As a conclusion of related works all the models
required set of values and administration efforts in separation of duties, none
of them analysis the way the role activation will mitigate the insider threat
and how the role will be revoked if the access behavior start to be risky.
Additional limitation current approaches can’t detect the inference of
Another point this research focus on
privileged users detection such as IT personnel and system administrators,
whose responsible of setting roles and implementing policies. Privilege
insiders usually abuse their roles so there is a need to monitor their behavior
to detect the action taken some time the detected action may seem malicious
activity while in reality it’s part of the user tasks. So detection of behavior
only is not the suitable solution.