Novel Insider Threat Techniques: Automation and Generation of Ad Hoc Digital Evidence

It is well known that in today's information systems the vast majority of threats come from outside. To mitigate the effects of those threats, several countermeasures have been proposed. Conversely, the same approach has not been adopted against insider threats, since such menaces come from the inside. Indeed, insiders are not considered enemies, and so less attention has been focused on them. What is worse, those who act from the inside have remarkably more access rights to information than external attackers. In this work we show how to perform some actions on behalf of someone else who is unaware that the actions are being carried out. If those actions are illicit or illegal, this can become a serious problem that can result in the indictment of whoever is considered responsible. Moreover, in order to validate our proposal, we consider the adoption of two different techniques. The first is to automate as much as possible the actions to be performed by an insider. The second is to prepare ad hoc digital evidence to thwart an investigation aimed at establishing the dynamics of the malicious activity. Clearly, the combination of these two techniques amplifies and magnifies the effects of the nasty activity and also makes the identification of the guilty party more difficult. Finally, this paper illustrates some typical scenarios where the proposed approach can be easily adopted and shows that recent technologies and devices can be more and more powerful tools in the hands of malicious insiders.
