2 Related Work
When examining how to develop a model that can encompass the insider threat,
one research area analyzed was attack tree methodologies [7]. Researchers have
proposed that the attack tree is a sufficient tool for addressing the outside threat
and assessing the security of a system against a compromise [4,5,8]. In the attack
tree structure, the attacker's goal is the root node, and the different ways of
achieving that goal are depicted as the leaf nodes.
Traditional attack trees are not capable of capturing the insider threat in an
effective manner [2]. As shown in [3], they do not provide a comprehensive model
for analysis of vulnerabilities. One of the more significant problems is that the
insider may already have the required rights to perform their malicious actions.
Additionally, the focus of the attack tree is on obtaining the goal represented by
the root node. It is inherently difficult to quantify the motives or goals of the
malicious insider in a truly analyzable manner because individual attributes are
not measurable and may vary drastically from person to person.
In this paper, we propose a hierarchical tree approach capable of providing a
complete malicious insider taxonomy by using a systems engineering approach
rather than the goal oriented objectives associated with attack trees. The premise
of our model is that it focuses on activities of the malicious insider and not their
traits or attributes. Randazzo et al. demonstrate that malicious insiders do not
share a common profile, so there must be a different tangible way to produce
a taxonomy if measurable results are to be obtained [6]. The solution that we
have chosen to implement is to methodically investigate possible actions through
functional decomposition, which addresses the problems associated with
modeling the insider threat using traditional attack trees. By exploring actions
and not the individual or their motives, no user is excluded from our model.
Additionally, an action either occurs or it does not, so the methodology is
measurable and analyzable. This systematic approach produces a viable solution
to the differences inherent among individuals and can effectively model their
malicious behavior.
3 Methodology
To ensure the model adequately addresses the insider threat, it is necessary to
clearly define the aspects that are being captured. In this context, an insider is
any individual who has been granted any level of trust in an information system.
This description does not limit the insider to specific borders such as firewalls,
routers, or a local area network. The system itself could be a conglomeration of
networks. What is important is that once users have been granted any authorized
explicit right to the information system, they are now considered an insider and
are part of the system Protection State.
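The definition just given ties insider membership to the system's Protection State, the set of explicit rights the next paragraph describes. As an added example (not code from the paper), the following Python models that state as an immutable set of (subject, object, permission) triples, an assumed representation, so that every privilege change produces a new state and insider membership follows directly from holding any right:

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# A right is an explicit (subject, object, permission) triple, e.g. ("alice", "payroll.db", "read").
# The triple form is an assumption of this example; the paper does not fix a representation.
Right = Tuple[str, str, str]


@dataclass(frozen=True)
class ProtectionState:
    """Snapshot of every explicit right granted in the information system."""

    rights: FrozenSet[Right] = frozenset()

    def insiders(self) -> FrozenSet[str]:
        # Anyone holding at least one explicit right is an insider, whatever their network location.
        return frozenset(subject for subject, _, _ in self.rights)

    def allows(self, subject: str, obj: str, permission: str) -> bool:
        # True when the action already lies inside the state: no privilege change is needed to perform it.
        return (subject, obj, permission) in self.rights

    def grant(self, subject: str, obj: str, permission: str) -> "ProtectionState":
        # A privilege change never mutates the current state; it transitions to a new one.
        return ProtectionState(self.rights | {(subject, obj, permission)})

    def revoke(self, subject: str, obj: str, permission: str) -> "ProtectionState":
        return ProtectionState(self.rights - {(subject, obj, permission)})


def transition_delta(before: ProtectionState, after: ProtectionState):
    """Rights added and removed by one transition: the unit a privilege audit log would record."""
    return after.rights - before.rights, before.rights - after.rights


def walk_sample_transitions():
    # Constructed sample rights, not taken from the paper.
    s0 = ProtectionState(frozenset({
        ("alice", "payroll.db", "read"),
        ("alice", "payroll.db", "write"),
        ("bob", "wiki", "read"),
    }))
    s1 = s0.grant("carol", "wiki", "read")   # carol's first right makes her an insider
    s2 = s1.revoke("bob", "wiki", "read")    # bob's last right removed: he leaves the state
    return s0, s1, s2
```

Note that `allows` succeeding for alice on payroll.db in the initial state is exactly the case the paper flags: the insider may already hold the rights the action needs, so no transition occurs that an attack tree would capture.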
The Protection State is the manifestation of all trust rights for all users
and objects in the information system. The Protection State encompasses all
activities that are allowed according to organization policy or system access
controls. Any change in privileges will transition it to a new state. The core