Information Security Education Journal Volume 2 Number 1 June 2015
The common vector patterns used by an insider fall into one of the following categories: printing activity, disabling defense tools, use of removable media, changes in employee behavior, and remote access and Windows clipboard activity (Crawford et al., 2013). Different mechanisms or tools can help detect one of these categories, but no single detection tool or technology is effective at detecting all of the categories together. For example, network monitoring is useful for incoming connections from outside the organization, but activity that stays on the workstation goes undetected by network monitoring. Workstation monitoring gives more clues about what the activities of the employees are. There are also hardware mechanisms that can be compromised and that are most of the time overlooked by security staff. One example is Cisco network devices, which include detection capabilities that can help detect intruders or malicious traffic, but most of the time Cisco routers are left with the default or factory configuration. Understanding that network devices process all traffic in a network and need to be secured is a must to avoid insider attacks (Young et al. 2013).
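The point that no single monitoring source sees every vector category, and that workstation and network views have to be combined, can be made concrete with a small correlation script. The following is an added example and not code from the paper or from CyberCIEGE; the log format, the event names, the user names and the one-hour window are constructed for illustration. It tags host and network events with the vector categories above and raises an alert only when one user triggers two or more distinct categories inside the window, so that a VPN login on its own or a print job on its own stays quiet.

```python
"""Correlate host and network monitoring events into insider vector categories.

Added example (not from the paper). Event names, log format, users and the
one-hour correlation window are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical raw event names mapped to the vector categories of
# Crawford et al. (2013). A real deployment maps its own sources here.
HOST_EVENT_CATEGORY = {
    "PRINT_JOB": "printing",
    "AV_SERVICE_STOPPED": "defense_tools_disabled",
    "USB_STORAGE_MOUNTED": "removable_media",
    "CLIPBOARD_LARGE_COPY": "clipboard",
}
NET_EVENT_CATEGORY = {
    "VPN_LOGIN": "remote_access",
    "RDP_INBOUND": "remote_access",
}

# Constructed sample logs in the form "timestamp|source|user|event|detail".
HOST_LOG = """\
2015-06-01T22:05:00|host|alice|AV_SERVICE_STOPPED|service=endpoint-av
2015-06-01T22:09:30|host|alice|USB_STORAGE_MOUNTED|vol=E:
2015-06-01T22:12:10|host|alice|CLIPBOARD_LARGE_COPY|bytes=4200000
2015-06-01T09:15:00|host|bob|PRINT_JOB|pages=3
2015-06-02T03:40:00|host|carol|USB_STORAGE_MOUNTED|vol=F:
"""
NET_LOG = """\
2015-06-01T21:58:00|net|alice|VPN_LOGIN|src=203.0.113.7
2015-06-02T03:35:00|net|carol|RDP_INBOUND|src=198.51.100.4
"""


def parse(log_text, mapping):
    """Turn log lines into (time, source, user, category, detail) tuples.

    Events with no category mapping are dropped rather than alerted on.
    """
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, user, event, detail = line.split("|", 4)
        category = mapping.get(event)
        if category is None:
            continue
        events.append((datetime.fromisoformat(ts), source, user, category, detail))
    return events


def categories_seen(events):
    """Which vector categories a given monitoring view can observe at all."""
    return sorted({e[3] for e in events})


def correlate(events, window=timedelta(hours=1), min_categories=2):
    """Per user, report the first window holding >= min_categories categories.

    One category alone (a print job, a VPN login) is normal business; several
    categories clustering in a short window is the insider pattern.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e[2]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort()  # chronological; tuples start with the timestamp
        for i, (t0, *_) in enumerate(evs):
            cats = {e[3] for e in evs[i:] if e[0] - t0 <= window}
            if len(cats) >= min_categories:
                alerts[user] = sorted(cats)
                break
    return alerts


if __name__ == "__main__":
    host = parse(HOST_LOG, HOST_EVENT_CATEGORY)
    net = parse(NET_LOG, NET_EVENT_CATEGORY)
    for name, view in (("host only", host), ("network only", net), ("combined", host + net)):
        print(f"{name:13s} sees {categories_seen(view)} -> alerts {correlate(view)}")
```

Run stand-alone, the host-only view alerts on alice but never sees the remote-access category, the network-only view sees nothing but remote access and alerts on nobody, and only the combined view also catches carol, whose inbound RDP session and USB mount each look harmless to one source on its own.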
This paper attempts to develop a training module for each of these types of insider threat and to explain in detail the nature of each one and how to prevent and mitigate it. The goals of these modules are the following:
• Learn about information technology sabotage, insider fraud and IP theft attacks, the consequences of these attacks and the vulnerabilities exploited by the attackers.
• Train about security policy creation to avoid the attacks mentioned before.
• Train about the effective application of workstation and network security mechanisms.
• Internalize and learn concepts that can be applied in real-world scenarios of information technology sabotage, insider fraud and IP theft.
Figure 2. Overview of the information technology sabotage module
Figure 3. Overview of the IP theft module
Figure 4. Overview of the insider fraud module
Information technology sabotage is the type of crime committed by a former or current employee, contractor, or business partner who has authorized access to the organization's data, systems or networks. The crime is committed when the insider misuses or exceeds the level of access to these assets with the intention to harm a specific individual, the organization's data, reputation or systems, or to disrupt daily business operations. An overview of the module is presented in Figure 2.
Theft of intellectual property, according to the CERT Insider Threat Center, is the most damaging type of insider crime and causes the greatest financial losses to the organizations suffering from these attacks. As an example from a case in the CERT insider threat database, an attack in which a secret document was stolen cost the victim company almost $1 billion in R&D costs. Theft of intellectual property is defined as the means by which an individual steals intellectual property from an organization using information technology. This includes industrial espionage, where an insider steals secret formulas, patents, or documents to take to their next company or to a competitor. In 10 years of investigation CERT has classified insiders who commit IP theft as male in 94% of the cases, scientists/engineers in 44%, and programmers in 10% of the cases.
This module attempts to train and teach the player the following concepts:
• Learn about IP theft attack vectors, the consequences of these attacks and the vulnerabilities exploited by the attackers.
• Understand the common attack pattern of IP theft attacks and the creation of policies to counteract these attacks.
• Train about the effective application of workstation and network security mechanisms.
The CyberCIEGE SDK, the Scenario Development Tool (SDT) and the Scenario Definition Language (SDL) are used to design the IP theft module. In the design of this module the attack vectors are presented, and the player experiences the consequences of the attacks if he did not put the correct preventive mechanisms in place.
The module ends once a successful attack has been committed or when all the vulnerabilities have been addressed successfully by the player. An overview of the module is presented in Figure 3.
Insider fraud is the use of IT for the purpose of modification, addition or deletion of the organization's data (not systems or programs) with the aim of personal gain. It also covers the theft of information that leads to an identity crime (identity theft, credit card fraud). Identity crime is the misuse of personal identifiers with the purpose of gaining something of value or of facilitating other criminal activities. According to the CERT Insider Threat Center, fraud is the most prevalent crime in their database. Fraud crimes are not limited to the financial sector. The primary motivation for fraud is financial gain. All the cases in the CERT database that involved organized crime were fraud cases. In organized fraud cases the information is usually sold to an outsider, and it is this person who commits the fraud.
The CyberCIEGE SDK, the Scenario Development Tool (SDT) and the Scenario Definition Language (SDL) are used to design the insider fraud module. In the design of this module the attack vectors are presented, and the player experiences the consequences of the attacks if he did not put the correct preventive mechanisms in place.
The module ends once a successful attack has been committed or when all the vulnerabilities have been addressed successfully by the player. An overview of the module is presented in Figure 4.
One lab is built for each insider threat category, and more hands-on labs can be set up based on different scenarios.