<?xml version="1.0" encoding="utf-8"?>

<feed xmlns="http://www.w3.org/2005/Atom">
    <title>CERT Blogs</title>
    <link rel="alternate" type="text/html" href="https://www.cert.org/blogs/" />
    <link rel="self" type="application/atom+xml" href="https://www.cert.org/blogs/atom.xml" />
    <id>tag:www.cert.org,2011-05-17:/blogs//4</id>
    <updated>2012-05-01T10:33:34Z</updated>
    
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type Pro 4.35-en</generator>

<entry>
    <title>CERT Basic Fuzzing Framework 2.5 Released</title>
    <link rel="alternate" type="text/html" href="https://www.cert.org/blogs/certcc/2012/04/cert_basic_fuzzing_framework_v.html" />
    <id>tag:www.cert.org,2012:/blogs/certcc//1.91</id>

    <published>2012-04-30T15:00:00Z</published>
    <updated>2012-05-01T10:33:34Z</updated>

    <summary>Hi folks, Allen Householder here. In addition to the recent introduction of our new Failure Observation Engine (FOE) fuzzing framework for Windows and Linux Triage Tools, we have updated the CERT Basic Fuzzing Framework (BFF) to version 2.5. This post...</summary>
    <author>
        <name>Allen Householder</name>
        
    </author>
    
        <category term="Discovery" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Research" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Vulnerability" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="https://www.cert.org/blogs/certcc/">
        <![CDATA[<p>Hi folks, Allen Householder here. In addition to the recent introduction of our new <a href="/blogs/certcc/2012/04/cert_failure_observation_engin.html">Failure Observation Engine (FOE)</a> fuzzing framework for Windows and <a href="/blogs/certcc/2012/04/cert_triage_tools_10.html">Linux Triage Tools</a>, we have updated the <a href="/vuls/discovery/bff.html">CERT Basic Fuzzing Framework (BFF)</a> to version 2.5. This post highlights the significant changes.</p>
]]>
        <![CDATA[<p><strong>BFF now runs on both OS X and Linux</strong></p>
<p>BFF was originally developed for Linux. With the development of FOE, we gained a fuzzing framework for Windows. BFF 2.5 adds support for Mac OS X using the same underlying Python code as on Linux. The main difference is that on OS X we use CrashWrangler as the debugger instead of gdb. An installer for Mac can be found on the BFF download page.</p>
<p><strong>Support for multiple seed files</strong></p>
<p>One  of our most-requested features was to allow BFF to fuzz multiple seed  files. BFF now applies a machine learning technique to observe the  campaign results and can adjust its efforts to focus on the seed files that  produce the most unique crashes. This all happens automatically as the  campaign progresses. A similar technique is applied to the rangefinder feature introduced in <a href="https://www.cert.org/blogs/certcc/2011/02/cert_basic_fuzzing_framework_b.html">BFF 2.0</a>.</p>
<p><strong>Crashes found during minimization get analyzed as well</strong></p>
<p>After  we added the improved crash minimization feature to BFF in our previous  release, we noticed that the minimizer was encountering other new unique  crashes while doing its thing. In BFF 2.0, those crashes were simply  ignored. Now they are processed along with the crashes found using zzuf.  In our experience developing BFF 2.5, this has improved our crash yield  significantly.</p>
<p><strong>Minimizer tuned for performance</strong></p>
<p>The  more crashes BFF finds, the more time it can wind up spending in the  crash minimization cycle. Because of this, it's important that the  minimization process be as efficient as it can be. We've made some  algorithmic improvements to the minimizer to optimize it for speed.</p>
<p><strong>Optional minimization-to-string feature</strong></p>
<p>Say you have a crashing test case, but you really need to get it to a proof-of-concept exploit. The problem is when you load the crash into your debugger you can't easily tell which registers, stack values, or memory locations are under your control. But what if you could change the crashing test case so that it had only the bytes required to cause that crash, and the rest were all masked out with a fixed value, say "x" (<em>0x78</em>)? Then you'd know that if you saw EIP=<em>0x78787878</em>, you may already be a winner. The minimize-to-string option does just that.</p><br />
<div width="100%">
    <img src="http://www.cert.org/blogs/certcc/minimized-sm.png" alt="minimized.png"  />
<img alt="minimized-to-x-sm.png" src="http://www.cert.org/blogs/certcc/minimized-to-x-sm.png"  />
</div>
<p></p>
<p>The image on the left shows a crashing PDF test case prior to being minimized and the image on the right shows the minimized version filled with mostly <em>0x78</em>s. Since (a) it tends to be a more time consuming process than simply minimizing to the seed file and (b) it's not strictly necessary to analyze the crash, we have disabled this feature by default. It can be enabled in the BFF configuration file or when running the minimizer in standalone mode.</p>
<p><strong>Callgrind for all unique crashers</strong></p>
<p>When  analyzing a crashing test case, it can be helpful to know what  functions are being called in the test case. The callgrind tool for  valgrind gives you a view of the call tree for a crash. BFF generates  callgrind output for every crash it finds.</p>
<p><strong>Basic crash clustering using callgrind coverage analysis</strong></p>
<p>The callsim tool (analysis/callsim.py) takes the callgrind output for each  crash and produces a dendrogram showing how the crashes relate to each  other relative to their call tree similarity.</p>
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="dendrogram.png" src="http://www.cert.org/blogs/certcc/dendrogram-sm.png" class="mt-image-right" style="float: right;" width="100%" /></span>
<p>Because we want to focus  our attention on the salient differences and not the calls they all have  in common, we borrowed the <a href="http://en.wikipedia.org/wiki/TF_IDF">Term Frequency - Inverse Document  Frequency (TF-IDF)</a> method from the text analysis world. TF-IDF is used  to de-emphasize common words appearing throughout a corpus of documents  relative to less common words when comparing two documents. We've  applied that technique to function calls in order to compare crashing  test cases. The result is that crashes appearing next to each other on  the tree are likely to be related.</p>
<p><strong>Improved crash uniqueness determination on Linux</strong></p>
<p>We  noticed that we could do better on crash uniqueness determination if we  checked things like whether or not EIP was in a loaded module. We've  also incorporated a blacklist for certain common library functions so  that they are ignored when generating a crash signature. This improves  our uniqueness determination since many crash backtraces end in libc  functions (for example) even though that isn't where the actual problem  lies.</p>
<p><strong>Virtual machine upgrades</strong></p>
<p>The DebianFuzz Virtual Machine now includes Python 2.7 and gdb 7.2.</p>
<p><strong>Getting started with BFF</strong></p>
<p>To get started with BFF, simply follow these steps:</p>
<ol>
    <li>Download BFF 2.5 at <a href="http://www.cert.org/download/bff/">http://www.cert.org/download/bff/</a></li>
    <li>Unzip <code>BFF-2.5.zip</code> to c:\fuzz</li>
    <li>Unzip <code>DebianFuzz-2.5.zip</code> to a directory of your choice</li>
    <li>Open <code>DebianFuzz.vmx</code> with VMware (e.g., <a href="http://www.vmware.com/products/workstation/overview.html">Workstation</a>, <a href="http://www.vmware.com/products/fusion/overview.html">Fusion</a>, <a href="https://my.vmware.com/web/vmware/evalcenter?p=player">Player</a>, or compatible virtualization software)</li>
    <li>Create a snapshot in VMware</li>
    <li>Power on the VM</li>
</ol>
<p>You  may need to verify that the shared folder (<code>c:\fuzz -&gt; /mnt/hgfs/fuzz</code>)  is enabled in the VM  preferences. Other virtualization products may  work with some additional  configuration. See the README file in <code>BFF-2.5.zip</code> for more details.</p>
<p>We provide the DebianFuzz VM for convenience, but BFF can be installed on other Linux systems as well. Additional information can be found in the INSTALL file in <code>BFF-2.5.zip</code>.</p>

<p><u><strong>NOTE:</strong></u> We strongly recommend fuzzing in a virtual machine.
BFF periodically clears the contents of the temporary directory, and 
when run on Linux it also activates a software watchdog that will 
reboot the machine if a fuzzing campaign stops.  Fuzzing may also 
trigger operating system bugs that could cause kernel panics.</p><div><br /></div><div><br /></div>]]>
    </content>
</entry>

<entry>
    <title>CERT Linux Triage Tools 1.0 Released</title>
    <link rel="alternate" type="text/html" href="https://www.cert.org/blogs/certcc/2012/04/cert_triage_tools_10.html" />
    <id>tag:www.cert.org,2012:/blogs/certcc//1.90</id>

    <published>2012-04-25T14:21:00Z</published>
    <updated>2012-04-25T15:00:39Z</updated>

    <summary><![CDATA[As part of the vulnerability discovery work at CERT, we have developed a GNU Debugger (GDB) extension called &quot;exploitable&quot; that classifies Linux application bugs by severity. Version 1.0 of the extension is available for public download here. This blog post...]]></summary>
    <author>
        <name>Jonathan Foote</name>
        
    </author>
    
        <category term="Analysis" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Discovery" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Research" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="https://www.cert.org/blogs/certcc/">
        <![CDATA[<p>As part of the <a href="http://www.cert.org/vuls/discovery/">vulnerability discovery</a> work at CERT, we have developed a GNU Debugger (GDB) extension called &quot;exploitable&quot; that classifies Linux application bugs by severity. Version 1.0 of the extension is available for public download <a href="http://www.cert.org/vuls/discovery/triage.html">here</a>. This blog post contains an overview of the extension and how it works.</p>]]>
        <![CDATA[<div><strong><big>Background</big></strong></div>
<div>&nbsp;</div>
<div>CERT recently released version 1.0 of the <a href="http://www.cert.org/vuls/discovery/foe.html">Failure Observation Engine (FOE)</a>,  a fuzz testing framework for Microsoft Windows platforms, for public  download. You can learn more about FOE in David Warren's recent <a href="http://www.cert.org/blogs/certcc/2012/04/cert_failure_observation_engin.html">blog post</a>. As FOE accumulates crashing test cases for the application-under-test, it uses <a href="http://msecdbg.codeplex.com/">MSEC's !exploitable debugger extension</a>  to classify the associated application errors by severity. This allows  the auditor or developer who is using the tool to determine which bugs  to investigate first.</div>
<div>&nbsp;</div>
<div><a href="http://www.cert.org/vuls/discovery/bff.html">The CERT Basic Fuzzing Framework (BFF)</a>,  which was initially released for public download in May 2010, is a  fuzzing framework designed for use in Linux and Apple OS X. Support for  Apple OS X was added in version 2.5 and will be described in an upcoming  blog post. When running in OS X, the BFF uses Apple's CrashWrangler  tool to assign crash severity in a manner similar to how FOE uses  !exploitable on Windows. We were unaware of a similar, lightweight  application error classification tool on the Linux platform, so we  developed the CERT exploitable GDB extension for this purpose. While the  GDB extension is designed to be integrated with future versions of BFF,  it can be used as a standalone tool as well.</div>
<div>&nbsp;</div>
<div><strong><big>Inspired by !exploitable and CrashWrangler</big></strong></div>
<div>&nbsp;</div>
<div>MSEC's  !exploitable and Apple's CrashWrangler are simple, but powerful,  application error classification tools that have enjoyed widespread  adoption on their respective platforms. Our team has found their  lightweight execution and simple heuristics amenable to our black box  fuzzing approach. In order to foster adoption, promote ease of use, and  to allow for orthogonal design in our fuzzing frameworks, the CERT  exploitable extension is modeled closely after the MSEC and Apple  products. Just take a look at some respective output from the tools:</div>
<div>&nbsp;</div>
<div>The CERT exploitable GDB extension:</div>
<div>&nbsp;</div>
<blockquote>
<div><code>(gdb) exploitable</code></div>
<div><code>Description: Access violation on destination operand</code></div>
<div><code>Short description: DestAv (7/21)</code></div>
<div><code>Hash: 056f8e491910886253b42506ac8d7fa0.056f8e491910886253b42506ac8d7fa0</code></div>
<div><code>Exploitability Classification: EXPLOITABLE</code></div>
<div><code>Explanation:  The target crashed on an access violation at an address matching the  destination operand of the instruction. This likely indicates a write  access violation, which means the attacker may control the write address  and/or value.</code></div>
<div><code>Other tags: AccessViolation (20/21)</code></div>
</blockquote>
<div>MSEC's !exploitable WinDbg extension:</div>
<div>&nbsp;</div>
<blockquote>
<div><code>Description: User Mode Write AV near NULL</code></div>
<div><code>Short Description: WriteAV</code></div>
<div><code>Exploitability Classification: PROBABLY_EXPLOITABLE</code></div>
<div><code>Recommended  Bug Title: Probably Exploitable - User Mode Write AV near NULL starting  at module!function+0x00000000000010a5 (Hash=0x6a652d72.0x71652d0c)</code></div>
<div><code>&nbsp;</code></div>
<div><code>User mode write access violations that are near NULL are probably exploitable.</code></div>
</blockquote>
<div>Apple's CrashWrangler tool:</div>
<div>&nbsp;</div>
<blockquote>
<div><code>exception=EXC_BAD_ACCESS:signal=11:is_exploitable=  no:instruction_disassembly=movzbl  (%eax,%esi),%ebx:instruction_address=0x00000000969def61:access_type=<br />read:access_address=0x0000000079757675:</code></div>
<div><code>Crash accessing invalid address. Consider running it again with libgmalloc(3) to see if the log changes.</code></div>
<div><code>Test case was (null)</code></div>
</blockquote>
<div>While  the output from these tools may appear to be similar, the CERT  exploitable extension includes some key differences. For example, where  MSEC's !exploitable command performs taint analysis of the basic block  containing the instruction that caused the application error, the CERT  exploitable extension does not look beyond the faulting instruction. The  CERT extension is similar to Apple's CrashWrangler in this respect.  Additionally, the CERT exploitable extension is written entirely in  Python, whereas MSEC's !exploitable is written in C++, and CrashWrangler  is written in a mix of Ruby and C. We chose the Python language for the  CERT tool to promote modification and enhancement of the code by third  parties. It is also important to note that the CERT exploitable  extension is designed to work specifically with user space applications  on the x86 and x86_64 platforms. For more information on how the code  works and some tips on modifying it, see the readme files.</div>
<div>&nbsp;</div>
<div><strong><big>Using the CERT exploitable GDB extension and triage script</big></strong></div>
<div>&nbsp;</div>
<div>The  CERT exploitable GDB extension is designed to be relatively simple to  invoke. If you have experience using MSEC's !exploitable extension, then  using the CERT exploitable GDB extension may seem familiar. First, <a href="http://www.cert.org/vuls/discovery/triage.html">download</a>  the CERT triage tools package and extract it to a directory on a Linux  host. Be sure to check the readme files for system requirements.</div>
<div>&nbsp;</div>
<div>Once you have the tools extracted, you should be able to run GDB and load the exploitable extension:</div>
<div>&nbsp;</div>
<blockquote>
<div><code>$ gdb&nbsp;</code></div>
<div><code>(gdb) source exploitable/exploitable.py</code></div>
<div><code>(gdb) help exploitable</code></div>
<div><code>&nbsp;</code></div>
<div><code>A GDB Command that determines how exploitable the current state of the&nbsp;</code></div>
<div><code>Inferior (the program being debugged) is. Either prints the result to&nbsp;</code></div>
<div><code>GDB's STDOUT or pickles the result to a file.</code></div>
<div><code>&nbsp;</code></div>
<div><code>This command is designed to be run just after the Inferior stops on&nbsp;</code></div>
<div><code>a signal, before any commands that might change the underlying state&nbsp;</code></div>
<div><code>of GDB have been issued. WARNING: This command may change the underlying&nbsp;</code></div>
<div><code>state of GDB (ex: changing the disassembler flavor).</code></div>
<div><code>&nbsp;</code></div>
<div><code>Type &lt;cmd&gt; -h for options. Note specifying incorrect command options may</code></div>
<div><code>cause GDB to exit.</code></div>
</blockquote>
<div>&nbsp;</div>
<div>Now you are ready to run an application test and use the exploitable extension to classify the output:</div>
<div>&nbsp;</div>
<blockquote>
<div><code>(gdb) file exploitable/tests/bin/crashwrite.test&nbsp;</code></div>
<div><code>Reading symbols from ./src/exploitable/tests/bin/crashwrite.test...(no debugging symbols found)...done.</code></div>
<div><code>(gdb) run</code></div>
<div><code>Starting program: ./src/exploitable/tests/bin/crashwrite.test exploitable/tests/bin/crashwrite.test</code></div>
<div><code>&nbsp;</code></div>
<div><code>Program received signal SIGSEGV, Segmentation fault.</code></div>
<div><code>0x080483a4 in main ()</code></div>
<div><code>(gdb) exploitable</code></div>
<div><code>Description: Access violation on destination operand</code></div>
<div><code>Short description: DestAv (7/21)</code></div>
<div><code>Hash: 056f8e491910886253b42506ac8d7fa0.056f8e491910886253b42506ac8d7fa0</code></div>
<div><code>Exploitability Classification: EXPLOITABLE</code></div>
<div><code>Explanation:  The target crashed on an access violation at an address matching the  destination operand of the instruction. This likely indicates a write  access violation, which means the attacker may control the write address  and/or value.</code></div>
<div><code>Other tags: AccessViolation (20/21)</code></div>
<div><code>(gdb)</code></div>
</blockquote>
<div>For more details on installation and usage of the exploitable extension, check out the readme file. In addition to the GDB extension, the CERT triage tools&nbsp;package also includes an example wrapper script called &quot;triage.&quot; While the GDB extension classifies a single application error, the triage script runs an application with a set of test cases and classifies each with the GDB extension. This script was developed as a proof-of-concept for integration with later versions of the CERT BFF and as an example for integration into other testing frameworks by other developers; however, it can be used as-is to classify a set of test cases.</div>
<div>&nbsp;</div>
<div>To use the script, <a href="http://www.cert.org/vuls/discovery/triage.html">you will need to download</a>  the CERT triage tools package and extract it to a directory on a Linux  host if you haven't already. Again, be sure to check the readme files  for system requirements. Once the tools are extracted, run a properly  formatted triage command. Here is an example of running the tool against  the set of Apple CrashWrangler test cases that are included in the  package.</div>
<div>&nbsp;</div>
<blockquote>
<div><code>$ python triage.py \$sub `find ./exploitable/tests/bin -type f`</code></div>
</blockquote>
<div>The  input syntax for the triage script is somewhat tricky, and the tool  isn't particularly robust. This is a side effect of the tool's primary  purpose as a proof-of-concept and example wrapper script. Regardless,  once you have executed the script correctly you should see this:</div>
<div>&nbsp;</div>
<blockquote>
<div><code>... (libc output) ...</code></div>
<div><code>&nbsp;</code></div>
<div><code>EXPLOITABLE: StackBufferOverflow</code></div>
<div><code>./exploitable/tests/bin/stack_buffer_overflow.test</code></div>
<div><code>&nbsp;</code></div>
<div><code>EXPLOITABLE: PossibleStackCorruption</code></div>
<div><code>./exploitable/tests/bin/variable_length_stack_buffer.test</code></div>
<div><code>&nbsp;</code></div>
<div><code>EXPLOITABLE: DestAv</code></div>
<div><code>./exploitable/tests/bin/cpp_crash.test</code></div>
<div><code>./exploitable/tests/bin/crashwrite.test</code></div>
<div><code>./exploitable/tests/bin/fastMalloc.test</code></div>
<div><code>./exploitable/tests/bin/invalid_address_64.test</code></div>
<div><code>./exploitable/tests/bin/recursive_write.test</code></div>
<div><code>&nbsp;</code></div>
<div><code>EXPLOITABLE: BadInstruction</code></div>
<div><code>./exploitable/tests/bin/illegalinstruction.test</code></div>
<div><code>&nbsp;</code></div>
<div><code>EXPLOITABLE: HeapError</code></div>
<div><code>./exploitable/tests/bin/malloc_abort.test</code></div>
<div><code>&nbsp;</code></div>
<div><code>PROBABLY_EXPLOITABLE: BranchAvNearNull</code></div>
<div><code>./exploitable/tests/bin/bad_func_call.test</code></div>
<div><code>./exploitable/tests/bin/crashexec.test</code></div>
<div><code>&nbsp;</code></div>
<div><code>PROBABLY_EXPLOITABLE: BlockMoveAv</code></div>
<div><code>./exploitable/tests/bin/read_and_write_instruction.test</code></div>
<div><code>&nbsp;</code></div>
<div><code>PROBABLY_EXPLOITABLE: DestAvNearNull</code></div>
<div><code>./exploitable/tests/bin/nullderef.test</code></div>
<div><code>&nbsp;</code></div>
<div><code>PROBABLY_NOT_EXPLOITABLE: SourceAvNearNull</code></div>
<div><code>./exploitable/tests/bin/uninit_heap.test</code></div>
<div><code>&nbsp;</code></div>
<div><code>PROBABLY_NOT_EXPLOITABLE: FloatingPointException</code></div>
<div><code>./exploitable/tests/bin/divzero.test</code></div>
<div><code>&nbsp;</code></div>
<div><code>UNKNOWN: SourceAv</code></div>
<div><code>./exploitable/tests/bin/crashread.test</code></div>
<div><code>&nbsp;</code></div>
<div><code>UNKNOWN: AbortSignal</code></div>
<div><code>./exploitable/tests/bin/abort.test</code></div>
<div><code>&nbsp;</code></div>
<div><code>Failed to triage:</code></div>
<div><code>./exploitable/tests/bin/nocrash.test</code></div>
</blockquote>
<div><strong><big>Customization</big></strong></div>
<div>&nbsp;</div>
<div>While  we kept third-party adoption and development in mind, we developed  these tools primarily for some specific testing purposes in the CERT  Program. The tools have not been exhaustively tested, and have not been  tested at all on many Linux distributions! Further, the nuances of  various Linux distributions and GDB versions may change how the  exploitable extension classifies application errors. If you choose to  use the GDB extension, I encourage you to become familiar with the  source code and edit it to suit your needs. It is designed to be simple  and easy to modify--check out the readme files to get started.</div>
<div>&nbsp;</div>
<div>That's all for now--if you have any comments, questions, patches, or other feedback please <a href="mailto:cert@cert.org?subject=Triage%20tools%20(INFO%23208126)">drop me a line</a>.</div>]]>
    </content>
</entry>

<entry>
    <title>CERT Failure Observation Engine 1.0 Released</title>
    <link rel="alternate" type="text/html" href="https://www.cert.org/blogs/certcc/2012/04/cert_failure_observation_engin.html" />
    <id>tag:www.cert.org,2012:/blogs/certcc//1.92</id>

    <published>2012-04-23T20:39:17Z</published>
    <updated>2012-04-24T14:45:19Z</updated>

    <summary>Hello, this is David Warren from the CERT Vulnerability Analysis team. In May 2010, CERT released the Basic Fuzzing Framework, a Linux-based file fuzzer. We released BFF with the intent to increase awareness and adoption of automated, negative software testing....</summary>
    <author>
        <name>David Warren</name>
        
    </author>
    
        <category term="Discovery" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Vulnerability" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="https://www.cert.org/blogs/certcc/">
        <![CDATA[<p>Hello, this is David Warren from the CERT Vulnerability Analysis team. In May 2010, CERT released the <a href="http://www.cert.org/vuls/discovery/bff.html">Basic Fuzzing Framework</a>, a Linux-based file fuzzer.  We released BFF with the intent to increase awareness and adoption of  automated, negative software testing. An often-requested feature is  that BFF support the Microsoft Windows platform. To this end, we have  worked to create a Windows analog to the BFF: the Failure Observation  Engine (FOE). Through our internal testing, we've  been able to help identify, coordinate, and fix exploitable <a href="http://www.kb.cert.org/vuls/bypublished?searchview&amp;query=FIELD+Keywords=FOE&amp;SearchOrder=4;count=20"> vulnerabilities</a> in Adobe, Microsoft, Google, Oracle, Autonomy, and Apple  software, as well as many others. Our <a href="http://www.cert.org/blogs/certcc/2011/04/office_shootout_microsoft_offi.html">office shootout</a> post is a good example of this testing.</p>]]>
        <![CDATA[<p>Why create FOE when other Windows fuzzers are freely available? In our experience, existing fuzzing tools were too difficult for vendors to use or were easy to use but not very effective. With FOE, vendors and QA testers can collect seed files, define how to run the target application in a configuration file, and begin fuzzing quickly.<br /> <br /> <strong>Mutation Strategies</strong><br /> <br /> FOE 1.0 comes with a limited set of mutation strategies, or mutators:</p>  <ul>     <li>bytemut - randomly change a percentage of bytes per seed file</li>     <li>bitmut - randomly change a percentage of bits per seed file</li>     <li>swap - swap adjacent bytes in a seed file</li>     <li>wave - change every byte index from 0x00 through 0xFF</li> </ul> <p>These strategies are similar to those used in other dumb fuzzers such as <a href="http://caca.zoy.org/wiki/zzuf">zzuf</a> and <a href="http://freecode.com/projects/taviso-fuzz">fuzz</a>. Because these mutators work at a binary level, they work best against binary file formats. Copy, an additional &quot;strategy,&quot; doesn't actually fuzz the seed file, but can be useful for testing a new config or triaging known crashing test cases.</p> <p><strong>Crash Detection</strong><br /> <br /> FOE provides two methods for detecting crashes, using the Console Debugger (cdb), or hooking the user mode exception dispatcher, <code><tt>KiUserExceptionDispatcher</tt></code>. In our experience, using the hook can be slightly faster for the non-crashing test case and provides a minimally invasive environment for the target application. Please note that the hook has only been tested with 32-bit Windows XP&nbsp;and Windows Server 2003. Depending on your platform, the installer should automatically provide an appropriate config file. 
FOE can optionally save &quot;heisenbug&quot; crashes that occur when using the hook, but do not occur when the debugger is attached.<br /> <br /> <strong>Post-crash</strong><br /> <br /> FOE uses the <a href="http://msecdbg.codeplex.com/">!exploitable</a> debugging extension to perform crash uniqueness determination and preliminary crash triage. Optionally, the crashing test case can be minimized to the smallest difference from the original seed file, similar to BFF. Output for a campaign is collected in a single output directory tree.</p> <p><strong>Installation</strong></p> <p>Because fuzzing can fill temporary directories and put the target application in an unusable state, we recommend that FOE be used in a virtual machine. To install, simply unzip and run the Windows installer, which can also download the required dependencies. An .iso image with included dependencies is available for offline, virtual machine installation.</p> <p><strong>Quick Start</strong></p> <ol>     <li>Place seed files in the FOE <tt>seedfiles</tt> directory</li>     <li>Modify the <tt>cmdline</tt> and <tt>runid</tt> options in <tt>configs\foe.cfg</tt>. Depending on how quickly the target application consumes the input file, you may need to increase the runner and debugger <tt>runtimeout</tt> values.</li>     <li>Run &quot;<kbd>foe.py configs\foe.cfg</kbd>&quot;</li> </ol> <p>Many options can be specified in the configuration file. See the included README&nbsp;and <tt>configs\examples</tt> for more information. For those who would like to see FOE in action, Jared Allar has created a quick demonstration <a href="http://www.youtube.com/watch?v=kraczmgAmgo">video</a>. FOE can be downloaded <a href="http://www.cert.org/vuls/discovery/foe.html">here</a>.</p> <p><strong>Feedback</strong></p> <p>If you have any comments or feedback, please <a href="mailto:cert@cert.org?subject=FOE%20Release%20Blog%20Post%20Feedback%20%5BINFO%23133478%5D">email</a> us.</p>]]>
    </content>
</entry>

<entry>
    <title>Vulnerability Severity Using CVSS</title>
    <link rel="alternate" type="text/html" href="https://www.cert.org/blogs/certcc/2012/04/vulnerability_severity_using_c.html" />
    <id>tag:www.cert.org,2012:/blogs/certcc//1.89</id>

    <published>2012-04-12T02:10:10Z</published>
    <updated>2012-04-30T19:56:27Z</updated>

    <summary><![CDATA[If you analyze, manage, publish, or otherwise work with software vulnerabilities, hopefully you've come across the Common Vulnerability Scoring System (CVSS). I'm happy to announce that US-CERT Vulnerability Notes now provide CVSS&nbsp;metrics....]]></summary>
    <author>
        <name>Art Manion</name>
        
    </author>
    
        <category term="Management" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Vulnerability" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="cvssvulnerabilitymetric" label="cvss vulnerability metric" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="https://www.cert.org/blogs/certcc/">
        <![CDATA[<p>If you analyze, manage, publish, or otherwise work with software vulnerabilities, hopefully you've come across the Common Vulnerability Scoring System (<a href="http://www.first.org/cvss">CVSS</a>). I'm happy to announce that <a href="http://www.kb.cert.org/vuls">US-CERT Vulnerability Notes</a> now provide CVSS&nbsp;metrics.</p>]]>
        <![CDATA[<p>In step with the March 2012 release of a new design for the <a href="https://www.us-cert.gov/">US-CERT website</a>, Vulnerability Notes now include CVSS metrics. The CVSS specification is managed by a special interest group within the Forum of Incident Response and Security Teams (<a href="http://www.first.org/">FIRST</a>). You can read all about CVSS on the <a href="http://www.first.org/cvss">CVSS-SIG</a> website. I particularly recommend the <a href="http://www.first.org/cvss/cvss-guide"><em>Complete Guide</em></a> documentation.</p> <p>Along with announcing the availability of CVSS metrics in Vulnerability Notes, I'd like to explain a few important points about our usage of CVSS:</p> <p>First, and most important, Vulnerability Notes will provide base, environmental, and temporal metrics. The CVSS documentation recommends that CVSS producers specify base and temporal metrics:</p> <blockquote> <p>Generally, the base and temporal metrics are specified by vulnerability bulletin analysts, security product vendors, or application vendors because they typically have more pertinent information about the characteristics of a vulnerability than users do. The environmental metrics are specified by users, because users are best able to assess the potential impact of a vulnerability within their own environments.</p> </blockquote> <p>In practice, I've observed that most CVSS sources only specify the base metric. While this practice is understandable&mdash;temporal metrics require effort to maintain over time, and environmental metrics are specific to the CVSS consumer&mdash;it creates a serious potential for misuse; or perhaps better stated, misapplication.</p> <p>It is too easy to look at freely-provided CVSS base metric scores from the National Vulnerability Database (<a href="http://nvd.nist.gov/">NVD</a>) at NIST or your favorite vulnerability scanner and stop: Severity rating obtained, mission accomplished. 
Don't do this, you'll likely make a <a href="http://www.securitymetrics.org/content/attach/MetriCon4.5/Christian%20-%20MetriCon4.5_presentation_100226_CF.pdfhttp://www.securitymetrics.org/content/attach/MetriCon4.5/Christian%20-%20MetriCon4.5_presentation_100226_CF.pdf">suboptimal</a> vulnerability response decision based on an inaccurate severity rating. Why? The base metrics don't include two very important vectors: Exploitability (which speaks to threat) and Target Distribution (a proxy, if a poor one, for asset value or expected loss). Follow the CVSS documentation and score the temporal and environmental metrics using current information about your environment.</p> <p>To this end, Vulnerability Notes will provide CVSS temporal and environmental metrics based on information available at the time of publication, with an environment of &quot;the entire internet.&quot; You can discard our environmental metrics and provide your own. Please do the same for temporal metrics if you have more recent information.</p> <p>On to other issues: Multiple vulnerabilities and CVSS metric conflicts.</p> <p>One Vulnerability Note may cover multiple vulnerabilities. For example <a href="http://www.kb.cert.org/vuls/id/913483">VU#913483</a> lists four distinct vulnerabilities (four CVE IDs) in tape library web interfaces. In such cases, the CVSS metrics will be based on the vulnerability with the highest base metric score. For VU#913483, this would be the default password issues identified by <a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1844">CVE-2012-1844</a>.</p> <p>Concerning CVSS metric conflicts: we're in close contact with the NVD personnel at NIST, and we're working with them to synchronize the way we score CVSS metrics. The lines of communication are open so that we can resolve any discrepancies quickly and easily. 
If you have questions about, or disagree with, the CVSS metrics in a Vulnerability Note, you can send email to &lt;cert@cert.org&gt; with the appropriate VU# identifier in the subject.</p> <p>Lastly, some more information about our use of CVSS is available in the Vulnerability Notes <a href="http://www.kb.cert.org/vuls/html/fieldhelp#cvss">help page</a>.</p>]]>
    </content>
</entry>

<entry>
    <title>The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud)</title>
    <link rel="alternate" type="text/html" href="https://www.cert.org/blogs/insider_threat/2012/03/the_cert_guide_to_insider_threats_how_to_prevent_detect_and_respond_to_information_technology_crimes.html" />
    <id>tag:www.cert.org,2012:/blogs/insider_threat//2.88</id>

    <published>2012-03-23T17:12:07Z</published>
    <updated>2012-03-27T17:14:11Z</updated>

    <summary><![CDATA[The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) by Addison-Wesley Professional has recently been published. The book is available for purchase at Addison-Wesley&rsquo;s InformIT website at http://www.informit.com/store/product.aspx?isbn=9780321812575....]]></summary>
    <author>
        <name>Insider Threat Team</name>
        
    </author>
    
        <category term="Fraud" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Guidance" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="IT Sabotage" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Theft of IP" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="insiderthreat" label="insider threat" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="it" label="IT" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="https://www.cert.org/blogs/insider_threat/">
        <![CDATA[<p><em>The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud)</em> by Addison-Wesley Professional has recently been published. The book is available for purchase at Addison-Wesley&rsquo;s InformIT website at http://www.informit.com/store/product.aspx?isbn=9780321812575.</p>]]>
        <![CDATA[<p>The CERT&reg; Insider Threat Center has spent the past 10 years collecting and analyzing information about more than 700 insider cybercrimes, ranging from national security espionage to theft of trade secrets. This research is consolidated into nine chapters that are accessible to both technical and non-technical readers.<br /> <br /> Authors Dawn Cappelli, Andrew Moore, and Randall Trzeciak systematically address attacks by all types of malicious insiders, including current and former employees, contractors, business partners, outsourcers, and even cloud-computing vendors. They cover three major types of insider cybercrime: IT sabotage, intellectual property theft, and fraud.<br /> <br /> As part of the SEI Series in Software Engineering from Addison-Wesley, the book offers specific guidance and countermeasures that can be immediately applied by executives, managers, security officers, and operational staff within any private, government, or military organization. The book shares actionable recommendations for the entire organization, from executive management and board members to IT, data owners, HR, and legal departments.</p>]]>
    </content>
</entry>

<entry>
    <title>Insiders and Organized Crime</title>
    <link rel="alternate" type="text/html" href="https://www.cert.org/blogs/insider_threat/2012/02/insiders_and_organized_crime.html" />
    <id>tag:www.cert.org,2012:/blogs/insider_threat//2.86</id>

    <published>2012-02-15T20:29:24Z</published>
    <updated>2012-02-16T20:25:26Z</updated>

    <summary><![CDATA[The term organized crime brings up images of mafia dons, dimly lit rooms, and bank heists.&nbsp; The reality today is more nuanced; especially as organized crime groups have moved their activities online.&nbsp; The CERT Insider Threat Center recently released a...]]></summary>
    <author>
        <name>Insider Threat Team</name>
        
    </author>
    
        <category term="Fraud" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="https://www.cert.org/blogs/insider_threat/">
        <![CDATA[<p>The term organized crime brings up images of mafia dons, dimly lit rooms, and bank heists. The reality today is more nuanced, especially as organized crime groups have moved their activities online. The CERT Insider Threat Center recently released a publication titled <em>Spotlight On: Malicious Insiders and Organized Crime Activity</em>. This article focuses on a cross-section of CERT&rsquo;s insider threat data: incidents consisting of 2 or more individuals involved in a crime. What we found is that insiders involved in organized crime caused more damage (approximately $3M per crime) and bypassed protections by involving multiple individuals in the crime.</p>]]>
        <![CDATA[<p>As organized crime has made its way online, it has become a significant source of fraud and embezzlement. Several recent news articles have raised awareness of this threat. The online crimes are often committed by individuals inside the organization who are attempting to bypass increasingly sophisticated fraud prevention controls. Analysis of multiple cases of insiders and organized crime has shown that the incidents fall into two primary categories: insiders either formed their own groups to bypass controls, or were recruited by established organized crime groups for a particular task in the commission of a crime.<br /> <br /> If you are interested in reading more about insiders and organized crime, including potential countermeasures, check out the article <a href="http://www.cert.org/archive/pdf/12tn001.pdf">http://www.cert.org/archive/pdf/12tn001.pdf</a>.<br /> <br /> <strong>References</strong></p> <p>[Krebs 2009]<br /> Krebs, Brian. Organized Crime Behind a Majority of Data Breaches. <a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/04/15/AR2009041501196.html">http://www.washingtonpost.com/wp-dyn/content/article/2009/04/15/AR2009041501196.html</a> 2009.<br /> <br /> [Goldman 2011]<br /> Goldman, David. The Cyber Mafia Has Already Hacked You. <a href="http://money.cnn.com/2011/07/27/technology/organized_cybercrime/index.htm">http://money.cnn.com/2011/07/27/technology/organized_cybercrime/index.htm</a> 2011.<br /> <br /> [Wong 2012]<br /> Wong, Arthur. Beware Cyber Crime Gangs: Is Your Bank&rsquo;s Web Site Safe? <a href="http://www.forbes.com/sites/ciocentral/2012/01/06/beware-cyber-crime-gangs-is-your-banks-web-site-safe/">http://www.forbes.com/sites/ciocentral/2012/01/06/beware-cyber-crime-gangs-is-your-banks-web-site-safe/</a> 2012.</p>]]>
    </content>
</entry>

<entry>
    <title>Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage</title>
    <link rel="alternate" type="text/html" href="https://www.cert.org/blogs/insider_threat/2012/01/insider_threat_control_using_a_siem_signature_to_detect_potential_precursors_to_it_sabotage.html" />
    <id>tag:www.cert.org,2012:/blogs/insider_threat//2.85</id>

    <published>2012-01-26T18:15:42Z</published>
    <updated>2012-01-26T18:16:01Z</updated>

    <summary><![CDATA[The Insider Threat Center at CERT recently released a new insider threat control that is&nbsp;specifically designed to detect the presence of a malicious insider based on key indicators to Information Technology (IT) sabotage activity.&nbsp; This blog post&nbsp;provides an overview of...]]></summary>
    <author>
        <name>Insider Threat Team</name>
        
    </author>
    
        <category term="Guidance" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="insiderthreat" label="insider threat" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="https://www.cert.org/blogs/insider_threat/">
        <![CDATA[<p>The Insider Threat Center at CERT recently released a new insider threat control that is specifically designed to detect the presence of a malicious insider based on key indicators of Information Technology (IT) sabotage activity. This blog post provides an overview of the control and the rationale behind its development. For more details describing the development of the control and the statistical analysis used and applied in this signature, please refer to the technical report: <a href="http://www.cert.org/archive/pdf/SIEM-Control.pdf">http://www.cert.org/archive/pdf/SIEM-Control.pdf</a></p>]]>
        <![CDATA[<p>The Insider Threat Security Information and Event Management (SIEM) signature was developed to detect possible malicious insider activity leading to IT sabotage. The goal is to detect the identity of the attacker, what remote connection protocol he or she is using, and whether the activity is occurring outside of normal working hours, based upon empirical data of malicious insider activity. In the absence of a uniform, standardized event logging format, the signature is represented in two of the most visible public formats, Common Event Format (CEF), developed by ArcSight, and Common Event Expression (CEE), developed by MITRE. Because of the limitations of these formats, the SIEM described in the detailed report employs an operational version of the proposed signature in an ArcSight environment.</p><p>The CERT&reg; Insider Threat Center database currently contains over 550 cases of actual malicious insider crimes. We focused on the 123 cases categorized as IT sabotage in the development of this control. Insider IT Sabotage is defined as an insider&rsquo;s use of information technology to direct specific harm at an organization or an individual. The cases in our database reveal that almost all insiders involved in acts of IT Sabotage displayed behavioral indicators prior to committing their crimes. Examples of such behavioral indicators include but are not limited to: conflicts with co-workers or supervisors, improper use of organization information assets, rule violations and/or security violations. These indicators may be used to determine which users warrant targeted monitoring via this signature. 
Once individuals are identified, you should be able to determine the appropriate user names, account names, host names, and/or host addresses to enter into the signature to make the alert volume more meaningful and manageable.</p><p>Prior to applying this signature, you should facilitate proper communication and coordination between relevant departments across the enterprise, especially information technology, information security, human resources, physical security, and legal. This cooperation is necessary to ensure that any measures taken to combat insider threat comply with all organizational, local, and national laws and regulations.</p><p>Technical signatures developed by the CERT Insider Threat Center are generally designed to be applied towards a particular user or group of users. These signatures are not intended to be applied to all users across the enterprise, as doing so will generate a large number of false positives.<br />&nbsp;</p>]]>
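        <![CDATA[<p>A sketch of the logic described above, run over CEF events: alert only when a user on a targeted watchlist uses a remote connection protocol outside working hours. This is an added example, not the signature from the CERT report; the protocol list, working hours, time zone, watchlist and sample events are constructed assumptions, and it relies only on the standard CEF extension keys suser, app, rt, src and dst.</p>

```python
"""Targeted off-hours remote-access check over CEF events."""
import re
from datetime import datetime, timedelta, timezone

# Assumptions for this sketch, not values taken from the CERT report.
REMOTE_PROTOCOLS = {"ssh", "rdp", "vnc", "telnet", "vpn"}
WORK_DAYS = range(0, 5)                       # Monday..Friday
WORK_HOURS = range(8, 18)                     # 08:00-17:59 local time
LOCAL_TZ = timezone(timedelta(hours=-5))      # the organization's local offset
WATCHLIST = {"jdoe"}                          # users selected for monitoring
EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")


def parse_cef(line):
    """Return (seven header fields, extension dict) for one CEF record."""
    start = line.find("CEF:")                 # tolerate a syslog prefix
    if start == -1:
        raise ValueError("not a CEF record")
    body, fields, cur, i = line[start + 4:], [], "", 0
    while i != len(body) and len(fields) != 7:
        ch = body[i]
        if ch == "\\" and i + 1 != len(body):  # header escapes: \| and \\
            cur += body[i + 1]
            i += 2
            continue
        if ch == "|":
            fields.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    if len(fields) != 7:
        raise ValueError("truncated CEF header")
    ext, rest = {}, body[i:]
    keys = list(EXT_KEY.finditer(rest))
    # A value runs until the next " key=" token, so it may contain spaces.
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = rest[m.end():nxt.start() if nxt else len(rest)]
        ext[m.group(1)] = re.sub(r"\\([=\\])", r"\1", raw).strip()
    return fields, ext


def check_event(line, watchlist, tz):
    """Return an alert dict if a watched user connects remotely off-hours."""
    _, ext = parse_cef(line)
    user, proto = ext.get("suser", "").lower(), ext.get("app", "").lower()
    if user not in watchlist or proto not in REMOTE_PROTOCOLS:
        return None
    # rt is the device receipt time in milliseconds since the epoch;
    # convert to local time before testing against working hours.
    when = datetime.fromtimestamp(int(ext["rt"]) / 1000, tz)
    if when.weekday() in WORK_DAYS and when.hour in WORK_HOURS:
        return None
    return {"user": user, "protocol": proto, "src": ext.get("src"),
            "dst": ext.get("dst"), "local_time": when.isoformat()}


def scan(lines, watchlist, tz):
    """Return (alerts, number of lines that could not be evaluated)."""
    alerts, skipped = [], 0
    for line in lines:
        try:
            alert = check_event(line, watchlist, tz)
        except (ValueError, KeyError):        # not CEF, or rt missing/invalid
            skipped += 1
            continue
        if alert:
            alerts.append(alert)
    return alerts, skipped


# Constructed sample events (vendor, hosts and users are made up).
SAMPLE_EVENTS = [
    r"CEF:0|ExampleVendor|sshd|1.0|100|Remote login|3|rt=1327372200000 suser=jdoe src=203.0.113.7 dst=10.0.0.5 app=ssh",
    r"CEF:0|ExampleVendor|sshd|1.0|100|Remote login|3|rt=1327413600000 suser=jdoe src=203.0.113.7 dst=10.0.0.5 app=ssh",
    r"CEF:0|ExampleVendor|Gateway\|VPN|2.1|200|Remote desktop session|5|rt=1327748400000 suser=JDoe msg=session opened from home app=rdp dst=10.0.0.9",
    r"CEF:0|ExampleVendor|sshd|1.0|100|Remote login|3|rt=1327373100000 suser=asmith src=198.51.100.4 dst=10.0.0.5 app=ssh",
    r"CEF:0|ExampleVendor|proxy|1.0|300|Web request|1|rt=1327372800000 suser=jdoe dst=10.0.0.80 app=http",
    "Jan 24 02:31:00 host sshd[411]: not a CEF line",
]

if __name__ == "__main__":
    found, skipped = scan(SAMPLE_EVENTS, WATCHLIST, LOCAL_TZ)
    for alert in found:
        print(alert)
    print("lines skipped:", skipped)
```

<p>Only the late-evening SSH login and the Saturday remote desktop session by the watched user produce alerts; the same activity by an unwatched user is ignored, which keeps the rule targeted as the post recommends.</p>]]>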
    </content>
</entry>

<entry>
    <title>CNAME flux</title>
    <link rel="alternate" type="text/html" href="https://www.cert.org/blogs/certcc/2012/01/cname_flux.html" />
    <id>tag:www.cert.org,2012:/blogs/certcc//1.84</id>

    <published>2012-01-05T21:15:00Z</published>
    <updated>2012-01-05T19:11:14Z</updated>

    <summary><![CDATA[Hello this is Jonathan Spring. Recently, Leigh Metcalf and I uncovered some interesting results in our continuing work on properties of the Domain Name System (DNS). Our work involves an unconventional use of CNAME (canonical name) records.&nbsp; Besides an IP...]]></summary>
    <author>
        <name>Jonathan Spring</name>
        
    </author>
    
        <category term="Analysis" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Research" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="https://www.cert.org/blogs/certcc/">
        <![CDATA[<p>Hello this is Jonathan Spring. Recently, Leigh Metcalf and I uncovered some interesting results in our continuing work on properties of the Domain Name System (DNS). Our work involves an unconventional use of CNAME (canonical name) records.&nbsp; Besides an IP address, CNAME records are the only other location a domain may have in the DNS. Instead of an IP address, a CNAME record is a redirection or alias service that points to another name.&nbsp;</p>]]>
        <![CDATA[<p>CNAMEs should behave similarly to IP addresses in the DNS &ndash; relatively statically. IP addresses have shown departures from the expected consistency in the past. Several years ago, content distribution networks (CDNs) popularized a DNS usage that is known as IP flux. The IP address of resources is changed quickly in the DNS for geographic nearness, load balancing, and redirection in the case of failure. Malicious actors soon caught on, and implemented their own networks using IP flux.</p>  <p>Leigh and I have found that CNAME flux is also in practice to some degree. By using a source of passive public DNS resolutions we have found domains that change their CNAME destination multiple times a day. We consider a domain to be exhibiting flux if it changes destination 8 or more times in one day. For example, the following records of a domain exhibiting CNAME flux were observed on October 2, 2011.</p><table cellspacing="1" cellpadding="1" border="1" style="width: 364px; height: 165px;">     <tbody>         <tr>             <td><small><strong>rname&nbsp;&nbsp;&nbsp; &nbsp;&nbsp; <br />             </strong></small></td>             <td><small><strong>class&nbsp;&nbsp;&nbsp;</strong></small><strong> </strong></td>             <td><small><strong>type&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</strong></small><strong> </strong></td>             <td><small><strong>TTL&nbsp;&nbsp;&nbsp;</strong></small><strong> </strong></td>             <td><small><strong>rdata</strong></small></td>         </tr>         <tr>             <td><small>corn.best.stanford.edu</small></td>             <td><small>IN <br /></small></td>             <td><small>CNAME&nbsp;&nbsp;&nbsp;</small></td>             <td><small>10&nbsp;&nbsp;&nbsp;</small></td>             <td><small>corn26.stanford.edu</small></td>         </tr>         <tr>             <td><small>corn.best.stanford.edu&nbsp;&nbsp;&nbsp;</small></td>             <td><small>IN&nbsp;&nbsp;&nbsp;</small></td>             
<td><small>CNAME&nbsp;&nbsp;&nbsp;</small></td>             <td><small>10&nbsp;&nbsp;&nbsp;</small></td>             <td><small>corn02.stanford.edu</small></td>         </tr>         <tr>             <td><small>corn.best.stanford.edu&nbsp;&nbsp;&nbsp;</small></td>             <td><small>IN&nbsp;&nbsp;&nbsp;</small></td>             <td><small>CNAME&nbsp;&nbsp;&nbsp;</small></td>             <td><small>10&nbsp;&nbsp;&nbsp;</small></td>             <td><small>corn15.stanford.edu</small></td>         </tr>         <tr>             <td><small>corn.best.stanford.edu&nbsp;&nbsp;&nbsp;</small></td>             <td><small>IN&nbsp;&nbsp;&nbsp;</small></td>             <td><small>CNAME&nbsp;&nbsp;&nbsp;</small></td>             <td><small>10&nbsp;&nbsp;&nbsp;</small></td>             <td><small>corn10.stanford.edu</small></td>         </tr>         <tr>             <td><small>corn.best.stanford.edu&nbsp;&nbsp;&nbsp;</small></td>             <td><small>IN&nbsp;&nbsp;&nbsp;</small></td>             <td><small>CNAME&nbsp;&nbsp;&nbsp;</small></td>             <td><small>10&nbsp;&nbsp;&nbsp;</small></td>             <td><small>corn12.stanford.edu</small></td>         </tr>         <tr>             <td><small>corn.best.stanford.edu&nbsp;&nbsp;&nbsp;</small></td>             <td><small>IN&nbsp;&nbsp;&nbsp;</small></td>             <td><small>CNAME&nbsp;&nbsp;&nbsp;</small></td>             <td><small>10&nbsp;&nbsp;&nbsp;</small></td>             <td><small>corn19.stanford.edu</small></td>         </tr>         <tr>             <td><small>corn.best.stanford.edu&nbsp;&nbsp;&nbsp;</small></td>             <td><small>IN&nbsp;&nbsp;&nbsp;</small></td>             <td><small>CNAME&nbsp;&nbsp;&nbsp;</small></td>             <td><small>10&nbsp;&nbsp;&nbsp;</small></td>             <td><small>corn24.stanford.edu</small></td>         </tr>         <tr>             <td><small>corn.best.stanford.edu&nbsp;&nbsp;&nbsp;</small></td>             <td><small>IN&nbsp;&nbsp;&nbsp;</small></td>         
    <td><small>CNAME&nbsp;&nbsp;&nbsp;</small></td>             <td><small>10&nbsp;&nbsp;&nbsp;</small></td>             <td><small>corn23.stanford.edu</small></td>         </tr>     </tbody> </table> <p>The CNAME here seems to be balancing the load on a particular service by redirecting users to the more available servers, given the naming scheme and short time to live (TTL) of 10 seconds. However, like CDNs, if benign actors gain benefit from a tactic then malicious actors are likely to be able to use the same tactic to their ends.</p> <p>So far, the domains using CNAME flux amount to a small percentage of the CNAME records observed. There are around 16M domains in our data source that use CNAME records each day, and only 15-200 of those domains exhibit CNAME flux. We measured the incidence of CNAME flux between October 1 and November 30, 2011. The results are presented in this chart.</p> <p>[Chart: incidence of CNAME flux, October 1 to November 30, 2011]</p> <p>We can&rsquo;t say whether or not the practice will become more widespread. But CNAME flux is yet another creative use of one of the few ubiquitous Internet protocols, and creative protocol use tends to cause headaches for security folks.</p>]]>
    </content>
</entry>

<entry>
    <title>Preparing for Negative Workplace Events - Managing Employee Expectations</title>
    <link rel="alternate" type="text/html" href="https://www.cert.org/blogs/insider_threat/2011/12/preparing_for_negative_workplace_events_-_managing_employee_expectations.html" />
    <id>tag:www.cert.org,2011:/blogs/insider_threat//2.83</id>

    <published>2011-12-15T15:00:00Z</published>
    <updated>2011-12-15T15:13:59Z</updated>

    <summary><![CDATA[Hello, this is Randy Trzeciak, technical team lead for the Insider Threat Research Team at the CERT&reg; Insider Threat Center. This blog post is intended to serve as a reminder to organizations about the impact that an organization&rsquo;s actions can...]]></summary>
    <author>
        <name>Insider Threat Team</name>
        
    </author>
    
        <category term="Guidance" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="https://www.cert.org/blogs/insider_threat/">
        <![CDATA[<p style="text-align: left">Hello, this is Randy Trzeciak, technical team lead for the Insider Threat Research Team at the CERT<sup>&reg;</sup> Insider Threat Center. This blog post is intended to serve as a reminder to organizations about the impact that an organization&rsquo;s actions can have on employees. Additionally, I want you to ask yourself the following question<em>, what are you doing to manage employee expectations during negative workplace events?</em></p>]]>
        <![CDATA[<p>When organizations are faced with difficult decisions, such as downsizing, reorganizations, mergers or acquisitions, the inability to give raises or bonuses, and so on, consider the employees who are impacted by such decisions. If you recall our <a href="http://www.cert.org/archive/pdf/08tr009.pdf">MERIT IT Sabotage Model</a>, the one precipitating event that contributes to employees being disgruntled is a negative organizational workplace event. When these events occur, it is essential that organizations communicate clearly with their employees as well as attempt to properly manage employee expectations.</p><p>While reviewing the cases in our database it became clear that a potential motivator in multiple incidents of insider IT sabotage and theft of intellectual property could be linked to this issue. We found that unmet expectations may have been a contributing factor to a disgruntled employee&rsquo;s decision to harm an organization. We are not saying that by talking to your employees you are immune to an incident such as a disgruntled system administrator exacting revenge by harming your IT systems, or a scientist taking intellectual property when they leave work. However, you do have a better chance of managing employee expectations by keeping the lines of communication open prior to a negative workplace event.</p><p>Also, you may want to consider implementing additional technical controls to protect critical assets in case these negative workplace events occur. Consider monitoring access to critical assets during this time of increased stress. This will allow your organization to detect if critical assets are being accessed, modified, downloaded, emailed, or printed by individuals who are not authorized to do so. 
Be sure to work with your legal counsel prior to implementing any monitoring strategies to ensure compliance with federal, state, and local laws.</p><p>To summarize, in today&rsquo;s tough economic climate, organizations are forced to make difficult decisions to ensure their financial stability. Consider the impact those decisions will have on your most critical asset, your employees. It is important to consider what you can do to manage employee expectations and how your organization can best use technology to ensure that only authorized individuals are able to access your information, technology, and facilities.</p>]]>
    </content>
</entry>

<entry>
    <title>Insider Threat Controls</title>
    <link rel="alternate" type="text/html" href="https://www.cert.org/blogs/insider_threat/2011/11/insider_threat_controls.html" />
    <id>tag:www.cert.org,2011:/blogs/insider_threat//2.81</id>

    <published>2011-11-16T14:30:00Z</published>
    <updated>2011-11-16T14:30:41Z</updated>

    <summary><![CDATA[The mission of the CERT&reg; Insider Threat Lab, sponsored by the Department of Homeland Security Federal Network Security Branch, is to create new technical controls and standards based on our research, as well as to determine lessons learned from our...]]></summary>
    <author>
        <name>Insider Threat Team</name>
        
    </author>
    
        <category term="Guidance" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="https://www.cert.org/blogs/insider_threat/">
        <![CDATA[<p>The mission of the CERT<sup>&reg;</sup> Insider Threat Lab, sponsored by the Department of Homeland Security Federal Network Security Branch, is to create new technical controls and standards based on our research, as well as to determine lessons learned from our hands-on work doing assessments, workshops, and working with technical security practitioners.</p>]]>
        <![CDATA[<p>We are pleased to announce two releases by the CERT Insider Threat Lab:</p><p>1. &quot;Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination&quot;</p><p>Software Engineering Institute &ndash; <a href="http://www.cert.org/archive/pdf/11tn024.pdf">Technical Note CMU/SEI-2011-TN-024</a></p><p>Our database reveals that many insiders who stole confidential or sensitive (unclassified) information exfiltrated data from their organization using email. Most of these insiders stole the information within 30 days of their departure date from the organization. This control tracks outgoing email by volume and destination from employees who have accounts set to expire on a certain date, and provides queries that retrieve the prior 30 days&rsquo; worth of email traffic for an insider whose account is disabled.</p><p>2. The first video in the insider threat demonstration series: &quot;<a href="http://www.cert.org/insider_threat/demonstrations/ITDS01.mp4">Insider Threat Monitoring, Detection, and Response</a>&quot;</p><p>Please check back often as we intend to publish new technical controls. In addition, we would like our readers to help us to create an Insider Threat Community of Interest by sending us feedback on these controls. How did they work for you? How did you fine tune them to meet your specific needs? What did you do to reduce the number of false positives (&quot;good guys&quot;) detected by these controls?</p><p>We are all in this together, and we need to work together to effectively mitigate insider threats! Please send your feedback using the feedback link. All input is strictly confidential, although we are happy to recognize our sources if you give your consent.</p>]]>
    </content>
</entry>

<entry>
    <title>Data Exfiltration and Output Devices - An Overlooked Threat</title>
    <link rel="alternate" type="text/html" href="https://www.cert.org/blogs/insider_threat/2011/10/data_exfiltration_and_output_devices_-_an_overlooked_threat.html" />
    <id>tag:www.cert.org,2011:/blogs/insider_threat//2.79</id>

    <published>2011-10-17T17:40:00Z</published>
    <updated>2011-11-01T14:31:52Z</updated>

    <summary><![CDATA[ Hi, this is George Silowash and recently, I had the opportunity to review our insider threat database looking for a different type of insider threat to the enterprise&hellip;paper. Yes, paper. In particular, printouts and devices that allow for extraction...]]></summary>
    <author>
        <name>Insider Threat Team</name>
        
    </author>
    
        <category term="Guidance" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Theft of IP" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="https://www.cert.org/blogs/insider_threat/">
        <![CDATA[<p>Hi, this is George Silowash and recently, I had the opportunity to review our insider threat database looking for a different type of insider threat to the enterprise&hellip;paper. Yes, paper. In particular, printouts and devices that allow for extraction of digital information to paper or the management of paper documents. This area is often overlooked in enterprise risk assessments and I thought I would share some information regarding this type of attack.</p>]]>
        <![CDATA[<p>Our database of over 500 cases contains the following types of cases in which a scanner, copier, printer, or FAX machine was used as part of the insider&rsquo;s attack:</p> <table cellspacing="1" cellpadding="1" border="2" style="width: 385px; height: 125px; background-color:#5E9DC8"> <thead> <tr> <th scope="col"><small>Device Used</small></th> <th scope="col"><small>Number of Incidents</small></th> </tr> </thead> <tbody> <tr> <td style="background-color:#BBD9EE"><small>Copier</small></td> <td style="background-color:#BBD9EE"><small>1</small></td> </tr> <tr> <td style="background-color:#EBF4FA"><small>Fax</small></td> <td style="background-color:#EBF4FA"><small>3</small></td> </tr> <tr> <td style="background-color:#BBD9EE"><small>Printer</small></td> <td style="background-color:#BBD9EE"><small>30</small></td> </tr> <tr> <td style="background-color:#EBF4FA"><small>Scanner</small></td> <td style="background-color:#EBF4FA"><small>2</small></td> </tr> </tbody> </table> <p>It should be noted that our database contains one instance in which a copier, FAX, and printer were all used in the same attack. More on that later.<br /> <br /> Technology in the workplace enables employees to efficiently do their jobs and accomplish the mission of the organization. It is often these technologies that also enable malicious insiders to cause harm to the organization. Management, Information Security, and Information Technology support teams must work to secure both the physical and virtual environments. This typically entails implementing physical protections for servers, workstations, and mobile devices while Access Control Lists (ACLs) restrict access to data. 
Often times other devices are overlooked and left with little to no protection. <br /> <br /> These devices should be included in organizational risk assessments:</p> <ul>     <li>printers</li>     <li>scanners</li>     <li>FAX machines</li>     <li>copiers</li> </ul> <p>Printers can allow a malicious insider to extract sensitive company documents and remove the documents from the organization to share with competitors or even start their own business.</p> <ul>     <li>In one case, the insider was a disgruntled scientist at a technology component manufacturer. The insider exfiltrated research documents using his access privileges. He downloaded the documents onto his laptop, sent them to his email account, and physically carried the document printouts out of the workplace. He also mailed some of the research documents to the component manufacturer's competitors. The total losses were estimated to be about $3 million. The insider was sentenced to five years probation, fined over $7000, and ordered to perform 200 hours of community service.</li> </ul> <ul>     <li>In another case, the insider worked with a conspirator to sell physical blueprints and trade secrets to a competitor organization. Although potential losses were estimated to be between $50 million and $100 million, the victim organization was able to prevent the information from being used by the competitor. The insider was sentenced to prison and fined $20,000.</li> </ul> <p>Organizations should carefully monitor printer activity and retain logs of printed documents. These logs should be audited as part of an organization&rsquo;s continuous log monitoring program. Personnel should be alerted when anomalies occur, such as printing before or after business hours or printing an unusually high number of documents for that particular user. <br /> <br /> Companies must also ensure that hardcopy documents are properly disposed of when they are no longer needed. 
Documents containing proprietary information must be destroyed by those who are authorized to do so. Organizations should consider who has access to hardcopy documents during the document&rsquo;s lifecycle. The CERT database has cases where janitors took documents containing personally identifiable information (PII) or other sensitive information from the organization. If the documents had been properly managed and disposed of, the risk of malicious insider activity may have decreased.<br /> <br /> Scanners also pose a threat to organizations. Documents that are not in digital form or are not accessible in electronic form due to access restrictions can be scanned by a user who has authorized access to a scanner.</p> <ul>     <li>In one case, an insider was contracted by a telecommunications company to scan physical trade secret documents into digital form. After scanning the documents, the insider stole some of the electronic files and posted them on a hacking website. The total potential damages were estimated to be $25 million while the insider was ordered to repay over $145,000 in restitution.</li> </ul> <ul>     <li>An insider was employed by a document imaging company. The imaging company was a trusted business partner of a university. The insider stole 1,700 student transcripts containing the students' PII while digitally archiving them for the university. The insider was never identified, and the monetary impact of the incident was never fully understood.</li> </ul> <p>Companies need to provide commensurate levels of protection to printed documents as they do for digital files. People receiving printouts must have a valid need to know and permission to have access to these hard copies. In the above cases, trusted business partners had access to physical documents to perform a contractual obligation. Contracts with trusted business partners need to stipulate the need for thorough background investigations. 
In addition, if company-sensitive documents are being scanned, a company representative should monitor the process to ensure that the contractor is not mishandling company information.<br /> <br /> FAX machines are an older technology that continues to exist in many organizations. These devices can be used by an insider to send documents out of the organization, often without being detected.</p> <ul>     <li>Insiders were employed by a financial institution and used the institution's computer systems to access PII of 68 customers, including the customers' credit card numbers. They then faxed this information outside of their organization to their accomplices. In total, almost $600,000 was stolen through the fraudulent activity. The insider was sentenced to over one year of imprisonment and two years of supervised release, and ordered to participate in a drug/alcohol program and repay over $99,500 in restitution.</li> </ul> <ul>     <li>In another case, the insider was a disgruntled engineer for a product manufacturing company. Fearing his job was in jeopardy, he sent technical drawings to a competitor organization via fax and email. The damage to the victim organization was estimated to be roughly $1.5 million. The insider was sentenced to over two years in prison and ordered to repay $1.3 million in restitution.</li> </ul> <p>In the above examples, the insiders were able to FAX documents to accomplices or competitors. One solution to reduce this threat is to limit access to FAX machines whereby employees in the organization must submit their documents to another individual to review and transmit. <br /> <br /> Copiers allow insiders to duplicate company documents without the worry of having to remove original documents from the organization, which could lead to faster detection.</p> <ul>     <li>The insider was employed as a mail room supervisor by the victim organization, which was a financial institution. 
While on site and during work hours, the insider opened the organization&rsquo;s mail and copied checks that customers had sent in for deposits. The insider sold the copies to an identity theft group, which used the valid account numbers to make fraudulent checks. The insider was arrested, but information regarding the monetary impact was unknown.</li> </ul> <p>Access to copiers needs to be limited when company-sensitive information is at stake. In the above example, the insider was able to copy customer checks for identity theft purposes. The insider&rsquo;s activities should have raised red flags when opened mail was delivered. <br /> <br /> Finally, the malicious insider who used all of the methods that we have been discussing worked as an administrative assistant to a top executive at the victim organization. As part of her job responsibilities, she had access to confidential trade secrets and other proprietary information. She was caught making copies of confidential documents, leaving her workplace with them, and attempting to sell them for money. She handed over some of the copies to buyers, as well as faxed some. The insider also printed out some of the executive's emails which contained confidential project information. The only monetary impact reported was $40,000 restitution ordered to be paid by the insider.<br /> <br /> These cases highlight the need for organizations to be more vigilant about all technologies used in the organization. Scanners, copiers, printers, and FAX machines all have a place in an organization. However, incorporating them into enterprise risk assessments as well as policies that govern their use will help to identify and mitigate risks associated with their use.<br /> <br /> Our team would like to hear what you are doing to counter this threat. If you have any questions or comments please email us using the feedback link.</p>]]>
    </content>
</entry>

<entry>
    <title>Challenges in Network Monitoring above the Enterprise</title>
    <link rel="alternate" type="text/html" href="https://www.cert.org/blogs/certcc/2011/09/challenges_in_network_monitori.html" />
    <id>tag:www.cert.org,2011:/blogs/certcc//1.78</id>

    <published>2011-09-23T14:06:00Z</published>
    <updated>2011-09-23T14:06:08Z</updated>

    <summary><![CDATA[Recently George Jones, Jonathan Spring, and I attended USENIX Security '11. We hosted an evening Birds of a Feather (BoF) session where we asked a question of some significance to our CERT&reg; Network Situational Awareness (NetSA) group: Is Large-Scale Network...]]></summary>
    <author>
        <name>Andrew Kompanek</name>
        
    </author>
    
        <category term="Analysis" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="https://www.cert.org/blogs/certcc/">
        <![CDATA[<p>Recently George Jones, Jonathan Spring, and I attended <a href="http://www.usenix.org/events/sec11/">USENIX Security '11</a>. We hosted an evening Birds of a Feather (BoF) session where we asked a question of some significance to our <a href="http://www.cert.org/netsa/">CERT<sup>&reg;</sup> Network Situational Awareness (NetSA)</a> group:</p> <p style="margin-left: 40px;"><em><strong>Is Large-Scale Network Security Monitoring Still Worth Effort?</strong></em></p>]]>
        <![CDATA[<p>One of the foundational principles behind most organizations' network security practices is still &quot;defense in depth,&quot; which is implemented using a variety of security controls and monitoring at different locations in an organization's networks and systems. As part of a defense-in-depth strategy, it has become commonplace for organizations to build enterprise security operations centers (SOCs) that rely in part on monitoring the extremely large volumes of network traffic at the perimeter of their networks. There has been a recent trend toward increased investment in (and reliance on) network monitoring &quot;above the enterprise&quot; in order to simplify sensor deployments, decrease cost, and more easily centralize operations. At the same time, the idea of a well-defined defensible perimeter is being challenged by <a href="http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf">cloud computing</a>, the<a href="http://www.sei.cmu.edu/library/abstracts/news-at-sei/securitymatters200702.cfm"> insider threat</a>, the so-called <a href="http://taosecurity.blogspot.com/2010/01/what-is-apt-and-what-does-it-want.html">advanced persistent threat</a> problem, and the &nbsp;prevalence&nbsp;of socially-engineered application-level attacks over network-based attacks. For an opinion piece about how things have changed, read <a href="http://www.usenix.org/publications/login/2011-08/openpdfs/musings11-08.pdf">Rik Farrow's article</a> in the USENIX magazine ;<em>login:</em>.</p> <p>The purpose of the BoF was to revisit some of the assumptions behind approaches to large-scale network monitoring at this level. We also wanted to lead a discussion about the challenges we face in monitoring, especially in light of these changes. 
We considered the following questions.</p> <p><em><strong>What problems do we confront when monitoring at the supra-enterprise level?</strong></em></p> <p>We discussed a number of challenges, many of which are the result of networks not being architected with &quot;monitorability&quot; as a priority. We also discussed the following factors:</p> <ul>     <li>Bandwidth</li>     <li>Encryption</li>     <li>Everything in HTTP[S]</li>     <li>NAT, proxies, tunneling</li>     <li>Carrier-grade NAT/IPv4 islands</li>     <li>Lack of knowledge of policy and assets</li>     <li>Legal restrictions</li> </ul> <p><em><strong>What data can we expect to remain unencrypted?</strong></em></p> <p>We can expect that as more and more traffic is encrypted, we'll still be able to see the following data that must remain unencrypted in order for an IP network to function properly:</p> <ul>     <li>IP headers (traffic summaries) - Packets have to be routed by the public infrastructure, which means that IP headers will remain unencrypted for the foreseeable future. This will enable various traffic analysis techniques. However, it's worth noting that tunnels (including IPv6) and anonymizing networks like Tor will affect what we see.</li>     <li>DNS queries and responses - While DNSSEC deployment will mean that DNS responses will be digitally signed, we can expect that the content will remain unencrypted. This will enable analysis that will support the identification of new malicious domains and the detection of the use of DNS by malware.</li>     <li>BGP and related routing protocols - Just as we can expect IP headers to remain unencrypted, we can expect BGP to remain in the clear.</li> </ul> <p>In addition, there is other &quot;global metadata&quot; that can be combined with monitoring data and used for analysis. 
This metadata includes registration data (i.e., &quot;whois&quot; data), gTLD zone files, public certificates for certificate authorities, website reputation data, and RBL lists.</p> <p><em><strong>What can you still analyze at the supra-enterprise level?</strong></em></p> <p>Using traffic analysis techniques, we can see phenomena that appear as changes in traffic patterns. We identify these variations by developing indicators for the following:</p> <ul>     <li>Worms, DDoS, floods, large-scale scans</li>     <li>Trends</li>     <li>The scale and scope of global attacks (e.g., all banks, etc.)</li>     <li>Detection based on locality (e.g., identifying traffic from a particular country)</li> </ul> <p>A literature search on intrusion detection using traffic analysis will identify a variety of papers. For example, there are a number of papers in&nbsp;<a href="http://www.raid-symposium.org/">RAID</a> proceedings. Some examples can also be found in the FloCon<sup>&reg;</sup> proceedings, available at the <a href="http://www.cert.org/flocon">CERT FloCon site</a>.</p> <p>Using a combination of traffic analysis, DNS, and (selective) content capture,  we can develop heuristics that can function as indicators for the following:</p> <ul>     <li>Spear phishing, <a href="http://www.usenix.org/events/sec11/tech/full_papers/Stringhini.pdf">spammers </a>and <a href="http://www.usenix.org/events/sec11/tech/full_papers/Jacob.pdf">botnets</a></li>     <li>Malicious domains with DNS analysis (We have published a <a href="http://www.cert.org/blogs/certcc/2010/08/malicious_domain_names_the_tld.html">blog entry</a> about this topic, and the USENIX Security proceedings also include a related <a href="http://www.usenix.org/events/sec11/tech/full_papers/Antonakakis.pdf">paper</a>.)</li> </ul> <p>In general, analysis based on a broad view of network traffic remains invaluable as part of incident analysis. 
It provides a way to understand the traffic associated with a particular incident and to identify activity occurring elsewhere in the network that matches a particular pattern.</p> <p>A broad view of DNS and our network's traffic also enables a whole class of analysis we might call &quot;indicator expansion&quot;: various ways in which we can take a single indicator of malicious activity, like a single IP on a watch list, and find additional IPs also associated with the malicious activity of interest. This expansion can be based on a behavioral detection algorithm; for example, heuristics for enumerating the IPs of all the bots in a botnet. We can also often expand our watch list by leveraging DNS or other global metadata to associate an IP with a DNS name or a real-world entity, and to then map that entity back to additional IP addresses that we can add to our watch list.</p> <p><em><strong>How are attacks changing?</strong></em></p> <p>One thing we can say for sure is that attacks are moving up the application stack. In addition to targeting ports, servers, and hosts, they now target applications like web browsers and PDF viewers, as well as users themselves. The goal is to be able to monitor the users and the assets they control. It's not entirely clear what we can rely on being visible at this level in the future.</p> <p>There are several big questions that need to be answered in order to formulate a strategy for supra-enterprise monitoring:</p> <ul>     <li>What kind of selective content capture should we be doing?</li>     <li>At what point do we need a different monitoring approach (on hosts, systems, etc.)?</li>     <li>How does the picture change at lower levels (e.g., enterprise and below)?</li> </ul> <p><em><strong>What are some monitoring techniques that can still work?</strong></em></p> <p>During the BoF session, we discussed the following techniques:</p> <ul>     <li>Re-routing suspicious traffic to a place where it can be monitored. 
This could include selective full-packet capture.</li>     <li>Leveraging routers and switches to generate traffic summaries (NetFlow/CFlowD, sFlow, etc.)</li>     <li>Intelligent sampling</li> </ul> <p><strong><em> What about &quot;the cloud?&quot;</em></strong></p> <ul>     <li>We discussed how &quot;the cloud&quot; is a problem because we can no longer rely on being able to distinguish individual virtual host endpoints within a cloud infrastructure. This could be solved by ensuring that NAT does not happen before the monitoring point. One thought: assign IPv6 addresses to everything, no more NAT.</li>     <li>Will Google, Amazon, and other vendors invest in the infrastructure required to do monitoring? Should this come standard with hosting services?</li>     <li>Will cloud providers provide flow or monitoring data? Should this be standard practice? What about other monitoring options for your servers?</li><li>Monitoring requirements could be incorporated into providers' terms of service agreements.</li>     <li>What about cloud-to-cloud attacks? Could attackers provision EC2 machines to attack users on that platform?</li> </ul> <p>See <a href="http://www.cert.org/archive/pdf/jspringIEEESPpt1.pdf">part one</a> and <a href="http://www.cert.org/archive/pdf/jspringIEEESPpt2.pdf">part two</a> of the article &quot;Monitoring Cloud Computing by Layer,&quot; written by one of our CERT NetSA colleagues, for a list of what's needed to monitor &quot;the cloud.&quot;</p> <p><em><strong>What about mobile?</strong></em></p> <p>We finished up the session with a brief discussion of mobile. We have the same endpoint issue as the cloud in a world of 3G devices. 
In the case of 4G, we can expect that it will be common to assign IPv6 addresses to the mobile device endpoints.</p> <p><strong>Final Thought<br /></strong></p> <p>At the end of the session, one of the participants suggested ironically that as data moves to &quot;the cloud&quot; and users move to mobile devices using third-party networks, a larger percentage of the traffic that remains on corporate networks might actually be illegitimate, malicious, and otherwise unrelated to business purposes.</p> <p><strong>Continuing the discussion...</strong></p> <p>We hope to continue this discussion about exploring the ways that supra-enterprise network monitoring is changing, what techniques can be effective, and where new approaches are needed.</p> <p>Please join us in January for <a href="http://cert.org/flocon">FloCon 2012</a> in Austin, Texas. We will be moderating a panel discussion. In the meantime, we'd like to continue the discussion on the <a href="http://www.cert.org/flocommunity/">FloCommunity mailing list</a>.</p>]]>
    </content>
</entry>

<entry>
    <title>The CERT Insider Threat Database </title>
    <link rel="alternate" type="text/html" href="https://www.cert.org/blogs/insider_threat/2011/08/the_cert_insider_threat_database.html" />
    <id>tag:www.cert.org,2011:/blogs/insider_threat//2.76</id>

    <published>2011-08-15T14:00:00Z</published>
    <updated>2011-08-15T14:00:00Z</updated>

    <summary><![CDATA[Hi, this is Randy Trzeciak, technical team lead for the Insider Threat Outreach &amp; Transition group at the Insider Threat Center at CERT. Since 2001, our team has been collecting information about malicious insider activity within U.S. organizations. In each...]]></summary>
    <author>
        <name>Insider Threat Team</name>
        
    </author>
    
        <category term="Guidance" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="https://www.cert.org/blogs/insider_threat/">
        <![CDATA[<p>Hi, this is Randy Trzeciak, technical team lead for the Insider Threat Outreach &amp; Transition group at the Insider Threat Center at CERT. Since 2001, our team has been collecting information about malicious insider activity within U.S. organizations. In each of the incidents we have collected, the insider was found guilty in a U.S. court of law.</p>]]>
        <![CDATA[<p>Over the past year, our team has received feedback from practitioners  on the front-line of insider threat prevention, detection, and  response. This feedback shows that while malicious insider activity is a  great concern, non-malicious (accidental) activity is just as  problematic. Controls need to be put into place for this non-malicious  activity. Additionally, we received feedback from individuals in  organizations that have locations outside the U.S. They want to know how  insider activity exhibited in U.S. cases compares to insider incidents  in organizations outside the U.S. Based upon this feedback, we have  begun collecting information about incidents involving accidental  insider activity, such as accidental data disclosure, or accidental  disruption of a critical service due to the unintentional actions of an  employee (e.g., clicking on an infected attachment in an email message).</p><p>To  date, we have collected approximately 700 cases of insider activity  that resulted in the disruption of an organization&rsquo;s critical  information technology (IT) services; the use of IT to commit fraud  against an organization; the use of IT in the theft of intellectual  property or national security espionage; as well as other cases where an  insider used IT in a way that should have been a concern to an  organization. 
This data provides the foundation for all of our insider  threat research, our insider threat lab, insider threat assessments,  workshops, exercises, and the models developed to describe how the  crimes tend to evolve over time.</p><p>The following are the sources of information used to code insider threat cases:</p> <ul>     <li>Public sources of information<br />     <ul>         <li>Media reports</li>         <li>Court documents</li>         <li>Publications</li>     </ul></li>     <li>Non-public sources of information<br />     <ul>         <li>Law enforcement investigations</li>         <li>Organization investigations</li>         <li>Interviews with victim organizations</li>         <li>Interviews with convicted insiders</li>     </ul></li> </ul> <p>Below are the descriptions of the types of information we collect about each incident.&nbsp;These descriptions should provide some insight into how we use the information for analysis and for drawing conclusions about potentially problematic insider activity.<br /> <br /> Information about three entities is needed when coding insider threat cases: the organization(s) involved, the individual perpetrator (subject), and the details of the incident. The figure below shows the primary relationships among these three entities.</p><p>&nbsp;</p><span style="display: inline;" class="mt-enclosure mt-enclosure-image"><p>&nbsp;</p><img height="243" width="479" style="text-align: center; display: block; margin: 0pt auto 20px;" class="mt-image-center" src="/blogs/insider_threat/codingdiagram.jpg" alt="codingdiagram.jpg" /></span><p><big><strong>Organization Data</strong></big></p> <p>Multiple organizations can be involved in a single incident. 
An organization that is negatively impacted by an incident is designated as a &ldquo;victim organization.&rdquo; Incidents may also involve a victim organization&rsquo;s trusted business partner.</p> <p><em>Organization Attributes</em></p> <table cellspacing="1" cellpadding="1" border="1" style="width: 600px;">     <thead>         <tr>             <th scope="col" style="text-align: left;"><small>Organization Subcategory</small></th>             <th scope="col" style="text-align: left;"><small>Attributes</small></th>         </tr>     </thead>     <tbody>         <tr>             <td><small>Organization descriptors</small></td>             <td><small>Name, address, relation to insider</small></td>         </tr>         <tr>             <td><small>Organization type</small></td>             <td><small>Victim, beneficiary, other</small></td>         </tr>         <tr>             <td><small>Organization description</small></td>             <td><small>Description of the organization, including the industry sector of the organization.</small></td>         </tr>         <tr>             <td><small>Based in the U.S.</small></td>             <td><small>Location of the organization; based in the United States</small></td>         </tr>         <tr>             <td><small>Organization issues</small></td>             <td><small>Work environment; layoffs, mergers, acquisitions, and other workplace events that may have contributed to an insider&rsquo;s decision to act.</small></td>         </tr>         <tr>             <td><small>Opportunity provided to insider</small></td>             <td><small>Actions taken by organization that may have contributed to the insider&rsquo;s decision to take action, or failure by the organization to take action when observables were available.</small></td>         </tr>     </tbody> </table> <p><big><strong>Subject Data</strong></big></p> <p>Details about an insider may be limited, especially in cases involving 
sensitive information or those where the insider is not prosecuted. Whenever possible, we collect demographic information about the insider, which can be used to generate insider profiles and incident statistics.</p> <p><em>Subject Attributes</em></p> <table height="183" cellspacing="1" cellpadding="1" border="1" width="600" style="">     <thead>         <tr>             <th scope="col" style="text-align: left;"><small>Subject Subcategory</small></th>             <th scope="col" style="text-align: left;"><small>Attributes</small></th>         </tr>     </thead>     <tbody>         <tr>             <td><small>Descriptors</small></td>             <td><small>Name, gender, age, citizenship, residence, education, employee title/type/status, departure date, tenure, partner relationship, access, position</small></td>         </tr>         <tr>             <td><small>Motives and expectations</small></td>             <td><small>Motives (financial, curiosity, ideology, recognition, external benefit), unmet expectation (promotion, workload, financial, usage)</small></td>         </tr>         <tr>             <td><small>Concerning behaviors</small></td>             <td><small>Tardiness, insubordination, absences, complaints, drug/alcohol abuse, disgruntlement, coworker/supervisor conflict, violence, harassment, poor performance, poor hygiene, etc&hellip;</small></td>         </tr>         <tr>             <td><small>Violation history</small></td>             <td><small>Security violations, resource misuse, complaints, background deception</small></td>         </tr>         <tr>             <td><small>Consequences</small></td>             <td><small>Reprimands, transfers, demotion, HR report, termination, suspension, access revocation, counseling</small></td>         </tr>         <tr>             <td><small>Mental history</small></td>             <td><small>Evaluated, delusional, treatment, depression, psychiatric diagnosis/medication, suicidal, violence</small></td>         
</tr>         <tr>             <td><small>Substance abuse</small></td>             <td><small>Alcohol, hallucinogens, marijuana, amphetamines, cocaine, sedatives, heroin, inhalants</small></td>         </tr>         <tr>             <td><small>Planning and deception</small></td>             <td><small>Prior planning activities, explicit deceptions</small></td>         </tr>     </tbody> </table> <p><big><strong>Incident Data</strong></big></p> <p>Information about a specific incident is collected to describe individual actions taken to set up the attack, vulnerabilities exploited during the attack, steps taken to conceal the attack, how the incident was detected, and the impact the attack had on the victim organization. When available, data is collected on actions taken by the organization in response to the actions, events, and conditions that may have contributed to an insider&rsquo;s decision to carry out an attack.</p> <p><em>Incident Attributes</em></p> <table height="463" cellspacing="1" cellpadding="1" border="1" width="600" style="">     <thead>         <tr>             <th scope="col" style="text-align: left;"><small>Incident Subcategory</small></th>             <th style="text-align: left;" scope="col"><small>Attributes</small></th>         </tr>     </thead>     <tbody>         <tr>             <td><small>Case summary</small></td>             <td><small>Incident dates, duration, critical infrastructure sector, prosecution</small></td>         </tr>         <tr>             <td><small>Conspirators</small></td>             <td><small>Accomplice identifier, type of collusion, relationships to insider</small></td>         </tr>         <tr>             <td><small>Information sources</small></td>             <td><small>Origination, type</small></td>         </tr>         <tr>             <td><small>Incident chronology</small></td>             <td><small>Sequence of date, place, event</small></td>         </tr>         <tr>             <td><small>Investigation and 
capture</small></td>             <td><small>How identified and caught</small></td>         </tr>         <tr>             <td><small>Case outcome</small></td>             <td><small>Indictment, subject&rsquo;s story, sentence, case outcome</small></td>         </tr>         <tr>             <td><small>Recruitment</small></td>             <td><small>Outside/competitor induced, insider collusion, outsider collusion, acted alone, reasons for collusion</small></td>         </tr>         <tr>             <td><small>IT accounts used</small></td>             <td><small>Subject&rsquo;s, organizations', system administrators', database administrators', co-workers', authorized third party, shared, backdoor</small></td>         </tr>         <tr>             <td><small>Outcome</small></td>             <td><small>Data copied/deleted/read/modified/created/disclosed, used in ID theft, unauthorized document created, system blocked</small></td>         </tr>         <tr>             <td><small>Impact</small></td>             <td><small>Description, financial</small></td>         </tr>         <tr>             <td><small>How detected</small></td>             <td><small>Software, information system, audit, nontechnical, system failure</small></td>         </tr>         <tr>             <td><small>Who detected</small></td>             <td><small>Self reported, IT staff, other internal; customer, law enforcement, competitor, other external</small></td>         </tr>         <tr>             <td><small>Log files used</small></td>             <td><small>System files, email, remote access, ISP</small></td>         </tr>         <tr>             <td><small>Who responded</small></td>             <td><small>Incident response team, management, other internal</small></td>         </tr>         <tr>             <td><small>Vulnerabilities exploited</small></td>             <td><small>Sequence of exploit description, vulnerability grouping</small></td>         </tr>         <tr>             
<td><small>Technical methods</small></td>             <td><small>Technical methods used to set up and/or carry out the attack (e.g., hardware device, malicious code, modified logs, compromised account, sabotaged backups, modified backups)</small></td>         </tr>         <tr>             <td><small>Concealment methods</small></td>             <td><small>Concealment methods used to hide technical and non-technical methods</small></td>         </tr>     </tbody> </table> <p>We hope you found this entry helpful in understanding the type of data the CERT&nbsp;Insider Threat Center collects, analyzes, and uses. If you have any questions or comments related to our coding process, email us using the feedback link.</p>]]>
    </content>
</entry>

<entry>
    <title>Theft of Intellectual Property and Tips for Prevention</title>
    <link rel="alternate" type="text/html" href="https://www.cert.org/blogs/insider_threat/2011/07/insider_threat_methods_of_exfiltration.html" />
    <id>tag:www.cert.org,2011:/blogs/insider_threat//2.75</id>

    <published>2011-07-21T17:29:00Z</published>
    <updated>2011-07-21T17:34:14Z</updated>

    <summary>One of the most damaging ways an insider can compromise an organization is by stealing its intellectual property (IP). An organization cannot underestimate the value of its secrets, product plans, and customer lists. In our recent publication, An Analysis of...</summary>
    <author>
        <name>Insider Threat Team</name>
        
    </author>
    
        <category term="Guidance" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Theft of IP" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="https://www.cert.org/blogs/insider_threat/">
        <![CDATA[<p>One of the most damaging ways an insider can compromise an organization is by stealing its intellectual property (IP). An organization cannot underestimate the value of its secrets, product plans, and customer lists. In our recent publication, <a href="http://www.cert.org/archive/pdf/11tn006.pdf">An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases</a>, we took a critical look at the technical aspects of cases in which insiders stole IP from their organization. Insiders commit these crimes for various reasons, such as for the benefit of another entity, to gain a competitive business advantage, to start a competing organization or firm, or for personal financial gain. By understanding the specific technical methods that insiders use to steal information, organizations can consider gaps in their network implementation and can identify ways to improve controls that protect their IP.</p>]]>
        <![CDATA[<p>Technical discussions of IP theft are helpful for operational staff to understand how an insider can compromise their organization. Additionally, organizations should always attempt to better understand the human behavioral elements of insider crimes. The report, <a href="http://www.cert.org/archive/pdf/11tn013.pdf">A Preliminary Model of Insider Theft of Intellectual Property</a> details two preliminary models of behavior associated with insider theft of IP.</p> <p>The table below identifies types of assets that were attacked in a sample of 50 cases from our 85 total theft of IP cases.</p>  <span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img height="433" width="600" alt="Breakdown of assets attacked in IP theft cases" src="/blogs/insider_threat/IPtheft_assets.png" class="mt-image-center" style="text-align: center; display: block; margin: 0pt auto 20px;" /></span> <p>It is clear that trade secrets and internal business information are the most frequently attacked assets. Included in the trade secret and internal business categories, we see assets such as future product designs, customer/price lists, and internal policies not intended for public consumption. These results might seem surprising, especially the relatively low number of customer information items stolen. Personal information such as social security numbers or health records is generally considered to be personally identifiable information (PII) rather than intellectual property. Theft of PII is classified as insider fraud in our database and is thus out of scope for this analysis.</p>  <p>We also found that in more than half of the theft of IP cases we analyzed, use (or misuse) of the network was the primary method of exfiltration. 
In 32 cases where the network was the primary vehicle for getting the data out of the organization, approximately 50% involved insiders using their corporate email accounts to send data off to personal email accounts, competitors, and foreign governments. Organizations should strongly consider reviewing the monitoring capabilities they use with respect to email, particularly for messages sent to suspect recipients. Conversely, the least utilized network channels involved more technically complex crimes, such as setting up covert channels over SSH or other improperly blocked/filtered channels outside the network to move data off of internal servers.</p>  <p>Our study indicated that the most common method of physical exfiltration of data was removable media. Prior to 2005, the most common removable medium was the writable CD. However, recent incidents indicate that removable USB mass storage devices like thumb drives and external hard disks are now more popular. USB devices have a much greater storage capacity than CDs, which makes it easier for insiders to move their entire desired data set at once.</p>  <p>What can organizations do about these problems? First, they can always consider the role of best practices and established standards in defending against insider attacks. Insider attacks frequently exploit policies or controls that are covered in accepted best practices for IT system security. Second, organizations should always consider more than just the technical aspects of the crime. In a recent report, <a href="http://www.cert.org/archive/pdf/11tn003.pdf">Deriving Candidate Technical Controls and Indicators of Insider Attack from Socio-Technical Models and Data</a>, we examined the importance of creating technical indicators for behavioral actions so that we can gain a more complete understanding of how to defend against insider crimes. 
Organizations should pay specific attention to these technical vulnerabilities while they attempt to understand what controls are practical to put in place for removable media in the organization. If removable media is necessary to keep operations moving, an organization may want to establish technical measures to limit which machines allow use of removable media, take an inventory of authorized media, and implement some measure of physical security to prevent the removal of devices from the facility or the introduction of new, uninventoried devices into it. When considering network security, organizations should attempt to identify suspicious email communications (particularly with attachments) to direct competitors, foreign governments, or other illegitimate recipients of corporate mail. Organizations should consider using a log aggregation and indexing tool to look for patterns in behavior that might warrant further investigation. This is especially true during major organizational events that may cause stress among employees, such as mergers, downsizing, acquisitions, or reorganizations. These events could possibly influence employee behavior in a negative way, and a heightened awareness of security might be necessary.</p>  <p>If you have questions, comments, or cases to share, please contact us using the feedback link. We are interested in hearing more about what your organization has done about these problems and how well the approaches have worked. Operational feedback helps direct our work, so your contributions and feedback are valuable. All responses will remain confidential, and no data that you share will ever be released or included in future reports.</p>]]>
    </content>
</entry>

<entry>
    <title>Insider Threat Deep Dive: Theft of Intellectual Property</title>
    <link rel="alternate" type="text/html" href="https://www.cert.org/blogs/insider_threat/2011/06/insider_threat_deep_dive_theft_of_intellectual_property.html" />
    <id>tag:www.cert.org,2011:/blogs/insider_threat//2.74</id>

    <published>2011-06-27T17:47:07Z</published>
    <updated>2011-06-27T17:47:45Z</updated>

    <summary><![CDATA[This entry is part of a series of &ldquo;deep dives&rdquo; into insider threat. The previous entry focused on IT sabotage. Hi, this is Chris King. From our research, we realized that malicious insiders do not all fit into a single...]]></summary>
    <author>
        <name>Insider Threat Team</name>
        
    </author>
    
        <category term="Guidance" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Theft of IP" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="https://www.cert.org/blogs/insider_threat/">
        <![CDATA[<p><em>This entry is part of a series of &ldquo;deep dives&rdquo; into insider threat. The previous entry focused on <a href="http://www.cert.org/blogs/insider_threat/2010/09/insider_threat_deep_dive_it_sabotage.html">IT sabotage</a>.</em></p> <p>Hi, this is Chris King. From our research, we realized that malicious insiders do not all fit into a single category. We found that there are individuals who steal or commit fraud for financial gain, others who steal intellectual property because of a sense of entitlement or to obtain a position with a competitor, and some who want to exact revenge against an organization because they are angry. We noticed a pattern in the ways insiders acted and were able to separate them into three main categories of crime: IT sabotage, theft of intellectual property (IP), and fraud. This update focuses on theft of <span class="caps">IP.</span></p>
]]>
        <![CDATA[<p>We define theft of IP as cases in which an insider uses IT to steal intellectual property from an organization. This category includes cases of industrial espionage in which insiders steal company information to take to their next job, or they take trade secrets to a competitor. In 10 years of research, we have collected almost 90 incidents where an insider was found guilty of theft of <span class="caps">IP. </span> Of those cases, the insiders were almost entirely male (94%) and usually held technical positions such as scientist/engineer (44%) or programmer (10%). The following are some samples of theft of IP cases:</p>

<ul>
    <li>A technical service representative at a medical equipment company sought a job with a competing organization. The insider complied with her recruiter's request to send her current employer's customer lists, lab results, and manufacturing processes through email, postal mail, and commercial carriers in exchange for the new position.</li>
<li>The founder of a company that held a patent for a specific technology began to work for a software development company that used that technology. Over the course of 3 years, the insider accessed confidential business documents that were directly related to the patent infringement litigation that his company was preparing to initiate. He downloaded the documents to his laptop and then quit his job at the software development company. His company then filed a patent infringement lawsuit against the software development company.</li>
<li>A chemist at a paint manufacturer went on a business trip to work with one of the paint manufacturer's foreign subsidiaries. During the trip, the insider negotiated employment with one of the paint manufacturer's competitors and then resigned from his job. When representatives from the paint manufacturer analyzed the insider's laptop, they discovered 44GB of trade secret information. The insider was arrested when he attempted to leave the country. At the time of his arrest, he had a <span class="caps">USB </span>drive that contained the trade secret information.</li></ul>

<p>In an analysis of theft of IP incidents, we discovered there are primarily two types of individuals who steal IP - the "entitled independent" and the "ambitious leader." The entitled independent is an insider who mainly acts alone to steal IP from an organization to take to a new job or side business. These insiders believe that they own the information they worked on during their employment, and they believe that they are entitled to the IP they created. The ambitious leader is an insider who recruits other insiders to help steal information for a larger purpose. The theft of IP in these cases is either to start a new business, to work with a competing organization, or to sell the information to a competing organization. For more information on how we developed these two models, see <a href="http://www.cert.org/archive/pdf/11tn013.pdf">A Preliminary Model of Insider Theft of Intellectual Property</a>.</p>

<p>Although only 12% of the cases in the <span class="caps">CERT</span><sup>&reg;</sup> insider threat database can be defined as theft of <span class="caps">IP, </span>this is one of the most damaging types of insider attacks. Of our cases, the average potential damages for this type of incident were $29M-$42M, with some of the trade secrets valued at $1B in <span class="caps">R&amp;D </span>costs. In these cases, 52% of insiders stole trade secret information, 30% stole sensitive internal documents (billing, customer lists, etc.), and 20% targeted source code.</p>

<p>Even though these high-value assets are protected, it is the trusted insiders who are working on these products that often steal them. The insiders' authorized access to the system or designs they work on complicates efforts to protect an organization's <span class="caps">IP.</span></p>

<p>We have developed some countermeasures for this type of crime. For more technical detail, see <a href="http://www.cert.org/archive/pdf/11tn006.pdf">An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases</a>. For more general information, see the <a href="http://www.cert.org/archive/pdf/CSG-V3.pdf">Common Sense Guide to Prevention and Detection of Insider Threats</a>. A few technical preventative measures are presented here:</p>

<ul>
    <li>Many theft of IP cases in our database involved the use of removable media. Organizations should consider having some metric of employee use of removable media. Understanding who requires removable media and for what purposes can help an organization determine what may constitute normal and healthy business use. </li>
<li>Of the cases in which an organization's network was used to perpetrate the theft, most involved email and remote access over <span class="caps">VPN.</span> Given that several cases included sending email to a direct competitor, organizations should consider either tracking or blocking email to and from competitors. Our cases did not explicitly show insiders using sophisticated concealment methods, such as proxies. However, we did find that insiders periodically leverage their personal, web-based email as an exfiltration method.</li>
<li>According to our theft of IP models, most insiders steal IP within 30 days of leaving an organization. Organizations should consider a more targeted monitoring strategy for users who have already given notice that they will be leaving. Further, organizations should consider inspecting available log traffic for any indicators of suspicious access, large file transfers, suspicious email traffic, after-hours access, or use of removable media. Central logging appliances and event correlation engines may help craft automated queries that reduce an analyst's workload for routinely inspecting this data.</li>
<li>Organizations should consider reviewing access termination policies associated with employee exit procedures. Several cases in our database provided evidence that insiders remotely accessed systems by using previously authorized accounts that were not terminated upon the employee's exit. Precautions against this kind of incident would seem to be common sense, but this trend continues to manifest in newly cataloged cases.</li>
<li>As part of an employee's exit interview, organizations should consider reminding the employee of the contents of the intellectual property agreements that they signed, and even consider asking them to sign a statement saying that they have not taken any intellectual property with them.</li>
</ul>   

<p>Also consider using the security guidance published by <a href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf"><span class="caps">NIST</span></a>.</p>
]]>
    </content>
</entry>

</feed>

