Insider Threats, System Models, and Attacks

Insider threats are easy to counter. All we need is a concise model of human behavior and its dependencies on outer and inner influences, a surveillance system in place that is able to observe in necessary detail action and influences, and an evaluation system that can draw the necessary conclusions from its input. Neither of the components just described is easy to realise, or desirable to have in the first place. Modelling human behaviour is close to impossible, let alone modelling how it depends on outer and inner factors. A surveillance system is heavily dependent on legal boundaries of what is allowed to be monitored or not, and the amount of data even from legal monitoring can be overwhelming at best. An evaluation system would need to be able to take all the input and models into account, and this is yet another complex task.

In this talk we investigate the notion of insiders and insider threats from different viewpoints. From an organizational viewpoint we derive a definition of how insiders can be characterized. We then develop a theoretical, modular system model that is expressive enough to model real world scenarios, yet simple enough to lend itself for extensions and integration with other techniques. The formal basis enables the development of different analysis techniques to identify possible insider attacks. Finally, we investigate the connection of system models and attacks, and show how to systematically derive attacks from models.