Sunday, May 10, 2009

Insider Threat Myth Documentation

In my first book The Tao of Network Security Monitoring, published in July 2004, I tried to trace the origin of the "80% myth". In the following section reprinted from pages 31-34, and newly annotated now, I document what this means for insider vs outsider threat. (This section is also posted here at Informit.com.)


OUTSIDERS VERSUS INSIDERS: WHAT IS NSM’S FOCUS?

This book is about network security monitoring. I use the term network to emphasize the book’s focus on traffic and incidents that occur over wires, radio waves, and other media. This book does not address intruders who steal data by copying it onto a USB memory stick or burning it to a CD-ROM. Although the focus for much of the book is on outsiders gaining unauthorized access, it pertains equally well to insiders who transfer information to remote locations. In fact, once an outsider has local access to an organization, he or she looks very much like an insider. [10]

Should this book (and NSM) pay more attention to insiders? One of the urban myths of the computer security field holds that 80% of all attacks originate from the inside. This “statistic” is quoted by anyone trying to sell a product that focuses on detecting attacks by insiders. An analysis of the most respected source of computer security statistics, the Computer Crime and Security Survey conducted annually by the Computer Security Institute (CSI) and the FBI, sheds some light on the source and interpretation of this figure. [11] [Bejtlich: I question saying "most respected" now, but I wrote that in 2004 before we had other reporting.]

The 2001 CSI/FBI study quoted a commentary by Dr. Eugene Schultz that first appeared in the Information Security Bulletin. Dr. Schultz was asked:

I keep hearing statistics that say that 80 percent of all attacks are from the inside. But then I read about all these Web defacements and distributed denial of service attacks, and it all doesn’t add up. Do most attacks really originate from the inside?

Dr. Schultz responded:

There is currently considerable confusion concerning where most attacks originate. Unfortunately, a lot of this confusion comes from the fact that some people keep quoting a 17-year-old FBI statistic that indicated that 80 percent of all attacks originated from the [inside]...

Should [we] ignore the insider threat in favor of the outsider threat? On the contrary. The insider threat remains the greatest single source of risk to organizations. Insider attacks generally have far greater negative impact to business interests and operations. Many externally initiated attacks can best be described as ankle-biter attacks launched by script kiddies.

But what I am also saying is that it is important to avoid underestimating the external threat. It is not only growing disproportionately, but is being fueled increasingly by organized crime and motives related to espionage. I urge all security professionals to conduct a first-hand inspection of their organization’s firewall logs before making a claim that most attacks come from the inside. Perhaps most successful attacks may come from the inside (especially if an organization’s firewalls are well configured and maintained), true, but that is different from saying that most attacks originate from the inside. [12]


Dr. Dorothy Denning, some of whose papers are discussed in Appendix B, confirmed Dr. Shultz’s conclusions. Looking at the threat, noted by the 2001 CSI/FBI study as “likely sources of attack,” Dr. Denning wrote in 2001:

For the first time, more respondents said that independent hackers were more likely to be the source of an attack than disgruntled or dishonest insiders (81% vs. 76%).

Perhaps the notion that insiders account for 80% of incidents no longer bears any truth whatsoever. [13]


The 2002 and 2003 CSI/FBI statistics for “likely sources of attack” continued this trend. At this point, remember that the statistic in play is “likely sources of attack,” namely the party that embodies a threat. In addition to disgruntled employees and independent hackers, other “likely sources of attack” counted by the CSI/FBI survey include foreign governments (28% in 2003), foreign corporations (25%), and U.S. competitors (40%).

Disgruntled employees are assumed to be insiders (i.e., people who can launch attacks from inside an organization) by definition. Independent hackers are assumed to not be insiders. But from where do attacks actually originate? What is the vector to the target? The CSI/FBI study asks respondents to rate “internal systems,” “remote dial-in,” and “Internet” as “frequent points of attack.” In 2003, 78% cited the Internet, while only 30% cited internal systems and 18% cited dial-in attacks. In 1999 the Internet was cited at 57% while internal systems rated 51%. These figures fly in the face of the 80% statistic.

A third figure hammers the idea that 80% of all attacks originate from the inside. The CSI/FBI study asks for the origin of incidents involving Web servers. For the past five years, incidents caused by insiders accounted for 7% or less of all Web intrusions. In 2003, outsiders accounted for 53%. About one-quarter of respondents said they “don’t know” the origin of their Web incidents, and 18% said “both” the inside and outside participated.

At this point the idea that insiders are to blame should be losing steam. Still, the 80% crowd can find solace in other parts of the 2003 CSI/FBI study. The study asks respondents to rate “types of attack or misuse detected in the last 12 months.” In 2003, 80% of participants cited “insider abuse of net access” as an “attack or misuse,” while only 36% confirmed “system penetration.” “Insider abuse of net access” apparently refers to inappropriate use of the Internet; as a separate statistic, “unauthorized access by insiders” merited a 45% rating.

If the insider advocates want to make their case, they should abandon the 80% statistic and focus on financial losses. The 2003 CSI/FBI study noted “theft of proprietary information” cost respondents over $70 million; “system penetration” cost a measly $2.8 million. One could assume that insiders accounted for this theft, but that might not be the case. The study noted “unauthorized access by insiders” cost respondents only $406,000 in losses. [14]

Regardless of your stance on the outsider versus insider issue, any activity that makes use of the network is a suitable focus for analysis using NSM. Any illicit action that generates a packet becomes an indicator for an NSM operation. One of the keys to devising a suitable NSM strategy for your organization is understanding certain tenets of detection, outlined next.

Footnotes for these pages:

10. Remember that “local access” does not necessarily equate to “sitting at a keyboard.” Local access usually means having interactive shell access on a target or the ability to have the victim execute commands of the intruder’s choosing.

11. You can find the CSI/FBI studies in .pdf format via Google searches. The newest edition can be downloaded from http://www.gosci.com.

12. Read Dr. Schultz’s commentary in full at http://www.chi-publishing.com. Look for the editorial in Information Security Bulletin, volume 6, issue 2 (2001). Adding to the confusion, Dr. Shultz’s original text used “outside” instead of “inside,” as printed in this book. The wording of the question and the thesis of Dr. Shultz’s response clearly show he meant to say “inside” in this crucial sentence. [Looking back on this five years later, I am still confused by Dr. Schultz's meaning. If he really meant to say "some people keep quoting a 17-year-old FBI statistic that indicated that 80 percent of all attacks originated from the outside," then why not say "this 17-year-old FBI statistic is the opposite of your claim?"]

13. Dr. Dorothy Denning, as quoted in the 2001 CSI/FBI Study.

14. Foreshadowing the popularization of “cyberextortion” via denial of service, the 2003 CSI/FBI study reported “denial of service” cost over $65 million—second only to “theft of proprietary information” in the rankings.


My biggest regret reading this section involves trying to interpret Dr. Schultz's comments. If anyone can find a copy of an "FBI study" from approximately 1984 that discusses insider vs outsider threat, please let me know!

Reading this section now, I see the primary value as finding documentation that the "80% myth" refers to the idea that "80 percent of all attacks are from the inside." If you agree that an attack is not the same as an "incident," then you can see how Dr. Denning's comment about "the notion that insiders account for 80% of incidents" introduces more problems by talking about incidents and not attacks. If someone wants to throw "risk" in there, you now have a third meaning.

What I find sad is that so many people carelessly cite the "FBI" or "CSI" studies as supporting whatever "80%" claim they want, but if asked to point to the actual study they could never do so. In my first book I at least tried to document what was available at that time.


Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

15 comments:

James said...

Thanks for the post. BTW any plans up update TAO, I have not read it yet but just ordered it online. Do you think the material and insights in this book are still relevent? If not what would you recommend? I will soon be setting up NSM were I work and will be intergrating various tools, fragmented policies and other resources into a holistic solution. TAO looks to be a good fit to provide the groundwork I need.

John Ward said...

At this point, things change so fast, even a quote from 2004 isn't valid anymore. Its pretty logical to state that the overall statement still holds true about insider threat, especially with the Verizon report posted previously to support it.

P.S., I could have made better charts with BIRT. Perhaps I should tell that to Verizon :)

Vince said...

The 2008 CSI study reverses the perceived insider threat:

"The survey also asks respondents to estimate the percentage of attacks coming from inside
an organization versus those from outside, at least in terms of losses that result. Figure 12
2008 CSI Computer Crime and Security Survey
shows the percentage of losses that respondents attributed to insiders, showing that
considerably more respondents believed that their losses were due to attacks from outside
the organization, jumping from 36 percent last year to just over half this year."

Alex Sverdlov said...

I can argue with that. Yes, insider threat as in "insiders stealing info" is not 80% of all incidents, but insiders are the ones who open attachments, and are led into social engineering schemes. One can hardly penetrate any system, without using an insider as his way in nowadays. So.. yes insider threat is still in the heads.

Richard Bejtlich said...

James,

The first Tao book is still relevant. Lots of people are still buying it and many use it as a textbook.

Alex,

A user who falls for a client-side attack is a victim, not a threat. The threat is the person who conducted the attack, i.e., the intruder sitting in Brazil or Romania or wherever. Unless the attacker is also an employee or contractor or other party working for the organization, it's still an outsider threat.

James said...

Thanx for the response, thats what i figured but thought I would ask anyway. Im looking forward to digging into it once it arrives.

Cormier said...

I'm also interested in NSM... I am glad to know that the material is still relevant because as James, I want to buy this book. By following the NSM principles, how much of "man power" would be required to "monitor" let say, a network of over 100 000 hosts?

Anonymous said...

Probable misprint in footnote 11:
www.gosci.com should probably be www.gocsi.com.

Richard Bejtlich said...

Anonymous, thank you for the correction!

I've posted it here for inclusion in the next priting.

http://www.taosecurity.com/tao_nsm_errata.txt

Richard Bejtlich said...

Cormier,

I can't answer that question in a blog comment. I used to consult to answer questions like that because the answer is unique to every organization. If you read the book it will get you started.

Anonymous said...

Since many of you either like to play with words here, or just can't understand... here are some straight forward statements:
- Successful attacks which are initiated from the internal network(usually from an "insider's" workstation)STILL cause the 80%, or even more, of damage in the business.

- Client side attacks are the most widely used and successful attacks NOWDAYS.

- CSI/FBI survey?? Who would tell the FBI that an employee of his stole 1 million credit card numbers due to bad permission configuration or an internal vulnerability, or, or, or, or.

- How many security incidents don't get caught by the best IPSs/IDSs/AVs/(put whichever fancy acronym you like here) out there? MANY! In other words: Asking BT how much they lost due to electronic fraud this year is almost the same as asking me...(ok, i totally exaggerate here just to make me point)


Encourage ppl to secure their internal network so it doesn't become a playground by the ones' you call "script kidies" and don't publish things the way you want to see it in order to sell more, because ppl might make decisions based on your article and lose extra money...

Tuffer said...

Anonymous, just a couple of points on your comments:
"Since many of you either like to play with words here, or just can't understand... here are some straight forward statements:"
& "Encourage ppl to secure their internal network so it doesn't become a playground by the ones' you call "script kidies" "

A straight forward statement maybe but in reality there is nothing strightforward about ensuring the security a 100,000 node network if you have limited reaources. Even with a decent sized security team and budget this is no easy task.
I could regail you with stories from a previous employers (leading security vendors included), the lack of patching and the difficulties of deploying hardware/software, removing admin permissions, build images, network monitoring, user education and policy compliance all in an outsourced environment but I am sure you have a great deal of experience in these areas.

olga-shulman-lednichenko said...

I dont think the FBI data is that reliable. Do you really think so? I agree with anonymous : who would tell the FBI :
"Officer Dick stole a million dollars .. and there is Dick's cubicle?"..

i so see a lot of insider sources, but like someone said here: " a person who got attacked is not a threat - but a victim".. do you disagree?

my account was hacked.. thank God someone fixed it..and wlel, w\you know who - i wouldnt know how to!
sincerely
olga shulman lednichenko

Anonymous said...

When you are credit card transactions processor or a bank or an insurance company etc etc etc (you all know which companies need maximum security), apart that

- it's not honest
- it mustn't and shouldn't(can't afford it? don't do that business) consume a great part of your earnings
- it's a great business risk

it is also illegal in many countries not to secure you 100,000 nodes no matter how difficult it might be in practice...

Finally, an attacked workstation is the victim, yes... but once it became the victim, it's automatically an inside threat for the network.

Inside Threat: Malicious user/code/script/whichever electronic mean which may use a vulnerability of your internal network in order to harm it.

Erik said...

I just stumbled over a document that stated the 80% insider threat myth. The source they used for this statement was an article from 2000, which was supposed to be available at:
http://www.sans.org/infosecFAQ/securitybasics/insider_threat2.htm

But this link doesn’t work and I couldn’t find the article anywhere. So I used the good ol’ WaybackMachine, which gave me this page:

http://web.archive.org/web/20010605225404/http://www.sans.org/infosecFAQ/securitybasics/insider_threat2.htm

The author didn’t supply any source for his 80% statement, but I’m pretty sure he got it from somewhere else (FBI?)