search menu icon-carat-right cmu-wordmark

Insider Threats Related to Cloud Computing--Installment 8: Three More Proposed Directions for Future Research in Detail

CERT Insider Threat Center
• Insider Threat Blog
CERT Insider Threat Center

Hi, this is Bill Claycomb and Alex Nicoll with installment 8 of a 10-part series on cloud-related insider threats. In this post, we discuss three more areas of future research for cloud-related insider threats: identifying cloud-based indicators of insider threats, virtualization and hypervisors, and awareness and reporting.

Identifying Cloud-Based Indicators of Insider Threats

Identifying indicators of insider threats is another subject of ongoing work, which is described in the report Deriving Candidate Technical Controls and Indicators of Insider Attack from Socio-Technical Models and Data. However, many indicators suggested for cloud-based insider threats are simply reworded versions of malicious behavior indicators for non-cloud systems (e.g., access outside normal work hours, abnormal search patterns, obtaining back-door access to company data). While these indicators should not be discounted, identifying indicators unique to cloud environments could significantly improve the likelihood of detecting cloud-based insider attacks.

For instance, some technical indicators of rogue administrators at the cloud provider could be the following: violating SLAs, improperly managing virtual machines, using suspicious software, or performing similar activities across different platforms and customer systems. Non-technical indicators might include those that indicate a lack of concern for company policy or the protection of others' data (e.g., carelessness, indifference towards customer concerns).

Researchers should be careful to identify a wide-range of potential indicators. Ilgun et al., in their paper State Transition Analysis: A Rule-Based Intrusion Detection Approach, identify four types of intrusion detection methods that also apply to insider threat detection: threshold, anomaly, rule-based, and model-based. Each method has advantages and limitations, as noted by Greitzer and Hohimer in their article Modeling Human Behavior to Anticipate Insider Attacks.

For instance, threshold-based methods can be foiled by remaining within set limits; anomaly-based methods can be manipulated by clever insiders; rule-based methods are limited to a strictly defined set of criteria and eliminate the detection of novel attacks; model-based methods are expressive enough to encompass different behaviors but often focus on audit records alone. Additionally, we find model-based methods difficult to implement as specific detection methods without becoming too rule-based. The combination of different methods form a more holistic picture of insider behavior that can reduce false positives and increase the chances of finding clever and/or novel insider threat attacks in the cloud.

Virtualization and Hypervisors

Examples of virtualization and hypervisor exploits, as described in the presentations Subverting Vista Kernel for Fun and Profit and Cloudburst: A VMware Guest to Host Escape Story highlight the need for work on enforcing virtual machine isolation. These attacks are technically sophisticated and practically necessitate some level of insider access to the system being attacked. Indeed, it is difficult to imagine accidental data loss due to hypervisor vulnerabilities. Potential new research could include new technologies that could more completely implement virtual machine segmentation, perhaps using hardware-enforced mandatory access controls and process separation.

Awareness and Reporting

In May 2012, the FBI released a news story titled Economic Espionage: How to Spot a Possible Insider Threat, which included a list of insider threat warning signs and potential contact information. In fact, many of the insiders described in CERT's database were detected via reporting by others (e.g., co-workers, customers, management). Improving insider threat awareness and reporting programs is critical to improving the ability of others to identify signs of potential insider activity and increasing employee confidence in raising concerns to the appropriate authorities. Exploring which types of awareness campaigns are most effective for specific audiences as well as developing measurably improved reporting mechanisms will give organizations a better chance of detecting attacks as soon as possible.

Coming up next: We'll discuss two final areas of future research on cloud-related insider threats.

About the Author