by Andrew P. Moore
Lead Insider Threat Researcher
CERT Insider Threat Center
A 2016 study on cybersecurity and digital trust found that 69 percent of organizations surveyed experienced an attempted or successful theft or corruption of data by insiders in the last 12 months. Despite the impact of insider threat--and continued mandates that government agencies and their contractors put insider threat programs in place--a number of organizations still have not implemented them. Moreover, the programs that have been implemented often have serious deficiencies. One impediment to organizations establishing an insider threat program is the lack of a clear business case for implementing available countermeasures.
Modeling and simulation can not only help us understand the nature of the problem better, but also test the efficacy of countermeasures in a safe and convenient virtual environment. This blog post is abstracted from a special issue on insider threat modeling and simulation that I co-edited for the September 2016 issue of Computational and Mathematical Organization Theory. Specifically, this blog post highlights the results of a two-day workshop on how a range of modeling and simulation methods can be used to further understand complex insider threat problems.
The Insider Threat Modeling and Simulation Workshop
In 2014, the SEI brought together experts in academia, research, and government for a workshop that aimed to explore how a range of modeling and simulation methods can be utilized to further our understanding of complex insider threat problems. In particular, we focused on methods that involved the execution of an explicit, abstract model of an organization in contrast to the emulation of a computer system or pilot testing within an organization.
Our aim was to highlight the varied modeling and simulation approaches and how they can be used to help understand the insider threat problem. Specifically, our researchers aimed to understand three issues:
the role of modeling and simulation to better understand insider-threat-related problems and mitigation
how different modeling and simulation methods can be used individually and in combination
the role modeling and simulation methods can play in making insider threat a scientific discipline
A malicious insider threat is a current or former employee, contractor, or business partner who holds or held authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.
An unintentional insider threat is a current or former employee, contractor, or business partner who holds or held authorized access to an organization's network, system, or data and who, through action or inaction without malicious intent, causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization's information or information systems.
As the rest of this post details, the workshop participants made some intriguing progress on the insider threat problem using five methods.
Modeling and Simulation Methods Considered
The modeling and simulation methods that we explored include the following:
Agent-based modeling (ABM) - ABM is an object-oriented approach to simulate the actions and interactions of autonomous agents within a larger ecological context. Agents can represent a variety of objects, from individual actors (e.g., people) to collective communities and organizations (e.g., corporations or countries), that have endogenous and frequently heterogeneous features. The ecological context provides an environment in which exogenous stimuli (produced by the environment or by other agents) can influence and drive individual agent behaviors. A common goal of ABM, regardless of the scale of the agent, is to understand the emergent behavior of the larger system of which the agents are a part (Gilbert 2008). While the origins of ABM trace back to the late 1940s with von Neumann's work on self-reproducing machines and the notion of the cellular automaton, the first formal models were not developed until the 1970s. An explosion of the field followed in the 1990s, made possible by software platforms built on increasingly powerful computers that supported real-time visualizations (Cioffi-Revilla 2014). ABMs show that even relatively simple interaction rules can generate a broad range of complex behaviors that correspond with real-world observation (Epstein and Axtell 1996). A variant of ABMs, agent-based dynamic-network models, has been successfully used to model issues of behavior adaptation and information diffusion across multiple groups--making them particularly valuable for addressing issues related to insider threat and security (Lanham 2015; Lanham et al. 2011).
Game theory (GT) - GT has been characterized as "the study of mathematical models of conflict and cooperation between intelligent rational decision makers" (Myerson 1991). While early discussion of two-person games goes back at least as far as the 1700s, GT did not exist as a distinct field until John von Neumann and Oskar Morgenstern laid out its foundations in their 1944 book Theory of Games and Economic Behavior (Leonard 2010). In the 1950s, scholars in economics, political science, psychology, computer science, and biology expanded the field into the logical side of decision science.
System dynamics (SD) - SD is a method based in continuous mathematics for modeling and analyzing the holistic and dynamic nature of problematic behavior by analyzing the underlying feedback structure of that behavior (Sterman 2000). SD was developed by Jay Forrester in the mid-1950s as a method derived from control theory to graphically portray a system of differential equations used to endogenously model soft factors, such as policy, procedural, administrative, or cultural factors along with hard, strictly technical factors. From its beginnings as a means to help corporations improve industrial processes, its use broadened in the 1970s and 1980s to areas of urban and environmental dynamics. With the development of powerful, user-friendly simulation platforms in the 1990s, its use expanded further to both public and private sector problems involving policy analysis and design.
Bayesian belief network (BBN) - BBNs are probabilistic, directed acyclic graphs in which the nodes represent random variables and the edges represent conditional dependencies among those variables. Efficient algorithms exist to apply Bayes' theorem automatically through the network to calculate the probability that a certain event will occur or that a certain condition exists. While the foundational work by Thomas Bayes was performed in the 1700s, it was not until Judea Pearl's and Richard Neapolitan's writings in the 1980s that BBNs became a field of study (Neapolitan 1990; Pearl 1985, 1988). BBNs have been applied to modeling knowledge in computational biology, medicine, bio-monitoring, document classification, information retrieval, semantic search, image processing, data fusion, decision support systems, engineering, gaming, law, and risk analysis.
Network analysis (NA) - NA, a part of network science that draws on the mathematics of graph theory, considers distinct entities, represented by nodes, and the interconnection among those nodes, represented by edges. While the study of networks was introduced in the 1700s for understanding complex relational data, its application in the area of sociology, called social network analysis, emerged in the 1930s to study interpersonal relationships (Moreno 1934). Social network analysis was formalized mathematically in the 1950s and became pervasive in the social sciences by the 1980s (Freeman 2004). Application of social network analysis to organizations grew at the end of the twentieth century, as did the methods on which they were based. A new discipline called dynamic network analysis has emerged as a means to model multiple types of nodes and links for the analysis of more complex properties of organizations over time (Carley 2003). Dynamic network analysis combines the specification of multi-dimensional networks--as in (Carley 2002; Contractor et al. 2011)--with ABM simulation to address temporal issues of network dynamics as in (Carley 2006).
The ultimate result of our workshop and follow-on collaboration was the publication of four papers in the special issue:
Each of the papers combined at least two of the modeling and simulation methods together to address the insider threat problem in some unique way. The following describes a number of ways in which the five methods complement one another.
Individual versus context. The insider threat problem requires considering attributes of both the individual and the context in which that individual acts. ABM and SD complement each other in this respect. ABM focuses on the individual level--on interaction rules among potentially heterogeneous individuals that can create complex emergent behaviors. SD, on the other hand, focuses on system features at an aggregate level and is particularly useful for analyzing how those features drive system behaviors. Of course, what is aggregate at one level of abstraction may be considered an individual at a higher level of abstraction, so there is an interplay between the two approaches that often depends entirely on scale. Some tools even directly support the development of combined ABM and SD models, for example, AnyLogic, Ventity, and NetLogo. However, these tools are not a necessity. For instance, the Sokolowski et al. paper in the Special Issue uses a combination of SD and ABM in the presentation of the authors' model without direct tool support.
Actor rationality. GT provides a powerful method for establishing a benchmark from which to begin understanding complex decision making. Of course, the logical preferences and utility-maximizing decision making of rational actors are not always representative of real-world actors, whose attention, memory, and information-processing capability are limited and who are driven by emotions, reflex, and unconscious motivations. The rational actor analysis performed in GT complements (and is complemented by) the bounded rationality of actors traditionally assumed by ABM and SD modelers. SD and ABM support limiting the scope of agent decision making to the information ecologically available to the agent. This limited scope promotes making decisions as real-world actors do, by considering the context in which those decisions are actually made. ABMs can also serve as a convenient means to visualize the emergent behavior of actors driven by specific GT rules of interaction. This approach is taken in the Casey et al. paper in this Special Issue.
Risk calculation and feedback. An important capability of insider threat programs is the ability to detect increasing levels of insider threat risk at the individual and organizational levels. BBNs provide an important means of detecting increased risk and of determining whether that risk comes from conditions in the organization, situational features of the individual, and/or the individual's social and online behaviors. BBNs can be used to update insider-risk-related variables based on the probabilities of important indicators of that risk. Such insider risk updates can occur even when the probability of an insider attack is very low (Hubbard 2009, p. 227). BBNs can also be used to calculate initial parameter values for each of the other modeling and simulation approaches. The acyclic structure of BBNs, however, means that the values calculated do not feed back into previously calculated variables. Other approaches, like SD, are based directly on such feedback mechanisms and thus provide complementary methods that update the prior values on which a BBN is based. This multi-method approach is taken in the Sticha and Axelrad paper in the Special Issue.
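To make the BBN mechanics described under the method summary above and in this paragraph concrete, here is a small worked example added for this post; it is not code from the Special Issue, from the Sticha and Axelrad paper, or from the CERT Insider Threat Center. The network, its node names (OrgStress, PersonalStress, Risk, AfterHoursAccess, UnusualDownloads), and every probability in the conditional probability tables are constructed for illustration and are not empirical estimates. It applies Bayes' theorem over the whole network by exact enumeration of the joint distribution, checks that the graph is acyclic, and shows how belief in elevated risk is revised as each indicator is observed.

```python
"""Bayesian belief network for insider-risk scoring, solved by exact enumeration.

Hypothetical example: the node names and every probability below are
constructed for illustration, not estimates from any study.
"""
from itertools import product

# Directed acyclic graph (child -> tuple of parents):
#   OrgStress ------\
#                     > Risk --> AfterHoursAccess
#   PersonalStress --/     \--> UnusualDownloads
PARENTS = {
    "OrgStress": (),
    "PersonalStress": (),
    "Risk": ("OrgStress", "PersonalStress"),
    "AfterHoursAccess": ("Risk",),
    "UnusualDownloads": ("Risk",),
}

# Topological order, used both for the acyclicity check and for the joint product.
ORDER = ["OrgStress", "PersonalStress", "Risk", "AfterHoursAccess", "UnusualDownloads"]

# Conditional probability tables: CPT[node][parent values] = P(node is True | parents).
# All nodes are Boolean; these numbers are illustrative only.
CPT = {
    "OrgStress": {(): 0.20},
    "PersonalStress": {(): 0.10},
    "Risk": {(False, False): 0.01, (False, True): 0.05,
             (True, False): 0.04, (True, True): 0.20},
    "AfterHoursAccess": {(False,): 0.10, (True,): 0.60},
    "UnusualDownloads": {(False,): 0.02, (True,): 0.40},
}


def validate_dag():
    """True if ORDER is a topological order of PARENTS, i.e. the graph is acyclic."""
    pos = {n: i for i, n in enumerate(ORDER)}
    return set(PARENTS) == set(ORDER) and all(
        pos[p] < pos[child] for child in PARENTS for p in PARENTS[child])


def node_prob(node, value, assignment):
    """P(node = value | its parents' values in assignment)."""
    p_true = CPT[node][tuple(assignment[p] for p in PARENTS[node])]
    return p_true if value else 1.0 - p_true


def joint(assignment):
    """Chain-rule factorization: product of every node's conditional probability."""
    p = 1.0
    for node in ORDER:
        p *= node_prob(node, assignment[node], assignment)
    return p


def posterior(query, evidence):
    """P(query = True | evidence) by summing the joint over the hidden variables.

    Exact enumeration is exponential in the number of hidden nodes, which is
    fine for a five-node example; production tools use variable elimination
    or junction trees for the same computation.
    """
    hidden = [n for n in ORDER if n != query and n not in evidence]
    numerator = denominator = 0.0
    for qval in (True, False):
        for hidden_vals in product((True, False), repeat=len(hidden)):
            a = dict(evidence)
            a[query] = qval
            a.update(zip(hidden, hidden_vals))
            p = joint(a)
            denominator += p
            if qval:
                numerator += p
    return numerator / denominator


def risk_trajectory(indicators):
    """Posterior P(Risk) as each observed indicator is added, starting from the prior.

    This is the one-directional update the paragraph describes: evidence
    revises belief in Risk, but nothing here feeds back to change the CPTs.
    """
    evidence = {}
    trajectory = [posterior("Risk", evidence)]
    for name, observed in indicators:
        evidence[name] = observed
        trajectory.append(posterior("Risk", evidence))
    return trajectory


if __name__ == "__main__":
    assert validate_dag()
    obs = [("AfterHoursAccess", True), ("UnusualDownloads", True)]
    for step, p in zip(["prior"] + [n for n, _ in obs], risk_trajectory(obs)):
        print(f"{step:>18}: P(Risk) = {p:.4f}")
```

Running it prints the prior P(Risk) of 0.0224, then the posterior after each indicator is observed (about 0.12 after after-hours access alone, about 0.73 once unusual downloads are also seen). The point for a practitioner is the last function: a BBN revises belief about Risk from indicators in one pass, but the tables it conditions on stay fixed. Closing the loop, so that a rising posterior changes the organizational or situational priors used next period, is exactly what an SD or other feedback-based model adds.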
Execution of multi-dimensional networks. Similar to GT, NA in its most fundamental form is not executable. However, just as with GT, NA can be used in combination with ABM to provide a means to execute and visualize network behaviors over time. This approach is taken by the Carley and Morgan paper in this Special Issue. In fact, the approach taken in this paper uses a tool, called Construct, developed by the author group to conduct multi-dimensional network analysis on an evolving multi-agent network model of an organization.
Wrapping Up and Looking Ahead
These modeling and simulation approaches detailed in this post and the Special Issue can help understand the more difficult aspects of insider threat and help test solutions to those problems prior to using them within an operational environment. Clearly, there are different modes of interoperation among the various tools that support elaboration, investigation, and mitigation of the insider threat problem. Those listed above are just a few of the interactions possible. Future work could elaborate and illustrate other potential modes.
We welcome your feedback on this work in the comments section below.
I would like to thank my co-editors: Kirk Kennedy and Thomas Dover of the FBI Behavioral Analysis Units, the participants in our 2014 workshop, and especially the authors of the papers that make up the Special Issue on Insider Threat Modeling and Simulation.