UFCFFY-15-M¶

Cyber Security Analytics¶

07: Case Study - Insider Threat Detection¶

Prof. Phil Legg¶

07: Case Study: Insider Threat Detection¶

In this session we will cover:

Case Study: Insider Threat Detection
Q&A about Portfolio Tasks

Case Study: Insider Threat Detection¶

Insider threat is where those who have insider knowledge and/or access utilise this to pose a threat to an organisation. This could be data theft, sabotage or disruption of systems, intellectual property theft, sharing of confidential information, the list goes on...

Chelsea Manning (formerly Bradley Manning) - She is a former United States Army soldier who was convicted by court-martial in July 2013 of violations of the Espionage Act and other offenses, after disclosing to WikiLeaks nearly 750,000 classified, or unclassified but sensitive, military and diplomatic documents [Wikipedia]

Edward Snowden - an American former computer intelligence consultant who leaked highly classified information from the National Security Agency (NSA) in 2013, when he was an employee and subcontractor. His disclosures revealed numerous global surveillance programs, many run by the NSA and the Five Eyes Intelligence Alliance with the cooperation of telecommunication companies and European governments, and prompted a cultural discussion about national security and individual privacy. [Wikipedia]

Greg Chung - "For years, Mr. Chung stole critical trade secrets from Boeing relating to the Space Shuttle and the Delta IV rocket" ... between 1985 to 2003 ... more than 250,000 pages of documents [justive.gov]

How to detect insider threat?¶

Given an insider threat may have permitted access and/or knowledge, how do we detect them to be a threat?

Are there changes in their behaviour that we can identify and monitor?
What attributes do we have machine data for (e.g., log data), and what attributes do we have human data for? (e.g., conversations, arguments, sightings, etc...).
What about data that intersects both machine and human - e.g, email conversations? social media interactions?
Need to consider both the cyber element, as well as the human/off-line element - both are entwined.

Yeah, but how do we get data about insider threat?!¶

Carnegie Melon University: Insider Threat Test Dataset : Based on their paper "Bridging the Gap: A Pragmatic Approach to Generating Insider Threat Data" - multiple generated datasets of varying difficulty.
Email conversations related to insider threat: Enron dataset - also available on Kaggle
We can also generate our own data model - this is what we will use today

In [4]:

import pandas as pd

login_data = pd.read_csv('./example/login_data.csv')
email_data = pd.read_csv('./example/email_data.csv')
web_data = pd.read_csv('./example/web_data.csv')
file_data = pd.read_csv('./example/file_data.csv')
usb_data = pd.read_csv('./example/usb_data.csv')
employee_data = pd.read_csv('./example/employee_data.csv')

In [18]:

display( employee_data.head(10) )
print( "Roles:", employee_data['role'].unique() )

	Unnamed: 0	user	role	email	pc
0	0	usr-uda	Security	usr-uda@lockdown-lockups.com	pc0
1	1	usr-hhe	Security	usr-hhe@lockdown-lockups.com	pc1
2	2	usr-vxr	Finance	usr-vxr@lockdown-lockups.com	pc2
3	3	usr-nba	Finance	usr-nba@lockdown-lockups.com	pc3
4	4	usr-hqt	Finance	usr-hqt@lockdown-lockups.com	pc4
5	5	usr-gwu	Legal	usr-gwu@lockdown-lockups.com	pc5
6	6	usr-nho	Legal	usr-nho@lockdown-lockups.com	pc6
7	7	usr-zay	Security	usr-zay@lockdown-lockups.com	pc7
8	8	usr-wnk	HR	usr-wnk@lockdown-lockups.com	pc8
9	9	usr-gyk	Finance	usr-gyk@lockdown-lockups.com	pc9

Roles: ['Security' 'Finance' 'Legal' 'HR' 'Services' 'Technical' 'Director']

In [19]:

print( "Data Start:" )
display( login_data.head(1) )
print( "Data End:" )
display( login_data.tail(1) )

Data Start:

	Unnamed: 0	datetime	user	action	pc
0	0	2020-01-01 00:21:33	usr-hyo	login	pc205

Data End:

	Unnamed: 0	datetime	user	action	pc
166829	166829	2020-11-30 23:57:32	usr-lnn	logoff	pc64

Let's look at the notebook in more detail...¶

CSA Webpage