Analysing Access Control Specifications

  • Authors:
  • Christian W. Probst; René Rydhof Hansen

  • Venue:
  • SADFE '09 Proceedings of the 2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering
  • Year:
  • 2009

Abstract

When prosecuting crimes, the main question to answer is often who had a motive and the possibility to commit the crime. When investigating cyber crimes, the question of possibility is often hard to answer, as in a networked system almost any location can be accessed from almost anywhere. The most common tool to answer this question, analysis of log files, faces the problem that the amount of logged data may be overwhelming. This problem gets even worse in the case of insider attacks, where the attacker's actions usually will be logged as permissible, standard actions---if they are logged at all. Recent events have revealed intimate knowledge of surveillance and control systems on the side of the attacker, making it often impossible to deduce the identity of an inside attacker from logged data. In this work we present an approach that analyses the access control configuration to identify the set of credentials needed to reach a certain location in a system. This knowledge allows identifying a set of (inside) actors who have the possibility to commit an insider attack at that location. This has immediate applications in analysing log files, but also non-technical applications such as identifying possible suspects, or, beyond cyber crimes, picking the "best" actor for a certain task. We also sketch an online analysis that identifies where an actor can be located based on observed actions.