INSIDER ATTACKS
Barbarians inside the gates: addressing internal security threats
Mike Kemp, consultant, NGS Software
Network Security, June 2005

A common misconception concerning network security is that the infrastructure is at risk chiefly from external attackers. Although there is always the possibility that an enterprise environment may be targeted by a skilled and, above all, patient external attacker, enterprises face a significant challenge in identifying, and reacting to, insider attacks. This article focuses on the range of insider-based attacks to which the enterprise environment may be vulnerable, as well as on methods of responding to an attack and of mitigating the risks in the first instance. Statistical data varies considerably regarding the levels of attacks carried out by insiders as opposed to those perpetrated by external attackers. It is now a largely accepted truism, however, that the ratio of insider attacks to external attacks is on the rise. This is not to say that individuals employed in some capacity by enterprises have become less trustworthy over the years, but rather that external defences have grown in sophistication and there is now a much wider understanding of external network threats. Insiders pose a significant challenge for even the most security-conscious network professional, however, as they often possess knowledge of, and physical access to, enterprise systems, proprietary software, and database and network resources. In many enterprise environments an insider can bypass electronic and physical security by legitimate (or semi-legitimate) means without raising undue concern amongst network or security staff. No matter what controls are applied, a legitimate insider is uniquely placed to employ valid user credentials in order to compromise the integrity and security of the enterprise. Only by understanding the potential threats, as well as some of the motivations and modus operandi of internal attackers, can organizations adequately defend against them. Before exploring these areas of attack, however, it is advisable to assess just what assets your organization possesses, how these assets are controlled, and how quickly the infrastructure as a whole can react to change. These simple points can present a significant challenge, especially to those enterprises that employ thousands of network devices, servers, workstations and snippets of custom code. With an improved understanding of the network, its assets and their associated threats, security professionals are better equipped to secure the enterprise environment.

Observe your enemies, for they first find out your faults
Just as with their external counterparts, insiders have a range of attack vectors at their disposal. Although it is beyond the scope of this article to define all the potential attack vectors to which an enterprise may be exposed, some of the more common are explored below. These include:
• Technology service attacks.
• Abuse of trust.
• Internal network attacks.
It should be noted that this overview is by no means exhaustive, and the threats vary from enterprise to enterprise.

Technology service attacks
In any enterprise environment a number of technologies are deployed in order to connect users and data. Often it is these technologies that will be targeted and attacked by insiders. Examples of these services include Web, database, mail and file servers, as well as others such as remote access services and wireless access points. As with external attacks, internal attack vectors can come in a variety of forms.
Many popular database servers ship with a variety of default accounts that, if not disabled, can provide an attacker with access to data they are not typically entitled to view and manipulate, as well as equipping them with the ability to escalate their level of privilege. File servers may not have adequate permissions assigned to individual directories and files, and in doing so may allow an attacker to browse and write information that they are not legitimately entitled to access. For internal servers of all kinds the configuration may well be more lax than for those that are external facing, with, for example, the presence on internal Web servers of potentially dangerous CGI scripts that any competent security practitioner would remove from an external server. It should be noted that, unlike their external counterparts, internal attackers will often possess a detailed knowledge of the infrastructure environment, and even if they do not, this can be far more easily remedied internally than externally. A failure to secure the internal infrastructure as vigorously as the external-facing infrastructure can often result in a relatively simple compromise that could easily have been avoided. Granted, securing the infrastructure can create a number of difficulties in some enterprises where individuals are used to having a particular level of access, and used to doing things the way they have always been done, but if the reasons for the security improvements (as well as the attendant monitoring that should also be employed) are outlined, most legitimate system users will accept and embrace any changes made.
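The lax file-server permissions described above are something an internal audit can check mechanically rather than by eye. The following Python script is an added example and is not code from the article or from NGS Software: it builds a constructed sample directory tree (invented paths and permission bits that stand in for an internal share) and walks it, reporting world-writable files and directories (other than sticky-bit directories, which are world-writable by design) and setuid/setgid executables, the kind of findings a review of an internal file server should surface.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample share (not from the article): relative path -> mode bits.
# Entries ending in "/" are directories.
SAMPLE_TREE = {
    "finance/payroll.xlsx": 0o640,   # owner rw, group r: acceptable
    "finance/": 0o750,
    "public/notice.txt": 0o664,      # world-readable notice, group-writable: acceptable
    "public/": 0o775,
    "hr/contracts.docx": 0o666,      # world-writable document: finding
    "hr/": 0o777,                    # world-writable directory, no sticky bit: finding
    "scripts/deploy.sh": 0o4755,     # setuid executable sitting on a share: finding
}


def build_sample_tree(root: Path) -> None:
    """Create the constructed tree under root and apply the listed modes."""
    for rel, mode in SAMPLE_TREE.items():
        path = root / rel
        if rel.endswith("/"):
            path.mkdir(parents=True, exist_ok=True)
        else:
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("sample content\n")
        os.chmod(path, mode)


def audit_permissions(root: Path) -> list[tuple[str, str]]:
    """Return sorted (relative_path, issue) pairs for risky permission bits under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            mode = path.lstat().st_mode
            if stat.S_ISLNK(mode):
                continue  # judge the link target when it is walked, not the link
            rel = path.relative_to(root).as_posix()
            # World-writable is a finding unless it is a sticky-bit directory (like /tmp).
            sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
            if mode & stat.S_IWOTH and not sticky_dir:
                findings.append((rel, "world-writable"))
            # setuid/setgid on a regular file lets anyone who can run it act as its owner/group.
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid"))
    return sorted(findings)


def run_audit() -> list[tuple[str, str]]:
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return audit_permissions(root)


if __name__ == "__main__":
    for rel, issue in run_audit():
        print(f"{issue:15} {rel}")
```

Pointing `audit_permissions` at a real share root turns it into a repeatable check that can be run after each permissions change; the sticky-bit exception is what keeps shared scratch directories from flooding the report.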
Abuse of trust
In most explorations of the insider threat landscape an important facet is often overlooked, namely those insiders who directly abuse their positions of trust. In many discussions of insider attacks the example of a disgruntled programmer inserting a logic bomb into the infrastructure is detailed. However, the true scope of abuse-of-trust attacks extends far beyond this and can encompass a variety of known attack vectors such as social engineering. Examples include the physical installation of illegitimate monitoring equipment (to the chagrin of many network professionals, physical key loggers are easily obtainable and require no specialist knowledge to install in seconds), the installation of illegitimate network devices such as wireless access points, and social engineering attacks. Insiders will ultimately be in a better position to assess potential areas of attack than external attackers. Even if this is not accomplished by direct network attacks, insiders can access and abuse resources that may be off limits to external attackers, such as network maps and physical backups, and even ‘casual’ conversations with network and security staff. Most members of organizations trust their co-workers, and this trust can be readily exploited by an insider with a suitably Machiavellian bent. An example of this can be the transmission of a suitably innocuous email that contains either an adapted Trojan or a key logger that has been adjusted specifically to bypass any anti-virus or filtering solutions known to exist within the enterprise. This class of attacks can be particularly difficult to counteract. However, as will be highlighted later in this article, a number of mitigation techniques exist that rely upon understanding the motivations and methodologies of internal attackers, and counteracting them.
Internal network attacks
As with the other attack vectors outlined in this article, internal network attacks encompass a broad range of potential areas. Many attacks involve the interception of legitimate, unencrypted network traffic thanks to either the installation of a network traffic sniffer or the direct compromise of one of the target systems (or of the systems that lie in between, such as network routers). Obviously these attacks are easier to accomplish for those users who are already inside the infrastructure, as the problematic task of overcoming perimeter defences will not need to be undertaken.
Network attacks can also encompass such illegitimate activities as port scanning and vulnerability probing. Using slow scans over a protracted period of time, it may be possible for a suitably knowledgeable internal attacker to disguise their illegitimate activities as normal network traffic. Better still, if a wily internal attacker can successfully compromise a fellow worker’s account credentials or system, then they can often accomplish any network scanning or exploitation activity they desire without the finger of blame being pointed in their direction. Internal network attacks can be difficult to guard against. However, general mitigation strategies can help, including the encryption of any sensitive network traffic, system hardening, and careful and thorough monitoring of user activities.
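A slow scan is paced to stay under any per-minute threshold, so monitoring has to correlate over a long window to see it. The Python snippet below is an added example, not code from the article: it parses a constructed flow log (the addresses, times and ports are invented; the format is a plain "timestamp src dst port proto" line) and flags any source/destination pair that touches a configurable number of distinct ports within a 24-hour window. The reported time span is what distinguishes a scan spread across a working day from a burst; the threshold and window are assumptions to be tuned against real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (invented, not from the article): "timestamp src dst dst_port proto".
# One ordinary user, one slow scanner touching a new port on the same host about every
# 45 minutes, and one burst scanner hitting eight ports in two seconds.
SAMPLE_FLOWS = """\
2005-06-01T08:00:12 10.1.20.14 10.1.5.10 445 tcp
2005-06-01T09:12:40 10.1.20.14 10.1.5.11 80 tcp
2005-06-01T11:30:05 10.1.20.14 10.1.5.10 445 tcp
2005-06-01T13:45:51 10.1.20.14 10.1.5.11 80 tcp
2005-06-01T16:02:19 10.1.20.14 10.1.5.10 445 tcp
2005-06-01T08:05:00 10.1.20.77 10.1.5.20 21 tcp
2005-06-01T08:50:00 10.1.20.77 10.1.5.20 22 tcp
2005-06-01T09:35:00 10.1.20.77 10.1.5.20 23 tcp
2005-06-01T10:20:00 10.1.20.77 10.1.5.20 25 tcp
2005-06-01T11:05:00 10.1.20.77 10.1.5.20 80 tcp
2005-06-01T11:50:00 10.1.20.77 10.1.5.20 110 tcp
2005-06-01T12:35:00 10.1.20.77 10.1.5.20 135 tcp
2005-06-01T13:20:00 10.1.20.77 10.1.5.20 139 tcp
2005-06-01T14:05:00 10.1.20.77 10.1.5.20 443 tcp
2005-06-01T14:50:00 10.1.20.77 10.1.5.20 445 tcp
2005-06-01T15:35:00 10.1.20.77 10.1.5.20 1433 tcp
2005-06-01T16:20:00 10.1.20.77 10.1.5.20 3389 tcp
2005-06-01T12:00:00 10.1.20.99 10.1.5.20 22 tcp
2005-06-01T12:00:00 10.1.20.99 10.1.5.20 80 tcp
2005-06-01T12:00:00 10.1.20.99 10.1.5.20 135 tcp
2005-06-01T12:00:01 10.1.20.99 10.1.5.20 139 tcp
2005-06-01T12:00:01 10.1.20.99 10.1.5.20 443 tcp
2005-06-01T12:00:01 10.1.20.99 10.1.5.20 445 tcp
2005-06-01T12:00:02 10.1.20.99 10.1.5.20 1433 tcp
2005-06-01T12:00:02 10.1.20.99 10.1.5.20 3389 tcp
"""


def parse_flows(text):
    """Parse the whitespace-separated flow format into (ts, src, dst, port, proto) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), proto))
    return flows


def detect_port_scans(flows, window=timedelta(hours=24), min_ports=8):
    """Flag (src, dst) pairs that touch at least min_ports distinct ports within any
    window-long interval. A per-minute rule would miss the slow scanner; the long
    window catches it, and span_hours records how spread out the probing was."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _proto in flows:
        by_pair[(src, dst)].append((ts, port))

    alerts = []
    for (src, dst), events in sorted(by_pair.items()):
        events.sort()  # time order, so each window is a contiguous slice
        best = None
        for i, (t0, _) in enumerate(events):
            in_window = [(t, p) for t, p in events[i:] if t - t0 <= window]
            ports = {p for _, p in in_window}
            if len(ports) >= min_ports and (best is None or len(ports) > best[0]):
                span = in_window[-1][0] - t0
                best = (len(ports), sorted(ports), round(span.total_seconds() / 3600, 2))
        if best is not None:
            alerts.append({"src": src, "dst": dst, "distinct_ports": best[0],
                           "ports": best[1], "span_hours": best[2]})
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(parse_flows(SAMPLE_FLOWS)):
        print(f"{a['src']} -> {a['dst']}: {a['distinct_ports']} ports over {a['span_hours']} h")
```

On the constructed data the ordinary user never exceeds one port per host, while both the eight-hour scan and the two-second burst are reported, the former with a span that makes its pacing obvious. A source that has compromised a colleague's workstation would appear under that workstation's address, which is why the alert is keyed by address and then reconciled against who was logged on.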
Addressing and mitigating risks
Before beginning to address the threats posed by insiders it is a valuable exercise to understand the methodologies of attackers. In August 2004, the US Secret Service and the CERT Coordination Center published an incisive white paper entitled ‘Insider Threat Activity: Illicit Cyber Activity in the Banking and Finance Sector’ (available online at http://www.cert.org/archive/pdf/bankfin040820.pdf). Although primarily concerned with the activities of inside attackers within the financial sector, it does provide a fascinating insight into some of the methodologies employed. The findings can be distilled as follows:
• Most incidents required little technical sophistication.
• Actions were planned by perpetrators.
• Most perpetrators were motivated by financial rewards.
• No common profile was shared by attackers.
• Most attacks occurred ‘on the job’.
Although these were the methodologies of those attackers who were successfully counteracted, and so may not provide an accurate representation of the actions of more skilled and determined insiders, they provide some clues as to how to mitigate the threats facing enterprises from insiders. When considering mitigating the risks of insider attack there are a number of potential areas that will need to be addressed:
Conduct a network audit and system hardening
First and foremost is to conduct a thorough network audit and system hardening. This process will allow legitimate network and security staff to form a detailed map of the infrastructure and address any issues that arise as a result of this inquiry. This process can be a time-consuming task; however, the rewards in reducing the number of internal security incidents can be significant.

Construct an enterprise-wide security policy
Another important step in mitigating the risks posed by internal attacks is to carefully construct an enterprise-wide security policy that addresses usage and security issues as well as the standard secure configuration of servers and workstations within the enterprise. It is of significant importance that a methodology is in place to assess whether the environment is compliant with policies, and that regular policy auditing is in place. Beyond policy audits, however, there are a number of further steps that can be taken in order to combat insider threats.
Surveillance and monitoring
Surveillance and monitoring (if not already present) should be introduced in order to detect both suspicious user activity and violations of usage policy. Although monitoring is a useful tool, it is only useful if correctly applied. Every enterprise has data that is considered of the highest importance and sensitivity, and it is this data that should be monitored the closest.
Additionally, monitoring should focus on those users who have a legitimate level of access to particularly valuable resources. Even low-level administrative staff can pose a threat to an enterprise if they are able to escalate their system privileges. Part of the monitoring process should be the establishment of user profiles. These should constitute a baseline for various classes of user, taking into account typical usage characteristics including what resources are accessed, from where, for how long and what activities are carried out. Developing these baselines can allow network professionals to quickly identify potential anomalies and take action accordingly. Monitoring should also encompass attempts to bypass authentication systems, and should ensure that users are adhering to a well-developed acceptable use policy.

Develop an incident response plan
Developing a policy and monitoring strategy is just one aspect of mitigating insider threats; it is also of significant importance to have a well-developed incident response plan. As part of this plan there should be a clear separation of duties and an adherence to best practices for forensic preservation and recovery. In addition to this it may be necessary to have a carefully planned interview and interrogation strategy for those internal users suspected of attack. This stage should not be taken lightly, as the actions of the staff responsible for the interview will dictate whether the incident can be handled effectively without a potentially innocent party being aggrieved. It should be remembered that although internal attacks pose a significant threat to many enterprise environments, the majority of internal users do not pose a deliberately malicious threat. Just as it is possible to become paranoid and overzealous when counteracting external threats, so in attempting to address internal threats legitimate users can become disenfranchised. Legitimate internal users are amongst the best defences for any enterprise. If users are aware of the threats they face, as well as of what is, and is not, acceptable and non-suspicious activity, they can often be an excellent source of information concerning their disgruntled and malicious colleagues. Accusations should always be treated with scepticism, but if they are based on a firm understanding of policy violations they can be invaluable in helping to secure the enterprise. Legitimate internal users form an important part of an enterprise defence strategy, and their usefulness should never be underestimated in attempting to mitigate the risks posed by the internal attacker.
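The user profiles called for in the surveillance and monitoring section above (what is accessed, from where, and when) are straightforward to derive from access logs. The Python below is an added example and not code from the article: it learns a per-user baseline (source subnets, resources touched, and the hour range of activity) from a constructed baseline log, then reviews a second constructed log and reports each event that falls outside that user's profile. Users, addresses and resource names are invented; the /24 subnet grouping and the simple hour range are assumptions, chosen to keep the baseline small enough to read.

```python
from collections import defaultdict
from datetime import datetime

# Constructed access logs (invented, not from the article): "timestamp user src_ip resource".
# BASELINE_LOG is the period the profile is learned from; REVIEW_LOG is checked against it.
BASELINE_LOG = """\
2005-05-02T09:05:00 jsmith 10.1.20.14 fileshare://finance/reports
2005-05-02T10:30:00 jsmith 10.1.20.14 fileshare://finance/reports
2005-05-03T09:15:00 jsmith 10.1.20.14 db://ledger
2005-05-04T14:10:00 jsmith 10.1.20.15 db://ledger
2005-05-05T16:45:00 jsmith 10.1.20.14 fileshare://finance/reports
2005-05-02T08:50:00 dlee 10.1.30.8 fileshare://engineering/src
2005-05-03T11:20:00 dlee 10.1.30.8 fileshare://engineering/src
2005-05-04T15:00:00 dlee 10.1.30.9 wiki://engineering
"""

REVIEW_LOG = """\
2005-06-01T09:20:00 jsmith 10.1.20.14 fileshare://finance/reports
2005-06-01T23:40:00 jsmith 10.1.20.14 db://ledger
2005-06-02T10:05:00 jsmith 10.1.30.8 db://ledger
2005-06-02T10:30:00 dlee 10.1.30.8 fileshare://finance/reports
2005-06-02T13:00:00 dlee 10.1.30.9 wiki://engineering
"""


def parse_access_log(text):
    """Parse log lines into (timestamp, user, src_ip, resource) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, resource = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, resource))
    return events


def subnet(ip):
    """Group source addresses by /24 so a user moving between desks in one office stays in profile."""
    return ".".join(ip.split(".")[:3])


def build_profiles(events):
    """Per-user baseline: subnets seen, resources touched, and (earliest, latest) hour of activity."""
    profiles = defaultdict(lambda: {"subnets": set(), "resources": set(), "hours": []})
    for ts, user, ip, resource in events:
        p = profiles[user]
        p["subnets"].add(subnet(ip))
        p["resources"].add(resource)
        p["hours"].append(ts.hour)
    for p in profiles.values():
        p["hours"] = (min(p["hours"]), max(p["hours"]))
    return dict(profiles)


def find_anomalies(profiles, events):
    """Return (timestamp, user, reasons) for each event outside the user's baseline."""
    anomalies = []
    for ts, user, ip, resource in events:
        p = profiles.get(user)
        reasons = []
        if p is None:
            reasons.append("unknown-user")  # no baseline at all: review by hand
        else:
            if subnet(ip) not in p["subnets"]:
                reasons.append(f"new-subnet:{subnet(ip)}")
            if resource not in p["resources"]:
                reasons.append(f"new-resource:{resource}")
            lo, hi = p["hours"]
            if not lo <= ts.hour <= hi:
                reasons.append(f"off-hours:{ts.hour:02d}")
        if reasons:
            anomalies.append((ts.isoformat(), user, reasons))
    return anomalies


def run_review():
    """Learn profiles from the baseline period and review the second period against them."""
    profiles = build_profiles(parse_access_log(BASELINE_LOG))
    return find_anomalies(profiles, parse_access_log(REVIEW_LOG))


if __name__ == "__main__":
    for ts, user, reasons in run_review():
        print(ts, user, ", ".join(reasons))
```

On the constructed logs this surfaces a late-night database access, a login for one user from another user's subnet, and an engineer reading a finance share for the first time. None of these is proof of wrongdoing, which is the point of the section above: the profile turns a stream of legitimate-looking events into a short list worth a human look, and the baseline period must itself be reviewed so that an attacker already active during it is not simply learned as normal.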
About the author
Michael Kemp is an experienced technical author and consultant specialising in the information security arena. He is a widely published author and has prepared numerous courses, articles and papers for a diverse range of IT-related companies and periodicals. Currently he is employed by NGS Software Ltd, where he has been involved in a range of security and documentation projects. He holds a degree in Information and Communications and is currently studying for CISSP certification.