The Pseudo-Internal Intruder: A New Access Oriented Intruder
The Pseudo-Internal Intruder: A New Access Oriented Intruder Category
Master’s Thesis Presentation
Brownell K. Combs
May 7, 1999
Outline
Why are we concerned with intruders and
what can we do about them?
How does categorizing intruders help
intrusion detection research?
What is the Pseudo-Internal Intruder?
What can the Pseudo-Internal Intruder do?
How can we defend against it?
How do these defenses work?
The Problem of Intrusions
CSI/FBI 1999 Computer Crime and
Security Survey (4th Annual Report)
Approx. $124,000,000 in Financial Losses
Only 1% Claimed No Security Incident
CERT statistics show 67% increase in
incidents handled annually from ‘94 to ‘98
Intrusion Detection Systems
Many think that it may never be possible
to create ‘completely secure’ systems
IDS is the next best thing
Owners of systems want one or more of
the following:
recognize presence of an intruder
prevent them from doing harm
make similar future intrusion more difficult
attempt to catch the intruder
IDS Research
Studying Intruders (techniques, habits,
etc) is an important area of IDS research
Researchers in the field and IDS builders
in industry must have some scheme with
which to categorize intruders
These schemes serve as a basic
framework for discussing and thinking
about the issue of Intrusion Detection
Intruder Categories
2 main approaches to placing intruders
into different categories
Intruder oriented: focus on the intruder’s
access to the system
Anderson’s classic external/internal scheme
Attack oriented: focus on the attack the
intruder executes
Neumann’s modes of compromise scheme
What scheme do we need?
Least amount of category ambiguity for
IDS Designers and SysAdmins
This is best provided by narrowly defined categories that are distinct from one another
Example: How useful is it to have an
‘external intruder’ category that refers to both
Internet Hackers and janitors inside the
building?
Definitions
Physical Configuration - all of the hardware used in a distributed system, including the location of each item
Network Configuration - how all of those
hardware items are connected and how
they interact with each other
Net/Phy Perimeter - separation between a
distributed system’s net/phy configuration
and the rest of the world.
Sample Physical Configuration (diagram not reproduced in transcript)
Sample Network Configuration (diagram not reproduced in transcript)
Pseudo-Internal Intruder
A new distinct category for the access
oriented intruder categorization scheme
P-I Intruder is an intruder without the
privileges of an authorized user and who
has circumvented the perimeter defenses
of a system to attack the system via its
internal network (network configuration)
Box Diagram of Access Oriented Categories (diagram not reproduced in transcript)
3 kinds of P-I Intruders
Insiders with physical access (desktop
connection, wiring closets, server rooms)
Outsiders with same physical access as
above (gained through subterfuge or
force)
Outsiders with special data access
(personal modems that circumvent
perimeter defense)
Tools and Techniques
1) Network Assessment Tools
Active and Passive
2) Packet Sniffers
Hardware and Software
3) Exploits
Steps executed in a certain order
4) Denial of Service Attacks
Network Saturation and Traffic Misdirection
Example Scenario #1:
Industrial Espionage Agent
#1 gains employment with custodial
services and has access to wiring closets
Connects a hardware sniffer to the
network for several days
Removes the sniffer and finds it captured
sensitive communications between senior
company executives
Mission Accomplished
Example Scenario #2:
Disgruntled Employee
#2 is a basic network user with access to multiple desktop connections
Runs a network assessment tool and a software sniffer from a shared machine
Finds multiple vulnerabilities and an
account and password of a SysAdmin
Logs in as SysAdmin (becomes an Internal
Intruder) and deletes databases.
Mission Accomplished
Defending Against the
Pseudo-Internal Intruder
Three phases:
Deny intruders access to the system
Mitigate the consequences of intruders
gaining access to the system
Detect, Monitor, and Record any intrusions
Since Pseudo-Internal Intruders require access to the internal network, the
discussion of these three phases focuses on the internal network
Preventing Intruder Access
Physical Perimeter Security: stop as many
potential intruders as possible from
gaining physical access to the system
(Guards, Gates, Locked Doors, etc.)
Physical configuration control: ensuring
that unauthorized hardware is not
introduced to the system and authorized
hardware is not used for unauthorized
actions (TEMPEST, Conduit, Metal Cases)
Mitigating Intruder Access
If an intruder cannot read information or
write (affect a change) to the system then
the danger of an intruder is diminished
Network configuration control: managing the aspects of the network configuration to ensure the highest degree of security
Encrypt communications, switched or intelligent hubs and routers, smaller segments, etc.
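Encryption only mitigates the sniffer if every mission-critical login actually uses it. The following is an added example, not code from the thesis: it replays constructed records of the kind a software sniffer on the segment would capture (source, destination, destination port, first payload bytes of a TCP session) and reports each login that crossed the wire in cleartext, which is exactly what the disgruntled employee in scenario #2 harvested. The hosts, ports, credentials and record format are assumptions for illustration.

```python
"""Check that mission-critical traffic is actually encrypted.

Added example, not code from the thesis. Records are constructed:
(src_ip, dst_ip, dst_port, first payload bytes of the TCP session).
"""
import re

# Well-known ports whose standard protocols authenticate in cleartext.
CLEARTEXT_AUTH_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap"}
# "USER name" / "PASS secret" at the start of a line (FTP and POP3 share this syntax).
AUTH_CMD = re.compile(rb"^(USER|PASS) +(\S+)", re.IGNORECASE | re.MULTILINE)


def constructed_records():
    """Constructed capture: the SysAdmin from scenario #2 and an executive logging in."""
    return [
        # FTP login from exec-ws1 to the file server: username and password in the clear
        ("10.1.1.21", "10.1.1.10", 21, b"USER sysadmin\r\nPASS Winter99!\r\n"),
        # Same user over SSH: only the version banner is readable, no credentials
        ("10.1.1.21", "10.1.1.10", 22, b"SSH-1.5-OpenSSH\r\n\x00\x00\x01\x0c\x07\x14"),
        # POP3 mail check from exec-ws2
        ("10.1.1.22", "10.1.1.10", 110, b"USER ceo\r\nPASS hunter2\r\n"),
        # Telnet session: keystrokes arrive unencrypted even though no USER/PASS command exists
        ("10.1.1.22", "10.1.1.10", 23, b"\xff\xfd\x18login: ceo\r\n"),
        # Plain HTTP request carrying no credentials: not a login, not reported
        ("10.1.1.22", "10.1.1.10", 80, b"GET / HTTP/1.0\r\n\r\n"),
    ]


def find_cleartext_logins(records):
    """Return (protocol, src, dst, user, password) for each cleartext login seen.

    For telnet the credentials are not parsed; the session itself is the finding.
    """
    findings = []
    for src, dst, port, payload in records:
        proto = CLEARTEXT_AUTH_PORTS.get(port)
        if proto is None:
            continue  # port not known to carry cleartext logins
        creds = {}
        for m in AUTH_CMD.finditer(payload):
            creds[m.group(1).decode().upper()] = m.group(2).decode("ascii", "replace")
        if creds:
            findings.append((proto, src, dst, creds.get("USER"), creds.get("PASS")))
        elif proto == "telnet":
            findings.append((proto, src, dst, None, None))
    return findings


if __name__ == "__main__":
    for proto, src, dst, user, _pw in find_cleartext_logins(constructed_records()):
        print("cleartext login: proto=%s %s -> %s user=%s" % (proto, src, dst, user))
```

Run periodically against a sniffer on the mission-critical segment, an empty result is the evidence that the "all mission-critical communication encrypted" change from the case study still holds; any hit names the host that slipped back to FTP, POP3 or telnet.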
Detecting Intruder Access
Network configuration monitoring:
continuously observing all aspects of the
network configuration searching for
evidence of intruders
If an intruder does gain access to the
system the most effective response will be
a human one. Successful monitoring and
reporting allows a quick response from
SysAdmins
Case Study - Two Phases
Execute a set of Pseudo-Internal Intruder
attacks against a testbed system with
state of practice security measures
CSI/FBI ‘99 Survey showed only 42 out of
501 respondents used any intrusion detection
Execute the same set of attacks against
the testbed system after implementing
the security recommendations of the
thesis
Case Study - The Attacks
1) Packet Sniffer – Software [Laptop]
2) Network Assessment Tool – Active [Rogue Outside Connect]
3) Exploit – Ping of Death [Laptop]
4) Exploit (Hacker Program) – WinNuke, out-of-band data to TCP port 139 [Laptop]
5) Denial of Service Attack – Ping Flood [Laptop]
6) Denial of Service Attack – Smurf Attack [Rogue Outside Connect]
Case Study Phase 1 Network Configuration (diagram not reproduced in transcript)
Case Study - Changes
made for Phase 2
Network divided into 2 segments
All Mission Crit. Communication Encrypted
Network Intrusion Detection Monitoring
Device placed in Mission Crit. Segment
Network scanned for unknown IP and
MAC addresses
RMON monitoring utilities used
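"Network scanned for unknown IP and MAC addresses" is the network configuration monitoring step from the Detecting Intruder Access slide applied to the physical configuration record: hardware that is on the wire but not in the inventory is, by definition, a Pseudo-Internal Intruder's connection. The following is an added example, not code from the thesis, of that comparison. The inventory, the addresses and the "ip mac" sweep format (one line per ARP entry after pinging every address on the segment) are constructed for illustration.

```python
"""Sweep the segment for hardware not in the physical configuration record.

Added example, not code from the thesis. Inventory, addresses and the
sweep format are constructed.
"""
from collections import defaultdict

# Authorised hardware on the mission-critical segment: MAC -> (host, expected IP).
INVENTORY = {
    "00:10:4b:aa:01:01": ("fileserver", "10.1.1.10"),
    "00:10:4b:aa:01:02": ("exec-ws1", "10.1.1.21"),
    "00:10:4b:aa:01:03": ("exec-ws2", "10.1.1.22"),
    "00:10:4b:aa:01:04": ("ids-probe", "10.1.1.250"),
}

# Constructed sweep output: one "<ip> <mac>" line per ARP entry. It includes a
# laptop on a spare jack (10.1.1.77) and a second device answering for exec-ws1's address.
SWEEP = """\
10.1.1.10  00:10:4B:AA:01:01
10.1.1.21  00:10:4b:aa:01:02
10.1.1.22  00:10:4b:aa:01:03
10.1.1.250 00:10:4b:aa:01:04
10.1.1.77  00:a0:c9:de:ad:01
10.1.1.21  00:a0:c9:de:ad:02
"""


def parse_sweep(text):
    """Return [(ip, mac)] with MACs normalised to lowercase."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac = line.split()
        pairs.append((ip, mac.lower()))
    return pairs


def audit(pairs, inventory):
    """Return findings as (kind, ip, detail) tuples."""
    findings = []
    macs_at_ip = defaultdict(set)
    for ip, mac in pairs:
        macs_at_ip[ip].add(mac)
        if mac not in inventory:
            findings.append(("unknown_mac", ip, mac))               # rogue hardware
        elif inventory[mac][1] != ip:
            findings.append(("ip_changed", ip, inventory[mac][0]))  # known box, wrong address
    for ip, macs in sorted(macs_at_ip.items()):
        if len(macs) > 1:                                           # two NICs claim one IP: spoofing or a clash
            findings.append(("ip_conflict", ip, ",".join(sorted(macs))))
    seen = {mac for _, mac in pairs}
    for mac, (host, ip) in inventory.items():
        if mac not in seen:                                         # unplugged, powered off, or replaced
            findings.append(("missing", ip, host))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in audit(parse_sweep(SWEEP), INVENTORY):
        print(kind, ip, detail)
```

On the constructed sweep the audit reports the laptop at 10.1.1.77, the second MAC using exec-ws1's address, and the resulting address conflict. The "missing" case matters as much as the unknown one for a Pseudo-Internal Intruder: an authorised workstation that vanishes from the sweep while its address is still answered by another MAC is the signature of a device swapped on the desktop connection.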
Case Study Phase 2 Network Configuration (diagram not reproduced in transcript)
Case Study - The Results
Security changes addressed the vulnerabilities discovered in phase 1:
No access control for devices using the network
No network traffic control mechanisms
No internal network monitoring for intruders
Network Configuration Monitoring and
Network Configuration Control decrease
the danger of a P-I Intruder to systems
Conclusions
The Pseudo-Internal Intruder Category
addresses an area of system security that
did not exist prior to the proliferation of
distributed systems
The category provides a platform on
which to understand and define the
capabilities of this new type of intruder,
thereby facilitating the detection and
defense against such intruders
Access Oriented: Anderson
External: unauthorized users attacking a
system through external data connections
Internal:
Legitimate: authorized for part of system
Masqueraders: unauthorized users logged in
as legitimate users
Clandestine: logged-in users who have the power to turn off some audit logs
Attack Oriented: Neumann
Compromise from outside: come from
above or laterally at same abstraction
layer (security and logic flaws)
Compromises from within: obtained with
privileges of the given layer
Compromises from below: come from a
lower layer of abstraction (OS, hardware
based attacks)