The Pseudo-Internal Intruder: A New Access Oriented Intruder Category Master’s Thesis Presentation Brownell K. Combs May 7, 1999
Mar 22, 2016
The Pseudo-Internal Intruder: A New Access Oriented Intruder Category
Master’s Thesis Presentation
Brownell K. CombsMay 7, 1999
OutlineWhy are we concerned with intruders and
what can we do about them?How does categorizing intruders help
intrusion detection research?What is the Pseudo-Internal Intruder?What can the Pseudo-Internal Intruder do?How can we defend against it?How do these defenses work?
The Problem of IntrusionsCSI/FBI 1999 Computer Crime and
Security Survey (4th Annual Report) Approx. $124,000,000 in Financial Losses Only 1% Claimed No Security Incident
CERT statistics show 67% increase in incidents handled annually from ‘94 to ‘98
Intrusion Detection SystemsMany think that it may never be possible to
create ‘completely secure’ systemsIDS is the next best thing Owners of systems want one or more of the
following: recognize presence of an intruder prevent them from doing harm make similar future intrusion more difficult attempt to catch the intruder
IDS ResearchStudying Intruders (techniques, habits,
etc) is an important area of IDS researchResearchers in the field and IDS builders
in industry must have some scheme with which to categorize intruders
These schemes serve as a basic framework for discussing and thinking about the issue of Intrusion Detection
Intruder Categories 2 main approaches to placing intruders
into different categoriesIntruder oriented: focus on the
intruder’s access to the system Anderson’s classic external/internal scheme
Attack oriented: focus on the attack the intruder executes Neumann’s modes of compromise scheme
What scheme do we need?Least amount of category ambiguity for
IDS Designers and SysAdmins This best provided by narrowly defined
categories that are distinct from one another Example: How useful is it to have an
‘external intruder’ category that refers to both Internet Hackers and janitors inside the building?
DefinitionsPhysical Configuration - all of the hardware
used in a distributed system included the location of each item
Network Configuration - how all of those hardware items are connected and how they interact with each other
Net/Phy Perimeter - separation between a distributed system’s net/phy configuration and the rest of the world.
Sample Physical Configuration
SampleNetwork Configuration
Pseudo-Internal IntruderA new distinct category for the access
oriented intruder categorization scheme
P-I Intruder is an intruder without the privileges of an authorized user and who has circumvented the perimeter defenses of a system to attack the system via its internal network (network configuration)
Box Diagram of Access Oriented Categories
3 kinds of P-I IntrudersInsiders with physical access (desktop
connection, wiring closets, server rooms)Outsiders with same physical access as
above (gained through subterfuge or force)
Outsiders with special data access (personal modems that circumvent perimeter defense)
Tools and Techniques 1) Network Assessment Tools
Active and Passive2) Packet Sniffers
Hardware and Software3) Exploits
Steps executed in a certain order4) Denial of Service Attacks
Network Saturation and Traffic Misdirection
Example Scenario #1: Industrial Espionage Agent#1 gains employment with custodial
services and has access to wiring closetsConnects a hardware sniffer to the
network for several daysRemoves the sniffer and finds it captured
sensitive communications between senior company executives
Mission Accomplished
Example Scenario #2: Disgruntled Employee#2 is a basic network user with access to
multiple desktop connectionRuns a network assesment tool and software
sniffer off of a shared machineFinds multiple vulnerabilities and an account
and password of a SysAdminLogs in as SysAdmin (becomes an Internal
Intruder) and deletes databases.Mission Accomplished
Defending Against the Pseudo-Internal IntruderThree phases:
Deny intruders access to the system Mitigate the consequences of intruders
gaining access to the system Detect, Monitor, and Record any intrusions
Since Pseudo-Internal Intruders require access to the internal network, we will focus on it when examining these steps
Preventing Intruder AccessPhysical Perimeter Security: stop as many
potential intruders as possible from gaining physical access to the system (Guards, Gates, Locked Doors, etc.)
Physical configuration control: ensuring that unauthorized hardware is not introduced to the system and authorized hardware is not used for unauthorized actions (TEMPEST, Conduit, Metal Cases)
Mitigating Intruder AccessIf an intruder cannot read information or
write (affect a change) to the system then the danger of an intruder is diminished
Network configuration control: managing the aspects of the network configuration to ensure the highest degree of security Encrypt Communications, Switched-Intelligent
hubs and routers, smaller segments, etc.
Detecting Intruder AccessNetwork configuration monitoring:
continuously observing all aspects of the network configuration searching for evidence of intruders
If an intruder does gain access to the system the most effective response will be a human one. Successful monitoring and reporting allows a quick response from SysAdmins
Case Study - Two PhasesExecute a set of Pseudo-Internal Intruder
attacks against a testbed system with state of practice security measures CSI/FBI ‘99 Survey showed only 42 out of 501
respondents used any intrusion detectionExecute the same set of attacks against
the testbed system after implementing the security recommendations of the thesis
Case Study - The Attacks 1)Packet Sniffer – Software [Laptop] 2)Network Assessment Tool – Active [Rogue
Outside Connect] 3)Exploit – Ping of Death [Laptop] 4)Exploit (Hacker Program) – WinNuke (Ping of
Death) [Laptop] 5)Denial of Service Attack – Ping Flood [Laptop] 6)Denial of Service Attack – Smurf Attack
[Rogue Outside Connect]
Case Study Phase 1 - Network Configuration
Case Study - Changes made for Phase 2Network divided into 2 segmentsAll Mission Crit. Communication
EncryptedNetwork Intrusion Detection Monitoring
Device placed in Mission Crit. SegmentNetwork scanned for unknown IP and
MAC addressesRMON monitoring utilities used
Case Study Phase 2 - Network Configuration
Case Study - The ResultsSecurity Changes addressed the
vulnerabilities discovered in phase 1 No access control for devices using network No network traffic control mechanisms No internal network monitoring for intruders
Network Configuration Monitoring and Network Configuration Control decrease the danger of a P-I Intruder to systems
ConclusionsThe Pseudo-Internal Intruder Category
addresses an area of system security that did not exist prior to the proliferation of distributed systems
The category provides a platform on which to understand and define the capabilities of this new type of intruder, thereby facilitating the detection and defense against such intruders
Access Oriented: AndersonExternal: unauthorized users attacking a
system through external data connections
Internal: Legitimate: authorized for part of system Masqueraders: unauthorized users logged in
as legitimate users Clandestine: users logged in that have the
power to turn off some audit logs
Attack Oriented: NeumannCompromise from outside: come from
above or laterally at same abstraction layer (security and logic flaws)
Compromises from within: obtained with privileges of the given layer
Compromises from below: come from a lower layer of abstraction (OS, hardware based attacks)