The Pseudo-Internal Intruder: A New Access Oriented Intruder Category
Master's Thesis Presentation, Brownell K. Combs, May 7, 1999

Outline
- Why are we concerned with intruders and what can we do about them?
- How does categorizing intruders help intrusion detection research?
- What is the Pseudo-Internal Intruder?
- What can the Pseudo-Internal Intruder do?
- How can we defend against it?
- How do these defenses work?

The Problem of Intrusions
- CSI/FBI 1999 Computer Crime and Security Survey (4th Annual Report)
  - Approx. $124,000,000 in financial losses
  - Only 1% claimed no security incident
- CERT statistics show a 67% increase in incidents handled annually from 1994 to 1998

Intrusion Detection Systems
- Many think that it may never be possible to create completely secure systems
- An IDS is the next best thing
- Owners of systems want one or more of the following:
  - recognize the presence of an intruder
  - prevent them from doing harm
  - make similar future intrusions more difficult
  - attempt to catch the intruder

IDS Research
- Studying intruders (techniques, habits, etc.) is an important area of IDS research
- Researchers in the field and IDS builders in industry must have some scheme with which to categorize intruders
- These schemes serve as a basic framework for discussing and thinking about the issue of intrusion detection

Intruder Categories
- 2 main approaches to placing intruders into different categories
- Intruder (access) oriented: focus on the intruder's access to the system
  - Anderson's classic external/internal scheme
- Attack oriented: focus on the attack the intruder executes
  - Neumann's modes of compromise scheme

What scheme do we need?
- The least amount of category ambiguity for IDS designers and SysAdmins
- This is best provided by narrowly defined categories that are distinct from one another
  - Example: how useful is it to have an external intruder category that refers to both Internet hackers and janitors inside the building?

Definitions
- Physical Configuration: all of the hardware used in a distributed system, including the location of each item
- Network Configuration: how all of those hardware items are connected and how they interact with each other
- Net/Phy Perimeter: the separation between a distributed system's net/phy configuration and the rest of the world

[Figure] Sample Physical Configuration

[Figure] Sample Network Configuration

Pseudo-Internal Intruder
- A new, distinct category for the access oriented intruder categorization scheme
- A P-I Intruder is an intruder without the privileges of an authorized user who has circumvented the perimeter defenses of a system to attack the system via its internal network (network configuration)

[Figure] Box Diagram of Access Oriented Categories

3 kinds of P-I Intruders
- Insiders with physical access (desktop connection, wiring closets, server rooms)
- Outsiders with the same physical access as above (gained through subterfuge or force)
- Outsiders with special data access (personal modems that circumvent the perimeter defense)

Tools and Techniques
1) Network Assessment Tools
   - Active and Passive
2) Packet Sniffers
   - Hardware and Software
3) Exploits
   - Steps executed in a certain order
4) Denial of Service Attacks
   - Network Saturation and Traffic Misdirection

Example Scenario #1: Industrial Espionage Agent
- #1 gains employment with custodial services and has access to wiring closets
- Connects a hardware sniffer to the network for several days
- Removes the sniffer and finds it captured sensitive communications between senior company executives
- Mission accomplished

Example Scenario #2: Disgruntled Employee
- #2 is a basic network user with access to multiple desktop connections
- Runs a network assessment tool and a software sniffer off of a shared machine
- Finds multiple vulnerabilities and the account and password of a SysAdmin
- Logs in as the SysAdmin (becomes an Internal Intruder) and deletes databases
- Mission accomplished

Defending Against the Pseudo-Internal Intruder
- Three phases:
  - Deny intruders access to the system
  - Mitigate the consequences of intruders gaining access to the system
  - Detect, monitor, and record any intrusions
- Since Pseudo-Internal Intruders require access to the internal network, we will focus on it when examining these steps

Preventing Intruder Access
- Physical perimeter security: stop as many potential intruders as possible from gaining physical access to the system (guards, gates, locked doors, etc.)
- Physical configuration control: ensuring that unauthorized hardware is not introduced to the system and that authorized hardware is not used for unauthorized actions (TEMPEST, conduit, metal cases)

Mitigating Intruder Access
- If an intruder cannot read information from the system or write to it (effect a change), then the danger posed by the intruder is diminished
- Network configuration control: managing the aspects of the network configuration to ensure the highest degree of security
  - Encrypt communications, switched/intelligent hubs and routers, smaller segments, etc.

Detecting Intruder Access
- Network configuration monitoring: continuously observing all aspects of the network configuration, searching for evidence of intruders
- If an intruder does gain access to the system, the most effective response will be a human one. Successful monitoring and reporting allows a quick response from SysAdmins

Case Study - Two Phases
- Execute a set of Pseudo-Internal Intruder attacks against a testbed system with state-of-practice security measures
  - The CSI/FBI 99 Survey showed only 42 out of 501 respondents used any intrusion detection
- Execute the same set of attacks against the testbed system after implementing the security recommendations of the thesis

Case Study - The Attacks
1) Packet Sniffer - Software [Laptop]
2) Network Assessment Tool - Active [Rogue Outside Connection]
3) Exploit - Ping of Death [Laptop]
4) Exploit (Hacker Program) - WinNuke (Ping of Death) [Laptop]
5) Denial of Service Attack - Ping Flood [Laptop]
6) Denial of Service Attack - Smurf Attack [Rogue Outside Connection]
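Three of the attacks above (ping of death, ping flood, smurf) correspond to the exploit and DoS categories on the Tools and Techniques slide, and each leaves a recognisable signature in a packet capture: an IP datagram that reassembles past 65535 bytes, an echo-request rate far above normal from one source (network saturation), and echo requests addressed to a directed broadcast with the victim as the spoofed source (traffic misdirection). The following is an added example, not code from the thesis or its testbed; the packet summary layout, the addresses, the 10.0.0.255 broadcast and the 100-per-second flood threshold are assumptions.

```python
"""Detection checks for the ICMP attacks in the case study, run over constructed
packet summaries (not a capture from the thesis testbed)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

ECHO_REQUEST = 8
IP_HEADER_LEN = 20            # minimal IPv4 header
IP_MAX_DATAGRAM = 65535       # RFC 791: the 16-bit total length field cannot exceed this
FLOOD_THRESHOLD = 100         # assumed tuning value: echo requests from one source per window
WINDOW_SECONDS = 1.0


@dataclass
class Pkt:
    """One IPv4 fragment carrying ICMP, as a sniffer or RMON probe would summarise it."""
    ts: float                 # capture time in seconds
    src: str
    dst: str
    icmp_type: Optional[int]  # None on non-first fragments, which carry no ICMP header
    ip_id: int                # IP identification field, shared by all fragments of one datagram
    frag_off: int             # fragment offset in 8-byte units, as in the IP header
    payload_len: int          # bytes of IP payload in this fragment


def detect(packets, broadcast_addrs):
    """Return {'flood': [src...], 'smurf': [(src, dst)...], 'ping_of_death': [(src, dst, ip_id)...]}."""
    recent = defaultdict(deque)     # src -> echo-request timestamps inside the sliding window
    reassembled = defaultdict(int)  # (src, dst, ip_id) -> highest payload byte seen so far
    flood, smurf, pod = set(), set(), set()

    for p in sorted(packets, key=lambda x: x.ts):
        # Ping of death: once offset*8 + payload (plus the header) passes 65535 the
        # fragments can only reassemble into an illegal datagram.
        key = (p.src, p.dst, p.ip_id)
        reassembled[key] = max(reassembled[key], p.frag_off * 8 + p.payload_len)
        if reassembled[key] + IP_HEADER_LEN > IP_MAX_DATAGRAM:
            pod.add(key)

        if p.icmp_type != ECHO_REQUEST:
            continue
        # Smurf (traffic misdirection): an echo request sent to a directed broadcast;
        # every host on the segment replies to the source, which is the spoofed victim.
        if p.dst in broadcast_addrs or p.dst == "255.255.255.255":
            smurf.add((p.src, p.dst))
        # Ping flood (network saturation): too many echo requests from one source per window.
        q = recent[p.src]
        q.append(p.ts)
        while q and p.ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) > FLOOD_THRESHOLD:
            flood.add(p.src)

    return {"flood": sorted(flood), "smurf": sorted(smurf), "ping_of_death": sorted(pod)}


def sample_capture():
    """Constructed traffic: 3 benign pings, a 150-packet flood, one smurf request
    to the 10.0.0.0/24 directed broadcast, and a two-fragment ping of death.
    Addresses are hypothetical, not the thesis testbed's."""
    pkts = [Pkt(ts=float(i), src="10.0.0.7", dst="10.0.0.20", icmp_type=ECHO_REQUEST,
                ip_id=100 + i, frag_off=0, payload_len=64) for i in range(3)]
    pkts += [Pkt(ts=5.0 + i * 0.003, src="10.0.0.99", dst="10.0.0.20", icmp_type=ECHO_REQUEST,
                 ip_id=1000 + i, frag_off=0, payload_len=64) for i in range(150)]
    pkts.append(Pkt(ts=7.0, src="10.0.0.20", dst="10.0.0.255", icmp_type=ECHO_REQUEST,
                    ip_id=4000, frag_off=0, payload_len=64))
    # last fragment at offset 8189*8 = 65512 bytes, carrying 1480 more bytes
    pkts.append(Pkt(ts=8.0, src="10.0.0.99", dst="10.0.0.20", icmp_type=ECHO_REQUEST,
                    ip_id=5000, frag_off=0, payload_len=1480))
    pkts.append(Pkt(ts=8.001, src="10.0.0.99", dst="10.0.0.20", icmp_type=None,
                    ip_id=5000, frag_off=8189, payload_len=1480))
    return pkts


if __name__ == "__main__":
    for kind, hits in detect(sample_capture(), {"10.0.0.255"}).items():
        print(f"{kind}: {hits}")
```

The flood check is per source and so is blind to a flood spread across many spoofed sources; the smurf check only sees the amplifying request, so on a monitored mission-critical segment the stronger signal is the burst of echo replies arriving at the victim, which the same sliding-window logic keyed on destination would catch.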

[Figure] Case Study Phase 1 - Network Configuration

Case Study - Changes Made for Phase 2
- Network divided into 2 segments
- All mission-critical communication encrypted
- Network intrusion detection monitoring device placed in the mission-critical segment
- Network scanned for unknown IP and MAC addresses
- RMON monitoring utilities used
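Scanning for unknown IP and MAC addresses is the concrete form of the network configuration monitoring described under Detecting Intruder Access: the set of hardware the network actually answers for is compared against the authorised physical configuration, and anything extra (a sniffer laptop in a wiring closet, a rogue modem host) or anything moved stands out. The following is an added example, not code from the thesis; it parses the Linux `ip -4 neigh show` line format, and the inventory, addresses and both table snapshots are constructed.

```python
"""Audit neighbour (ARP) table entries against the authorised hardware inventory:
unknown MACs, inventory hosts at unexpected IPs, and IPs answered by more than one MAC."""
import re
from collections import defaultdict

# One line of `ip -4 neigh show`, e.g.: 10.0.0.5 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)


def parse_neigh(text):
    """Return [(ip, mac)] for resolved entries; FAILED/INCOMPLETE lines carry no lladdr and are skipped."""
    pairs = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            pairs.append((m.group("ip"), m.group("mac").lower()))
    return pairs


def audit(pairs, inventory):
    """pairs: (ip, mac) observations pooled from one or more snapshots or hosts.
    inventory: {mac: (assigned_ip, label)}. Returns a sorted list of (kind, detail)."""
    findings = set()
    macs_for_ip = defaultdict(set)
    for ip, mac in pairs:
        macs_for_ip[ip].add(mac)
        if mac not in inventory:
            findings.add(("unknown_mac", f"{mac} claims {ip}"))
        elif inventory[mac][0] != ip:
            expected, label = inventory[mac]
            findings.add(("ip_moved", f"{label} ({mac}) expected at {expected}, seen at {ip}"))
    for ip, macs in macs_for_ip.items():
        if len(macs) > 1:  # two hardware addresses answering for one IP: duplicate or ARP spoofing
            findings.add(("ip_conflict", f"{ip} answered by {', '.join(sorted(macs))}"))
    return sorted(findings)


# Constructed inventory and snapshots; the addresses are hypothetical, not the testbed's.
INVENTORY = {
    "00:11:22:33:44:01": ("10.0.0.1", "router"),
    "00:11:22:33:44:07": ("10.0.0.7", "workstation-7"),
    "00:11:22:33:44:20": ("10.0.0.20", "db-server"),
}

SNAPSHOT_CLEAN = """\
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.0.7 dev eth0 lladdr 00:11:22:33:44:07 STALE
10.0.0.20 dev eth0 lladdr 00:11:22:33:44:20 REACHABLE
10.0.0.55 dev eth0 FAILED
"""

SNAPSHOT_LATER = """\
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.0.8 dev eth0 lladdr 00:11:22:33:44:07 REACHABLE
10.0.0.20 dev eth0 lladdr 00:AA:BB:CC:DD:EE REACHABLE
10.0.0.99 dev eth0 lladdr 00:aa:bb:cc:dd:ee REACHABLE
"""


def audit_snapshots(*snapshots, inventory=INVENTORY):
    """Pool every snapshot's entries and audit them together, so a MAC that takes
    over an inventory host's IP between two snapshots shows up as a conflict."""
    pairs = [pair for snap in snapshots for pair in parse_neigh(snap)]
    return audit(pairs, inventory)


if __name__ == "__main__":
    for kind, detail in audit_snapshots(SNAPSHOT_CLEAN, SNAPSHOT_LATER):
        print(f"{kind:12} {detail}")
```

A single host's neighbour table only covers addresses that host has talked to, so in practice the snapshots are collected from several hosts per segment (or from the RMON probe's address tables) and pooled before auditing; a MAC absent from the inventory is the simplest evidence of unauthorised hardware on the segment, and one IP answered by two MACs is the signature of the database-server impersonation a sniffing intruder would attempt on a switched network.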

[Figure] Case Study Phase 2 - Network Configuration

Case Study - The Results
- The security changes addressed the vulnerabilities discovered in phase 1:
  - No access control for devices using the network
  - No network traffic control mechanisms
  - No internal network monitoring for intruders
- Network configuration monitoring and network configuration control decrease the danger of a P-I Intruder to systems

Conclusions
- The Pseudo-Internal Intruder category addresses an area of system security that did not exist prior to the proliferation of distributed systems
- The category provides a platform on which to understand and define the capabilities of this new type of intruder, thereby facilitating the detection of and defense against such intruders

Access Oriented: Anderson
- External: unauthorized users attacking a system through external data connections
- Internal:
  - Legitimate: authorized for part of the system
  - Masqueraders: unauthorized users logged in as legitimate users
  - Clandestine: logged-in users who have the power to turn off some audit logs

Attack Oriented: Neumann
- Compromises from outside: come from above or laterally at the same abstraction layer (security and logic flaws)
- Compromises from within: obtained with the privileges of the given layer
- Compromises from below: come from a lower layer of abstraction (OS- or hardware-based attacks)