[ISN] Inside the insider threat

From: InfoSec News (isn@private)
Date: Fri Jun 11 2004 - 03:20:21 PDT

  • Next message: InfoSec News: "[ISN] DHS Issues Oracle Warning"

    Opinion by Mudge
    Intrusic Inc. 
    JUNE 10, 2004
    Six years ago, I warned the U.S. Senate that it was possible to "take
    down the Internet in 30 minutes."
    There are still critical weaknesses in central points of the public
    network. Although more distributed now, remote points can still be
    harnessed to cause disruption and confusion in ways similar to
    distributed denial-of-service attacks (DDoS). These methods refer to a
    threat model embodied by the collective Internet. An Internetwide
    outage would affect everyone on the Web, but corporations,
    organizations and governments face even greater threat models that
    encompass much more acute localized pain and risk.
    One of the oldest and least modified over the years has been the
    insider threat -- hackers infiltrating internal networks. This threat
    is more common than insider attacks or destruction. The infiltration
    is achieved in various ways common to network interlopers and
    attackers, and most importantly, it is largely missed by existing
    audit and intrusion-detection systems (IDS).
    Web site defacement, concurrent versions system (CVS) attacks and DDoS
    attacks are rarely instigated by agents once they get inside an
    organization. Such overt attacks too easily reveal them. Once inside a
    network, a hacker's priorities change -- from vandal to spy.
    The insider threat is unaddressed by today's IDSs, which are focused
    on attacks. Attacks are noisy, so they're rarely used by insiders
    intent on remaining invisible inside of a network. Real-world examples
    of insiders include Robert Hanssen, the FBI mole; Aldrich Ames, the
    CIA mole; and the sleeper terrorist cells inside the U.S. that were
    responsible for 9/11. How many lives could have been saved if these
    moles and sleeper cells had been discovered earlier?
    Over the years, I have found critical systems, such as Supervisory
    Control and Data Acquisition/Data Control System components for
    utilities companies and large phone-switching systems for
    telecommunications companies, compromised by insiders who were camping
    out in these networks. Often, the system's critical function was
    unknown to the interloper, whose sights were set elsewhere. But many
    times control of the critical system was the ultimate goal.
    Proprietary source code, microchip design plans and databases full of
    personal information continue to become public, or competitor, domain.  
    Companies and organizations of all shapes and sizes continue to bear
    this risk with little mitigation coming from the expensive network
    security defenses they have deployed.
    So how do antagonists continue to gain access so easily?
    Let's take a closer look at some of the tactics hackers commonly use.
    Sniffing, Trojan horses and application back doors
    Sniffing is the easiest and most profitable method hackers use to
    obtain the legitimate credentials and account information needed to
    gain access to an internal network. The act of sniffing refers to
    placing a system into promiscuous mode, in which network devices
    intercept and read each packet in its entirety. So the network will
    capture not only packets destined for that system, but also packets
    being exchanged among different systems. All information that passes
    along the network line while in promiscuous mode is captured,
    including usernames and passwords.
    Universities and network service providers are prime targets for the
    harvesting of accounts and credentials to access the internal networks
    of corporations because they have high-speed network connections that
    carry substantial amounts of traffic for a multitude of purposes.
    Hackers on the inside use a standard set of techniques to maintain
    invisibility on compromised systems. These techniques alter or replace
    applications, library calls, kernel interfaces, etc. so as not to show
    files, processes and other systems information that might tip off the
    company that its network is compromised (and that someone is most
    likely sniffing the local network interfaces).
    Encryption and communication applications are often modified by
    perpetrators to copy input and output from the controlling terminal
    into hidden sections on the system. Variants of these modifications
    send the copied data out over the network using covert data channels.  
    So while the secure-encrypted communications of the session itself
    might have been protected, the modified endpoint application happily
    stored the correct information for later retrieval and reuse.
    The longer a hacker has control, the more options he has and the more
    value he receives. The hacker Fluffy Bunny, for example, was
    tremendously successful using these techniques and would then go
    public with some of the names and locations of places to which he had
    gained access and control. (It's a shame that most people didn't read
    the detailed descriptions provided around how the compromises were
    Once legitimate credentials are obtained, the need to overtly attack
    is negated. No wonder vulnerability scanners and network IDSs do
    little to thwart this inside corporate networks. Who would want to
    deploy a system that stopped access to systems when legitimate
    credentials are presented? Don't forget that it's very likely any
    attacks or exploits used in compromising the first sniffing system
    happened outside of the network.
    Here is a real-world example of what an insider compromise can yield
    in one day of using a small sniffer/Trojan-horse log file placed on
    the back door of an Internet service provider that will remain
    anonymous: 4,466 username/password pairs for roughly 1,000 remote
    organizations -- 104 root accounts -- one of which was a master
    password for the IT organization of a global company. (Out of the
    thousands, perhaps only 20 of these accounts related to the service
    provider itself.)
    Another method is "island hopping." This approach targets broadband,
    Digital Subscriber Line and dial-up-connected PCs to take advantage of
    virtual private network connections to gain legitimate access to
    internal networks remotely accessed from home systems. There are many
    other ways for hackers to infiltrate networks without alerting
    firewalls and IDSs.
    Attackers have many ways of getting inside corporate networks. The
    insider threat has become an enormous danger to the internal networks
    of corporations, organizations and governments. To properly address
    this threat, organizations need to move beyond traditional
    perimeter-security systems.
    In an upcoming column, Mudge will explore options for companies to
    combat the insider threat.
    Peiter Mudge Zatko is a security expert and chief scientist at
    Waltham, Mass.-based Intrusic Inc., which is a security company
    focused exclusively on the insider threat.
    ISN mailing list
    Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie!
    (Broke? Spend 15 minutes a day on the project!)

    This archive was generated by hypermail 2b30 : Fri Jun 11 2004 - 04:58:22 PDT