Thwart Attacks from Inside the Wire
Intrusion detection is usually outward-facing. What do you do when your intruders are already 'inside the wire' and attacking from within?
When security software vendor eEye had its Web site defaced, the company immediately suspected a "disgruntled employee." Most internal attackers, though, are stealthier. Intrusion detection methods that target internal users continue to emerge. Meanwhile, companies should also use a range of other security techniques to ward off abuses by their own employees.
eEye, which produces the Spynet network sniffer, probably had good reason to suspect an employee. According to an account by UK-based VNUnet, a message posted on eEye's Web site read, "Would you trust a security company that cannot even secure themselves?" Also on the defaced Web site, the attacker charged that eEye mistreated its employees, savaged the company's products, and applied the contemptuous nickname "Chief Hacking Officer" to eEye official Marc Maiffret.
The eEye incident happened in December 2000. Studies since then have shown that internal attacks remain a major threat: in the 2002 CSI/FBI survey, for instance, 59 percent of the organizations surveyed admitted to at least one internal attack. Sometimes, though, internal perpetrators do get caught.
The paralegal stood accused of downloading the trial plan from Orrick's computer system and then sending an e-mail to attorneys for the defendants in the suit, offering to sell them the plan. After being snared by an FBI undercover agent posing as defense counsel, Farraj pled guilty to conspiracy charges for wire fraud, transporting stolen property interstate, and accessing a computer without authorization.
More typically, internal security breaches are handled in-house. Companies such as AccessData Development and NTI make forensic software that law enforcers and corporations alike can use to track user activity on Windows-based systems after the damage has already been done. An open source program known as The Coroner's Toolkit fulfills similar functions on UNIX-based systems.
Obviously, it makes more sense on every level to try to prevent internal attacks before they happen. Intrusion detection systems (IDS) constitute one approach that can be useful in prevention, although efforts certainly shouldn't end there.
"Whenever you have an internal network, employees should also be considered a threat," says one security consultant, Edward P. Yakabovicz.
"You need to be continuously looking at new technologies in intrusion detection, (as well as in) the layered approach and whatever firewalls you use," according to Yakabovicz.
Data from other surveys show that firewalls are still well ahead of IDS in terms of organizational penetration. Firewalls, though, do have limitations. Nir Zuk, CTO and co-founder of OneSecure, flatly maintains that "firewalls can't detect intrusion."
Although firewalls can control which traffic is permitted to enter and leave the network, some of the traffic they allow may be nasty in nature. Firewalls can be fooled by IP spoofing, as well as by techniques such as embedding malicious code into innocuous-looking data.
Increasingly, though, firewalls are being integrated with IDS. To give just one example, the RealSecure IDS is designed to reconfigure either a CheckPoint or Lucent firewall to reject traffic from the attacking source address.
Experts advise deploying a combination of host- and network-based IDS. Each carries advantages and disadvantages. Host-based IDS, for example, can continuously monitor system files and system logs in search of suspicious behavior. On the other hand, once a host is compromised, its IDS can easily be commandeered as well, Yakabovicz points out. Network-based IDS are geared to broader-based detection.
Some vendors, including ISS, have been developing so-called "hybrid" IDS, aimed at bringing together best-of-breed technologies from both the host- and network-based worlds.
Beyond protecting the enterprise network from outside interlopers, IDS can be set up to safeguard individual departments such as accounting and marketing, for instance by placing a network-based IDS between the department's systems and the department router.
To catch internal miscreants, though, the IDS should be designed to detect "anomalous use" (behavior that differs from "regular" activity on a particular network) as opposed to "misuse," which matches known attack signatures.
By overcoming the inflexibility of signature-based technology, anomaly-based systems are "truly the way the future is headed," Yakabovicz advises. "You need to have a smarter technology," he adds. For obvious reasons, organizations should devise different rule sets for internal versus external users.
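To make the anomalous-use versus misuse distinction concrete, here is an added example (not code from the article or from any vendor it names) that learns a per-user baseline of transfer volumes and working hours from a training window of constructed log lines, then scores new events against it, applying a stricter rule set when the source address is outside the RFC 1918 ranges. The single "misuse" rule is a constructed blocklist of source addresses, included only to show that a signature catches what it was written for and nothing else. The log format, user names, addresses and thresholds are all assumptions made for this illustration.

```python
import re
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed log format: one event per line (not any real product's format).
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2}) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) bytes=(?P<bytes>\d+)"
)

# Constructed training window: what "regular" activity looks like for two users.
TRAINING_LOG = [
    "2001-03-05T09:12:44 user=alice src=10.0.1.20 action=download bytes=120000",
    "2001-03-05T10:40:02 user=alice src=10.0.1.20 action=download bytes=150000",
    "2001-03-05T11:05:19 user=alice src=10.0.1.20 action=download bytes=180000",
    "2001-03-06T13:22:51 user=alice src=10.0.1.20 action=download bytes=110000",
    "2001-03-06T15:48:07 user=alice src=10.0.1.20 action=download bytes=160000",
    "2001-03-06T16:31:33 user=alice src=10.0.1.20 action=download bytes=140000",
    "2001-03-05T08:02:10 user=bob src=10.0.2.31 action=download bytes=50000",
    "2001-03-05T09:15:27 user=bob src=10.0.2.31 action=download bytes=60000",
    "2001-03-05T10:44:59 user=bob src=10.0.2.31 action=download bytes=80000",
    "2001-03-06T11:09:41 user=bob src=10.0.2.31 action=download bytes=70000",
    "2001-03-06T13:37:14 user=bob src=10.0.2.31 action=download bytes=55000",
    "2001-03-06T16:58:36 user=bob src=10.0.2.31 action=download bytes=65000",
]

# Constructed events to score: same users, some behaving differently.
NEW_EVENTS = [
    "2001-03-07T02:14:09 user=alice src=10.0.1.20 action=download bytes=50000000",
    "2001-03-07T14:20:45 user=alice src=10.0.1.20 action=download bytes=200000",
    "2001-03-07T10:03:12 user=bob src=203.0.113.5 action=download bytes=90000",
    "2001-03-07T22:41:30 user=bob src=10.0.2.31 action=download bytes=90000",
    "2001-03-07T12:00:00 user=carol src=198.51.100.7 action=download bytes=1000",
]

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
BLOCKLISTED_SRC = {"198.51.100.7"}          # the one "misuse" signature (constructed)

# Separate rule sets, as the article recommends: external access is judged
# more strictly on volume and any off-hours activity is flagged outright.
RULESETS = {
    "internal": {"sigma": 3.0, "flag_off_hours": False},
    "external": {"sigma": 1.5, "flag_off_hours": True},
}


def parse(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return {"user": m["user"], "src": m["src"], "hour": int(m["hour"]),
            "nbytes": int(m["bytes"]), "action": m["action"]}


def is_internal(src: str) -> bool:
    addr = ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def build_profiles(lines) -> dict:
    """Per-user baseline: hours seen, mean and population stdev of bytes."""
    per_user = defaultdict(list)
    for ev in map(parse, lines):
        per_user[ev["user"]].append(ev)
    profiles = {}
    for user, evs in per_user.items():
        sizes = [e["nbytes"] for e in evs]
        profiles[user] = {"hours": {e["hour"] for e in evs},
                          "mean": statistics.mean(sizes),
                          "stdev": statistics.pstdev(sizes)}
    return profiles


def classify(ev: dict, profiles: dict) -> list:
    """Return the list of reasons an event is suspicious (empty means normal)."""
    reasons = []
    if ev["src"] in BLOCKLISTED_SRC:
        reasons.append("misuse: blocklisted source")
    rules = RULESETS["internal" if is_internal(ev["src"]) else "external"]
    prof = profiles.get(ev["user"])
    if prof is None:
        reasons.append("anomaly: no baseline for user")
        return reasons
    if ev["nbytes"] > prof["mean"] + rules["sigma"] * prof["stdev"]:
        reasons.append("anomaly: transfer volume above baseline")
    if rules["flag_off_hours"] and ev["hour"] not in prof["hours"]:
        reasons.append("anomaly: activity outside usual hours")
    return reasons


def run_detection(training, events) -> list:
    profiles = build_profiles(training)
    return [classify(parse(line), profiles) for line in events]


if __name__ == "__main__":
    for line, verdict in zip(NEW_EVENTS, run_detection(TRAINING_LOG, NEW_EVENTS)):
        print(line, "->", verdict or "ok")
```

Note what the two approaches catch: the blocklist fires only on the address it names, while the baseline flags alice's 50 MB pull with no signature at all, and flags bob's 90 KB download when it arrives from an external address but lets the identical volume pass from his usual internal host. The weak point of this design is the training window: if it already contains the abuse, the abuse becomes "regular."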
It's also quite possible, though, for external attackers to dupe the network into treating them as company employees. Back in the late 1990s, a researcher at the University of Virginia coined the phrase "pseudo-internal intruder" to refer to this type of miscreant.
"Since 1980, the intrusion detection community has divided intruders into two categories (internal and external) based on the intruder's access to a system. The proliferation of distributed systems with complex networks has necessitated a reexamination of intruder definitions. We define a new category, the pseudo-internal intruder. This new category encompasses intruders without user accounts who circumvent the perimeter defenses of a modern distributed system and attack the system via its network," wrote Brownell K. Combs, who was then a grad student in the university's Computer Science Department.
Outside of IDS and firewalls, other technologies useful in fending off internal attacks can include authentication, encryption, and user provisioning, to name a few.
The good news is that organizations often have greater recourse against internal perpetrators. Employees can be required to agree to policies around security and intellectual property when they first join the company. If they break the rules later on, they can lose their Internet access rights, for instance, or even their jobs.