The Pseudo-Internal Intruder A New Access Oriented Intruder Category

The Pseudo-Internal
Intruder: A New Access
Oriented Intruder Category



   Master’s Thesis Presentation

       Brownell K. Combs
          May 7, 1999
Outline

Why are we concerned with intruders and
 what can we do about them?
How does categorizing intruders help
 intrusion detection research?
What is the Pseudo-Internal Intruder?
What can the Pseudo-Internal Intruder do?
How can we defend against it?
How do these defenses work?
The Problem of Intrusions

CSI/FBI 1999 Computer Crime and
 Security Survey (4th Annual Report)
  Approx. $124,000,000 in Financial Losses
  Only 1% Claimed No Security Incident


CERT statistics show 67% increase in
 incidents handled annually from ‘94 to ‘98
Intrusion Detection Systems

Many think that it may never be possible
 to create ‘completely secure’ systems
IDS is the next best thing
Owners of systems want one or more of
 the following:
  recognize presence of an intruder
  prevent them from doing harm
  make similar future intrusion more difficult
  attempt to catch the intruder
IDS Research

Studying Intruders (techniques, habits,
 etc) is an important area of IDS research
Researchers in the field and IDS builders
 in industry must have some scheme with
 which to categorize intruders
These schemes serve as a basic
 framework for discussing and thinking
 about the issue of Intrusion Detection
Intruder Categories

2 main approaches to placing intruders
 into different categories
Access oriented (intruder oriented): focus
 on the intruder’s access to the system
  Anderson’s classic external/internal scheme
Attack oriented: focus on the attack the
 intruder executes
  Neumann’s modes of compromise scheme
What scheme do we need?

Least amount of category ambiguity for
 IDS Designers and SysAdmins
This is best provided by narrowly defined
 categories that are distinct from one
 another
  Example: How useful is it to have an
   ‘external intruder’ category that refers to both
   Internet Hackers and janitors inside the
   building?
Definitions

Physical Configuration - all of the
 hardware used in a distributed system,
 including the location of each item
Network Configuration - how all of those
 hardware items are connected and how
 they interact with each other
Net/Phy Perimeter - separation between a
 distributed system’s net/phy configuration
 and the rest of the world.
Sample
Physical Configuration
Sample
Network Configuration
Pseudo-Internal Intruder

A new distinct category for the access
 oriented intruder categorization scheme

A P-I Intruder is an intruder who lacks the
 privileges of an authorized user and who
 has circumvented the perimeter defenses
 of a system in order to attack it via its
 internal network (network configuration)
Box Diagram of Access
Oriented Categories
3 kinds of P-I Intruders

Insiders with physical access (desktop
 connection, wiring closets, server rooms)
Outsiders with same physical access as
 above (gained through subterfuge or
 force)
Outsiders with special data access
 (personal modems that circumvent
 perimeter defense)
Tools and Techniques

1) Network Assessment Tools
  Active and Passive
2) Packet Sniffers
  Hardware and Software
3) Exploits
  Steps executed in a certain order
4) Denial of Service Attacks
  Network Saturation and Traffic Misdirection
Example Scenario #1:
Industrial Espionage Agent

#1 gains employment with custodial
 services and has access to wiring closets
Connects a hardware sniffer to the
 network for several days
Removes the sniffer and finds it captured
 sensitive communications between senior
 company executives
Mission Accomplished
Example Scenario #2:
Disgruntled Employee

#2 is a basic network user with access to
 multiple desktop connections
Runs a network assessment tool and a
 software sniffer from a shared machine
Finds multiple vulnerabilities and an
 account and password of a SysAdmin
Logs in as SysAdmin (becomes an
 Internal Intruder) and deletes databases.
Mission Accomplished
Defending Against the
Pseudo-Internal Intruder

Three phases:
  Deny intruders access to the system
  Mitigate the consequences of intruders
   gaining access to the system
  Detect, Monitor, and Record any intrusions
Since Pseudo-Internal Intruders require
 access to the internal network, we will
 focus on it when examining these steps
Preventing Intruder Access

Physical Perimeter Security: stop as many
 potential intruders as possible from
 gaining physical access to the system
 (Guards, Gates, Locked Doors, etc.)
Physical configuration control: ensuring
 that unauthorized hardware is not
 introduced to the system and authorized
 hardware is not used for unauthorized
 actions (TEMPEST, Conduit, Metal Cases)
Mitigating Intruder Access

If an intruder cannot read information or
 write (affect a change) to the system then
 the danger of an intruder is diminished
Network configuration control: managing
 the aspects of the network configuration
 to ensure the highest degree of security
  Encrypt communications, switched or
   intelligent hubs and routers, smaller
   segments, etc.
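As an added illustration (not part of the thesis), the following model computes which conversations a promiscuous-mode sniffer on a given host can observe, and which of those it can actually read, under three of the network configurations discussed here: one shared hub, two hub segments, and two switched segments with the mission-critical traffic encrypted. The host names, segment layout and flows are constructed; the switch rule assumes no ARP spoofing or MAC flooding, which are the usual ways a P-I intruder defeats a switch and are outside this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    encrypted: bool = False


# Constructed configurations (hypothetical host names). "segments" maps a
# segment name to its media type, "hosts" maps each host to its segment.
PHASE1 = {"segments": {"lan": "hub"},
          "hosts": {"exec1": "lan", "exec2": "lan", "dbserver": "lan",
                    "shared-pc": "lan", "printer": "lan"}}
PHASE2_HOSTS = {"exec1": "critical", "exec2": "critical", "dbserver": "critical",
                "shared-pc": "general", "printer": "general"}
PHASE2_HUBS = {"segments": {"general": "hub", "critical": "hub"}, "hosts": PHASE2_HOSTS}
PHASE2 = {"segments": {"general": "switch", "critical": "switch"}, "hosts": PHASE2_HOSTS}

# The same four conversations; in FLOWS_ENC the mission-critical ones are encrypted.
FLOWS = [Flow("exec1", "exec2"), Flow("exec1", "dbserver"),
         Flow("shared-pc", "dbserver"), Flow("shared-pc", "printer")]
FLOWS_ENC = [Flow("exec1", "exec2", True), Flow("exec1", "dbserver", True),
             Flow("shared-pc", "dbserver", True), Flow("shared-pc", "printer")]


def observable(config, flows, sniffer):
    """Flows whose frames reach a promiscuous NIC on `sniffer`.
    Hub: every frame with an endpoint on the sniffer's segment is repeated to
    all ports. Switch: only frames to or from the sniffer itself (broadcast
    traffic and ARP-spoofing/MAC-flooding tricks are not modelled)."""
    hosts = config["hosts"]
    seg = hosts[sniffer]
    if config["segments"][seg] == "hub":
        return [f for f in flows if seg in (hosts[f.src], hosts[f.dst])]
    return [f for f in flows if sniffer in (f.src, f.dst)]


def exposed(config, flows, sniffer):
    """Observable flows whose contents are also readable (not encrypted)."""
    return [f for f in observable(config, flows, sniffer) if not f.encrypted]


def summary(config, flows, sniffer):
    """(observable, exposed) counts for a sniffer running on `sniffer`."""
    return len(observable(config, flows, sniffer)), len(exposed(config, flows, sniffer))


if __name__ == "__main__":
    for name, cfg, fl in [("phase 1: one shared hub", PHASE1, FLOWS),
                          ("two hub segments", PHASE2_HUBS, FLOWS),
                          ("phase 2: switched + encrypted", PHASE2, FLOWS_ENC)]:
        print(f"{name:32} sniffer on shared-pc sees {summary(cfg, fl, 'shared-pc')}")
```

Each control removes a different part of the exposure: segmentation keeps the executives' traffic off the segment the intruder can reach, switching stops the intruder reading other hosts' conversations on his own segment, and encryption is what protects the one flow (shared-pc to dbserver) that still has to cross into his reach.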
Detecting Intruder Access

Network configuration monitoring:
 continuously observing all aspects of the
 network configuration searching for
 evidence of intruders
If an intruder does gain access to the
 system the most effective response will be
 a human one. Successful monitoring and
 reporting allows a quick response from
 SysAdmins
Case Study - Two Phases

Execute a set of Pseudo-Internal Intruder
 attacks against a testbed system with
 state of practice security measures
  CSI/FBI ‘99 Survey showed only 42 out of
   501 respondents used any intrusion detection
Execute the same set of attacks against
 the testbed system after implementing
 the security recommendations of the
 thesis
Case Study - The Attacks

 1) Packet Sniffer – Software [Laptop]
 2) Network Assessment Tool – Active [Rogue
   Outside Connect]
 3) Exploit – Ping of Death [Laptop]
 4) Exploit (Hacker Program) – WinNuke (Ping
   of Death) [Laptop]
 5) Denial of Service Attack – Ping Flood
   [Laptop]
 6) Denial of Service Attack – Smurf Attack
   [Rogue Outside Connect]
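The detection side of attacks 3, 5 and 6 above, as an added example rather than the thesis's own monitoring device: three checks a network monitor on the mission-critical segment can run over packet summaries, plus a constructed capture containing a ping flood, a Smurf trigger and an oversize fragment set. The local address ranges, the 100-requests-per-second flood threshold and the packet record layout are assumptions; the Ping of Death check uses the fragment offset plus payload length directly and ignores the IP header accounting a full reassembler would do.

```python
import ipaddress
from collections import defaultdict

# Constructed local address space of the testbed; the monitor needs it to
# recognise directed-broadcast destinations.
LOCAL_NETS = [ipaddress.ip_network("10.1.1.0/24"),
              ipaddress.ip_network("10.1.2.0/24")]


def pkt(ts, src, dst, kind="echo-request", ip_id=0, frag_off=0, length=64):
    """One packet as the monitor summarises it. `kind` is the ICMP type for an
    unfragmented or first packet and "fragment" for a non-first IP fragment
    (which carries no ICMP header). frag_off and length are in bytes."""
    return {"ts": ts, "src": src, "dst": dst, "kind": kind,
            "ip_id": ip_id, "frag_off": frag_off, "length": length}


def detect_smurf(pkts, local_nets=LOCAL_NETS):
    """Echo requests addressed to a directed-broadcast address: the
    amplification step of a Smurf attack. The source is the spoofed victim."""
    bcast = {str(n.broadcast_address) for n in local_nets}
    return [p for p in pkts if p["kind"] == "echo-request" and p["dst"] in bcast]


def detect_ping_flood(pkts, threshold=100):
    """(src, dst) pairs sending at least `threshold` echo requests inside one
    whole-second bucket."""
    counts = defaultdict(int)
    for p in pkts:
        if p["kind"] == "echo-request":
            counts[(p["src"], p["dst"], int(p["ts"]))] += 1
    return sorted({(s, d) for (s, d, _), n in counts.items() if n >= threshold})


def detect_ping_of_death(pkts, max_len=65535):
    """Fragment sets (src, dst, ip_id) whose reassembled datagram would exceed
    the IPv4 maximum size, which is what Ping of Death relies on."""
    end = defaultdict(int)
    for p in pkts:
        key = (p["src"], p["dst"], p["ip_id"])
        end[key] = max(end[key], p["frag_off"] + p["length"])
    return sorted(k for k, e in end.items() if e > max_len)


def sample_capture():
    """Constructed capture: a benign ping, a flood, a Smurf trigger and an
    oversize fragment set, all from hypothetical addresses."""
    pkts = [pkt(0.10, "10.1.1.20", "10.1.1.10"),
            pkt(0.11, "10.1.1.10", "10.1.1.20", "echo-reply")]
    # Ping flood: 150 echo requests within one second from the intruder's laptop.
    pkts += [pkt(1.0 + i / 150, "10.1.1.50", "10.1.1.10") for i in range(150)]
    # Smurf: source spoofed as the victim, destination is the directed broadcast.
    pkts.append(pkt(2.0, "10.1.2.10", "10.1.1.255"))
    # Ping of Death: 44 full 1480-byte fragments, then a last one ending past 65535.
    pkts += [pkt(3.0, "10.1.1.50", "10.1.1.10", "fragment" if off else "echo-request",
                 ip_id=4660, frag_off=off, length=1480) for off in range(0, 65120, 1480)]
    pkts.append(pkt(3.0, "10.1.1.50", "10.1.1.10", "fragment",
                    ip_id=4660, frag_off=65120, length=500))
    return pkts


if __name__ == "__main__":
    cap = sample_capture()
    print("smurf trigger:", [(p["src"], p["dst"]) for p in detect_smurf(cap)])
    print("ping flood:", detect_ping_flood(cap))
    print("ping of death:", detect_ping_of_death(cap))
```

The broadcast rule will also fire on legitimate broadcast pings from discovery tools, so it belongs with a whitelist of known scanners; the flood threshold must be tuned per segment, since the monitoring device itself sees only the traffic of the segment it is attached to (which is why the phase 2 design places it in the mission-critical segment).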
Case Study Phase 1 -
Network Configuration
Case Study - Changes
made for Phase 2

Network divided into 2 segments
All Mission Crit. Communication Encrypted
Network Intrusion Detection Monitoring
 Device placed in Mission Crit. Segment
Network scanned for unknown IP and
 MAC addresses
RMON monitoring utilities used
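The "scan for unknown IP and MAC addresses" step, as an added example that is not the thesis's own tooling: an authorised-hardware inventory (physical configuration control) compared against ARP observations gathered from the segment (network configuration monitoring). The inventory, the `arp -an`-style lines and the rogue laptop's addresses are constructed. One caveat a practitioner should keep in mind: a purely passive hardware sniffer, as in Scenario #1, never transmits and so never appears in an ARP table; for that device the locked wiring closet and a per-port link inventory on the switch are the controls that apply.

```python
import re
from collections import defaultdict

# Constructed inventory of authorised hardware: MAC -> (host, expected IP, location).
INVENTORY = {
    "00:50:56:aa:bb:01": ("dbserver", "10.1.1.10", "server room"),
    "00:50:56:aa:bb:02": ("exec1", "10.1.1.20", "executive office"),
    "00:50:56:aa:bb:03": ("shared-pc", "10.1.1.30", "open area"),
    "00:50:56:aa:bb:04": ("printer", "10.1.1.40", "copy room"),
}

# Constructed `arp -an` output from two successive sweeps of the segment.
# In the second sweep a rogue laptop (00:e0:4c:12:34:56) also answers for the
# database server's address, i.e. it is ARP-spoofing dbserver.
ARP_OUTPUT = """\
? (10.1.1.10) at 00:50:56:aa:bb:01 [ether] on eth0
? (10.1.1.20) at 00:50:56:aa:bb:02 [ether] on eth0
? (10.1.1.30) at 00:50:56:AA:BB:03 [ether] on eth0
? (10.1.1.40) at <incomplete> on eth0
? (10.1.1.77) at 00:e0:4c:12:34:56 [ether] on eth0
? (10.1.1.10) at 00:e0:4c:12:34:56 [ether] on eth0
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def parse_arp(text):
    """Unique (ip, mac) pairs from `arp -an`-style lines; incomplete entries are
    skipped and MACs normalised to lower case so they match the inventory."""
    return sorted({(m["ip"], m["mac"].lower()) for m in ARP_LINE.finditer(text)})


def audit(observed, inventory=INVENTORY):
    """Compare observed (ip, mac) pairs with the inventory.
    Returns sorted (finding, subject, detail) tuples."""
    findings = []
    macs_for_ip = defaultdict(set)
    for ip, mac in observed:
        macs_for_ip[ip].add(mac)
        if mac not in inventory:
            findings.append(("unknown-hardware", mac, ip))
        elif inventory[mac][1] != ip:
            findings.append(("address-changed", mac, f"{inventory[mac][1]} -> {ip}"))
    for ip, macs in macs_for_ip.items():
        if len(macs) > 1:  # two NICs answering for one address: spoofing or a clash
            findings.append(("duplicate-ip", ip, ",".join(sorted(macs))))
    seen = {mac for _, mac in observed}
    for mac, (host, _, location) in inventory.items():
        if mac not in seen:  # powered off, unplugged, or replaced by something else
            findings.append(("not-seen", mac, f"{host} ({location})"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_arp(ARP_OUTPUT)):
        print(*finding)
```

Run on a schedule, the "unknown-hardware" and "duplicate-ip" findings are what give SysAdmins the quick human response the previous slides call for; "not-seen" is informational but worth checking against the physical location, since an authorised machine that has gone quiet may have had its drop borrowed.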
Case Study Phase 2 -
Network Configuration
Case Study - The Results

Security Changes addressed the
 vulnerabilities discovered in phase 1
  No access control for devices using network
  No network traffic control mechanisms
  No internal network monitoring for intruders
Network Configuration Monitoring and
 Network Configuration Control decrease
 the danger of a P-I Intruder to systems
Conclusions

The Pseudo-Internal Intruder Category
 addresses an area of system security that
 did not exist prior to the proliferation of
 distributed systems
The category provides a platform on
 which to understand and define the
 capabilities of this new type of intruder,
 thereby facilitating the detection and
 defense against such intruders
Access Oriented: Anderson

External: unauthorized users attacking a
 system through external data connections
Internal:
  Legitimate: authorized for part of system
  Masqueraders: unauthorized users logged in
   as legitimate users
  Clandestine: users logged in that have the
   power to turn off some audit logs
Attack Oriented: Neumann

Compromises from outside: come from
 above or laterally at the same abstraction
 layer (security and logic flaws)
Compromises from within: obtained with
 privileges of the given layer
Compromises from below: come from a
 lower layer of abstraction (OS, hardware
 based attacks)