Responding to Insider Attacks


Although the methods used in responding to an external attack are still valuable, some special techniques are especially useful in insider attacks. Computer forensics is possibly the most specialized of these. Forensics is discussed further in other chapters, but it has special applicability to insider attacks. First, the computer used in an attack probably belongs to the company, so there is generally no issue about search and seizure. The company might have physical control of the computer (less so when the computer is a laptop). If the investigation is to be conducted without the subject's knowledge, the company can arrange a "black bag" job in which the drive is imaged during the night or weekend and the forensics conducted offsite. The important thing to remember about forensics is that it can be extremely time consuming and often produces circumstantial evidence but not a "smoking gun." It is useful, however, in providing information to be used later in an interview with the subject, even if conclusive evidence is not discovered. Because it might not be clear who is involved (or who might be involved) in an incident, proper evidence handling is especially critical: hash the image at acquisition and again before analysis so that its integrity can be demonstrated later. (This is discussed in more detail in the forensics chapters.) Offsite storage might be wise, especially if the company cannot guarantee a secure evidence-storage facility.

Interviews are also unique to insider attacks; the suspect can be questioned about his actions. Human resources and the legal department should be consulted prior to questioning because the employee might have certain rights under an employment agreement. The choice of interviewers is not a simple one. For example, physical security personnel might be skilled in interviewing most subjects but might not have the technical skills to establish a rapport with a system administrator. If the interview becomes too accusatory or hostile, it is unlikely to produce results. If the incident response team does not have access to a skilled interviewer, bringing in outside assets is probably wise.

Profiling of attacks can be a valuable tool in assisting the investigation. Profiling is discussed in more detail in Chapter 11,"The Human Side of Incident Response," but some dangers are inherent in the profiling process, especially in insider investigations. The people involved might have preconceived notions that might impair their judgment. Because they are closely involved with the investigation and know the people, they might be quick to form opinions that might later turn out to be faulty. Here are some other concerns about profiling:

  1. Believing that there is one "hacker" profile and suspecting the insider that most resembles the popular stereotype

  2. Coming to a conclusion too quickly and blaming the wrong employee, which can lead to a wrongful termination

  3. Constructing the profile without technical input and cooperation

Physical security personnel and physical access logs can be vital tools in the conduct of the investigation. Physical access logs are critical in taking an investigation to the last step: placing the person at the computer at the time of the incident. Computer forensics might be capable of identifying the "guilty" computer but cannot, by itself, pinpoint the person. Correlating badge-reader records with network logs depends on the same time synchronization discussed below for network devices; a badge system whose clock drifts by a few minutes can place the wrong person in the room.

Depending on the particular composition of the incident response team and the corporate culture, an insider attack might require the team to work closely with operations personnel. Both management and operations will have to be consulted, for example, before taking a critical server offline to conduct forensics. Operations might already have hardware or software in place or might have access to resources that can be vital in the investigation. This includes both trained personnel (who are intimately familiar with the operating environment) and access to the hardware and systems required to conduct monitoring of network traffic. Obviously, if a member of the operations group is suspected, the coordination becomes much more difficult. It might require, for example, that a single trusted person within operations provide access to logs or network traffic. The difficulties of conducting a technical investigation on a live system in which the administrator is suspected cannot be overstated. This person can, at the very least, detect the investigation and delete or modify logs. At worst, the person can retaliate by destroying or corrupting evidence to implicate a third party or even destroying the system under investigation.

Monitoring of employees is a sensitive subject, but an insider attack lends itself to increased monitoring. This can be monitoring of network access, emails, keystroke logging, or even videotaping or actual surveillance by other personnel. Again, both human resources and the legal department should be consulted prior to any extensive monitoring.

Incident response teams should develop (and practice) out-of-band communications. If the network is unavailable because of an attack or if an administrator is suspected in an insider attack, the primary means of communication about the attack should not be email. Even if the administrator is not a suspect, it is important to remember that the person could still monitor the email traffic and tip off the suspect (either wittingly or unwittingly). Company phones might be subject to monitoring by telecommunications personnel. During the conduct of the investigation, team members should consider whether communications methods are secure before passing any sensitive information.

As a general rule, investigating insider incidents requires the incident response team to be much more circumspect during the investigation. An insider investigation is intrusive by its very nature. It will require the team to limit the sharing of information outside and perhaps even within the team. Initial hypotheses about the incident should be very closely held. They might be wrong and might cause misunderstanding. They might alert the attacker, especially if the initial theory is incomplete or inaccurate. They might have legal implications if the wrong suspect is investigated. The fundamental difference between investigating an insider attack and an external attack is that it is never clear who can be trusted during the investigation.

The analysis of network logs (routers, switches, servers, and so on) in insider attacks is similar to that of external attacks, except that the company has more access to the logs and they are generally more reliable. Although some attacks, for example, can spoof IP addresses, the switch's forwarding (CAM) table and the ARP cache of the router on the attacker's own segment still record the MAC address and switch port the traffic came from; a MAC address can also be forged, but it never crosses a routed hop, so the search is narrowed to one segment. It is much more difficult for an employee to launch a network attack and remain undetected. There are three major considerations in network log analysis:

  • First, the logs are essentially useless unless they are time synchronized. When tracing an attack back from one hop to the next, the only common factor is often the time stamp. Companies should run an internal time synchronization (NTP) server and set the time on all network devices (including workstations, servers, and personal computers) from it; for any device that cannot be synchronized, the investigator must measure and record its clock offset before using its logs.

  • Second, the use of dynamic IP addresses within corporate networks is increasing. Often, however, the network logs only identify the subject by IP address. If the DHCP server does not keep logs of IP leases, or if those logs are not periodically archived, it might be impossible to determine which workstation was involved. Because the same address is reused by different machines over time, the lease that was active at the moment of the event is the only one that matters.

  • Third, a determined and skilled attacker can delete or modify logs. If a system administrator is under suspicion, all logs must be viewed with some degree of skepticism unless it can be verified that the administrator had no access to the system. UNIX logs are especially easy to modify because they consist of simple text files. There are now tools available to modify NT logs, including the deletion and insertion of single records in the log files. The usual safeguard is to forward logs as they are written to a central log host that the suspected administrator cannot write to, and to compare the local copies against that record.
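The following is an added example, not code from the book, that walks a single suspicious server log entry through the chain the text describes: IP address to DHCP lease (MAC address and hostname), MAC address to switch port via a CAM-table snapshot, port to a badge-controlled room, and room to the people whose badge records place them inside at that moment. It also shows the first consideration in practice: the DHCP server's clock is assumed to run ten minutes fast, and the same lookup done without correcting for that skew lands on the previous holder of the address. Every log line, device name, port-to-room mapping and clock offset is constructed for the example.

```python
"""Resolve a server log entry to IP -> MAC/host -> switch port -> room -> people.

Added example; all logs, names and clock offsets below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Measured clock skew per log source: how far AHEAD of true (NTP) time the
# device's clock reads. Assumed: DHCP server 10 minutes fast, others in sync.
SKEW = {"server": timedelta(0), "dhcp": timedelta(minutes=10),
        "switch": timedelta(0), "badge": timedelta(0)}
# What an investigator who ignores skew would effectively use.
NO_SKEW = {source: timedelta(0) for source in SKEW}

# Constructed server log line (server clock, UTC).
SERVER_LOG = [
    "2002-03-14T02:17:05Z src=10.20.31.77 dst=10.20.5.10 event=ssh-login user=root",
]
# Constructed DHCP lease log (DHCP server clock): start, end, ip, mac, hostname.
DHCP_LEASES = [
    ("2002-03-13T18:00:00Z", "2002-03-14T02:20:00Z", "10.20.31.77", "00:0a:11:11:11:11", "WS-ACCT-04"),
    ("2002-03-14T02:20:00Z", "2002-03-14T10:20:00Z", "10.20.31.77", "00:0a:22:22:22:22", "WS-ENG-17"),
]
# Constructed switch CAM-table snapshots: time, switch, port, mac.
CAM_SNAPSHOTS = [
    ("2002-03-14T02:15:00Z", "sw-3", "Gi1/0/7", "00:0a:11:11:11:11"),
    ("2002-03-14T02:15:00Z", "sw-3", "Gi1/0/12", "00:0a:22:22:22:22"),
]
# Constructed cabling records: the badge-controlled room each port serves.
PORT_ROOM = {("sw-3", "Gi1/0/7"): "ACCT-MAIN", ("sw-3", "Gi1/0/12"): "ENG-LAB-2"}
# Constructed badge-reader log: time, door, badge holder, direction.
BADGE_LOG = [
    ("2002-03-13T17:45:00Z", "ACCT-MAIN", "msmith", "in"),
    ("2002-03-13T18:30:00Z", "ACCT-MAIN", "msmith", "out"),
    ("2002-03-14T01:58:30Z", "ENG-LAB-2", "jdoe", "in"),
    ("2002-03-14T02:40:12Z", "ENG-LAB-2", "jdoe", "out"),
]


def true_time(stamp, source, skew=SKEW):
    """Parse an ISO 8601 UTC stamp and subtract the source clock's measured skew."""
    recorded = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return recorded - skew[source]


def parse_server_line(line, skew=SKEW):
    """Return (event_time, fields) for a 'timestamp key=value ...' log line."""
    stamp, *pairs = line.split()
    return true_time(stamp, "server", skew), dict(p.split("=", 1) for p in pairs)


def lease_for(ip, when, skew=SKEW):
    """Return (mac, hostname) of the lease that held ip at time when, or None."""
    for start, end, lease_ip, mac, host in DHCP_LEASES:
        if lease_ip == ip and true_time(start, "dhcp", skew) <= when < true_time(end, "dhcp", skew):
            return mac, host
    return None


def port_for(mac, when, skew=SKEW, tolerance=timedelta(minutes=30)):
    """Return (switch, port) from the CAM snapshot nearest to when, within tolerance."""
    best = None
    for stamp, switch, port, seen_mac in CAM_SNAPSHOTS:
        if seen_mac != mac:
            continue
        gap = abs(true_time(stamp, "switch", skew) - when)
        if gap <= tolerance and (best is None or gap < best[0]):
            best = (gap, switch, port)
    return None if best is None else (best[1], best[2])


def present_in(room, when, skew=SKEW):
    """Badge holders whose most recent event at the room's door before when was 'in'."""
    last = {}
    for stamp, door, holder, direction in sorted(BADGE_LOG):
        if door == room and true_time(stamp, "badge", skew) <= when:
            last[holder] = direction
    return sorted(h for h, d in last.items() if d == "in")


def trace(line, skew=SKEW):
    """Follow the trail as far as the archived logs allow; None marks where it ends."""
    when, fields = parse_server_line(line, skew)
    result = {"time": when.isoformat(), "ip": fields["src"], "mac": None,
              "host": None, "port": None, "room": None, "present": []}
    lease = lease_for(fields["src"], when, skew)
    if lease is None:  # no lease archived for that moment: cannot name the workstation
        return result
    result["mac"], result["host"] = lease
    port = port_for(result["mac"], when, skew)
    if port is None:  # no CAM snapshot close enough in time
        return result
    result["port"], result["room"] = port, PORT_ROOM.get(port)
    if result["room"]:
        result["present"] = present_in(result["room"], when, skew)
    return result


if __name__ == "__main__":
    print("skew corrected:", trace(SERVER_LOG[0]))
    print("skew ignored:  ", trace(SERVER_LOG[0], skew=NO_SKEW))
```

With the skew corrected, the login resolves to WS-ENG-17 on port Gi1/0/12 in ENG-LAB-2, where jdoe had badged in and not yet out. Ignoring the ten-minute offset resolves the same line to the earlier lease for WS-ACCT-04 in ACCT-MAIN, a room nobody was in at the time; the badge data then contradicts the network data, which is the symptom an unsynchronized clock usually produces. Each lookup returns None rather than guessing when the corresponding log is missing, so a gap in lease archiving or CAM snapshots shows up as a broken trail instead of a wrong name.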



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002