Detection of insider attacks is extremely difficult. A skilled and patient insider can develop and execute an attack that is indistinguishable from either human error or normal patterns of behavior. Intrusion-detection systems might not be able to determine that a very slow probe is, in fact, an attack. Network IDSs are generally designed to detect (and possibly block) conventional, external, network-based attacks. IDSs might require extensive modification to the rule sets to detect a stealthy probe. They should be placed at critical junctures around sensitive servers. Even if they are not successful in detecting and preventing an internal attack, the logs produced can be invaluable during a later investigation, especially if the IDS is a separate, standalone system that a potential attacker (even with root or administrator privileges on the network) cannot access or modify. System IDSs to detect changes in critical data or system files should also be in place. This can consist of specific products that periodically hash system files to detect changes to binaries (the best-known of these is probably Tripwire). It can also consist of data-logging tools such as the data access and auditing facilities included in database management systems or email servers. Again, these tools are not always useful in detecting an ongoing incident, but they can be invaluable in providing evidence during the investigation stage.
Unusual access, access during nonworking times, or access by system or unused accounts is often indicative of insider attacks. System accounts that have no normal user associated with them should be heavily logged and monitored. Accounting logs that have been disabled or logs that have unexplained time gaps are also indicators of an attack. The difficulty is that most suspicious occurrences will not be attacks. A previous example was a shell script used to clean up temporary files. When this script ran from the wrong directory and crashed several critical servers simultaneously, the first assumption was that it had to be an insider attack because of the nature of the servers. Human detection is often the most reliable indicator of an insider attack. Employees should be trained to detect indicators of an attack, including technical indicators such as changed passwords or the last-login message that displays when they access their accounts. They should be aware of their work environment and alert to signs of discontent. Correlating technical indicators with the real-life work environment is critical, but it is often extremely hard to implement.
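The three log-based indicators named above (access outside working hours, activity by system accounts with no human owner, and unexplained gaps in the accounting log) can be checked mechanically. The following is an added example, not code from the book; the log format, account names, working hours and gap threshold are all constructed assumptions and would need tuning to a real environment's normal activity rate.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All values below are constructed for this example, not taken from the book.
SYSTEM_ACCOUNTS = {"backup", "daemon", "svc_report"}  # accounts with no human owner
WORK_START, WORK_END = 8, 18        # local working hours (assumed), end exclusive
MAX_GAP = timedelta(hours=8)        # longest quiet period treated as normal (assumed)

# Constructed sample accounting log: "date time user host action"
SAMPLE_LOG = """\
2024-03-04 09:02:11 alice db01 login
2024-03-04 09:45:30 bob fs02 login
2024-03-04 19:20:05 alice db01 logout
2024-03-04 23:41:52 backup db01 login
2024-03-05 02:15:00 dave fs02 login
"""

@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    action: str

def parse_log(text: str) -> list[Event]:
    """Parse the simple whitespace-separated log format used above."""
    events = []
    for line in text.splitlines():
        if line.strip():
            date, time, user, host, action = line.split()
            events.append(Event(datetime.fromisoformat(f"{date} {time}"), user, host, action))
    return events

def off_hours(ts: datetime) -> bool:
    """True on weekends or outside WORK_START..WORK_END."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)

def find_indicators(events: list[Event]) -> list[tuple[datetime, str, str]]:
    """Return (timestamp, indicator, detail) for each of the three indicators."""
    findings, prev = [], None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.user in SYSTEM_ACCOUNTS:                     # system account used at all
            findings.append((ev.ts, "system-account activity", ev.user))
        if off_hours(ev.ts):                               # access outside working time
            findings.append((ev.ts, "off-hours access", ev.user))
        if prev is not None and ev.ts - prev.ts > MAX_GAP: # unexplained silence in the log
            findings.append((ev.ts, "log gap", f"{ev.ts - prev.ts} since {prev.ts}"))
        prev = ev
    return findings
```

Running `find_indicators(parse_log(SAMPLE_LOG))` on the constructed log yields five findings; as the text warns, each is only a lead for a human to correlate with the work environment, not proof of an attack.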