Detecting Insider Attacks


Detection of insider attacks is extremely difficult. A skilled and patient insider can develop and execute an attack that is indistinguishable from either human error or normal patterns of behavior. Intrusion-detection systems might not be able to determine that a very slow probe is, in fact, an attack.

Network IDSs are generally designed to detect (and possibly block) conventional, external, network-based attacks. IDSs might require extensive modification to the rule sets to detect a stealthy probe. They should be placed at critical junctures around sensitive servers. Even if they are not successful in detecting and preventing an internal attack, the logs produced can be invaluable during a later investigation, especially if the IDS is a separate, standalone system that a potential attacker (even with root or administrator privileges on the network) cannot access or modify.

System IDSs to detect changes in critical data or system files should also be in place. This can consist of specific products that periodically hash system files to detect changes to binaries (the best-known of these is probably Tripwire). It can also consist of data-logging tools such as the data access and auditing facilities included in database management systems or email servers. Again, these tools are not always useful in detecting an ongoing incident, but they can be invaluable in providing evidence during the investigation stage.

Host-Based Intrusion Detection

Host-based IDSs consist of tools designed to detect changes to systems. The best known of these is probably Tripwire. Tripwire is designed for UNIX systems, but similar products (both free and commercial) exist for Windows systems as well.

These systems examine critical system files and construct a cryptographic hash of the files. The hashes are stored offline. Investigators can compare the hashes of the files on the system with this baseline set to determine whether an attacker has modified any files on the system.

Security of the baseline hash set is paramount because an attacker could simply create new hashes of the modified files. The hash set should be copied on removable media and physically secured in a locked container.
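The baseline-and-compare check described above, as an added Python example (not Tripwire's code and not from the book): it hashes every file under a directory, stores the hashes as a baseline, and later reports added, removed and modified files. The HMAC tag over the stored baseline is an assumption added here, with the key kept on the same removable media as the baseline, so that a baseline an attacker regenerated on the host is rejected rather than trusted; `demo()` runs the whole flow on a constructed temporary tree.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large binaries stay out of RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def seal_baseline(baseline: dict, key: bytes) -> dict:
    """Serialise the baseline and tag it with an HMAC; the key never lives on the host (assumption)."""
    body = json.dumps(baseline, sort_keys=True)
    return {"baseline": body,
            "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def compare(root: Path, sealed: dict, key: bytes) -> dict:
    """Reject a regenerated or tampered baseline, then diff the live tree against it."""
    expected = hmac.new(key, sealed["baseline"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("baseline tag mismatch: baseline may have been replaced")
    old, new = json.loads(sealed["baseline"]), build_baseline(root)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p])}

def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, then change it in three ways."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "ls").write_bytes(b"original binary")
    (root / "passwd").write_text("root:x:0:0\n")
    key = b"constructed-key-kept-on-removable-media"
    sealed = seal_baseline(build_baseline(root), key)   # taken offline at this point
    (root / "bin" / "ls").write_bytes(b"replaced binary")  # binary modified
    (root / "passwd").unlink()                              # file removed
    (root / "new_lib.so").write_bytes(b"new file")          # file added
    return compare(root, sealed, key)
```

Running `demo()` returns the three lists; in practice the baseline and key would be read back from the secured media rather than kept in memory.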

If the company is using network-based IDSs to detect insiders, these systems should also be secured. When possible, the engines should communicate with the IDS console over a secured link, outside of the normal network infrastructure. These systems are vulnerable to an attacker who either wants to conceal his or her actions or might want to use the system to gather intelligence about the network.

Unusual access, access during nonworking times, or access by system or unused accounts is often indicative of insider attacks. System accounts that have no normal user associated with them should be heavily logged and monitored. Accounting logs that have been disabled or logs that have unexplained time gaps are also indicators of an attack.

The challenge is that most suspicious occurrences will not be attacks. A previous example was a shell script used to clean up temporary files. When this script ran from the wrong directory and crashed several critical servers simultaneously, the first assumption was that it had to be an insider attack because of the nature of the servers.

Human detection is often the most reliable indicator of an insider attack. Employees should be trained to detect indicators of an attack, including technical indicators such as changed passwords or the last login message that displays when they access their accounts. They should be aware of their work environment and alert to signs of discontent. Correlating technical indicators with the real-life work environment is critical, but it is often extremely hard to implement.



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103
