The Pseudo-Internal
Intruder: A New Access
Oriented Intruder Category
Master’s Thesis Presentation
Brownell K. Combs
May 7, 1999
Outline
Why are we concerned with intruders and
what can we do about them?
How does categorizing intruders help
intrusion detection research?
What is the Pseudo-Internal Intruder?
What can the Pseudo-Internal Intruder do?
How can we defend against it?
How do these defenses work?
The Problem of Intrusions
CSI/FBI 1999 Computer Crime and
Security Survey (4th Annual Report)
Approx. $124,000,000 in Financial Losses
Only 1% Claimed No Security Incident
CERT statistics show 67% increase in
incidents handled annually from ‘94 to ‘98
Intrusion Detection Systems
Many think that it may never be possible
to create ‘completely secure’ systems
IDS is the next best thing
Owners of systems want one or more of
the following:
recognize presence of an intruder
prevent them from doing harm
make similar future intrusion more difficult
attempt to catch the intruder
IDS Research
Studying Intruders (techniques, habits,
etc) is an important area of IDS research
Researchers in the field and IDS builders
in industry must have some scheme with
which to categorize intruders
These schemes serve as a basic
framework for discussing and thinking
about the issue of Intrusion Detection
Intruder Categories
2 main approaches to placing intruders
into different categories
Intruder oriented: focus on the intruder’s
access to the system
Anderson’s classic external/internal scheme
Attack oriented: focus on the attack the
intruder executes
Neumann’s modes of compromise scheme
What scheme do we need?
Least amount of category ambiguity for
IDS Designers and SysAdmins
This best provided by narrowly defined
categories that are distinct from one
another
Example: How useful is it to have an
‘external intruder’ category that refers to both
Internet Hackers and janitors inside the
building?
Definitions
Physical Configuration - all of the
hardware used in a distributed system
included the location of each item
Network Configuration - how all of those
hardware items are connected and how
they interact with each other
Net/Phy Perimeter - separation between a
distributed system’s net/phy configuration
and the rest of the world.
Sample
Physical Configuration
Sample
Network Configuration
Pseudo-Internal Intruder
A new distinct category for the access
oriented intruder categorization scheme
P-I Intruder is an intruder without the
privileges of an authorized user and who
has circumvented the perimeter defenses
of a system to attack the system via its
internal network (network configuration)
Box Diagram of Access
Oriented Categories
3 kinds of P-I Intruders
Insiders with physical access (desktop
connection, wiring closets, server rooms)
Outsiders with same physical access as
above (gained through subterfuge or
force)
Outsiders with special data access
(personal modems that circumvent
perimeter defense)
Tools and Techniques
1) Network Assessment Tools
Active and Passive
2) Packet Sniffers
Hardware and Software
3) Exploits
Steps executed in a certain order
4) Denial of Service Attacks
Network Saturation and Traffic Misdirection
Example Scenario #1:
Industrial Espionage Agent
#1 gains employment with custodial
services and has access to wiring closets
Connects a hardware sniffer to the
network for several days
Removes the sniffer and finds it captured
sensitive communications between senior
company executives
Mission Accomplished
Example Scenario #2:
Disgruntled Employee
#2 is a basic network user with access to
multiple desktop connection
Runs a network assesment tool and
software sniffer off of a shared machine
Finds multiple vulnerabilities and an
account and password of a SysAdmin
Logs in as SysAdmin (becomes an Internal
Intruder) and deletes databases.
Mission Accomplished
Defending Against the
Pseudo-Internal Intruder
Three phases:
Deny intruders access to the system
Mitigate the consequences of intruders
gaining access to the system
Detect, Monitor, and Record any intrusions
Since Pseudo-Internal Intruders require
access to the internal network, we will
focus on it when examining these steps
Preventing Intruder Access
Physical Perimeter Security: stop as many
potential intruders as possible from
gaining physical access to the system
(Guards, Gates, Locked Doors, etc.)
Physical configuration control: ensuring
that unauthorized hardware is not
introduced to the system and authorized
hardware is not used for unauthorized
actions (TEMPEST, Conduit, Metal Cases)
Mitigating Intruder Access
If an intruder cannot read information or
write (affect a change) to the system then
the danger of an intruder is diminished
Network configuration control: managing
the aspects of the network configuration
to ensure the highest degree of security
Encrypt Communications, SwitchedIntelligent hubs and routers, smaller
segments, etc.
Detecting Intruder Access
Network configuration monitoring:
continuously observing all aspects of the
network configuration searching for
evidence of intruders
If an intruder does gain access to the
system the most effective response will be
a human one. Successful monitoring and
reporting allows a quick response from
SysAdmins
Case Study - Two Phases
Execute a set of Pseudo-Internal Intruder
attacks against a testbed system with
state of practice security measures
CSI/FBI ‘99 Survey showed only 42 out of
501 respondents used any intrusion detection
Execute the same set of attacks against
the testbed system after implementing
the security recommendations of the
thesis
Case Study - The Attacks
1)Packet Sniffer – Software [Laptop]
2)Network Assessment Tool – Active [Rogue
Outside Connect]
3)Exploit – Ping of Death [Laptop]
4)Exploit (Hacker Program) – WinNuke (Ping
of Death) [Laptop]
5)Denial of Service Attack – Ping Flood
[Laptop]
6)Denial of Service Attack – Smurf Attack
[Rogue Outside Connect]
Case Study Phase 1 Network Configuration
Case Study - Changes
made for Phase 2
Network divided into 2 segments
All Mission Crit. Communication Encrypted
Network Intrusion Detection Monitoring
Device placed in Mission Crit. Segment
Network scanned for unknown IP and
MAC addresses
RMON monitoring utilities used
Case Study Phase 2 Network Configuration
Case Study - The Results
Security Changes addressed the
vulnerabilities discovered in phase 1
No access control for devices using network
No network traffic control mechanisms
No internal network monitoring for intruders
Network Configuration Monitoring and
Network Configuration Control decrease
the danger of a P-I Intruder to systems
Conclusions
The Pseudo-Internal Intruder Category
addresses an area of system security that
did not exist prior to the proliferation of
distributed systems
The category provides a platform on
which to understand and define the
capabilities of this new type of intruder,
thereby facilitating the detection and
defense against such intruders
Access Oriented: Anderson
External: unauthorized users attacking a
system through external data connections
Internal:
Legitimate: authorized for part of system
Masqueraders: unauthorized users logged in
as legitimate users
Clandestine: users logged in that have the
power to turn off some audit logs
Attack Oriented: Neumann
Compromise from outside: come from
above or laterally at same abstraction
layer (security and logic flaws)
Compromises from within: obtained with
privileges of the given layer
Compromises from below: come from a
lower layer of abstraction (OS, hardware
based attacks)