Inside the insider threat

Six years ago, I warned the U.S. Senate that it was possible to "take down the Internet in 30 minutes."

There are still critical weaknesses at central points of the public network. Although the Internet is more distributed now, remote points can still be harnessed to cause disruption and confusion in ways similar to distributed denial-of-service (DDoS) attacks. These methods belong to the threat model of the Internet as a whole. An Internetwide outage would affect everyone on the Web, but corporations, organizations and governments face additional threat models that involve much more acute, localized pain and risk.

One of the oldest threat models, and the one that has changed least over the years, is the insider threat -- hackers infiltrating internal networks and operating from within. This threat is more common than attacks or destruction carried out by actual insiders. The infiltration is achieved through the ordinary techniques of network interlopers and attackers, and, most importantly, it is largely missed by existing audit and intrusion-detection systems (IDS).

Web site defacement, concurrent versions system (CVS) attacks and DDoS attacks are rarely launched by intruders once they are inside an organization, because such overt attacks reveal them too easily. Once inside a network, a hacker's priorities change -- from vandal to spy.

The insider threat is unaddressed by today's IDSs, which are focused on attacks. Attacks are noisy, so they're rarely used by insiders intent on remaining invisible inside of a network. Real-world examples of insiders include Robert Hanssen, the FBI mole; Aldrich Ames, the CIA mole; and the sleeper terrorist cells inside the U.S. that were responsible for 9/11. How many lives could have been saved if these moles and sleeper cells had been discovered earlier?

Over the years, I have found critical systems, such as Supervisory Control and Data Acquisition/Data Control System components for utilities companies and large phone-switching systems for telecommunications companies, compromised by insiders who were camping out in these networks. Often, the system's critical function was unknown to the interloper, whose sights were set elsewhere. But many times control of the critical system was the ultimate goal.

Proprietary source code, microchip design plans and databases full of personal information continue to become public, or competitor, domain. Companies and organizations of all shapes and sizes continue to bear this risk with little mitigation coming from the expensive network security defenses they have deployed.

So how do antagonists continue to gain access so easily?

Let's take a closer look at some of the tactics hackers commonly use.

Sniffing, Trojan horses and application back doors

Sniffing is the easiest and most profitable method hackers use to obtain the legitimate credentials and account information needed to gain access to an internal network. Sniffing means placing a system's network interface into promiscuous mode, in which it accepts and reads every packet it sees in its entirety, not just the packets addressed to it. The system therefore captures not only its own traffic but also packets being exchanged among other systems on the same segment. Everything that passes along that segment while the interface is in promiscuous mode is captured, including usernames and passwords sent by cleartext protocols. (On a shared medium such as a hub or a wireless network, that is all traffic on the segment; on a switched network the interface sees only what the switch forwards to its port, which is why the placement of the sniffing host matters.)
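What a sniffer actually does with the frames it pulls off a promiscuous interface is parse them and pick the logins out of the payloads. The following is an added example (not code from the column or from Intrusic): it decodes raw Ethernet/IPv4/TCP frames, extracts USER/PASS pairs from FTP and POP3 and the user:password from HTTP Basic authentication, and tallies the result the way a harvested log is triaged (pairs, distinct hosts, root accounts). The frames are constructed inline for the example; `build_frame`, `harvest` and `tally` are names chosen here, and the hosts and credentials are made up.

```python
"""Credential harvesting from sniffed frames (added example, constructed input).

Parses raw Ethernet/IPv4/TCP frames the way a sniffer would after pulling
them off a promiscuous-mode interface, and pulls cleartext logins out of
FTP/POP3 (USER/PASS) and HTTP Basic-auth payloads. The frames are built
inline for the example; no real traffic is captured.
"""
import base64
import re
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
USER_RE = re.compile(rb"^USER (\S+)", re.M)
PASS_RE = re.compile(rb"^PASS (\S+)", re.M)
BASIC_RE = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)", re.M | re.I)


def parse_frame(frame):
    """Return (src_ip, dst_ip, dst_port, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 14 + 20 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    dport = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4            # TCP header length in bytes
    return src, dst, dport, tcp[data_off:]


def harvest(frames):
    """Walk frames in order and return (dst_ip, dst_port, user, password) tuples."""
    pending = {}   # flow (src, dst, dport) -> username seen, awaiting PASS
    creds = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, dport, payload = parsed
        flow = (src, dst, dport)
        if dport in (21, 110):               # FTP and POP3 send USER, then PASS
            m = USER_RE.search(payload)
            if m:
                pending[flow] = m.group(1).decode("ascii", "replace")
            m = PASS_RE.search(payload)
            if m and flow in pending:
                creds.append((dst, dport, pending.pop(flow),
                              m.group(1).decode("ascii", "replace")))
        elif dport == 80:                    # HTTP Basic auth is base64, not encryption
            m = BASIC_RE.search(payload)
            if m:
                try:
                    decoded = base64.b64decode(m.group(1)).decode("ascii", "replace")
                except ValueError:
                    continue
                user, _, pw = decoded.partition(":")
                creds.append((dst, dport, user, pw))
    return creds


def tally(creds):
    """Summarize a harvest the way a sniffer log is triaged: pairs, hosts, root logins."""
    return {
        "pairs": len(creds),
        "hosts": len({dst for dst, _, _, _ in creds}),
        "root_accounts": sum(1 for _, _, user, _ in creds if user == "root"),
    }


def build_frame(src, dst, dport, payload, sport=40000):
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums left zero; parsing only)."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def sample_frames():
    """Constructed traffic: an FTP login, a POP3 root login, an HTTP Basic-auth request, ARP noise."""
    basic = base64.b64encode(b"bob:hunter2")
    return [
        build_frame("10.0.0.5", "192.0.2.10", 21, b"USER alice\r\n"),
        build_frame("10.0.0.5", "192.0.2.10", 21, b"PASS s3cret\r\n"),
        bytes(12) + b"\x08\x06" + bytes(28),                       # ARP: not IPv4, ignored
        build_frame("10.0.0.7", "192.0.2.20", 110, b"USER root\r\n"),
        build_frame("10.0.0.7", "192.0.2.20", 110, b"PASS toor\r\n"),
        build_frame("10.0.0.5", "192.0.2.30", 80,
                    b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic " + basic + b"\r\n\r\n"),
    ]


if __name__ == "__main__":
    found = harvest(sample_frames())
    for dst, port, user, pw in found:
        print(f"{dst}:{port}  {user} / {pw}")
    print(tally(found))
```

Nothing here needs privileges or a real interface; on a live host the same parsing would sit behind a raw socket or libpcap, and the point to take from it is how little work stands between promiscuous mode and a usable credential list.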

Universities and network service providers are prime targets for the harvesting of accounts and credentials to access the internal networks of corporations because they have high-speed network connections that carry substantial amounts of traffic for a multitude of purposes.

Hackers on the inside use a standard set of techniques to remain invisible on compromised systems. These techniques alter or replace applications, library calls, kernel interfaces and the like so that files, processes and other system information that might tip off the company that its network is compromised (and that someone is most likely sniffing the local network interfaces) are never shown.

Encryption and communication applications are often modified by perpetrators to copy input and output from the controlling terminal into hidden locations on the system. Variants of these modifications send the copied data out over the network using covert data channels. So while the session's encrypted traffic may have been protected on the wire, the modified endpoint application happily stored the plaintext credentials for later retrieval and reuse.
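The check a practitioner wants against the replaced binaries and modified client applications described in the two paragraphs above is a content hash compared with a known-good baseline: a trojaned ssh or login that keeps the original file size and timestamp passes a glance at `ls -l`, but not a SHA-256 comparison. The following is an added example, not code from the column or from Intrusic; `build_baseline`, `verify` and `demo` are names chosen here, and the "binaries" are small files created in a temporary directory for the demonstration.

```python
"""Detecting a replaced binary with a content hash (added example, constructed files).

A trojaned ssh or login that preserves file size and modification time slips
past a glance at `ls -l`; a SHA-256 baseline recorded from known-good media
does not. The files here are created in a temporary directory for the demo.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file's contents in chunks (binaries can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Record size, mtime (ns) and SHA-256 per file. Take the baseline from trusted
    media: a kernel-level rootkit on the live host can lie to the tool taking it."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
                       "sha256": sha256_file(p)}
    return baseline


def verify(baseline):
    """Compare each file against the baseline; flag content changes even when
    size and mtime look untouched."""
    report = {}
    for path, rec in baseline.items():
        if not os.path.exists(path):
            report[path] = "MISSING"
            continue
        st = os.stat(path)
        meta_same = st.st_size == rec["size"] and st.st_mtime_ns == rec["mtime_ns"]
        if sha256_file(path) == rec["sha256"]:
            report[path] = "OK"
        elif meta_same:
            report[path] = "MODIFIED (size and mtime unchanged)"
        else:
            report[path] = "MODIFIED"
    return report


def demo():
    """Stage three fake binaries, baseline them, trojan one the stealthy way,
    delete another, and return the verification report keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        bodies = {
            "ssh": b"original ssh client code\n",
            "ls": b"original ls code\n",
            "login": b"original login code\n",
        }
        paths = {}
        for name, body in bodies.items():
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(body)
        baseline = build_baseline(paths.values())

        # Trojan "ssh": same length as the original, then put the old timestamps
        # back so size and mtime match what the baseline recorded.
        st = os.stat(paths["ssh"])
        with open(paths["ssh"], "wb") as f:
            f.write(b"trojaned ssh client code\n")
        os.utime(paths["ssh"], ns=(st.st_atime_ns, st.st_mtime_ns))
        os.remove(paths["login"])

        return {os.path.basename(p): status for p, status in verify(baseline).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:6} {status}")
```

The baseline and the verifier are only as trustworthy as the environment they run in: hash from read-only media or an offline image of the disk, since a modified kernel can hand the hashing tool the original file contents while executing the trojaned ones.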

The longer a hacker has control, the more options he has and the more value he receives. The hacker Fluffy Bunny, for example, was tremendously successful using these techniques and would then go public with some of the names and locations of places to which he had gained access and control. (It's a shame that most people didn't read the detailed descriptions provided around how the compromises were conducted.)

Once legitimate credentials are obtained, the need to overtly attack is negated. No wonder vulnerability scanners and network IDSs do little to thwart this inside corporate networks. Who would want to deploy a system that stopped access to systems when legitimate credentials are presented? Don't forget that it's very likely any attacks or exploits used in compromising the first sniffing system happened outside of the network.

Here is a real-world example of what an insider compromise can yield in one day of using a small sniffer/Trojan-horse log file placed on the back door of an Internet service provider that will remain anonymous: 4,466 username/password pairs for roughly 1,000 remote organizations -- 104 root accounts -- one of which was a master password for the IT organization of a global company. (Out of the thousands, perhaps only 20 of these accounts related to the service provider itself.)

Another method is "island hopping." This approach targets home PCs on broadband, Digital Subscriber Line (DSL) and dial-up connections and rides their virtual private network (VPN) connections to gain legitimate remote access to the internal networks those home systems reach. There are many other ways for hackers to infiltrate networks without alerting firewalls and IDSs.

Attackers have many ways of getting inside corporate networks. The insider threat has become an enormous danger to the internal networks of corporations, organizations and governments. To properly address this threat, organizations need to move beyond traditional perimeter-security systems.

In an upcoming column, Mudge will explore options for companies to combat the insider threat.

Peiter Mudge Zatko is a security expert and chief scientist at Waltham, Mass.-based Intrusic Inc., which is a security company focused exclusively on the insider threat.

Copyright © 2004 IDG Communications, Inc.
