Firewall Wizards mailing list archives
Detecting internal intrusions (was: RE: the value, etc.)
From: "John Kozubik" <john_kozubik_dc () hotmail com>
Date: Sat, 30 Jan 1999 18:56:31 PST
I will say just briefly that I believe identifying and neutralizing internal threats is an operational matter rather than a structural matter. With an external IDS, you are acting structurally - you are watching and identifying packets that match this or that criteria within this or that threshold. This is great, and when utilized internally in _large_ organizations is very useful (for instance, when dealing with Chinese walls that financial institutions invoke to satisfy the SEC from time to time).

In a small organization, more thought-out (operational) IDS needs to take place - simply looking for strange packets is not going to get you very far (the guy embezzling money down the hall is most likely _not_ trying to LAND the router, nor is he generating weird packets with all flags set, etc.). Rather, the internal attacker is usually only subtly changing their own daily behavior in ways that may not set off any alarms at all.

I would venture to say that if meaningful internal IDS is to be enacted, it will be based on statistical evaluation of file access. But this will lead to all sorts of false positives - and last time I checked, my job description didn't include "ground-breaking artificial intelligence research".

In this area more than anywhere, you need to gain an intimate knowledge of the day-to-day normal operations of the company and then logically think through what the best ways to watch for weird behavior will be - because, as I said, the weird behavior will _NOT_ be the weird behavior the standard IDS is looking for. Unethical accountants don't generate source-routed packets.

Further, when you make your baseline analysis of the users' behavior, do not rule out that someone is already in the process of intruding internally - make sure you realize that your baseline can _include_ previously existing intrusion behaviors. Unless of course they are just stealing office supplies, in which case, all bets are off.
kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE AD87 520F 57BE 850B E4C4
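The post argues for an internal IDS built on statistical evaluation of file access, warns that this produces false positives, and cautions that the baseline itself may already contain an intruder's behaviour. The following is an added illustration of those three points, not code from the post or its author: it builds a per-user baseline of daily distinct-file counts from constructed audit records, scores a new day against each user's own baseline using a median/MAD deviation (the robust statistic and the threshold of 3 are assumptions chosen for the example), and separately surfaces any user whose "normal" already sits far above the population's normal, which is the case the baseline alone can never flag.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed audit-log format (an assumption for this example): one record per file access.
LINE_RE = re.compile(r"day=(\d+) user=(\w+) path=(\S+)")


def constructed_log():
    """Constructed sample data, not real records.

    alice and carol touch 2-3 finance files a day; bob has been pulling 20 a day
    since before the baseline window was taken; on day 6 alice suddenly reads 12.
    A malformed line is included to show the parser skips it.
    """
    lines = []
    for day in range(1, 7):
        for user in ("alice", "carol"):
            n = 12 if (user == "alice" and day == 6) else 2 + (day % 2)
            lines += [f"day={day} user={user} path=/finance/{user}_{i}.xls" for i in range(n)]
        lines += [f"day={day} user=bob path=/finance/export_{i}.csv" for i in range(20)]
    lines.append("garbage line that does not parse")
    return lines


def parse(lines):
    """Yield (day, user, path) from 'day=N user=U path=P' records; skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def daily_counts(records):
    """Return {user: {day: number of distinct files accessed that day}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, user, path in records:
        seen[user][day].add(path)
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def build_baseline(counts, baseline_days):
    """Per-user (median, MAD) of daily counts over the baseline window.

    Median and median absolute deviation are used instead of mean/stdev so a
    single odd day does not drag the whole baseline.
    """
    base = {}
    for user, days in counts.items():
        vals = [days.get(d, 0) for d in baseline_days]
        med = median(vals)
        mad = median(abs(v - med) for v in vals)
        base[user] = (med, mad)
    return base


def score_day(counts, baseline, day, threshold=3.0, floor=1.0):
    """Return {user: (count, score)} for users whose count on `day` exceeds their
    own baseline by more than `threshold` MADs.

    MAD is floored at `floor` so a perfectly regular user is not flagged for
    reading one extra file; this floor is one knob that trades false positives
    against missed subtle changes.
    """
    flagged = {}
    for user, (med, mad) in baseline.items():
        count = counts.get(user, {}).get(day, 0)
        score = (count - med) / max(mad, floor)
        if score > threshold:
            flagged[user] = (count, round(score, 1))
    return flagged


def elevated_baselines(baseline, factor=3.0):
    """Users whose baseline median is more than `factor` times the population's
    median baseline. Per-user scoring can never flag them (their intrusion *is*
    their baseline), so they need a human look before the baseline is trusted.
    """
    pop = median(med for med, _ in baseline.values())
    return sorted(u for u, (med, _) in baseline.items() if med > factor * pop)


if __name__ == "__main__":
    counts = daily_counts(parse(constructed_log()))
    base = build_baseline(counts, range(1, 6))
    print("deviations on day 6:", score_day(counts, base, 6))
    print("baselines to review before trusting:", elevated_baselines(base))
```

Run against the constructed data, day 6 flags only alice (12 files against a baseline of about 3), while bob's steady 20 files a day scores zero because that volume is his baseline; `elevated_baselines` is the cross-user check that catches him, which is exactly the post's warning that a baseline taken while an intrusion is under way will quietly absorb it.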