Firewall Wizards mailing list archives

Detecting internal intrusions (was: RE: the value, etc.)


From: "John Kozubik" <john_kozubik_dc () hotmail com>
Date: Sat, 30 Jan 1999 18:56:31 PST

I will say just briefly that I believe identifying and neutralizing 
internal threats is an operational matter rather than a structural 
matter.

With an external IDS, you are acting structurally - you are watching and 
identifying packets that match this or that criteria within this or that 
threshold.  This is great, and when utilized internally in _large_ 
organizations is very useful (for instance, when dealing with Chinese 
walls that financial institutions invoke to satisfy the SEC from time to 
time).

In a small organization, more thought out (operational) IDS needs to 
take place - simply looking for strange packets is not going to get you 
very far (the guy embezzling money down the hall is most likely _not_ 
trying to LAND the router, nor is he generating weird packets with all 
flags set, etc.)

Rather, the internal attacker is usually only subtly changing their own 
daily behavior in ways that may not set off any alarms at all.  I would 
venture to say that if meaningful internal IDS is to be enacted, it will 
be based on statistical evaluation of file access.  But this will lead 
to all sorts of false positives - and last time I checked, my job 
description didn't include "ground-breaking artificial intelligence 
research".

In this area more than anywhere, you need to gain an intimate knowledge 
of the day to day normal operations of the company and then logically 
think through what the best ways to watch for weird behavior will be - 
because as I said, the weird behavior will _NOT_ be the weird behavior 
the standard IDS is looking for.  Unethical accountants don't generate 
source-routed packets.

Further, when you make your baseline analysis of the users' behavior, do 
not rule out that someone is already in the process of intruding 
internally - make sure you realize that your baseline can _include_ 
previously existing intrusion behaviors.

Unless of course they are just stealing office supplies, in which case, 
all bets are off.

kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE  AD87 520F 57BE 850B E4C4
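The two ideas in the post that lend themselves to a worked example are the "statistical evaluation of file access" baseline and the warning that the baseline can already contain the intruder's behavior. The script below is an added illustration of both; it is not code from the original message or from anyone on the list. The audit-line format (`day=.. user=.. path=..`), the users, the shares and every count are constructed for the example; real audit logs will need their own parser.

```python
"""Per-user file-access baseline scoring.

Added example, not code from the original post.  Builds a per-(user, share)
baseline of "distinct files touched per day" from constructed audit lines,
then z-scores a later day against it.  Run twice: once against a clean
baseline and once against a baseline that already contains the intruder's
activity, to show how the second one masks the alert.  The line format and
all numbers below are assumptions for the example only.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed specs: (day, user, share, distinct files touched that day).
CLEAN_BASELINE = [
    (1, "alice", "/finance", 3), (2, "alice", "/finance", 4),
    (3, "alice", "/finance", 3), (4, "alice", "/finance", 3),
    (5, "alice", "/finance", 4),
    (1, "bob", "/src", 20), (2, "bob", "/src", 22), (3, "bob", "/src", 19),
    (4, "bob", "/src", 21), (5, "bob", "/src", 20),
]
# Same period, but alice was already sweeping the share on days 4 and 5.
CONTAMINATED_BASELINE = CLEAN_BASELINE[:3] + [
    (4, "alice", "/finance", 9), (5, "alice", "/finance", 10),
] + CLEAN_BASELINE[5:]
# The day under review: alice reads 10 finance files and one HR file.
WINDOW = [(6, "alice", "/finance", 10), (6, "alice", "/hr", 1),
          (6, "bob", "/src", 21)]


def expand(spec):
    """Turn a spec into one constructed audit line per file access."""
    lines = []
    for day, user, share, n in spec:
        for i in range(n):
            lines.append(f"day={day} user={user} path={share}/doc{i:03d}.xls")
    return "\n".join(lines)


def parse(text):
    """Parse 'day=.. user=.. path=..' lines into (day, user, path) tuples."""
    records = []
    for line in text.splitlines():
        f = dict(kv.split("=", 1) for kv in line.split())
        records.append((int(f["day"]), f["user"], f["path"]))
    return records


def daily_distinct(records):
    """{(user, share): {day: number of distinct paths touched}}."""
    seen = defaultdict(set)
    for day, user, path in records:
        share = "/" + path.split("/")[1]   # top-level directory = share
        seen[(user, share, day)].add(path)
    out = defaultdict(dict)
    for (user, share, day), paths in seen.items():
        out[(user, share)][day] = len(paths)
    return out


def build_baseline(records):
    """Mean and population stdev of the daily count, per (user, share)."""
    return {key: (mean(list(d.values())), pstdev(list(d.values())))
            for key, d in daily_distinct(records).items()}


def score(baseline, key, observed, sigma_floor=1.0):
    """z-score against the user's own history.  sigma_floor stops a very
    tight baseline (sigma near 0) from turning ordinary day-to-day variance
    into an alert, which is the false-positive trap the post warns about."""
    if key not in baseline:
        return None        # user never touched this share in the baseline
    mu, sigma = baseline[key]
    return (observed - mu) / max(sigma, sigma_floor)


def detect(baseline_spec, window_spec, threshold=3.0, sigma_floor=1.0):
    """Return {(user, share): (z, flagged)} for each key seen in the window.
    A share with no baseline for that user is always flagged (z is None)."""
    base = build_baseline(parse(expand(baseline_spec)))
    results = {}
    for key, days in daily_distinct(parse(expand(window_spec))).items():
        for _day, observed in days.items():
            z = score(base, key, observed, sigma_floor)
            results[key] = (z, z is None or z >= threshold)
    return results


if __name__ == "__main__":
    for name, spec in (("clean baseline", CLEAN_BASELINE),
                       ("contaminated baseline", CONTAMINATED_BASELINE)):
        print(name)
        for key, (z, flagged) in sorted(detect(spec, WINDOW).items()):
            shown = None if z is None else round(z, 2)
            print(f"  {key}: z={shown} flagged={flagged}")
```

Against the clean baseline alice's 10 finance files on day 6 score well above threshold and her first-ever touch of `/hr` is flagged for having no history at all, while bob's 21 source files are within his own normal range. Against the contaminated baseline the same day-6 activity scores below threshold, because days 4 and 5 pulled her mean and spread up: the embezzler who was already at work when you took the baseline is now "normal". The `sigma_floor` argument shows the other side of the trade: set it to 0 and a quarter-close day of 6 files is flagged against a baseline whose spread is under half a file, which is the flood of false positives the post predicts.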

