Top 10 Network Security Mistakes - #4: Interior Malign

Greetings, Netsec Nerds!  We’re still counting down the Top 10 Network Security Mistakes.

Then, you are jolted from your dream to find a rabid zombie sheep attacking you like a shrieking Chupacabra.

You didn’t see that coming, did you?  Nobody expects the Spanish Inquisition.

There are more people off your network than on it, so a good amount of attention needs to be directed towards keeping it that way. However, according to a recent study, up to 58% of security incidents may involve internal users. So while there are certainly marauding hordes outside your gates, some insidious operatives may be inside.

How is it that we have to concern ourselves with the potential of attack from the very resources we are trying to protect? Who bites the hand that plugs in the RJ45? How cruel!

Internal Threats come in a few basic flavors (there are many sub-varieties, however, so do not let your brain get boxed in with these generalizations). Let’s take a look.

The Unwitting

These are users, services and/or machines that have acquired a parasite of some sort. The defining characteristic is a lack of specific intent on the part of the attacker. Sure, the attacker meant to infect systems, but they didn’t care who they got to. It’s not personal. 

These infections can come from USB sticks, emails, websites, downloads or any other common place where network nettles can snag your trousers. 

This sort of infection is often used to gather information or to attack other resources on the internet. So, they’re going to make someone miserable eventually. 

The Aware

These are basically InfoSec mules. These users know they are introducing something but they might not be quite sure what. These may be people who are targeted and approached by outside entities to assist in some sort of focused operation, or people who knowingly plug an infected machine into a protected network with no concern for the welfare of the organization. 

The Intentional

Enter Spy vs. Spy. I’ll spare you the Snowden/NSA references here. It’s too easy to summon those ghosts. Let’s just say that the focused, determined attacker is the one we need to fear the most.  Hopefully, they are not very experienced and manage to set off some of our tripwires while clunking about our China shop. But, they may be a bit more MI: than that.

The challenge with the intentional attacker is that they have so many ways to attack - hacking the human, implants, spear phishing, whaling, hijacking, passive attacks - we could go on, but it is a pretty big list, and I’m sure you have a coffee to get or something. The point is: we have a lot to defend against, and not all of it is easy to find.

Anti-Sheep Armor

How do we defend against these threats? Well, as with most approaches, there are long and short answers. We’re going to go with short here, but feel free to ask questions in the comments below. 

The reason these attacks are so effective is that they exploit the trust (read: lack of controls) often present on internal networks. So, let’s start there. 

Default Segmentation

We covered this previously here. Allowing all your users free access to all your servers and sensitive data is like storing your accelerants near a heat source. Use firewalls to segment your network and use specific rules to allow only necessary traffic to necessary hosts and networks. 

Network Access Control

One great way to prevent casual infection of your network is to limit access to your network. Managed systems generally have a much stronger constitution than the random home PC. There are a lot of considerations before flipping on 802.1X, but knowing that only machines you sort of trust are plugging in may well be worth the trouble. 

Access Abstractions

Another way to limit malware from ravaging your network is to limit or eliminate host-to-host communications. Using a TCP-proxy or service wrappers like F5 APM or Juniper UAC/MAG can help ensure that only validated, authenticated users are interacting with your services. This prevents rote reconnaissance of your network.

Event Correlation

Collecting and correlating security events can be extremely effective, but it is not a simple process to implement. Well, collecting is fairly easy, but building rules and knowing what to look for and how to respond can be quite a challenge. However, automating this can save buckets of human brain cycles, and frankly, improve the likelihood that someone or something is watching. It is easy to start looking at logs. It is hard to continue doing it when distractions and fire drills crop up. 
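As an added example (not code from the original post), here is a small correlator that shows how the segmentation, NAC and event correlation ideas above fit together. It reads constructed, syslog-style sample lines from two sources: a segmentation firewall that logs ALLOW/DENY decisions, and a NAC system that flags an unmanaged device. It then fires two rules: a host reaching many distinct internal destinations in a short window (the rote reconnaissance the Access Abstractions section mentions), and an unmanaged device that starts tripping firewall denies right after it plugs in. The log formats, field names and thresholds are assumptions chosen for the example, not any vendor's real format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the post). 10.20.5.17 is an unmanaged box that
# sweeps the server VLAN on 445; 10.20.5.3 is an ordinary user with one stray deny.
SAMPLE_LOGS = """\
2024-03-01T09:00:00 nac UNMANAGED ip=10.20.5.17 mac=aa:bb:cc:dd:ee:01
2024-03-01T09:00:05 fw1 DENY src=10.20.5.17 dst=10.10.0.11 dport=445
2024-03-01T09:00:06 fw1 DENY src=10.20.5.17 dst=10.10.0.12 dport=445
2024-03-01T09:00:07 fw1 DENY src=10.20.5.17 dst=10.10.0.13 dport=445
2024-03-01T09:00:08 fw1 DENY src=10.20.5.17 dst=10.10.0.14 dport=445
2024-03-01T09:00:09 fw1 DENY src=10.20.5.17 dst=10.10.0.15 dport=445
2024-03-01T09:00:10 fw1 ALLOW src=10.20.5.3 dst=10.10.0.20 dport=443
2024-03-01T09:05:00 fw1 ALLOW src=10.20.5.3 dst=10.10.0.21 dport=443
2024-03-01T09:30:00 fw1 DENY src=10.20.5.3 dst=10.10.0.30 dport=22
"""

# Assumed log formats for this example only.
FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
NAC_RE = re.compile(r"^(\S+) nac UNMANAGED ip=(\S+) mac=(\S+)$")


def parse_logs(text):
    """Split raw lines into firewall decisions and NAC events; unknown lines are ignored."""
    fw, nac = [], []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, _host, action, src, dst, dport = m.groups()
            fw.append({"ts": datetime.fromisoformat(ts), "action": action,
                       "src": src, "dst": dst, "dport": int(dport)})
            continue
        m = NAC_RE.match(line)
        if m:
            ts, ip, mac = m.groups()
            nac.append({"ts": datetime.fromisoformat(ts), "ip": ip, "mac": mac})
    return fw, nac


def detect_fan_out(fw_events, window=timedelta(seconds=60), threshold=5):
    """Rule 1: one source touching >= threshold distinct destinations inside a sliding window.
    Allowed and denied flows both count; reconnaissance over permitted ports is still recon."""
    alerts = []
    by_src = defaultdict(list)
    for e in sorted(fw_events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    for src, events in by_src.items():
        recent = deque()
        for e in events:
            recent.append(e)
            # Drop events that have aged out of the window.
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            distinct = {x["dst"] for x in recent}
            if len(distinct) >= threshold:
                alerts.append({"rule": "fan_out", "src": src, "targets": len(distinct),
                               "first_seen": recent[0]["ts"]})
                break  # one alert per source is enough for a human to act on
    return alerts


def detect_unmanaged_then_denied(fw_events, nac_events,
                                 window=timedelta(minutes=10), min_denies=3):
    """Rule 2: cross-source correlation. A device NAC flagged as unmanaged that then
    racks up segmentation denies shortly after connecting."""
    alerts = []
    for n in nac_events:
        denies = [e for e in fw_events
                  if e["action"] == "DENY" and e["src"] == n["ip"]
                  and n["ts"] <= e["ts"] <= n["ts"] + window]
        if len(denies) >= min_denies:
            alerts.append({"rule": "unmanaged_then_denied", "src": n["ip"],
                           "mac": n["mac"], "denies": len(denies)})
    return alerts


def correlate(text):
    """Run every rule over the raw log text and return the combined alert list."""
    fw, nac = parse_logs(text)
    return detect_fan_out(fw) + detect_unmanaged_then_denied(fw, nac)


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Running it on the sample prints two alerts, both for 10.20.5.17, and nothing for 10.20.5.3, whose single deny half an hour after two allowed connections is exactly the kind of noise a per-event alert would drown you in. The value is in the second rule: neither the NAC log nor the firewall log alone says much, but an unmanaged device followed by a burst of denies is something worth a human's attention.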

A Note on AV:

Too often I hear people say, “We’ll just let the AV handle that.” Antivirus has its place, and it certainly helps mow down generic, low-effort malware. It is not a panacea, however. There are a lot of infections that AV cannot detect or prevent. So, bear in mind it is one tool of many, and it is imperfect. 

That’s That

Remember, there’s a huge difference between Shaun the Sheep and Shaun of the Dead. Choose carefully.
