
Top 10 Network Security Mistakes - #4: Interior Malign

May 07, 2014

Greetings, Netsec Nerds!  We’re still counting down the Top 10 Network Security Mistakes.

Then, you are jolted from your dream to find a rabid zombie sheep attacking you like a shrieking Chupacabra.

You didn’t see that coming, did you? Nobody expects the Spanish Inquisition.

There are more people off your network than on it, so a good amount of attention needs to be directed towards keeping it that way. However, according to a recent study, up to 58% of security incidents may involve internal users. So while there are certainly marauding hordes outside your gates, some insidious operatives may be inside.

How is it that we have to concern ourselves with the potential of attack from the very resources we are trying to protect? Who bites the hand that plugs in the RJ45? How cruel!

Internal Threats come in a few basic flavors (there are many sub-varieties, however, so do not let your brain get boxed in with these generalizations). Let’s take a look.

The Unwitting

These are users, services and/or machines that have acquired a parasite of some sort. The defining characteristic is a lack of specific intent on the part of the attacker. Sure, the attacker meant to infect systems, but they didn’t care who they got to. It’s not personal. 

These infections can come from USB sticks, emails, websites, downloads or any other common place where network nettles can snag your trousers. 

This sort of infection is often used to gather information or to attack other resources on the internet. So, they’re going to make someone miserable eventually.

The Aware

These are basically InfoSec mules. These users know they are introducing something but they might not be quite sure what. These may be people who are targeted and approached by outside entities to assist in some sort of focused operation, or people who knowingly plug an infected machine into a protected network with no concern for the welfare of the organization. 

The Intentional

Enter Spy vs. Spy. I’ll spare you the Snowden/NSA references here. It’s too easy to summon those ghosts. Let’s just say that the focused, determined attacker is the one we need to fear the most. Hopefully, they are not very experienced and manage to set off some of our tripwires while clunking about our china shop. But they may be a bit more MI: than that.

The challenge with the intentional attacker is they have so many ways to attack - hacking the human, implants, spear phishing, whaling, hijacking, passive attacks - we could go on, but it is a pretty big list, and I’m sure you have a coffee to get or something. The point is: we have a lot to defend against, and not all of it is easy to find.

Anti-Sheep Armor

How do we defend against these threats? Well, as with most approaches, there are long and short answers. We’re going to go with short here, but feel free to ask questions in the comments below. 

The reason these attacks are so effective is that they exploit the trust (read: lack of controls) often present on internal networks. So, let’s start there. 

Default Segmentation

We covered this previously. Allowing all your users free access to all your servers and sensitive data is like storing your accelerants near a heat source. Use firewalls to segment your network, deny by default, and write specific rules that allow only the traffic each host and network actually needs.

Network Access Control

One great way to prevent casual infection of your network is to limit access to your network. Managed systems generally have a much stronger constitution than the random home PC. There are a lot of considerations before flipping on 802.1X, but knowing that only machines you sort of trust are plugging in may well be worth the trouble.

Access Abstractions

Another way to limit malware from ravaging your network is to limit or eliminate host-to-host communications. Using a TCP proxy or a service wrapper such as F5 APM or Juniper UAC/MAG can help ensure that only validated, authenticated users are interacting with your services. This also blunts rote reconnaissance of your network, since an unauthenticated host sees only the proxy, not the services behind it.

Event Correlation

Collecting and correlating events can be extremely effective, but it is not a simple process to implement. Well, collecting is fairly easy, but building rules, knowing what to look for and knowing how to respond can be quite a challenge. However, automating this saves buckets of human brain cycles and, frankly, improves the likelihood that someone or something is actually watching. It is easy to start looking at logs. It is hard to keep doing it when distractions and fire drills crop up.
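As an added example (not code from the original post), the following Python script ties the Default Segmentation and Event Correlation points together. It evaluates a small default-deny segmentation policy over constructed firewall log lines, then applies one correlation rule: a source that is denied to five or more distinct destinations within one minute is flagged, which is what an infected workstation sweeping the server segment looks like. The policy, the addresses, the log format and the thresholds are all assumptions made up for this illustration. In a real deployment you would consume the firewall’s own allow/deny verdicts rather than re-evaluating the policy, though re-evaluating it this way doubles as a quick unit test of the rule set.

```python
"""Default-deny segmentation policy plus one correlation rule over firewall events.

Constructed example: the policy, the log lines and the thresholds are assumptions
made for illustration, not anything from the original post.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Segmentation policy as (source segment, destination segment, allowed dest ports).
# Anything not listed here is denied. Segments and ports are illustrative assumptions.
POLICY = [
    (ip_network("10.10.0.0/16"), ip_network("10.20.0.0/24"), {443}),      # users -> web tier
    (ip_network("10.20.0.0/24"), ip_network("10.30.0.0/24"), {5432}),     # web tier -> database
    (ip_network("10.0.0.0/8"),   ip_network("10.40.0.10/32"), {53, 123}), # everyone -> DNS/NTP
]


def policy_allows(src, dst, dport):
    """First-match evaluation; no matching rule means deny (the default)."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, ports in POLICY:
        if s in src_net and d in dst_net and dport in ports:
            return True
    return False


# Constructed firewall log lines (syslog-like key=value format is an assumption).
# 10.10.4.21 behaves like an infected workstation sweeping the database segment.
SAMPLE_LOG = """\
2014-05-07T09:00:01 fw1 src=10.10.4.21 dst=10.20.0.5 dport=443 proto=tcp
2014-05-07T09:00:05 fw1 src=10.10.4.21 dst=10.30.0.7 dport=5432 proto=tcp
2014-05-07T09:00:06 fw1 src=10.10.4.21 dst=10.30.0.8 dport=5432 proto=tcp
2014-05-07T09:00:06 fw1 src=10.10.4.21 dst=10.30.0.9 dport=22 proto=tcp
2014-05-07T09:00:07 fw1 src=10.10.4.21 dst=10.30.0.10 dport=445 proto=tcp
2014-05-07T09:00:08 fw1 src=10.10.4.21 dst=10.30.0.11 dport=3389 proto=tcp
2014-05-07T09:00:09 fw1 src=10.10.4.21 dst=10.30.0.12 dport=135 proto=tcp
2014-05-07T09:00:12 fw1 src=10.10.4.21 dst=10.30.0.13 dport=139 proto=tcp
2014-05-07T09:00:15 fw1 src=10.10.7.3 dst=10.40.0.10 dport=53 proto=udp
2014-05-07T09:03:00 fw1 src=10.10.7.3 dst=10.30.0.20 dport=5432 proto=tcp
2014-05-07T09:20:00 fw1 src=10.10.7.3 dst=10.30.0.21 dport=5432 proto=tcp
2014-05-07T09:20:01 fw1 src=10.20.0.5 dst=10.30.0.7 dport=5432 proto=tcp
"""


def parse_line(line):
    """Turn one 'timestamp host k=v k=v ...' line into a dict."""
    ts, _host, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "src": kv["src"],
            "dst": kv["dst"], "dport": int(kv["dport"])}


def evaluate(log_text):
    """Parse every line and attach the policy verdict (stands in for the firewall's own)."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        ev["verdict"] = "allow" if policy_allows(ev["src"], ev["dst"], ev["dport"]) else "deny"
        events.append(ev)
    return events


def find_scanners(events, window=timedelta(minutes=1), threshold=5):
    """Correlation rule: flag any source denied to >= threshold distinct
    destinations inside one sliding `window`. Returns {src: [destinations]}."""
    denies = defaultdict(list)
    for ev in events:
        if ev["verdict"] == "deny":
            denies[ev["src"]].append(ev)
    flagged = {}
    for src, evs in denies.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            distinct = {e["dst"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(distinct) >= threshold:
                flagged[src] = sorted(distinct)
                break
    return flagged


if __name__ == "__main__":
    evs = evaluate(SAMPLE_LOG)
    for ev in evs:
        print(ev["ts"].isoformat(), ev["src"], "->", ev["dst"], ev["dport"], ev["verdict"])
    for src, dsts in find_scanners(evs).items():
        print(f"ALERT: {src} denied to {len(dsts)} distinct hosts within a minute: {dsts}")
```

Two legitimate denies from 10.10.7.3 seventeen minutes apart stay below the threshold, which is the point of correlating rather than alerting on every single deny: the noise a segmented network generates is exactly what makes people stop reading the logs.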

A Note on AV:

Too often I hear people say, “We’ll just let the AV handle that.” Antivirus has its place, and it certainly helps mow down generic, low-effort malware. It is not a panacea, however. There are a lot of infections that AV cannot detect or prevent. So, bear in mind it is one tool of many, and it is imperfect. 

That’s That

Remember, there’s a huge difference between Shaun the Sheep and Shaun of the Dead. Choose carefully.
