As I stated yesterday, I wanted to spend a bit of time talking about how you can detect an insider. This seems like the only reasonable course of action given recent attacks in which a treasure trove of user IDs and passwords has been dumped. We need to stop thinking that attackers are always going to use malware and start thinking that maybe, just maybe, the attackers are in our network using existing user credentials.
Fortunately, there are some things we can do that are cheap and do not require an expensive Data Loss Prevention (DLP) solution. The first one I want to talk about is auditing file, folder and printer access by users. This functionality is built into every Windows system, and it can be restricted to the sensitive files and directories that you wish to have audited.
For more information please check here.
You can configure it to log every time a user accesses a file or just when someone tries to access a file they do not have permission to access.

[Screenshot: Alice is up to no good]

[Screenshot: Event details]

So with this turned on, what would we look for? Ideally, you would be looking for a pattern of access violations from the existing user accounts in your environment. For example, let’s say that Alice generally accesses shares relating to her job in finance. Monday morning she is trying to access files in the development, HR, and research departments of your organization. Oh! And she is trying to access hundreds of files per minute. This might be an indication that she has taken up a new hobby, or it could be that her account is compromised.
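The pattern described above (an account reaching outside its usual shares, piling up access failures, and touching hundreds of files per minute) can be checked with a short script over exported audit records. This is an added example, not code from the original post; the comma-separated record format, the per-user baseline, the thresholds and the server name FS01 are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Assumed values: normal shares per user and alert thresholds are hypothetical.
BASELINE = {"alice": {"finance"}, "bob": {"development"}}
MAX_PER_MINUTE = 100   # object accesses by one user within one minute
MAX_FAILURES = 10      # failed (access denied) audit records per user
SEP = "\\"

def parse(line):
    """Split a 'timestamp,user,result,UNC path' record (constructed export format)."""
    ts, user, result, path = line.strip().split(",", 3)
    share = path.lstrip(SEP).split(SEP)[1].lower()  # \\server\share\file -> share
    return datetime.fromisoformat(ts), user.lower(), result.lower(), share

def detect(lines):
    """Return {user: [reasons]} for accounts whose access pattern looks wrong."""
    per_minute = defaultdict(int)   # (user, minute) -> number of accesses
    failures = defaultdict(int)     # user -> failed access attempts
    foreign = defaultdict(set)      # user -> shares outside the baseline
    for line in lines:
        ts, user, result, share = parse(line)
        per_minute[(user, ts.replace(second=0, microsecond=0))] += 1
        if result == "failure":
            failures[user] += 1
        # Accounts with no baseline entry are treated as having no normal shares.
        if share not in BASELINE.get(user, set()):
            foreign[user].add(share)
    alerts = defaultdict(set)
    for (user, _), count in per_minute.items():
        if count >= MAX_PER_MINUTE:
            alerts[user].add("burst")
    for user, count in failures.items():
        if count >= MAX_FAILURES:
            alerts[user].add("denied")
    for user, shares in foreign.items():
        alerts[user].add("foreign:" + ",".join(sorted(shares)))
    return {user: sorted(reasons) for user, reasons in alerts.items()}

def sample_log():
    """Constructed records: ordinary work, then Alice's Monday-morning burst."""
    rec = lambda ts, u, res, share, f: f"{ts},{u},{res},{SEP*2}FS01{SEP}{share}{SEP}{f}"
    lines = [rec(f"2011-06-17T10:0{i}:00", "alice", "success", "finance", f"q{i}.xlsx") for i in range(5)]
    lines += [rec(f"2011-06-17T11:0{i}:00", "bob", "success", "development", f"m{i}.c") for i in range(4)]
    for i in range(150):
        share = ("development", "hr", "research")[i % 3]
        result = "success" if share == "development" else "failure"
        lines.append(rec(f"2011-06-20T09:00:{i % 60:02d}", "alice", result, share, f"doc{i}.txt"))
    return lines

if __name__ == "__main__":
    print(detect(sample_log()))
```

Any one of the three reasons can have an innocent explanation; the combination on a single account is what deserves a closer look.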
Once again, I would like to stress that we need to start looking for additional creative ways to detect attacks outside of our traditional IDS/IPS/AV trifecta of fail.
Tomorrow we will be looking at some ways to analyze network traffic for evil.
PaulDotCom will be teaching Offensive Countermeasures at Black Hat July 30-31
