Hunting after Rogue System Administrators with a SIEM System
For security managers looking to improve the perimeter security, the IBM X-Force 2016 Cyber Security Intelligence Index could be pretty disappointing. The statistics showed that 60% of cyber attacks in 2015 were caused by insiders, i.e. employees who have direct access to organizations’ systems. Among them, only 15.5% were classified as negligent users, while other 44.5% were represented by malicious insiders who exploited companies’ weaknesses intentionally.
But who are actually those insiders? A study by the Software Engineering Institute (SEI) revealed that technical staff members committed 75.4% of registered sabotage incidents. Among them, system administrators make up the largest group of culprits responsible for 27.1% of incidents. Now let’s look beyond these numbers to understand which consequences companies face when entrusting their networks to dishonest system administrators.
Why malicious system administrators are so dangerous
Normally, system administrators should keep their eye on a corporate network and stay firmly on guard of a company’s cyber gates. However, it happens that, in reality, a security guard is a vicious perpetrator. Sometimes, even a negative performance review from a manager is enough to make a system administrator turn to the dark side. Here is a vivid example cited by the SEI: “A system administrator rendered their former employer's network unusable in under 30 minutes. The victim organization needed 30 days to recover from the attack. If the insider's replacement had not made additional system backups before the attack, the organization would have never been able to recover its network.”
In addition to these rapid methods, system administrators can also lead a long-lasting war and continuously compromise the corporate network along with causing major data leaks or severe network contamination. Such a slow-moving tactic is a true internal advanced persistent threat: a sysadmin sets multiple ‘landmines’ cold-bloodedly to blast the entire company one day.
It’s worth mentioning that education and professional experience inevitably give system administrators everything needed to:
Perform various types of attacks. With the relevant technical background, system administrators are usually well-versed in everything related to networks and know perfectly all the vulnerabilities and the ways to exploit them. In the worst-case scenario, ingenious system administrators can even set a logic bomb, a piece of code setting off a malicious function when specified conditions are met. The pernicious effect of such an attack is that once triggered it usually leads to an irreversible, overwhelming damage, for example, deletion of critical configuration files from corporate servers and all user accounts.
Abuse broad permissions. Unlike regular employees, system administrators are initially granted broad permissions, so they can literally open any door. This is one of the biggest advantages for malicious admins since they don’t even need to bypass protection systems to freely surf a network.
Camouflage their activities. Rogue system administrators can easily create fictitious accounts and perform their wicked actions without being detected. It’s also possible to use already existing accounts of both regular employees and C-level managers. In this case, all the harmful activities will originate from an unsuspecting employee.
Let external intruders in. To make things even worse, a malicious system administrator can let external hackers enter an enterprise’s network and pump out confidential information or launch phishing campaigns in a team. Once the door is open, an organization will face concurrent insider and outsider attacks that can reach a really impressive scale.
Setting up a SIEM-based defense
Even when a potential danger is clear, companies still find it difficult to mitigate internal threats, especially those highly intricate ones that are prepared by system administrators. Usually, countermeasures include a range of organizational steps that allow reducing the risk of an IT sabotage. Among them, there is an obligatory checkup of an employee’s background, a well-documented system of security control, creation of a super administrator account and a clear segregation of administrative duties (e.g., an OS admin shouldn’t be able to access network devices).
At the same time, it’s reasonable to complement these standard organizational measures with automated network monitoring for an unbiased control over privileged users and detect early signs of sabotage. For these purposes, companies can use SIEM systems that offer their extensive capabilities of capturing both outsider and insider threats.
Not to sound groundless, we offer to analyze a set of possible cases based on potential actions of malicious system administrators coupled with mechanisms ensuring an intensified supervision of a system administrator’s activities within IBM Security QRadar. The solution provides a unified architecture for integrating security information and event management (SIEM), log management, anomaly detection, incident response, and more.
It’s also worth mentioning that to achieve positive results, even such an advanced SIEM solution as QRadar should be first fine-tuned by SIEM experts who adapt a system to a corporate infrastructure and develop custom correlation rules aiming to deal with a particular security issue.
Detecting a system administrator who occasionally leaves a hole in a firewall
To counteract those system administrators who intentionally switch off firewall protection, security administrators can use the opportunity to:
- Send access and audit information from firewalls to QRadar.
- Apply anomaly rules based on the network device traffic to business-critical services and identify when the traffic significantly grows or reduces, which will be the sign of abnormal activities within a network.
- Monitor device logging activity and pinpoint abnormalities, e.g. when a device doesn’t send logs for 10 minutes.
- Monitor for suspicious commands (e.g. ‘no logging on’ in Cisco) executed from network devices.
- Use QRadar Risk Manager to follow modifications to a firewall configuration and compare the configuration history to discover who and when left a hole.
Discerning bogus user accounts or extended user privileges
Traditionally, a system administrator should notify security administrators about each instance of a user account created or privilege extended (in a large company, such a transparency can be achieved via daily reports listing all new user accounts or privilege extensions). To timely find out if a sysadmin plays with user accounts or extends some user privileges illegitimately, security administrators can use a SIEM solution to:
- Collect audit logs coming from a corporate Active Directory (AD).
- Implement a correlation rule to monitor the cases of creating a new user with the subsequent deletion of the account within a short period of time, and a rule for creating a user account not followed by a password change.
A security administrator can also complement the steps mentioned above by:
- Mapping administrative and non-administrative user accounts and roles within the SIEM solution's internal lists (reference sets) taking the information from a corporate AD, LDAP or other authentication services.
- Implementing correlation rules to notify a security analyst when a non-mapped user account (e.g. local/service accounts, accounts from non-specific departments) accesses any critical server or utilizes administrative privileges.
Tracing malicious software installment to a server or a workstation
To get prepared for a possible spread of malicious software, security administrators can use at least two methods based on flow monitoring. Though in this case only flow data are in the focus, detecting flow deviations will enable security specialists to investigate further and find a violator.
The first tactic named honeypot aims to catch malicious software in order to enable security specialists to track down the user who has spread it. In this case, a to-do list for a security administrator will include:
- Enabling the AppLocker on the Windows servers and current employees’ workstations. This will allow specifying which users or user groups can run particular applications based on unique identities of files.
- Creating honeypot folders with easily recognizable folder names and granting access to these folders to all users.
- Enabling file system auditing to monitor access to the honeypot folder and data corrupting, and/or implementing a script to check MD5 hashes of honeypot files, then forwarding this data to QRadar.
- Implementing a correlation rule to monitor access to files, detect changes and alert security administrators.
Apart from the honeypot method, security administrators can also ensure permanent network monitoring and a direct data flow to a SIEM solution in order to monitor:
- Communications with known botnet control centers and malicious IP addresses. This information can be subscribed to via IBM X-Force or integrated with a SIEM system from open sources.
- Communications with unusual and potentially malicious countries and regions.
- Communications via unusual ports (for example, 6667/IRC).
- Communications containing specific payloads (e.g., bot control commands).
Detecting data queries to a business-critical database server
To pinpoint system administrators who request data from critical database servers, a security administrator can implement the following scenario:
- Enable database auditing for privileged database administrator accounts on the OS level and disable OS administrative privileges on the OS level for DBAs.
- Direct database audit logs to a SIEM solution.
- Map database users and roles to a SIEM solution’s internal reference sets.
- Implement a correlation rule to monitor users accessing a database they aren’t allowed to access, based on the QRadar reference sets.
- Enable automatic notifications when a non-mapped or database administrator account requests, modifies or deletes information from a business application database (normally, only the application itself should be able to access the data).
Catching a sysadmin’s communication with an unauthorized server
In addition to duty segregation and role-based account management, a security administrator will be able to detect such a violation by:
- Mapping users, their roles and target servers within a SIEM solution.
- Implementing correlation rules that will notify security analysts when administrative users with a specific role access a server they aren’t allowed to access.
Revealing a system administrator who cleans up audit logs or disables auditing
To unmask system administrators who try to cover their tracks, a security administrator has to properly configure auditing on the target platforms and implement dedicated correlation rules to notify security analyst when:
- The audit journal was cleared.
- The audit was disabled.
- The audit policy was changed.
Conclusion
Although the most devastating cyberattacks are performed by external hackers, the risk of insider threats keeps growing at the majority of organizations. And while a company can quickly recover from a one-time incident caused by a negligent employee, damage caused by a malicious system administrator can be overwhelming, immobilizing the entire company and leading to tremendous money losses. To avoid such a bitter result, enterprises can take care of their sensitive data and reputation beforehand and adhere to an uninterrupted monitoring of their network with the help of a SIEM solution. Properly fine-tuned and provided with a set of customized correlation rules, a SIEM system will register even minor network configuration changes, unveil bogus user accounts and unauthorized access to critical network devices. This will allow security managers to detect malicious system administrators timely and block their activity in a corporate network.