Ranking People Like Domains or IP Addresses?

Real time events or network traffic analysis is interesting to track suspicious behaviors. And, if you add some external sources of information, you could increase even more the capability of detecting real events. Such ranking sources applies usually to IP addresses and domain names. They are plenty of online resources with huge lists of suspicious IP’s/domains (a good starting list is available here). You can of course create and maintain your own private lists. But can we implement the same ranking with “people” (humans)?

From a pure theoretical point of view, people remain the weakest link in the security chain. It sounds logical to “track” them. If in the past, a secretary (no offense, this is just an example) had more chances risks to click on a malicious link in a message than an IT professional, today everybody is facing the same level of risks. Social engineering attacks are really efficient. Who never clicked on an URL just be reading the mail sender? Be honest!

I remembered an cool idea which popped out Craig Balding‘s mind during a previous BruCON edition. If you already attended this conference, you probably know that a wall of sheep is running and displays live unsafe credentials grabbed over the network. While discussing with Craig, he had a great idea to increase the security awareness: Visitors could wear an electronic badge displaying some kind of a “life” counter. Every time they execute a dangerous operation (like sending credentials in clear text or visiting a suspicious URL) their counter decreases by 1. Unsafe people could immediately be identified thanks to their badge. Great idea but difficult to implement due to the technical constraints as well as the visitors privacy (and $$$!).

In corporate environments, things are completely different. If a wall of sheep is usually well accepted in security conferences (visitors must be of course warned!), it seems difficult to do the same in companies. On the other hand, modern security products introduced for a while the concept of “users“. Latest firewalls could be deployed with rules like:

ALLOW 192.168.0.0/24 TO ANY PORT HTTPS;
ALLOW MEMBERS_OF_GROUP("Administration") TO server1 PORT HTTPS;
DENY ANY TO ANY;

Products are linked with users databases (LDAP, Active Directory) and try to increase the value to events/rules by adding usernames or groups. The fact that today people are mobile  makes this feature mandatory. It’s easier to grant them access based on the user instead of his current IP address. When I was a student, after each completed labs, we received some statistics: Per student, the number of compilations, linkings and executions of our applications. Could we imagine the same in corporate environments today? Let’s see how a SIEM with active tables (or temporary tables or whenever you call it) which could be populated with “users” when they have been detected doing unsafe or suspicious actions? We have to distinguish people ranked based on their role (example: system and network administrators) and people ranked because they performed suspicious activities. In the first case, it’s common to implement rules like these:

// Let's create an incident if an admin login failed.
IF EVENT("Failed Login") AND $user IN @admin_list THEN
  CREATE_INCIDENT();

Events can be tracked based on timestamps and users. Usually, people from the human resources department work only during business hours:

// Let's create an incident if a user from the human resources
// department generates activity outside the business hours.
IF $time NOT IN @business_hours AND $user IN @hr_dept THEN
  CREATE_INCIDENT();

When incidents are created and a user exists, temporary tables can be populated for statistics purposes:

// If a user tries to access a denied resource, increment his
// distrust level.
IF EVENT("Access Denied") AND $user NOT IN @while_list THEN
  $suspicious_users{$user}++;

// If an outgoing connection attempt by a user with distrust
// level above 5 is detected, create an incident.
IF $suspicious_users{$user} > 5 AND EVENT("HTTP Connect") AND
$dst_ip IN @suspicious_ips THEN
  CREATE_INCIDENT();

Then the table could be used to extract the top users who triggered alerts and who are potentially the more “dangerous“:

Could this information be useful to prepare some security awareness trainings? I’m afraid that such report would be seen as a violation of the users privacy. Another anecdote: In company X,  people had to swipe their badge to enter the building but the exit was free (they just had to push a button to unlock the door). When the management decided to ask people to swipe their badges to enter and exit the building, it was a small revolution! The first reaction was “The management will use the system to track us!“. Even the unions were involved!

If ranking people sounds interesting from a technical point of view, it can have a negative effect. According to W. Edwards Deming, “ranking people destroys their intrinsic motivation and teamwork“. By publishing lists of users with their “security rank“, you could really introduce big issues inside the organization. This will go in the opposite direction of a security awareness program. Just keep your list of suspicious users in a safe place and use it correctly to increase the detection of your security incidents.