Listen to this Post
In cybersecurity, there is a strong focus on external attackers, but insiders can be even more dangerous. They possess intimate knowledge of the network, equipment, critical systems, and weaknessesāand they already have access. The 1999 “Maroochy” incident, which marked the beginning of OT cybersecurity, is a prime example of a malicious insiderās impact.
However, not all insiders are malicious. Some are well-meaning employees who make mistakesālike creating network loops, misconfigurations, installing incorrect software, or disconnecting critical servers. Rob Hulsebos, an ICS Security Engineer, shares his own experience as an accidental insider threat.
The Incident: A Rogue DHCP Server
Rob developed a custom DHCP server for an industrial application with unique requirements unmet by commercial solutions. One morning, he accidentally started this DHCP server on his desktop for regression testing. Soon, colleagues began reporting network outagesāyet Robās connection remained unaffected.
Two hours later, the network admin asked, āRobā¦ could you be the person running a DHCP server?ā Rob shut it down immediately, but not before 200+ colleagues were impacted.
What Went Wrong?
- His DHCP server assigned IPs in the `192.168.x.y` range, conflicting with the legitimate DHCP server (
10.x.y.z). - Since Robās server was faster, most machines got incorrect IPs, cutting them off from servers, internet, printers, and email.
- Root Causes:
- Admin Rights Misuse: Rob had admin privileges, allowing him to run the rogue DHCP server.
- No Whitelisting: Lack of application whitelisting could have blocked unauthorized DHCP services.
- No Rogue DHCP Detection: Network admins lacked tools to detect and locate rogue DHCP servers.
- Missing DHCP Snooping: Switches without DHCP snooping failed to isolate the rogue serverās port.
You Should Know: Preventing Rogue DHCP Attacks
To avoid similar incidents, implement these security measures:
1. Restrict Admin Privileges
- Use Principle of Least Privilege (PoLP)āusers should only have necessary permissions.
- Windows:
Check local admin group members net localgroup Administrators Remove user from admin group net localgroup Administrators "username" /delete
- Linux:
Remove user from sudoers sudo deluser username sudo
2. Implement DHCP Snooping
- Cisco Switches:
enable configure terminal ip dhcp snooping ip dhcp snooping vlan 10 interface gigabitethernet 1/0/1 ip dhcp snooping trust exit
- Detect Rogue DHCP Servers:
tcpdump -i eth0 -n port 67 or port 68
3. Network Segmentation & Monitoring
- Isolate critical networks using VLANs or firewalls.
- Monitor DHCP Traffic:
Check DHCP leases (Linux) cat /var/lib/dhcp/dhcpd.leases Windows DHCP logs Get-EventLog -LogName System -Source "DHCPServer"
4. Application Whitelisting
- Windows (AppLocker):
Enable AppLocker Set-AppLockerPolicy -XMLPolicy .\policy.xml
- Linux (Integrity Checks):
Monitor critical binaries sudo apt install aide sudo aideinit sudo aide --check
What Undercode Say
Insider threatsāwhether malicious or accidentalāpose significant risks. Robust network controls, least-privilege enforcement, and real-time monitoring are essential. Implementing DHCP snooping, admin restrictions, and whitelisting could have prevented Robās incident. Always assume human error and design networks defensively.
Expected Output:
- Mitigation Steps:
- Deploy DHCP snooping on switches.
- Restrict admin rights via GPO/IAM policies.
- Monitor network traffic for rogue DHCP activity.
- Detection Commands:
– `tcpdump -i eth0 -n port 67 or port 68`
– `cat /var/lib/dhcp/dhcpd.leases` - Hardening Guides:
- Cisco DHCP Snooping
- Microsoft Least Privilege
References:
Reported By: Rob Hulsebos – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ā
