There’s an old saying, “In the land of the blind, the man with one eye is king.” In the land of information security and asset management, attribution is king. You’ve already given an attacker the upper hand if you can’t pinpoint who was where on your network at any given time. You give them a dense fog to mask their attack from within, essentially blinding yourself. This includes VPN and local area networks.

Speeding through the fog with your high beams on can be dangerous, and the same is true when you’re responding to an event. Sometimes, in the scurry to respond to an incident, you follow the wrong path and quickly lose your way. This is where attribution of your environment becomes your map and guides you in the right direction, saving time and reducing MTTR.

Attribution Chain

Think about this attribution chain which is commonly found in a standard corporate environment:

  • An employee on your network is a User
  • A User is assigned a laptop
  • The Laptop has a serial number and MAC address
  • The MAC address gets assigned an IP address, the serial number is assigned a username via inventory management
  • The IP address belongs to a Network
  • The Network routes to the Laptop through a WiFi AP or Port

For most administrators, this data could be gathered by logging into your mesh of WiFi access points and seeing which hosts were assigned what IP addresses at what time. For those who have deployed 802.1x, you can attribute a device not only to its switch port but ultimately to its user in one step. Another option would be sporting a fancy WPA2 Enterprise WiFi network backed by a RADIUS server, which handles authentication, authorization and accounting (also known as AAA).

Unfortunately, the majority of companies can’t provide any insight into their endpoint attribution.

Note: MAC addresses can be spoofed very easily and as a result cannot always be trusted. Technology like 802.1x combats this by requiring the user to authenticate in order to access the network.

Achieving Attribution Bliss

In startup-land, there are usually no IT policies in place governing username conformity or even machine hostnames. Some smaller companies have some sort of outbound monitoring set up, like Snort, Bro or Suricata, which can help identify things like data exfiltration or infected devices making calls out to LPs.

If you look back to the attribution chain at this stage, you’ll know the IP address; the next step is to find the MAC address or hostname (using DHCP lease logs). When there is no standard convention around endpoint hostnames or usernames, you need to get creative.

Collecting metadata
We LOVE metadata. Specifically, finding new ways to transparently collect this information to keep both business and user safe. A few months back we posted an article on how to ethically mine OS X endpoints for user data. Although a long post, it provides administrators examples of how to access data which they could use to map users to endpoints. All that is left of this puzzle to solve is how to deploy the script and collect the logs.

Directory Services
This is nothing new if you’ve ever logged into a work computer using your corporate username and password. This is frequently implemented via Microsoft Active Directory (AD), OpenLDAP and Apple OpenDirectory. The benefit of directory services is that the end user is authenticating to the device they want to use, which is where the attribution is linked. These events, both logons and logoffs, are recorded in the directory service server for remote monitoring. The downside to this solution is not only the need to manage the directory service itself, but also the need to pre-configure the device with the domain configuration.

Static IPs
Static IPs are an effective way to know who is assigned what device on your network based on the IP alone. A static lease uses the device’s MAC address to assign a fixed IP address, which can be done by a network administrator at the DHCP server and does not require any interaction from the user. One huge benefit of this method is that no matter how many times a device enters and leaves your network, it will always be assigned the same IP, which increases your level of accuracy while you’re investigating an event.

No Hostname? No Problem!

Having all of your users update their hostnames is a logistical nightmare. Believe me, I’ve been through that. That’s why it’s important to think about these things from the start.

A creative solution takes advantage of what OS X does when it receives its DHCP lease: it performs a reverse DNS lookup on the assigned address. If the device does not have a hostname set using the scutil command, it sets the active hostname to the name returned in the address’s reverse DNS record, also known as a PTR record. You may have seen this when you VPN into a not-so-well-configured VPN server in AWS and the hostname of your local endpoint becomes something like ip-172-1-1-1.us-east-1.amazonaws.com. The meat and potatoes of this little hack is adding static IP entries for your users’ endpoints in parallel with matching DNS PTR records.

For example, let’s take the endpoint with a MAC address of 00:11:22:33:44:55. First, we set up the dnsmasq static lease entry (which can be replaced with the equivalent in whatever DHCP server you use); dnsmasq’s dhcp-host directive pins the MAC address to a fixed IP:

    dhcp-host=00:11:22:33:44:55,192.168.2.1

In the above configuration, we assign the device to a user, which is a known given (we physically hand them the device). This step assigns the device an IP address using its physical network address (MAC).

Next, we add a PTR record for this IP address to our DNS server. This reverse lookup will serve as our datastore of attribution, connecting the dots between the IP address and the username returned in the record:

    1.2.168.192.in-addr.arpa. 3600 IN PTR username.mycorp.co.

Lastly, when the device connects to the network, it will attempt to lease an IP from the DHCP server, and the DHCP server will hand it 192.168.2.1. When the device writes the IP address locally, it performs a reverse DNS lookup on that address (the PTR record) and updates its hostname.
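The following is an added example (not code from the original post) that generates the two parallel artifacts described above, the dnsmasq static leases and the matching PTR records, from a single constructed inventory, refuses an inventory with duplicate MACs, IPs or users (which would make attribution ambiguous), and then walks the chain back from an IP seen in an alert to the MAC and user. The usernames, MACs and the mycorp.co suffix are sample values assumed for illustration.

```python
import ipaddress
import re

# Constructed sample inventory (user, MAC, IP); not real hosts.
INVENTORY = [
    ("alice", "00:11:22:33:44:55", "192.168.2.1"),
    ("bob",   "00:11:22:33:44:56", "192.168.2.2"),
]
DOMAIN = "mycorp.co"   # assumed corporate DNS suffix
TTL = 3600
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def validate(inventory):
    """Refuse an inventory that would make attribution ambiguous:
    malformed MACs or IPs, or a MAC, IP or user appearing twice."""
    seen = {"mac": set(), "ip": set(), "user": set()}
    for user, mac, ip in inventory:
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"malformed MAC {mac!r}")
        ipaddress.IPv4Address(ip)            # raises on a bad address
        for key, val in (("mac", mac), ("ip", ip), ("user", user)):
            if val in seen[key]:
                raise ValueError(f"duplicate {key} {val!r}")
            seen[key].add(val)
    return True

def dnsmasq_static_leases(inventory):
    """One dhcp-host line per device: dnsmasq pins the MAC to a fixed IP."""
    return [f"dhcp-host={mac.lower()},{ip}" for _, mac, ip in inventory]

def ptr_records(inventory):
    """Matching reverse-zone records so the IP resolves to the user's name."""
    return [f"{ipaddress.IPv4Address(ip).reverse_pointer}. {TTL} IN PTR {user}.{DOMAIN}."
            for user, _, ip in inventory]

def attribute(ip, leases, ptrs):
    """Investigator's lookup: IP from an alert -> MAC (lease) and user (PTR)."""
    mac = next((l.split("=")[1].split(",")[0] for l in leases
                if l.endswith(f",{ip}")), None)
    rev = f"{ipaddress.IPv4Address(ip).reverse_pointer}. "
    owner = next((p.split(" IN PTR ")[1].rstrip(".").split(".")[0]
                  for p in ptrs if p.startswith(rev)), None)
    return {"ip": ip, "mac": mac, "user": owner}

if __name__ == "__main__":
    validate(INVENTORY)
    leases, ptrs = dnsmasq_static_leases(INVENTORY), ptr_records(INVENTORY)
    print("\n".join(leases + ptrs))
    print(attribute("192.168.2.1", leases, ptrs))
```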

Conclusion

These solutions may not be perfect, or work in your specific scenario, but they should be enough to provide you with some stepping stones. Attribution is a very important part of InfoSec, so much so that services like Private Internet Access allow customers to sign up for their services without even providing billing information. That means you can purchase their services using gift cards for stores like Starbucks and Walmart. Doing so removes the attribution between the service user and the billing account of the service provider. The same concepts apply to endpoint security.

Keeping track of devices within your network will set your response plan light years ahead if you ever have to investigate an event, which hopefully you never do.
