170 likes | 348 Vues
The Essence of. Active Response. Sergio Caltagirone April 14, 2005. To Build A Castle…. Where We’re At…. Where We Want To Be…. Some Attempts…. Clifford Stoll vs. German Hackers (1986) C. Stoll, “Stalking the Wiley Hacker” in Communications of the ACM , vol 31, 1998, pp. 484-497.
E N D
The Essence of Active Response Sergio Caltagirone April 14, 2005 Sergio Caltagirone
To Build A Castle… Sergio Caltagirone
Where We’re At… Sergio Caltagirone
Where We Want To Be… Sergio Caltagirone
Some Attempts… • Clifford Stoll vs. German Hackers (1986) C. Stoll, “Stalking the Wiley Hacker” in Communications of the ACM, vol 31, 1998, pp. 484-497. • DoD vs. Electronic Disturbance Theater (1998) http://archives.cnn.com/2000/TECH/computing/04/07/self-defense.idg/ • Conxion vs. E-Hippies (2000) http://www.nwfusion.com/research/2000/0529feat2.html • FBI vs. Russian Hackers (2001) a.k.a. ‘Invita’ Case http://www.wired.com/news/politics/0,1283,47650,00.html Sergio Caltagirone
Why Do We Want To Do That? • Response is not a choice… • Insufficient Protection on Imperfect Systems • A Policy Is Necessary (even if not utilized) • Vulnerable Systems • Air Traffic Control • SCADA Systems • Nuclear Power Safety • Economic and Socially Critical Systems Sergio Caltagirone
Problem Statement Since any action or inaction is a response, what is an appropriate set of actions to take during a security event in order to mitigate the threat given the immense social and technical considerations of response? Sergio Caltagirone
Active Response Any action sequence deliberately performed by an individual or organization between the time an attack is detected and the time it is determined to be finished, in an automated or non-automated fashion, in order to mitigate the identified threat’s negative effects upon a particular asset set. • Time bound • Automatically or not • Purposeful • Subjective timeline • Mitigation NOT Elimination Sergio Caltagirone
Some Actions At Our Disposal • Notify authorities • Disconnect – Strategic Separation • Control the borders • Get ISP to do dirty work • Use ping/finger/traceroute/honeypots • Hack-back / Passive Strike-back • First strike Sergio Caltagirone
A Potential Taxonomy • Internal Notification: Using the organizational structure to notify the appropriate persons of an active defense situation • Internal Response: Applying active defense actions within an organization's boundaries • External Cooperative Response: Employing the assistance of other entities outside of an organization to mitigate a threat • Non-cooperative Intelligence Gathering: Using external services (finger, nmap, netstat) to gather intelligence on the attacker • Non-cooperative ‘Cease and Desist’: Shutting down harmful services that do not affect usability on a network or host. • Counter-strike: An offensive action designed to deny an attacker the ability to continue an attack. • Preemptive Defense: With knowledge of a forthcoming attack, execute active response actions to preempt (and disable) the upcoming attack Sergio Caltagirone
Evaluating a Response • Legal • Civil, Criminal, Domestic, International • Ethical • Teleological, Deontological • Technical • Traceback, Reliable IDS, Confidence Value, Real Time • Risk Analysis • Measure ethical, legal risk effectively? • Unintended Consequences • Attacker Action, Collateral Damage, Own Resources Sergio Caltagirone
Process Model Sergio Caltagirone
Formal Decision Model Escalation Ladder AR Policy Asset Evaluation Action Evaluation Score(Action) − Score(Threat) − Success(Action) Asset Identification Goal Identification Risk Identification { } Threat Identification Action Identification Utility Modifier Risk Identification Action Classification Success Ordering Contingency Plan Sergio Caltagirone
Conclusions • Need for Response – Why we need it • Definition – What it is • Taxonomy – What it is comprised of • Issues – What is wrong with it • Process Model – What we do • Decision Model – How we decide Sergio Caltagirone
Resources – Questions ? • http://www.activeresponse.org - serg@activeresponse.org • Sergio Caltagirone and Deborah Frincke, “The Response Continuum,” to appear in the 6th IEEE Information Assurance Workshop, West Point, NY. June 15-17, 2005. • Sergio Caltagirone, "Criminal Law Perspectives of Contemporary Issues in Computer Security," University of Idaho, Moscow, ID, Technical Report CSDS-DF-TR-05-28, 2005. • Sergio Caltagirone, "Evolving Active Defense Strategies," University of Idaho, Moscow, ID, Technical Report CSDS-DF-TR-05-27, 2005 • Sergio Caltagirone, "Questions About Active Response," 4th Workshop on the Active Response Continuum to Cyber Attacks. George Mason University, Fairfax, VA, USA, March 2005. • Sergio Caltagirone and Deborah Frincke, "ADAM: Active Defense Algorithm and Model," in Aggressive Network Self-Defense, N.R. Wyler and G. Byrne, Eds. Rockland, MD, USA: Syngress Publishing, 2005, pp. 287-311. Sergio Caltagirone