
Engaging the Adversary as a Viable Response to Network Intrusion


Presentation Transcript


    1. Engaging the Adversary as a Viable Response to Network Intrusion. Sylvain P. Leblanc & G. Scott Knight, Royal Military College of Canada, Computer Security Laboratory. Assistant professors in the Electrical and Computer Engineering Department, where Scott leads the CSL.

    2. April 21, 2005 Leblanc & Knight 2 In a nutshell. Also a soldier, need a quote. (Build) A contortionist would be required. A soldier is fired if there is not at least one quote. (Build) Our proposal: don't slam the door on the attacker.

    3. April 21, 2005 Leblanc & Knight 3 Outline: Introduction; Information Operations; IO Counter-measures Tools; Honeypots; Conclusion. Roadmap on how to learn more about the adversary.

    4. April 21, 2005 Leblanc & Knight 4 1 - Introduction. (Build) This is the traditional approach to security. There are problems with this paradigm because: 1) the attacker has the initiative, making it difficult to keep abreast of new threats; 2) implementations are flawed, because no one is watching the obstacles. (Build) Nowhere else do we try to defend without first understanding the threat. (Build) Our focus is on the response. PSEPC (Containment & Eradication). The traditional response has been to plug the holes in the wall (the Little Dutch Boy).

    5. April 21, 2005 Leblanc & Knight 5 2 - Information Operations (IO). Military definition, applicable everywhere. Other terms have been used by NATO, such as Information Warfare, InfoWar, Network Warfare, etc. There are enough similarities that we will retain the use of Information Operations. (Build) Information is powerful; in fact IO is a major combat function alongside Command, Manoeuvre, Fire Power, Protection and Sustainment.

    6. April 21, 2005 Leblanc & Knight 6 Defensive IO: Protection; Defensive Counter-Information Operations (IO Counter-measures); Offensive Counter-Information Operations. A sub-set of IO. Defensive IO includes actions taken to minimize the effect of adversary IO on friendly information. To achieve this, Defensive IO has three distinct elements: (Build) Protection aims at protecting the most important elements of friendly information. Defensive Counter-Information Operations (IO Counter-measures) respond to attacks and aim to restore friendly information; the measures are implemented by manipulating the environment and one's own systems. Offensive Counter-Information Operations also respond to attacks, but by focussing on the adversary's systems. In the context of radar: Protection results from the application of radar-absorbent paint, defensive IO counter-measures would be the deployment of chaff or decoys, while offensive IO counter-measures would be the active jamming of the enemy radar receiver. Protection has been the focus. We propose that the other two have importance when protection is not sufficient. One must know the enemy to respond properly (the frequency of the radar determines the length of the chaff and the jammer to use).

    7. April 21, 2005 Leblanc & Knight 7 Computer Network Operations (CNO). CNO represent all aspects of computer-related operations, but they have three specific components: Defence (CND), Attack (CNA), Exploitation (CNE). CNO transcend all aspects of IO. CND: all aspects of protection, including the monitoring of computer use and the analysis of operating characteristics in order to respond to unauthorized use. Even with complete trust in users, we cannot always trust their processes (e.g., a virus synchronized with a calendar entry). This is considered a core information operations capability, actively practiced by the Canadian Forces. CNA: directed at the adversary to disrupt, deny, degrade, or destroy information resident on the information systems themselves. Means can vary from computer-based attacks and the use of viruses to power surges or physical destruction. CNE: gathering information about the adversary through analysis of their information systems and networks. That analysis can be passive (sniffing) or intrusive. We feel that this could be particularly attractive for the cyber infrastructure as a way to gain information on the adversary.

    8. April 21, 2005 Leblanc & Knight 8 Operational Objectives: Holding Contact with the Adversary; Understanding the Adversary (Who is attacking? What are they capable of? What are their current mission and objectives? What is the context of the current attack?); Preparing the Adversary. 1. (Build) The natural reaction to attack is to attempt to limit the potential damage to the system or the amount of sensitive information extracted. As alluded to earlier, cutting contact is not always the right approach: the information flow stops (think of stepping stones)! By keeping contact we assume risk; this necessitates new tools that allow the attacker's presence while controlling that presence. There is also a need to keep the attacker unaware of our efforts. We believe these to be two important enabling technologies, necessary to accomplish the other two operational objectives. 2. (Build) Understanding the adversary frees us from a purely reactive approach to defence. Intelligence -> understanding of motivation and capabilities -> deduction of likely targets -> better deployed defences. We start from the premise that there are organized groups with a mission that is detrimental to our national interests. Upon attack discovery, we need to know these things, (Build) and this can be aided by other IO disciplines (link). 3. We can then prepare the adversary for some form of counter-operation. E.g., holding contact to identify a target for a computer-based or conventional attack. E.g., law enforcement action as a counter-operation, where the preparation entails protecting the chain of evidence. E.g., IO as a counter-operation, where false information is fed back to the adversary to affect its behaviour in a way that makes it more susceptible to an attack. In all cases, we wish to hold contact in order to prepare for a counter-operation.

    9. April 21, 2005 Leblanc & Knight 9 Network-based IO counter-measures, Principles of Operations: Operational Objectives for Active Response; Combined Operations; Repeatable Operations (standing procedures, dedicated resources); Computer Network Operations Order-of-Battle; Risk Management. Operational objectives have already been discussed. Combined means many departments working together in a formal arrangement. CNO threats are extra-national or even global in nature; they cross geographical, political, cultural and temporal borders. Traditional Cold War based institutions, laws and procedures need to be adapted to the new threat environment. A network-based IO counter-measure is not a law enforcement operation, a counter-intelligence operation, a foreign intelligence operation or a military operation. The operational capabilities, mandates and legal constraints of the RCMP, CSIS, PSEPC, CSE and DND are all at play. Combined operations are difficult to organize and control. Mounting them ad hoc will not be efficient, given that governmental organizations require ministerial approval. Speed is of the essence; such IO counter-measures require a standing combined operations force with dedicated resources. The force can have a standing set of operating procedures and can train, plan, allocate resources and target operations in a comprehensive way. The continuity offered by a standing force would also make it possible to maintain the CNO orders of battle.

    10. April 21, 2005 Leblanc & Knight 10 Risk Management. Access risks: damage or alter information; exfiltrate more sensitive information than expected; push the attack to other systems; mount an IO counter-counter-measure. Denial implications: inability to identify; loss of knowledge on techniques and motivations; loss of ability to influence; encouraging the adversary to seek other ingress points. There is risk whenever we are in contact with the adversary, especially when we consider letting the adversary retain his access to our network resources. Sometimes, the correct response is to tolerate some risk.

    11. April 21, 2005 Leblanc & Knight 11 3 - IO Counter-measures Tools. Operational use with very high interaction: the attacker must feel that he is in a real production environment (a high-fidelity environment). New tools must provide legitimate operational activity and capture the attacker's activity. There are parallels with Spitzner's research honeypots, but here we want to use the honeypot for operational purposes, raising it from the tactical to the operational and strategic levels. Rootkit-based tools are in use (Sebek), but they have deficiencies: they are used in quiet environments, whereas we want to automate user activity (human operators working from input devices are costly, and their traffic must be de-conflicted from attack traffic); and they are detectable in some instances.

    12. April 21, 2005 Leblanc & Knight 12 Characteristics of IO Counter-measures Tools: components and mechanisms undetectable by a user with root privileges; behaviours and communication patterns that appear legitimate from the vantage point of other hosts on the network; able to simulate a normal human user at the interface level; provide a means of observing and collecting attacker activity; make de-conflicting attack traffic straightforward.

    13. April 21, 2005 Leblanc & Knight 13 Honeypots stem from the difficulty in discriminating attacker activity. A honeypot's value lies in being probed, attacked and compromised. Honeypots have no production value, making discrimination of attacker activity trivial. They are credited with many successes. Production systems are a very busy environment; this is the premise behind honeypots. The Georgia Institute of Technology used them to capture the exploitation patterns of worms. They can also be used to detect infected systems on the network and poor security practices.
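Slides 11 to 13 make two points that pull against each other: a decoy with no production value makes every observed action suspicious, yet a convincing operational decoy must also generate legitimate-looking user activity, which then has to be subtracted from the capture again (the "de-conflicting attack traffic" requirement). The following is an added example, not code from the Leblanc & Knight talk or from any tool they name; it assumes a simple `ts|user|cmd` record format, a hypothetical activity generator that keeps an off-host ledger of what it sent, and a small timing tolerance. All events are constructed sample data.

```python
"""
De-conflicting a captured activity stream on a high-interaction decoy.

The activity generator records every command it simulates in a ledger kept off
the decoy host (so a root-level intruder on the decoy can neither read nor
alter it). The monitoring tool captures everything that happened on the decoy.
Subtracting the ledger from the capture leaves the attacker-only events.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int     # seconds since epoch (constructed values)
    user: str   # account the activity was attributed to
    cmd: str    # command line observed or generated


def parse_events(lines):
    """Parse constructed 'ts|user|cmd' records; blank and '#' lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, cmd = line.split("|", 2)
        events.append(Event(int(ts), user, cmd))
    return events


def deconflict(captured, ledger, tolerance=2):
    """Return the captured events that the activity generator did not produce.

    A ledger entry explains at most one captured event, so a command the
    attacker replays after the simulated user ran it is still reported.
    Timestamps are matched within +/- `tolerance` seconds because the
    generator's clock and the capture clock will never agree exactly.
    """
    unexplained = list(ledger)
    attacker = []
    for ev in sorted(captured, key=lambda e: e.ts):
        match = next(
            (g for g in unexplained
             if g.user == ev.user and g.cmd == ev.cmd
             and abs(g.ts - ev.ts) <= tolerance),
            None,
        )
        if match is None:
            attacker.append(ev)
        else:
            unexplained.remove(match)
    return attacker


# Constructed sample data: what the monitoring tool captured on the decoy ...
CAPTURED_LOG = """
# ts|user|cmd   (constructed)
1000|alice|ls -la /home/alice
1003|alice|cat report.txt
1010|root|uname -a
1012|root|cat /etc/passwd
1020|alice|ls -la /home/alice
""".splitlines()

# ... and the generator's off-host ledger of the activity it simulated.
GENERATOR_LEDGER = """
1000|alice|ls -la /home/alice
1004|alice|cat report.txt
""".splitlines()


def attacker_events():
    """Attacker-only events from the constructed capture and ledger."""
    return deconflict(parse_events(CAPTURED_LOG), parse_events(GENERATOR_LEDGER))


if __name__ == "__main__":
    for ev in attacker_events():
        print(f"{ev.ts} {ev.user}: {ev.cmd}")
```

The two `root` commands fall out immediately because nothing in the ledger explains them; the last `alice` entry is also reported, even though the simulated user ran the identical command earlier, because that ledger entry has already been consumed. Keeping the ledger off the decoy is what preserves the slide's point about root-level undetectability: the intruder sees the simulated activity but not the record that distinguishes it from his own.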

    14. April 21, 2005 Leblanc & Knight 14 Honeypot Classifications. Spitzner suggests two main purposes. Production honeypots support operations by helping secure the environment: they detect attacks and draw them away from operational systems, and do not require much functionality (a building intrusion alarm). Research honeypots exist to gain information on the attacker's tools and techniques, so as to react properly to attacks in the traditional sense.

    15. April 21, 2005 Leblanc & Knight 15 Honeypot Levels of Interaction. Low-interaction honeypots are aimed at detection, and complete solutions are available (BOF, Specter); the risk is low because strict data control can be put in place. Medium interaction is a trade-off that can be useful for capturing a worm's payload. It is at high interaction that the most information can be gathered, but this comes at a high risk.

    16. April 21, 2005 Leblanc & Knight 16 IO Counter-measure example: the IO Counter-measures tool is installed as part of the baseline.

    17. April 21, 2005 Leblanc & Knight 17 IO Counter-measure example: intrusion detected.

    18. April 21, 2005 Leblanc & Knight 18 IO Counter-measures example: the machine is physically isolated; the IO Counter-measures tool is activated; the attacker is monitored and prepared.

    19. April 21, 2005 Leblanc & Knight 19 5 - Conclusion. A reactive-oriented defence policy is insufficient; defence must include an understanding of the adversary. The first response should not always be to break contact: IO Counter-measures can be used to gain information. Principles of Operations for network-based IO counter-measures; Operational Objectives. Key research areas include tools that obfuscate the observation of attacker behaviour and that simulate normal human user behaviour.
