• Introduction
• Background on Cyber Disasters
• Characteristics
• Internal Threats Explained
• Threat Sources
• Threat Detection
• Cyber Disaster Prevention
• Active Deception
• Delaying
• Attack Deflection
Characteristics of a Cyber Disaster
• Computers and networks fail to perform as expected or designed due to an external (usually software) influence; worms and viruses are often the cause
• Critical network services are slow or unavailable
• System failures may be widespread or even pandemic
• Failures occur very quickly
Cyber Disaster – Real World Example: SQL Slammer
• First encountered Jan 25th, 2003
• Self-replicating worm, transmitted as a single packet of data
• Caused SQL Servers to stop functioning
• Flooded networks with infection packets
• Affected over 200,000 computers
• Required < 15 minutes to infect every vulnerable computer on the Internet
SQL Slammer Impact
• Infected database servers became unusable, as did their data
• Computer networks were clogged with infection attempts (DoS)
• Most of South Korea’s ISPs were “down” for several hours
• 13,000 Bank of America ATMs failed
Traditional Security Coverage
[Diagram: Perimeter Security; HIDS & AV; “Micro-Perimeter” Security]

Where Traditional Security Fails
[Diagram: an infected laptop inside the perimeter, behind HIDS & AV]
Security exposures that bypass perimeter defenses are targets for rapidly propagating threats that take over your network in minutes, bringing your network to a halt and creating costly cleanup.
Solution Characteristics
• Defenses are added to the unprotected interior network, not to hosts or the network perimeter
• These defenses operate properly even against attacks that have never been seen before
• Threats are “compartmentalized” to the single infected computer – surgical mitigation
• The solution does not require a network rearchitecture – it is not an “in-line” product
• The system does not impact network performance and cannot cause a network failure
Common Types of Threats
• Worms – malicious code designed to reprogram some aspect of a computer. Worms are self-propagating.
• Viruses – malicious code designed to reprogram some aspect of you, the user. Viruses are not self-propagating – they require user interaction to execute.
Damage Potential
• Denial of Service – usually through self-replication, but can be programmed.
• Deletion of Data – either overt or subtle.
• Transmission of Data – random or targeted emailing of selected files.
• Installation of Backdoors – these allow covert access to your computer from a remote location.
Network Entry
• Mobile Computers – infected laptops or PDAs that bypass perimeter security.
• VPN Connections – remote computers are often not as secure outside corporate security systems.
• Wireless LANs – drive-by hacking or unintentional connections to corporate access points due to coverage issues.
Detection – Two Primary Methods
• Signature-based Systems – Usually require prior knowledge of the exploit. Match network packets against a library of known threats. Not ideally suited to detecting previously unknown threats because of the delay in acquiring and deploying new signatures.
• Behavioral/Anomaly-based Systems – Detect threats based on their network behavior. Better suited to detecting previously unknown threats because they do not depend on signatures.
Unique Solutions
• Unused IP Space – “Activate” unused IP address space; very effective day-zero threat identification
• Active Deception – Use protocol methods to slow or stop an attack
• Attack Deflection – Forcibly redirect attack packets to a harmless location
Unused IP Space – “Network Radar”
Leverage unused IP address space to create an early warning system of threat activity
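As an added illustration of the “network radar” idea (example code, not from the deck or the vendor), the script below flags any host that contacts several addresses in the monitored subnet that are not allocated. The subnet, the allocated-host list and the flow records are all constructed assumptions; the point is that no signature is needed, only knowledge of which addresses should never be contacted.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the deck): the monitored LAN is 10.1.0.0/24 and only the
# addresses below are allocated; everything else in the /24 is "dark" space.
MONITORED_NET = ipaddress.ip_network("10.1.0.0/24")
ALLOCATED = {ipaddress.ip_address(a) for a in ("10.1.0.1", "10.1.0.10", "10.1.0.20", "10.1.0.50")}

# Constructed flow records (seconds, src, dst, proto, dport). 10.1.0.10 behaves normally
# (one mistyped address); 10.1.0.50 sprays single UDP packets across unused addresses,
# the kind of sweep a single-packet worm produces.
SAMPLE_FLOWS = [
    (0.00, "10.1.0.10", "10.1.0.20", "tcp", 445),
    (0.10, "10.1.0.10", "10.1.0.1", "udp", 53),
    (0.30, "10.1.0.10", "10.1.0.99", "tcp", 445),   # typo: a single dark hit
    (1.00, "10.1.0.50", "10.1.0.77", "udp", 1434),
    (1.01, "10.1.0.50", "10.1.0.78", "udp", 1434),
    (1.02, "10.1.0.50", "10.1.0.20", "udp", 1434),  # an allocated host, not dark
    (1.03, "10.1.0.50", "10.1.0.79", "udp", 1434),
    (1.04, "10.1.0.50", "10.1.0.80", "udp", 1434),
]

def is_dark(dst):
    """True when dst lies inside the monitored net but is not an allocated host."""
    ip = ipaddress.ip_address(dst)
    return ip in MONITORED_NET and ip not in ALLOCATED

def radar(flows, threshold=3):
    """Map each source that touched >= threshold distinct unused addresses to those
    addresses. A lone dark hit (a typo) stays below the threshold and is not reported."""
    dark_hits = defaultdict(set)
    for _ts, src, dst, _proto, _dport in flows:
        if is_dark(dst):
            dark_hits[src].add(dst)
    return {src: sorted(d, key=ipaddress.ip_address)
            for src, d in dark_hits.items() if len(d) >= threshold}

if __name__ == "__main__":
    for src, targets in radar(SAMPLE_FLOWS).items():
        print(f"ALERT {src} probed {len(targets)} unused addresses: {targets}")
```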
Active Deception
Create “Virtual Decoy Devices” with real IP and OS personas to camouflage valuable network resources
Delaying Technique
Use legitimate protocol parameters to slow or stop an attack:
1. Bad Guy sends a synchronization (SYN) packet to a virtual decoy
2. Security device sends an acknowledgement with the limits Window = 0 and MSS = 10
3. Bad Guy receives the acknowledgement and conforms to the limits
4. The response is ignored, forcing Bad Guy to wait 4 minutes with no response
5. Bad Guy sends a TCP Window Probe to see if we’re still there
6. Security device sends an acknowledgement (with the same limits) and forces another 4 minute wait…
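The exchange above, modelled in Python as an added example (not the deck’s or the vendor’s code): the decoy answers only the SYN and the zero-window probes, always advertising Window = 0, and drops everything else, so a sender that follows TCP’s rules can never transmit data and stalls for one persist timeout per probe. The 4-minute wait and the segment field names are assumptions used to keep the model small.

```python
from dataclasses import dataclass
from typing import Optional

PERSIST_TIMEOUT = 240.0  # seconds; the 4-minute wait stated in the slide (assumed constant)

@dataclass
class Segment:
    flags: str                 # "SYN", "SYN-ACK", "ACK", "PROBE" (zero-window probe), "DATA"
    window: int = 0            # advertised receive window
    mss: Optional[int] = None  # maximum segment size option, only on SYN/SYN-ACK

def decoy_respond(seg: Segment) -> Optional[Segment]:
    """How the virtual decoy answers each segment from the peer (None = silently drop)."""
    if seg.flags == "SYN":
        # Complete the handshake but advertise window 0 and MSS 10: the peer may send nothing.
        return Segment("SYN-ACK", window=0, mss=10)
    if seg.flags == "PROBE":
        # Zero-window probe: acknowledge, still window 0, so the peer keeps waiting.
        return Segment("ACK", window=0)
    return None  # data or anything else is ignored, as in step 4 of the slide

def simulate_client(probes: int):
    """Run a rule-following TCP client against the decoy for a given number of probes.
    Returns (seconds the client spent stalled, transcript of (sent, reply, window, mss))."""
    transcript = []
    stalled = 0.0
    syn_ack = decoy_respond(Segment("SYN"))
    transcript.append(("SYN", syn_ack.flags, syn_ack.window, syn_ack.mss))
    window = syn_ack.window
    for _ in range(probes):
        if window == 0:
            # Peer's window is zero: the client may not send data and must wait for its
            # persist timer to expire before probing to see whether the window has opened.
            stalled += PERSIST_TIMEOUT
            reply = decoy_respond(Segment("PROBE"))
            transcript.append(("PROBE", reply.flags, reply.window, reply.mss))
            window = reply.window
    return stalled, transcript

if __name__ == "__main__":
    secs, log = simulate_client(3)
    for entry in log:
        print(entry)
    print(f"client stalled for {secs:.0f} s without sending a byte of payload")
```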
Attack Deflection
This strategy “compartmentalizes” infected devices, preventing them from communicating on the network.
1. Infected laptop communicates with a computer on the network
2. Security device detects the behavior and changes the MAC address on the infected PC
3. All traffic from the infected laptop is sent to the security device and examined
4. The infected laptop is determined to be a malicious threat and is blocked (compartmentalized) from the network
Summary
• There are numerous ways for threats to bypass traditional security mechanisms to reach your LAN
• Worms and viruses usually meet little resistance once inside a network
• The damage potential from these attacks can be very serious
• Detecting day-0 RPTs (rapidly propagating threats) on LANs is best performed using behavioral detection techniques
• There are several ways to defend against these threats, including active deception, protocol-based delay tactics, and attack deflection
Thank You
If you would like more information about these technologies, you may download a white paper about this subject from: www.miragenetworks.com