Cyber-Threat Analytics Threat Operations Center
Washington, D.C.
www.cyber-ta.org
Marcus H. Sachs, P.E.
SRI International
marcus.sachs@sri.com
703-247-8717
Agenda:
Internet Threats, 2006
New Attack Methods
The Need for a New Approach
The CyberTA Threat Operations Center
In the Beginning:
ARPANET was “born” in 1969 as a DoD experiment
A culture of sharing and openness
Government funded, academic focus
Documentation based on Requests for Comments
User communities
Largely government/military/academia
Virtually no talk of commercial or industrial use
Security through obscurity was king
Home users and hobbyists connected via dial-up bulletin board systems, not the ARPANET
And Then There Were Packets:
Infrastructure technologies
Interface Message Processors
Packet switching with gateways between networks
Hosts.txt file updated a few times per month
End point technologies
Timesharing mainframes
No personal computers, wireless, or hand-held devices
Data exchange technologies and protocols
FTP, telnet, SMTP, rlogin in use since mid-1970s
Domain Name System introduced in 1980s
Hypertext and World Wide Web proposed in late 1980s
Most Early Protocols Had Known Security Issues:
Sniffing clear-text passwords (ftp, telnet, smtp/pop, http)
Spoofing (tcp and udp packet sources)
Denial of service (echo vs chargen ports)
Flooding attacks (SYN and RST)
DNS cache poisoning (unvalidated dns responses)
Mapping (traceroute using TTL and ICMP)
Others Created New Problems We Deal With Today:
Tunneling (data fields in packet headers)
Sensor evasion (fragmentation reassembly)
Fingerprinting (analysis of responses to crafted packets)
Unsolicited bulk email (forged smtp headers)
Phishing (unvalidated http transactions)
Identity theft (open databases of personal information)
Threat Groups and Actors:
Espionage
State-sponsored or corporate electronic spying
Typically “open source” data collection
Terrorist groups
Covert communications channels
Criminal activity
Credit card theft, child pornography, copyright infringement
Spyware and other unauthorized cyber tracking software
Phishing emails and fake websites
Encrypting files followed by extortion to unencrypt
Insiders
Unauthorized disclosure of intellectual property
Hackers
Worms, viruses, malicious software, website defacements, and adolescent pranks
Where are all the Worms?:
We thought that the Internet would get wormier
But in fact it has not!
The trend was clear:
2001: Li0n, Code Red, Nimda
2002: Slapper, Klez
2003: SQL Slammer, Blaster, SoBig
2004: Sober, MyDoom, Witty, Sasser
Since 2004 there have been no new major worm outbreaks. WHY?
Where is the MS06-040 or -042 worm?
The Rise of the Bots:
Bot = Robot, or autonomous software
Sometimes called zombies or slaves
The latest wave of malicious software introduced to the Internet
Highly complex
Evolving
In many cases hard to detect or remove
Original bots were IRC-based
New vulnerabilities lead to new bots, not new worms
New Frontier: “Zero-Day” Attacks:
Find a vulnerability in a common software package or application
Do not notify the software company
Develop a working exploit that takes advantage of the vulnerability and keep the exploit a secret
Subvert a target organization by flooding the victim with zero-day attachments or pointers to infected web sites
Microsoft products are a favorite choice
Internet Explorer in August 2005, April, Aug, and Sept 2006
Windows Meta File (.wmf) in December 2005
Microsoft PowerPoint in July and August 2006
Microsoft Word in May and August 2006
So Who is Attacking Me?:
1970s: virtually no attacks
Heck, the networks were hard enough to run, why attack them?
1980s: academic attacks
Brain virus, Morris worm
1990s: script kiddies take charge
Web site defacements, parlor tricks with Trojan horses, email viruses, worms
2000s: value-oriented attacks, espionage, and terrorists
Bots, root kits and zero-day vulnerabilities
Technical Terrorists and 4G Warfare:
Most terrorist groups are thought of as low-tech, not capable of cyber destruction
But the next attack may not be directed against the Internet itself
It might very well be directed towards our way of life
Goal might be to disrupt our economy
One way to achieve that goal would be to cause disruptions and havoc in our networks, grids, and communications systems
4th Generation Warfare is here
“Non-state actors” with private funding, training, and goals
Information operations is central to 4G warfare
Recruiting:
Most terrorist groups recruit for multiple skill sets
Physical strength and endurance
Intelligence
Business and financial capabilities
Technical skills
Many al-Qaeda members have college degrees and advanced training in technical fields
Terrorist groups understand the power of information control and will use it as a weapon
Indications and Warnings:
Disruption of the Afghanistan center of al-Qaeda in 2001-2002 resulted in a different C2 structure
Internet is a perfect place for new operations
No centralized control
No “legitimacy of the state”
Sympathizers in other countries can “help” via on-line activity
Particularly idealistic youthful hackers
Airplane attacks in 2001 were predicted by intelligence analysts
Is a future terrorist cyber attack also predictable?
International Espionage:
China is our number one threat
University students on academic visas
“Professional” hacking clubs in China
Titan Rain intrusion set
Source code to Microsoft Windows and Office is available in China
Most of the recent zero-day attacks against Microsoft Office products came from China
Hostile Word File From China:
Organized Crime and Fraud:
Dangerous combination of
Spammers
Hackers
Professional criminals
US Secret Service, FBI, RCMP, Scotland Yard, and others currently investigating fraud cases totaling in the hundreds of millions of dollars
International crime rings
Use zero-day vulnerabilities in browsers
New attacks involve mirroring a victim’s clipboard in addition to keylogging
The Criminal’s Playground:
The Internet is a “perfect” place for crime
No taxes, therefore no tax evasion
Value in everything online
Anonymous access to vast resources
Criminal tools look and act like lawful tools
No national or political boundaries
Laws and law enforcement are limited
Numerous opportunities for money laundering (PayPal, etc.)
Millions of clueless victims
A Criminal’s Tool Box:
“Script kiddies” are frustrated by the complexity of attack tools
Need to bring order to the chaos of exploit development
Too many vulnerabilities
Too many payloads (actions on the target host)
Software developers have common tools and shared libraries
Why not build a framework that pulls it all together for exploit developers?
And make that framework open source – i.e., FREE!
The Ultimate Weapon:
The best weapons are the simplest
New wave of hacking tools are updated as new exploits are found
Lethal when combined with a scanner
Interface is a GUI
Windows/Linux application or web application
Metasploit is most popular
Contains dozens of canned exploits
Makes hacking as easy as a mouse click
No understanding of computer science needed
Gaining in popularity with both attackers and defenders
Pure Evil: Metasploit:
153 Exploits
75 Payloads
Multiple targets
BSD
IRIX
Linux
Mac
Microsoft
Solaris
Point-n-Click Interface
Version 3.0 is latest http://metasploit.com/projects/Framework/downloads.html
The Future of Network Attacks:
DDoS attacks will decrease
New mitigation tools are working
“Real Hackers” don’t DoS
Bot Armies will be used for distributed computing rather than DDoS
Fraud will increase while worms decrease
Too many juicy targets, including critical infrastructures and control systems
Too much value in the Internet to ignore
Watch for VOIP and streaming video fraud
Online gaming community is a valuable target too
Network components will become targets of opportunity
Voice Over IP, Video Over IP: all are potential future targets
In nearly all cases, future attacks will leverage historically insecure protocols and technologies!
The Future of Computer Security Research:
As attack tools get more complex, research funding and efforts must increase
Cyber security funding will always compete with the physical threat mitigation community
Chemical, Radiological, Nuclear, Biological are hot
Cyber threats are “invisible” and hard to quantify
Governments, private companies, universities, and citizens must look toward the future
Our economic survival is at stake
Research collaboration must mirror attack community collaboration levels
Our Challenge:
Current tools to detect attacks and defend our networks are based on 1990s threat models
Anti-virus
Worm detection
DDoS prevention
Scan, probes, and other flow-based tools
New tools and analysis techniques need to be developed to detect and mitigate the new attack methods
We Need To:
Create a centralized threat coordination and Internet monitoring center
Including research and operational partners
Distribute sensor data repositories across the consortium partnership
Develop methods of sharing meta data while ensuring privacy and anonymity
Develop new ways to visualize emerging threats and to understand their meanings
Next-Gen Threat Analysis Centers:
Must support highly automated threat diagnosis and prioritization
Must scale to alert volumes and data sources covering millions of IP addresses
Must be able to rapidly distribute actionable information back to user communities
Must be able to fuse data from multiple sources, most of which are not related
Must also be sensitive to data privacy and anonymity concerns
Cyber-TA Project Directions:
Internet-scale collaborative sharing of sensitive information to support analysis and correlation
Real-time malware focused alert correlation analysis
Rapid threat warning dissemination that leverages new collaborative data analysis capabilities
Open-source software releases, capability demonstrations, and commercial integration
Cyber-TA Research Directions:
Some existing repositories collect millions of data elements per day
Latency could be an hour or more
Little or no client-side correlation
Cyber-TA seeks to
Reduce detection and correlation latency
Produce client-side meta data that will supplement local sensor alert data
Discover new analysis methods to assist in identifying new malware and threat tools
Ops Center Analytical Capabilities:
Current threat operations centers primarily focus on reactive measures such as
IP blacklists
Port statistics and analysis
Historical trends
New threat operations centers need to adopt innovative techniques such as
Sensor meta-data sharing and analysis
Publishing consensus-based signatures
Sharing honeynet and malware collections
Sharing botnet command and control data
Dynamic updates to firewalls and IPSs
Detecting changes to DNS, BGP, and other mechanisms
Using application crash analysis tools for early detection of zero-day attacks
Ops Center Usage Scenarios:
Where the degree of trust between organizations is unknown
Consensus-based release of sensor data and analysis facilitated by
Out-of-band trust relationships
Exchange of encryption keys
Secure multi-party computation schemes
Data distribution between “natural competitors” or non-sharing parties
Can enemies share technical data anonymously?
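An added example (not from the deck and not Cyber-TA project code) of the consensus-based release described on this slide and the "Publishing consensus-based signatures" item on the previous one. Three constructed partner reports are pseudonymized with a keyed hash under a key assumed to have been exchanged out-of-band among the partners; the center correlates the same source across partners without ever holding the raw addresses and publishes only indicators that at least min_partners independent sensors reported. Partner names, addresses and the key are made-up sample values.

```python
import hmac
import hashlib
from collections import Counter, defaultdict

# Constructed sample reports: (source_ip, destination_port) pairs each partner's
# sensors blocked during the same hour. Documentation-range addresses, not real data.
PARTNER_REPORTS = {
    "partner-a": [("198.51.100.7", 445), ("198.51.100.7", 139), ("203.0.113.9", 22)],
    "partner-b": [("198.51.100.7", 445), ("192.0.2.44", 3389), ("198.51.100.7", 445)],
    "partner-c": [("198.51.100.7", 445), ("203.0.113.9", 22), ("192.0.2.44", 3389)],
}

# Assumed: a symmetric key agreed among consortium members out-of-band. The center
# does not hold it, so it cannot enumerate the IPv4 space back to addresses; key
# holders can (and are meant to) recompute tokens for their own observations.
SHARED_KEY = b"example-consortium-key-not-for-real-use"


def pseudonymize_ip(ip, key=SHARED_KEY):
    """Keyed hash of an address: the same IP yields the same token at every partner,
    so the center can match reports without seeing the address itself."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def partner_submission(report, key=SHARED_KEY):
    """Run locally at a partner before anything leaves the site: replace addresses
    with tokens and collapse repeats, so one partner never counts more than once."""
    return {(pseudonymize_ip(ip, key), port) for ip, port in report}


def consensus_indicators(submissions, min_partners=2):
    """Center side: count how many distinct partners reported each token and release
    only tokens meeting the threshold, with the partner count as a confidence score."""
    reporters = defaultdict(set)
    for partner, items in submissions.items():
        for token, _port in items:
            reporters[token].add(partner)
    return {tok: len(who) for tok, who in reporters.items() if len(who) >= min_partners}


def port_statistics(submissions):
    """Aggregate destination-port counts, one vote per partner per (token, port)."""
    return Counter(port for items in submissions.values() for _tok, port in items)


def locally_observed(ip, published, key=SHARED_KEY):
    """Partner side: how many partners reported an address this site also saw (0 if none)."""
    return published.get(pseudonymize_ip(ip, key), 0)


def run_example():
    """Full round trip: partners pseudonymize, the center releases by consensus."""
    submissions = {name: partner_submission(rep) for name, rep in PARTNER_REPORTS.items()}
    published = consensus_indicators(submissions, min_partners=2)
    return published, port_statistics(submissions)


if __name__ == "__main__":
    published, ports = run_example()
    for token, n in sorted(published.items(), key=lambda kv: -kv[1]):
        print(f"{token}  reported by {n} partners")
    print("top ports:", ports.most_common(3))
```

The keyed hash protects the addresses from the center and from outsiders, not from other key holders: anyone with the key can rebuild the table for the whole IPv4 space, which is why the slide lists secure multi-party computation as the stronger option when the partners are "natural competitors".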
CTA Threat Operations Center:
Alert repository database service
Analysis and data coordination center
Programmable interfaces for data feeds
Public and private web portal
Data visualization
Host technology demonstrations and briefings
Capable of supporting limited real-world operations with a few hours notice
High Level Deployment Scenario:
Immediate priority is to improve protection of DoD deployed networks
Secondary are CONUS and OCONUS WANs such as NIPRNET and SIPRNET
Later: domestic ad-hoc networks in support of emergency response scenarios
Recommend deployment of a prototype CTA system in a mature AOR within six months of successful demonstration in CONUS
Roadmap for Deployment: Sensors:
Use devices already in place as sensors
Firewalls
Intrusion detection systems
Routers and switches
Host-based intrusion prevention systems
Deploy a script that “scrapes” the needed data from the local sensor logs
Extractions become part of CTA system
Advantage: no new hardware devices or “bumps in the wire”
Disadvantage: no control over signatures or configuration
Cyber-TA will use both old and new sensor systems
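An added example, not from the deck and not the Cyber-TA project's own script, of the log "scraping" step this slide describes. It reads constructed iptables-style firewall and Snort-style IDS lines (documentation-range addresses; the signature id and message are made up), normalizes them into one extraction record shape, and keeps the lines it cannot parse instead of silently dropping them, which matters precisely because the consortium has no control over the sensor's log format or signatures.

```python
import re

# Constructed sample sensor output: two iptables-style kernel log lines, one
# Snort-style fast-alert line, and one line in a format the scraper does not know.
SAMPLE_LOG = """\
Oct 12 14:03:11 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=445 SYN
Oct 12 14:03:12 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
10/12-14:03:15.123456  [**] [1:2000001:1] EXAMPLE inbound SMB probe [**] [Priority: 2] {TCP} 198.51.100.7:51234 -> 192.0.2.10:445
Oct 12 14:03:16 fw1 sshd[812]: Accepted publickey for ops from 192.0.2.50 port 40100
"""

# Patterns for the two formats this scraper understands (hypothetical sensor output).
IPTABLES_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)
SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<spt>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a normalized extraction record for one sensor log line, or None."""
    m = IPTABLES_RE.match(line)
    if m:
        return {
            "sensor": "firewall", "host": m["host"], "ts": m["ts"],
            "src": m["src"], "dst": m["dst"], "proto": m["proto"].lower(),
            "dpt": int(m["dpt"]) if m["dpt"] else None,  # ICMP lines carry no ports
            "signature": None, "message": None,
        }
    m = SNORT_RE.match(line)
    if m:
        return {
            "sensor": "ids", "host": None, "ts": m["ts"],
            "src": m["src"], "dst": m["dst"], "proto": m["proto"].lower(),
            "dpt": int(m["dpt"]),
            "signature": m["sid"], "message": m["msg"],
        }
    return None


def scrape(text):
    """Split sensor output into records and unparsed lines. Unparsed lines are
    returned, not discarded: a sensor upgrade that changes its log format should
    show up as a spike in unparsed lines, not as a silent loss of data."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(rec)
    return records, unparsed


def sources_by_port(records):
    """Distinct sources per destination port across all sensors (firewall and IDS
    hits for the same connection collapse to one entry)."""
    out = {}
    for rec in records:
        if rec["dpt"] is None:
            continue
        out.setdefault(rec["dpt"], set()).add(rec["src"])
    return {port: sorted(srcs) for port, srcs in out.items()}


if __name__ == "__main__":
    recs, bad = scrape(SAMPLE_LOG)
    print(f"{len(recs)} records, {len(bad)} unparsed lines")
    for port, srcs in sorted(sources_by_port(recs).items()):
        print(f"dpt {port}: {', '.join(srcs)}")
```

The record shape (sensor, ts, src, dst, proto, dpt, signature) is the minimum that later correlation needs; anything site-specific stays out of it so the same record can be pseudonymized and shared without exposing the sensor's internal addressing.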
Roadmap for Deployment: C2:
Initial C2 will be internal to SRI
SRI researchers in Menlo Park
Research partners in other USA locations
Prototype operations center and analysis in Washington, D.C.
Later we plan to leverage existing DoD C2 relationships
JTF-GNO
RCERTs, ACERT, AFCERT, NAVCIRC, MARCERT, NSIRC
Long term goal is to transition technologies and lessons learned to the JTF-GNO and components
Operations Center Personnel:
SRI Staff (Washington, D.C.)
Site Director
Deputy Director and Project Coordinator
Web Site Administrator
Database Administrator
Network Administrator
Consultants (Outside of Washington)
DShield
Graduate Students (Local University)
Two or three CompSci/InfoSec students
Equipment Block Diagram:
(Diagram labels: LCD Monitor, LCD Monitor, Sensors, Mixnet, Server Room, Demo Room, SRI-WDC Frame Room, Other servers)
Web Site:
It’s not pretty, but stay tuned...
Contact Information:
Marcus H. Sachs, P.E.
1100 Wilson Blvd, Ste 2800
Arlington, VA 22209
marcus.sachs@sri.com
703-247-8717
http://www.cyber-ta.org
http://cyberta.dshield.org