logging in or signing up AD workshop 091203 Charlie Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINTLite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 32 Category: Entertainment License: All Rights Reserved Like it (0) Dislike it (0) Added: October 04, 2007 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript Active Defenses to Cyber Attacks: Active Defenses to Cyber Attacks UW Information School/Agora Workshop 09/12/03 Supported by a research grant from Cisco Systems Critical Infrastructure Assurance GroupAgenda: Agenda Three floating moderators “Three hour tour” format Background (~45 minutes) Open discussion of issues (~1 hour) Attack Scenario (~20 minutes) 9 potential AD actions (~2 hours) ~10-15 minutes each Desired outcome: Desired outcome Get feedback on current outline of Active Defense Get ideas on pros/cons of AD actions Identify avenues of legal/ethical/technical research Identify alternatives and possible changes in laws, public/private CompSec policies Have a fun time!Background: Background Topic discussed in Pre-Agora meeting June 8, 2001 and again in Q1 2003 Current USG interest Ongoing private sector interest Lack of common definitions Potential impact on national & international debateSenate debate: Senate debate "If we can find some way to do this without destroying their machines, we'd be interested in hearing about that. If that's the only way, then I'm all for destroying their machines. If you have a few hundred thousand of those, I think people would realize [the seriousness of their actions.] There's no excuse for anyone violating copyright laws.” Utah Senator Orrin HatchInformation Assurance: Information Assurance Information Assurance (IA) concerns information operations that protect and defend information and information systems by ensuring availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. Source: National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4009, January 1999Attacks (Strategic level): Attacks (Strategic level) Denial of Service Theft/alteration of data Web page defacement Industrial espionage Theft of services/resources “Stepping stones”/anonymity Caching data/malware Violation of copyright (“warez”)Attacks (Tactical level): Attacks (Tactical level) Remote service exploitation Log alteration/"rootkits" Sniffers Covert channel comms Stepping stones Encryption Address forgery/hijacking Distributed attacks Reflected attacksAttack Specifics (example): Attack Specifics (example) Denial of Service Resource consumption Host Processor Memory Network services Network Bandwidth Router Resources (see Host above) Crashing RedirectionYou are here…: You are here… Defenses (Strategic level): Defenses (Strategic level) Firewalls IDS Logging/monitoring Host (e.g., accounts, processes, services) Network (flows, connections, data) Honeypots/Honeynets Augment FW/IDS DeceptionDefenses (Tactical level): Defenses (Tactical level) Topological/Access control changes Sniffing/keystroke logging Scanning Traffic redirection Traffic analysis Honeypots/Honeynets Remote exploitation Denial of ServiceBig loss over time: Big loss over time Warbucks’ lost commissions on stock tradesSmall loss over time: Small loss over time Individual selling used books on AmazonStages of Response: Stages of Response 0 - Unconscious 1 - Involved 2 - Interactive 3 - Cooperative Response 4 - Non-cooperative (AD) Response“Unconscious”: “Unconscious” Stage 0: “Right out-of-the-box” “The firm/system owner/operator takes no active role, either directly or through proxy, to modify, improve, enhance, or alter defensive capabilities inherent in the hardware, firmware, and/or software as delivered from the manufacturer or installer.”“Involved”: “Involved” Stage 1: “Doing Business” “The firm/system owner/operator establishes (either directly or via proxy) a baseline, tailored, day-to-day defensive posture involving only resources directly owned or operated by that owner/operator. The posture is maintained / kept current.” “Interactive”: “Interactive” Stage 2: “We’ve Got a Problem” “The firm/system owner/operator applies measures, in response to warning or evidence of malfeasance, to resources directly owned or operated by them. The measures are beyond the baseline because they cause some loss of flexibility, capability, or ease of use and the owner/operator does not want/intend them to become routine business practice.”“Cooperative Response”: “Cooperative Response” Stage 3: “Reach out …” “The firm/system owner/operator engages other organizations/firms/systems to take measures intended to attribute, mitigate, or eliminate the threat through cooperative efforts beyond the ability of the owner/operator to effect but within the lawful authority of the cooperating other party or parties.”“Non-cooperative Response”: “Non-cooperative Response” Stage 4: “... and Touch Someone.” “The firm/system owner/operator takes measures, with or without cooperative support from other parties, to attribute, mitigate, or eliminate the threat by acting against an uncooperative perpetrator or against an organization/firm/system that could (if cooperative) attribute, mitigate, or eliminate the threat.”Active Defense: Active Defense Agora workshop on June 8, 2001 defined “Active Defense” to be activity at Stage 4 Stage 4 has levels, though Less intrusive to more intrusive Less risky to more risky Less disruptive to more disruptive Justification for and defense of your actions may depend on how well you progress through all 4 stagesLevels of Active Defense: Levels of Active Defense 4.1 - Non-cooperative ‘intelligence’ collection External services (finger, netstat, nbtstat) Back doors/remote exploit to access internal services 4.2 - Non-cooperative ‘cease & desist’ 4.3 - Retribution or counter-strike 4.4 - Preemptive defenseWhat Do We Need to Know?: What Do We Need to Know? Are your losses and the potential risk to you at least equal to the benefit gained if you are successful? Who is it? Or “Attribution; the $64,000 question.” What are you contemplating doing? What effect do you intend to achieve? What ‘blow back’ could occur?What Do We Need to Know?: What Do We Need to Know? What are your personal and organizational risks? Who can help? Who are you going to call if you do this? Who/what is the target? How do you know? Who defines what active defense is for you? Was there another way? Or “Creative Response versus Active Defense”Best Practice is to Think Ahead: Best Practice is to Think Ahead Risk Mitigation Strategy: Early, early, early Pre-arranged ‘moves’ with your ISP Business interruption insurance Before-the-fact discussions with the Law Pre-arranged responses within Time things out Range of response options for the CEO Who provides the oversight of this decision?Other Points: Other Points If this hurts your head, be glad you’re not in Congress Dark Noise: It’s there and it’s useful People with the power of nation states Roles of government Can it provide recourse? Can it ever get fast enough? Agora as mentorUnintended consequences: Unintended consequences Xerox PARC, 1978 Researchers use worms to automate tasks on Alto network Innocuous code corrupted >200 systems crash, reboot, crash… Morris worm in 1988 also buggy Even Nachi isn’t perfectOudot’s reaction to Blaster: Oudot’s reaction to Blaster Used “honeyd” to pretend to be vulnerable Windows box Opened fake worm port (4444/tcp) Captured worm payload using tftp Provided prototype cleanup code (that worked!) SysAdmins at UW polled: 76 respondentsOpen Discussion: Open Discussion Attack Scenario: Attack Scenario Players Warbucks Financial Services Target Medical Center at the University of Hard Knocks Francis X. Hackerman C_primeWarbucks Financial Services: Warbucks Financial Services Boutique stock services for high $$$ clients Real-time quotes from their web site CRM system used in-house Voice over IP comms Laptops for ul/dl data and email All systems tightly integrated for speed, flexibility, customized serviceHard Knocks U: Hard Knocks U Large State U w/four campuses Combined Academic/Clinical Med Center (Target Medical Center) TMC has Computerized Physician Order Entry (CPOE) system connected to Electronic Medical Record (EMR) system TMC used as DDoS agents HKU used as stepping stone, cache and DDoS handler (on different campuses)Francis X. Hackerman: Francis X. Hackerman CISO of Warbucks Recent graduate of HKU School of Information Management Was notorious hacker in High School Considers himself a highly skilled “hired gun” when it comes to computer networksC_prime: C_prime Security Engineer at Hard Knocks University Senior member of incident response team Represents HKU on Higher Ed ISAC Her background includes mathematics, programming, system administrationAttack: Attack Attacker owns 2000-3000 hosts world-wide (stepping stones, DDoS agents) Attacker choses to take out all services at Warbucks via massive rolling DDoS attack (100-300 hosts at a time) Warbucks’ network is inoperative - difficulty tracing attack sources, but notes some at TMC, HKU, many other .edus, etc. HKU IRT was already investigating intrusions to hosts on their net (have isolated malware) Possible consequence of a disruptive AD action towards TMC’s network is death of a patientResponse: Response Hackerman and C_prime both go through Stages 1 to 3 DDoS traffic cannot be entirely blocked by their upstream network provider DDoS network too large/dynamic to contact all sites involved Explore options at Stage 4…Action A: Action A C_prime finds a sniffer log on a compromised TMC system. This log exposes an account and password on a host in Canada (used as a cache and stepping stone by the attacker). She has the ability to enter the Canadian system with root privilege, and could periodically run operating system commands to monitor use and/or copy files off the system.Action B: Action B Using this same password, she could also shut this host down temporarily or semi-permanently, requiring administrator intervention. This could disable some/all of the DDoS network (can’t be sure…) Consequence: Host goes downAction C: Action C C_prime identifies means of controlling (even disabling) DDoS agents on other hosts. This knowledge could be used to shut down just the DDoS agents on all affected hosts at once during a DDoS attack. Consequence: DDoS agents stoppedAction D: Action D Hackerman scans the entire network at TMC, identifying all nodes (IP address, operating system type, all services enabled, versions of services.) Sends results to TMC network contact. Gets no reply.Action E: Action E Hackerman’s scan finds a router vulnerable to a one or more remote DoS attacks. Has the option of using exploits to disable this router. Consquence: Outage would affect all hosts on TMC’s network that share this router. (Possible result: Patient dies)Action F: Action F Hackerman scans just the identified DDoS agents at HKU & TMC (identifying operating system type, all services enabled, versions of services). Finds they are vulnerable to a remote exploit. Could use this means to enter and disable network access to these hosts. Similar to what RIAA/MPAA were proposing for copyright violators Consequence: Host losses network access (Similar to E)Action G: Action G Hackerman’s scan shows a large number of Windows desktops vulnerable to various DCOM flaws. Could modify publicly available exploits/worms to affect only systems on the HKU, TMC networks, shutting them down. Consequence: Many hosts go down (Similar to E)Action H: Action H Another alternative for Hackerman could be to use DCOM exploits to take over control of one or more systems on TMC’s network, using them to sniff traffic of the intruder as stepping stones are used. This could identify the intruder, or at least get one hop closer… Consequence: None?Action I: Action I Hackerman is contacted by C_prime, who knows Warbucks is victim of massive DDoS. Provides Hackerman with information about suspected DDoS handlers, perhaps even attacker’s other stepping stones. Hackerman could attack these sites to try to pre-empt another round of attacks on Warbucks’ network. Consequence: ???Action J: Action J Action K: Action K Action L: Action L You do not have the permission to view this presentation. In order to view it, please contact the author of the presentation.
AD workshop 091203 Charlie Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINTLite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 32 Category: Entertainment License: All Rights Reserved Like it (0) Dislike it (0) Added: October 04, 2007 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript Active Defenses to Cyber Attacks: Active Defenses to Cyber Attacks UW Information School/Agora Workshop 09/12/03 Supported by a research grant from Cisco Systems Critical Infrastructure Assurance GroupAgenda: Agenda Three floating moderators “Three hour tour” format Background (~45 minutes) Open discussion of issues (~1 hour) Attack Scenario (~20 minutes) 9 potential AD actions (~2 hours) ~10-15 minutes each Desired outcome: Desired outcome Get feedback on current outline of Active Defense Get ideas on pros/cons of AD actions Identify avenues of legal/ethical/technical research Identify alternatives and possible changes in laws, public/private CompSec policies Have a fun time!Background: Background Topic discussed in Pre-Agora meeting June 8, 2001 and again in Q1 2003 Current USG interest Ongoing private sector interest Lack of common definitions Potential impact on national & international debateSenate debate: Senate debate "If we can find some way to do this without destroying their machines, we'd be interested in hearing about that. If that's the only way, then I'm all for destroying their machines. If you have a few hundred thousand of those, I think people would realize [the seriousness of their actions.] There's no excuse for anyone violating copyright laws.” Utah Senator Orrin HatchInformation Assurance: Information Assurance Information Assurance (IA) concerns information operations that protect and defend information and information systems by ensuring availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. Source: National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4009, January 1999Attacks (Strategic level): Attacks (Strategic level) Denial of Service Theft/alteration of data Web page defacement Industrial espionage Theft of services/resources “Stepping stones”/anonymity Caching data/malware Violation of copyright (“warez”)Attacks (Tactical level): Attacks (Tactical level) Remote service exploitation Log alteration/"rootkits" Sniffers Covert channel comms Stepping stones Encryption Address forgery/hijacking Distributed attacks Reflected attacksAttack Specifics (example): Attack Specifics (example) Denial of Service Resource consumption Host Processor Memory Network services Network Bandwidth Router Resources (see Host above) Crashing RedirectionYou are here…: You are here… Defenses (Strategic level): Defenses (Strategic level) Firewalls IDS Logging/monitoring Host (e.g., accounts, processes, services) Network (flows, connections, data) Honeypots/Honeynets Augment FW/IDS DeceptionDefenses (Tactical level): Defenses (Tactical level) Topological/Access control changes Sniffing/keystroke logging Scanning Traffic redirection Traffic analysis Honeypots/Honeynets Remote exploitation Denial of ServiceBig loss over time: Big loss over time Warbucks’ lost commissions on stock tradesSmall loss over time: Small loss over time Individual selling used books on AmazonStages of Response: Stages of Response 0 - Unconscious 1 - Involved 2 - Interactive 3 - Cooperative Response 4 - Non-cooperative (AD) Response“Unconscious”: “Unconscious” Stage 0: “Right out-of-the-box” “The firm/system owner/operator takes no active role, either directly or through proxy, to modify, improve, enhance, or alter defensive capabilities inherent in the hardware, firmware, and/or software as delivered from the manufacturer or installer.”“Involved”: “Involved” Stage 1: “Doing Business” “The firm/system owner/operator establishes (either directly or via proxy) a baseline, tailored, day-to-day defensive posture involving only resources directly owned or operated by that owner/operator. The posture is maintained / kept current.” “Interactive”: “Interactive” Stage 2: “We’ve Got a Problem” “The firm/system owner/operator applies measures, in response to warning or evidence of malfeasance, to resources directly owned or operated by them. The measures are beyond the baseline because they cause some loss of flexibility, capability, or ease of use and the owner/operator does not want/intend them to become routine business practice.”“Cooperative Response”: “Cooperative Response” Stage 3: “Reach out …” “The firm/system owner/operator engages other organizations/firms/systems to take measures intended to attribute, mitigate, or eliminate the threat through cooperative efforts beyond the ability of the owner/operator to effect but within the lawful authority of the cooperating other party or parties.”“Non-cooperative Response”: “Non-cooperative Response” Stage 4: “... and Touch Someone.” “The firm/system owner/operator takes measures, with or without cooperative support from other parties, to attribute, mitigate, or eliminate the threat by acting against an uncooperative perpetrator or against an organization/firm/system that could (if cooperative) attribute, mitigate, or eliminate the threat.”Active Defense: Active Defense Agora workshop on June 8, 2001 defined “Active Defense” to be activity at Stage 4 Stage 4 has levels, though Less intrusive to more intrusive Less risky to more risky Less disruptive to more disruptive Justification for and defense of your actions may depend on how well you progress through all 4 stagesLevels of Active Defense: Levels of Active Defense 4.1 - Non-cooperative ‘intelligence’ collection External services (finger, netstat, nbtstat) Back doors/remote exploit to access internal services 4.2 - Non-cooperative ‘cease & desist’ 4.3 - Retribution or counter-strike 4.4 - Preemptive defenseWhat Do We Need to Know?: What Do We Need to Know? Are your losses and the potential risk to you at least equal to the benefit gained if you are successful? Who is it? Or “Attribution; the $64,000 question.” What are you contemplating doing? What effect do you intend to achieve? What ‘blow back’ could occur?What Do We Need to Know?: What Do We Need to Know? What are your personal and organizational risks? Who can help? Who are you going to call if you do this? Who/what is the target? How do you know? Who defines what active defense is for you? Was there another way? Or “Creative Response versus Active Defense”Best Practice is to Think Ahead: Best Practice is to Think Ahead Risk Mitigation Strategy: Early, early, early Pre-arranged ‘moves’ with your ISP Business interruption insurance Before-the-fact discussions with the Law Pre-arranged responses within Time things out Range of response options for the CEO Who provides the oversight of this decision?Other Points: Other Points If this hurts your head, be glad you’re not in Congress Dark Noise: It’s there and it’s useful People with the power of nation states Roles of government Can it provide recourse? Can it ever get fast enough? Agora as mentorUnintended consequences: Unintended consequences Xerox PARC, 1978 Researchers use worms to automate tasks on Alto network Innocuous code corrupted >200 systems crash, reboot, crash… Morris worm in 1988 also buggy Even Nachi isn’t perfectOudot’s reaction to Blaster: Oudot’s reaction to Blaster Used “honeyd” to pretend to be vulnerable Windows box Opened fake worm port (4444/tcp) Captured worm payload using tftp Provided prototype cleanup code (that worked!) SysAdmins at UW polled: 76 respondentsOpen Discussion: Open Discussion Attack Scenario: Attack Scenario Players Warbucks Financial Services Target Medical Center at the University of Hard Knocks Francis X. Hackerman C_primeWarbucks Financial Services: Warbucks Financial Services Boutique stock services for high $$$ clients Real-time quotes from their web site CRM system used in-house Voice over IP comms Laptops for ul/dl data and email All systems tightly integrated for speed, flexibility, customized serviceHard Knocks U: Hard Knocks U Large State U w/four campuses Combined Academic/Clinical Med Center (Target Medical Center) TMC has Computerized Physician Order Entry (CPOE) system connected to Electronic Medical Record (EMR) system TMC used as DDoS agents HKU used as stepping stone, cache and DDoS handler (on different campuses)Francis X. Hackerman: Francis X. Hackerman CISO of Warbucks Recent graduate of HKU School of Information Management Was notorious hacker in High School Considers himself a highly skilled “hired gun” when it comes to computer networksC_prime: C_prime Security Engineer at Hard Knocks University Senior member of incident response team Represents HKU on Higher Ed ISAC Her background includes mathematics, programming, system administrationAttack: Attack Attacker owns 2000-3000 hosts world-wide (stepping stones, DDoS agents) Attacker choses to take out all services at Warbucks via massive rolling DDoS attack (100-300 hosts at a time) Warbucks’ network is inoperative - difficulty tracing attack sources, but notes some at TMC, HKU, many other .edus, etc. HKU IRT was already investigating intrusions to hosts on their net (have isolated malware) Possible consequence of a disruptive AD action towards TMC’s network is death of a patientResponse: Response Hackerman and C_prime both go through Stages 1 to 3 DDoS traffic cannot be entirely blocked by their upstream network provider DDoS network too large/dynamic to contact all sites involved Explore options at Stage 4…Action A: Action A C_prime finds a sniffer log on a compromised TMC system. This log exposes an account and password on a host in Canada (used as a cache and stepping stone by the attacker). She has the ability to enter the Canadian system with root privilege, and could periodically run operating system commands to monitor use and/or copy files off the system.Action B: Action B Using this same password, she could also shut this host down temporarily or semi-permanently, requiring administrator intervention. This could disable some/all of the DDoS network (can’t be sure…) Consequence: Host goes downAction C: Action C C_prime identifies means of controlling (even disabling) DDoS agents on other hosts. This knowledge could be used to shut down just the DDoS agents on all affected hosts at once during a DDoS attack. Consequence: DDoS agents stoppedAction D: Action D Hackerman scans the entire network at TMC, identifying all nodes (IP address, operating system type, all services enabled, versions of services.) Sends results to TMC network contact. Gets no reply.Action E: Action E Hackerman’s scan finds a router vulnerable to a one or more remote DoS attacks. Has the option of using exploits to disable this router. Consquence: Outage would affect all hosts on TMC’s network that share this router. (Possible result: Patient dies)Action F: Action F Hackerman scans just the identified DDoS agents at HKU & TMC (identifying operating system type, all services enabled, versions of services). Finds they are vulnerable to a remote exploit. Could use this means to enter and disable network access to these hosts. Similar to what RIAA/MPAA were proposing for copyright violators Consequence: Host losses network access (Similar to E)Action G: Action G Hackerman’s scan shows a large number of Windows desktops vulnerable to various DCOM flaws. Could modify publicly available exploits/worms to affect only systems on the HKU, TMC networks, shutting them down. Consequence: Many hosts go down (Similar to E)Action H: Action H Another alternative for Hackerman could be to use DCOM exploits to take over control of one or more systems on TMC’s network, using them to sniff traffic of the intruder as stepping stones are used. This could identify the intruder, or at least get one hop closer… Consequence: None?Action I: Action I Hackerman is contacted by C_prime, who knows Warbucks is victim of massive DDoS. Provides Hackerman with information about suspected DDoS handlers, perhaps even attacker’s other stepping stones. Hackerman could attack these sites to try to pre-empt another round of attacks on Warbucks’ network. Consequence: ???Action J: Action J Action K: Action K Action L: Action L