Page 1: Are Deeper Levels of Risk Analysis a Requirement for Enabling Optimal Tactical Responses in INFOSEC Alert Correlation Systems?

Stephen Neville
Electrical & Computer Engineering Dept.
University of Victoria

Page 2: Outline

Introduction
The Tactical Defense Problem
• Standard Alert Correlation Solution
• Attack Model
• Defender Model
Optimal Responses
• Idealized Correlation Model
• Issue of one-to-one mappings
• Requirements for risk analysis
Relevance to Operational Networks
Conclusions

Page 3: Introduction

Cyber-security has become one of the major issues facing corporations and governments. It has grown from being considered solely an IT issue into one which senior management must address.

High levels of intrinsic risk have accompanied corporations' increased reliance on their IT infrastructures for key business services and processes.

The nature of this risk, though, is poorly understood. A fundamental need exists to place cyber-security within standard corporate frameworks for risk management.

But little research has been done on the formalizations required within real-world contexts.

Page 4

This work looks at one aspect of the problem:
• The generation of optimal tactical defensive responses.
• Specifically, can current approaches meet this goal?
• i.e., Alert Correlation / Security Management Systems

Why is this important?
• Networks continue to grow across various dimensions: size, speed, complexity, etc.
• Growing use and sophistication of attack tools.
• Currently, reliance on human-centric defenses is likely untenable in the near term.
• Tactical response generation will be one of the first areas where the lag in human response times will show.

Page 5: Problem Context

• A standard large-scale corporate network:
  1000's of hosts
  Various subnets
  Multiple geographically diverse locations
  Various access points (internet, wireless, etc.)
  Best-practice security in place (firewalls, IDSs, virus checking, etc.)
  Deployed COTS-based security (inclusive of open source)
  Supports multiple business-critical services and processes
  Etc.

Page 6: Corporate Network

[Figure: Corporate Network. The Internet (business partners, suppliers, customers, etc.) and Wireless Access reach the network through Firewalls and VPNs; a DMZ holds web servers, proxy servers, etc.; the Primary Network has 1000+ hosts, and Regional SubNets A and B have 100's of hosts each.]

Page 7

Current security technologies are primarily point-source solutions:
• Firewalls
• Intrusion Detection Systems (IDS)
• Intrusion Prevention Systems (IPS)
• VPNs
• Virus Checking
• File Check Pointing
• Etc.

Each type of sensor only observes its sub-set of the attack space.

Systems-level integration is required to maximize coverage of the attack space and to provide tactical situational awareness.

Page 8: The Tactical Defense Problem

Goal:
• Detect attack incidents as early as possible
• Enact appropriate & timely defenses

Detection is not enough. Attacks must be mitigated before losses are incurred.
• Mitigate risks & minimize losses
• Minimally impact authorized (normal) events/services

Defender Approach:
• Deploy a diverse suite of point-source security sensors
• Monitor their generated INFOSEC alert streams
• Combine these streams into tactical assessments and generate estimates of the enacted attacks
• From these attack estimates choose and enact the best response

Domain of Alert Correlation Systems
• More recently marketed as "Security Management" Systems

Page 9: Tactical Defense Problem

[Figure: the corporate network of Page 6 (Primary Network, Regional SubNets A and B, DMZ, Firewalls, VPNs, Wireless Access) feeding an Alert Correlation System, which produces a Tactical Assessment and Defensive Responses.]

Page 10

[Figure: INFOSEC sensors s_1, s_2, s_3, ..., s_n on the Defended Network emit Alert_1(α_k), Alert_2(α_k), Alert_3(α_k), ..., Alert_n(α_k) in response to the atomic attacks α_j, α_k, α_m, α_p being enacted (α is a stand-in for the attack symbol that did not survive extraction). The Alert Correlation System collects the alerts, performs analysis, outputs the Estimated Attack(s), and issues a Tactical Response.]

Page 11

Ostensibly, a real-time pattern recognition problem.

But,
• Malicious and intelligent opponents.
• Asynchronous alert streams
  Ordering of alert arrivals at the correlation system is a random process.
• Possibly with:
  Multiple simultaneous attackers
  Coordinated attacks
• Largely uncharacterized sensor sets
  Exactly what does each sensor trigger on?
  How does this map to the information reported in the sensor's alerts?
  Severely complicates the data fusion problem.
• High false alarm rates: >90% in standard operation
• Little in the way of statistical data

Page 12: Current Solution: Alert Correlation System

[Vigna and Kemmerer, 2004]

Page 13

Input: INFOSEC alert streams
Output: Prioritized intrusion reports

Hierarchical process

No feedback paths.

Subsequent stages are based on the alert fusion (or cluster) stage's results.

Page 14: A Fundamental Question

Are these clusters correct?
• How can one prove correctness in operational environments?
• Correlation literature has primarily focused on the data reduction task
• Correctness, specifically for the case of maliciousness, has been unaddressed.

Requires suitable attacker and defender models.

Page 15: Attacker Model

Attackers' Goal:
• Enact a successful attack with minimal effort.
• Note success is the primary goal
• This is different from avoiding detection:
  If one can enact a detected attack that completes prior to a response being enacted then one succeeds, given the difficulties with trace-back.
  If one enacts an attack that is detected but mis-classified then one may also succeed.

Assumptions:
• Attackers may be internal or external.
• Multiple attackers may exist.
• Attacks & attackers may be coordinated.
• Attackers are intelligent and rational, as per game theory's definitions.

Page 16: Digression: Game Theory

Game Theory:
• View security as a game between the defender and an unknown number of attackers.
• Each chooses moves in response to their estimates of the environment and the others' actions.
• A game in which each side only has partial (i.e., incomplete) information.
• Each player has the potential to learn more about the environment and their opponent as the game progresses.

Page 17

Rationality:
• Attackers make moves that maximize their utility
• i.e., one assumes they make the best moves they can based on their current information.
• One cannot assume the attackers will choose to make "poor" moves.

Intelligence:
• Strictly speaking, means the attackers and defenders have the same knowledge regarding the game (i.e., equal players)
• Within the security context this is more accurately viewed as the attacker having the potential to have the same level of knowledge as the most knowledgeable defender.
• Directly implies "security-by-obscurity" is untenable
• Defender needs to assume they are "playing" against the best attacker.

A note on cryptography:
Assume that if properly used then breaking the key is computationally infeasible.
But the attacker may be the corporate personnel entrusted with the key(s).
So cryptography is the solution iff it itself is provably the "weak" link:
• Security is achieved since the "weak" link is computationally infeasible to circumvent.

Page 18: Attacker Model (cont.)

More formally (the Greek symbols of the original did not survive extraction; α_j is used here as the stand-in for an atomic attack):
• A set of atomic attacks {α_1, α_2, ..., α_N} exists.
• Composite attacks are composed of sequences of atomic attacks (i.e., J = {α_i, α_j, ..., α_k})
• J is an index set on {1, ..., N} (with non-unique entries allowable)
• On each turn the attacker "plays" the next atomic attack which maximizes their perceived utility.
  This choice must be based on their current degree of knowledge about the game
  • (i.e., all the information they possess regarding the state of the network, its defenses, and the defensive tactics being employed).
  Also based on the subset of the attack space that is known to the given attacker(s)

Page 19: Attacker Notation

A_k: a given attacker
T(α_j): time required for A_k to enact attack α_j (after this point the defender has incurred a loss)
G_k: A_k's current goal
N_k(t): A_k's current information regarding the targeted network (inclusive of defenses)
u_k(α_j, t | G_k, N_k(t)): A_k's perceived utility gain obtained from enacting α_j at time t (u_k is a stand-in for the utility symbol lost in extraction)

Page 20: Attacker Notation (cont.)

c_k(α_j, t): A_k's perceived cost to enact α_j at time t
C_k*: A_k's maximum palatable cost to achieve the goal G_k.

Note:
• This model can be trivially extended by allowing G_k and C_k* to be time-dependent parameters.
• Thereby reflecting the attacker's information gains (or their perceived gains).
• In this manner, opportunistic changes in the attacker's objectives can be accounted for.

Page 21: A_k's Goal

• At each decision point t_m choose the α_j satisfying

  \alpha_j = \arg\max_{j \in J_m} \hat{u}_k(\alpha_j, t_m \mid G_k, \hat{N}_k(t_m))

• Subject to the constraint

  \hat{c}_k(\alpha_j, t_m) + \hat{c}_k(t_m \mid J) \le C_k^*

  where \hat{c}_k(t_m \mid J) is the cost already accumulated on the composite attack J up to t_m, and the hats denote A_k's own estimates.

Page 22

[Figure: A_k's decision loop. The attacker holds goal G_k, cost ceiling C_k*, and estimate N̂_k(t) of the Targeted Network; the utility function u_k(·) selects the next α_j to play, and the loop repeats if G_k is not reached & C_k* is not exceeded.]

Page 23

[Figure: Cost vs. Time for attacker A_k. At decision points t_1, t_2, t_3, ... the attacker refreshes N̂_k(t_i), plays atomic attacks (α_j, α_k, α_m, α_n, α_p, ...) chosen by u_k(·), and the accumulated cost ĉ_k(t_i | J) rises toward the ceiling C_k*; the game ends at t_n when goal G_k is reached or C_k* is exceeded.]

Page 24: Defender Model

Formally:
• Set of deployed sensors S = {s_1, s_2, ..., s_N}.
• An α_j is detected if it triggers at least one alert, alert_k(α_j), from a deployed sensor s_k
  S describes the defender's observability: α_j's not covered by S go undetected. Only part of the attack space may be observable by S.
• Each sensor produces an asynchronous stream of alerts, alerts(J), in response to an attack
• Goal: correlate these alerts to generate a tactical assessment

Page 25: Defender Notation

θ_j(t) = {alert_k}: a cluster of alerts existing at time t (θ is a stand-in for the cluster symbol lost in extraction)
Θ(t) = {θ_j(t)}: current set of generated alert clusters
Ĝ_k: defender's estimate of A_k's current goal
N̂_d(t): defender's estimate of the state of the network at t
û_d(α̂_j, t | Ĝ_k, N̂_d(t)): defender's current estimate of A_k's perceived utility gain in their enacting α_j at time t, conditioned on the defender's estimates of G_k and N_k(t).

Page 26: Defender Notation (cont.)

λ(α_j): loss incurred by attack α_j (λ is a stand-in for the loss symbol lost in extraction)
λ̂(α̂_j): estimated loss incurred due to the estimated attack α̂_j
L̂(t | Θ(t)): total estimated losses given the estimated attacks up to time t
r_j ∈ R_d: response from the set of available responses R_d
r_j*: response that minimizes losses incurred from attack α_j

Page 27: Defender Notation (cont.)

ĉ_d(r_j, t | N̂_d(t), {α̂_j}): estimated cost of enacting response r_j at time t.
Ĉ_d({r_j}, t | N̂_d(t), {α̂_j}): estimated total cost of enacting a set of responses {r_j} at time t.

Page 28: Defender's Goal

• At each decision point t_m choose the {r_j} that satisfies

  \{r_j\} = \arg\min_{\{r_j\}} g\left[ \hat{L}(t_m \mid \Theta(t_m)),\ \hat{C}_d(\{r_j\}, t_m \mid \hat{N}_d(t_m), \{\hat{\alpha}_j\}) \right]

• Where g(.) is a defender-chosen function that balances the expectation of loss against the estimated costs of enacting the chosen responses.
• Obviously, the optimum will be achieved iff at each decision point

  \{r_j\} = \{r_j^*\}
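The selection rule above, worked through as an added example (this is not code from the original presentation): a small Python search that enumerates every response set {r_j} drawn from R_d and keeps the one minimizing g(L̂, Ĉ_d) when the current cluster is consistent with several estimated attacks, i.e. the one-to-many case. The additive form of g, the probability the defender attaches to each attack hypothesis, and every loss, cost and coverage figure are assumptions introduced for the illustration; the slides supply only the symbols.

```python
"""Risk-based response selection under a one-to-many cluster-to-attack mapping.

Added example, not from the original presentation.  It follows the slides'
defender model: the current cluster is consistent with several estimated
attacks alpha_hat_j, each with an estimated loss; responses r_j come from R_d,
each with an estimated cost; g(.) balances expected loss against response cost.
Assumptions (not from the slides): g is additive, the defender attaches a
probability to each attack hypothesis, and all figures below are constructed.
"""
from itertools import combinations

# Estimated attacks the cluster could correspond to (the one-to-many case):
# name -> (defender's probability estimate, estimated loss if unmitigated).
ATTACK_HYPOTHESES = {
    "worm_propagation": (0.50, 800.0),
    "targeted_exfil":   (0.35, 2000.0),
    "recon_only":       (0.15, 50.0),
}

# Available responses R_d: name -> (estimated cost of enacting it,
# set of hypothesised attacks it mitigates).  Constructed values.
RESPONSES = {
    "quarantine_host":   (300.0, {"worm_propagation", "recon_only"}),
    "block_egress":      (500.0, {"targeted_exfil"}),
    "rate_limit_subnet": (150.0, {"worm_propagation"}),
}


def expected_loss(hypotheses, mitigated):
    """L_hat: expected loss over the hypotheses the chosen responses leave uncovered."""
    return sum(p * loss for name, (p, loss) in hypotheses.items()
               if name not in mitigated)


def total_cost(responses, chosen):
    """C_hat_d({r_j}): total cost of enacting the chosen response set."""
    return sum(responses[r][0] for r in chosen)


def g(loss, cost):
    """Defender-chosen balance function; plain addition here (assumption)."""
    return loss + cost


def coverage(responses, chosen):
    """Union of the attacks mitigated by the chosen responses."""
    covered = set()
    for r in chosen:
        covered |= responses[r][1]
    return covered


def select_responses(hypotheses, responses):
    """argmin over every subset {r_j} of R_d of g(L_hat, C_hat_d).

    Returns (chosen response names as a sorted tuple, value of g)."""
    names = sorted(responses)
    best, best_value = (), float("inf")
    for k in range(len(names) + 1):
        for chosen in combinations(names, k):
            value = g(expected_loss(hypotheses, coverage(responses, chosen)),
                      total_cost(responses, chosen))
            if value < best_value:
                best, best_value = chosen, value
    return best, best_value


def enact_everything(hypotheses, responses):
    """The alternative the slides warn about: enact all supportable responses."""
    chosen = tuple(sorted(responses))
    return chosen, g(expected_loss(hypotheses, coverage(responses, chosen)),
                     total_cost(responses, chosen))


if __name__ == "__main__":
    print("risk-based:", select_responses(ATTACK_HYPOTHESES, RESPONSES))
    print("everything:", enact_everything(ATTACK_HYPOTHESES, RESPONSES))
    # One-to-one mapping: a single hypothesis with probability 1 collapses
    # the search to that attack's loss-minimising response r_j*.
    print("one-to-one:", select_responses({"targeted_exfil": (1.0, 2000.0)}, RESPONSES))
```

With these constructed figures the unmitigated expected loss is 1107.5; enacting every response costs 950 for zero residual loss, while the risk-based choice (block egress plus rate-limit the subnet) scores 657.5 because it accepts the 7.5 of residual loss from the cheap "recon only" hypothesis rather than paying 300 to quarantine. When the mapping is one-to-one (a single hypothesis with probability 1) the same search returns that attack's r_j*, which is the point of the slide: the search is only needed because the cluster does not pin down the attack.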

Page 29

[Figure: the defender D's decision loop. Sensors s_1, s_2, ..., s_n on the Defended Network feed D, who maintains the network estimate N̂_d(t) and selects a response set {r_j} from R_d against the attacks α_n, α_k, α_q in progress.]

Page 30

[Figure: Cost and Loss vs. Time for the defender. At each decision point t_1, t_2, t_3 the defender refreshes N̂_d(t_i), estimates the loss L̂(t_i | Θ(t_i)) and the response cost Ĉ_d({r_j}, t_i | N̂_d(t_i), {α̂_j}), and enacts the response sets {r_j}_{t_0}, {r_j}_{t_1}, {r_j}_{t_2}.]

Page 31: Returning to Correctness

Even with this model general correctness cannot be assessed. Further simplify the problem:
• Assume a defender-idealized case:
  No false alarms
  All attacks trigger at least one alert
  • i.e., complete observability over the union of all attackers' attack spaces
  The correlation system and the sensor suites are themselves unassailable
• Now the attackers' only option is to manipulate their attacks to cause the defender to select a sub-optimal response
• This is impossible if there is a one-to-one mapping between enacted attacks and generated clusters.
• If there is a one-to-many mapping then the defender must choose which response to perform
  Risk analysis allows for such a selection.
  The assumption is that enacting all supportable responses comes at a higher cost.

Page 32

When can one-to-one mappings be guaranteed?
• Trivial case (guaranteed):
  All attacks trigger at least one uniquely identifiable alert
  Problem reduces to focusing only on these unique alerts
  • No alert clustering is required.
  • One-to-one mapping guaranteed.
  • No possibility for sub-optimal response
  • Would require provably orthogonal alerts
• Non-trivial case (not guaranteed):
  Attacks are identifiable through sets of non-unique alerts
  • Denote these as the attack's critical alerts
  • Can focus solely on what happens to these alerts
  • These alerts must be provably correctly clustered for there to be a one-to-one mapping
  But this cannot be proven even in the idealized case, since the attacker can influence how critical alerts are clustered.

Page 33: Standard Clustering Algorithm

Two-stage algorithm:
• Each arriving alert_k is placed into all clusters within the clustering stage that it is "close to".
  "Close" is defined by an implemented similarity metric d(alert_k, θ_j)
• A new cluster is started iff the given alert_k does not match any of the existing clusters.
• Once the age of a cluster has exceeded a pre-defined threshold, L, the cluster is passed on to the merging stage.
  In general, this threshold would be attack-class specific.
• If this cluster is "close" to one of the existing merging-stage clusters then the two clusters are merged.
• Otherwise it becomes the newest merging-stage cluster.

[Figure: Alert Streams → Clustering Stage → Cluster Merging Stage → to Higher Analysis Layers]

Page 34: Attacker's Influence

How can the attacker cause a mis-clustering of at least one of the critical alerts?
Assume the similarity metrics are ideal.
The attacker can influence the cluster contents by exploiting the timing characteristics introduced by L.
Fundamentally, the first critical alert arriving from an attack must not correctly initiate its cluster.
This is guaranteed to happen if there exist pre-existing clusters that can "absorb" this alert, i.e., if the attacker initiates such clusters beforehand.
The defender then must mis-assign at least one of the critical alerts.
Therefore, at least one sub-optimal response will be made.
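The absorption described above, simulated as an added example (this is not code from the original presentation): a Python implementation of the two-stage clustering algorithm of the previous slide, run against an attacker who seeds a low-value decoy cluster on the target shortly before the real attack's first critical alert arrives. The similarity metric (same target host, standing in for the slides' idealized d(alert_k, θ_j)), the age threshold L = 30 s, and all of the alerts are constructed assumptions.

```python
"""Two-stage alert clustering (clustering stage, then merging stage) and the
cluster-absorption influence described on the slide above.

Added example, not from the original presentation.  Assumptions: the
similarity metric is "same target host" (standing in for the slides'
idealised d(alert_k, theta_j)); the age threshold L is a single global
constant; the alerts below are constructed, not captured from any sensor.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    t: float       # arrival time at the correlation system (seconds)
    sensor: str    # which sensor s_k produced it
    sig: str       # signature / alert name
    src: str
    dst: str


@dataclass
class Cluster:
    alerts: list = field(default_factory=list)
    created: float = 0.0

    @property
    def dst(self):
        return self.alerts[0].dst

    @property
    def label(self):
        # A cluster is characterised by the alert that initiated it, so an
        # attack whose first critical alert is absorbed elsewhere never
        # becomes a cluster of its own.
        return self.alerts[0].sig


def close(alert, cluster):
    """Similarity metric d(alert_k, theta_j): same target host (assumption)."""
    return alert.dst == cluster.dst


class TwoStageCorrelator:
    def __init__(self, age_threshold):
        self.L = age_threshold
        self.clustering = []   # open clusters in the clustering stage
        self.merging = []      # clusters handed to the merging stage

    def feed(self, alert):
        """Place an arriving alert; return 'new' if it started a cluster or
        'absorbed' if existing open clusters took it."""
        self._age_out(alert.t)
        matched = [c for c in self.clustering if close(alert, c)]
        if matched:
            for c in matched:          # every close cluster receives it
                c.alerts.append(alert)
            return "absorbed"
        self.clustering.append(Cluster([alert], created=alert.t))
        return "new"

    def _age_out(self, now):
        """Clusters older than L leave the clustering stage for merging."""
        remaining = []
        for c in self.clustering:
            if now - c.created > self.L:
                self._merge(c)
            else:
                remaining.append(c)
        self.clustering = remaining

    def _merge(self, cluster):
        for m in self.merging:
            if close(cluster.alerts[0], m):   # close to an existing merged cluster
                m.alerts.extend(cluster.alerts)
                return
        self.merging.append(cluster)          # otherwise newest merging cluster

    def find(self, alert):
        """Labels of every cluster (both stages) that contains `alert`."""
        return [c.label for c in self.clustering + self.merging if alert in c.alerts]


TARGET = "10.0.0.5"
# Constructed critical alert: the one alert that identifies the attacker's
# real action against TARGET.
CRITICAL = Alert(t=100.0, sensor="nids", sig="EXPLOIT_SMB_RCE",
                 src="203.0.113.7", dst=TARGET)


def run_scenario(decoy_lead, age_threshold=30.0):
    """Attacker sends a low-value decoy alert `decoy_lead` seconds before the
    critical alert (None = no decoy); returns (placement of CRITICAL, labels
    of the clusters it ended up in)."""
    corr = TwoStageCorrelator(age_threshold)
    if decoy_lead is not None:
        decoy = Alert(t=CRITICAL.t - decoy_lead, sensor="nids", sig="SCAN_PORTSWEEP",
                      src="198.51.100.9", dst=TARGET)
        corr.feed(decoy)
    return corr.feed(CRITICAL), corr.find(CRITICAL)


if __name__ == "__main__":
    print("no decoy:        ", run_scenario(None))
    print("decoy 5 s before:", run_scenario(5.0))
    print("decoy 60 s before:", run_scenario(60.0))
```

Without a decoy the critical alert starts its own cluster, labelled by the exploit signature. With a decoy scan seeded 5 s earlier the open decoy cluster is "close" to the critical alert, so the alert is absorbed and no cluster is ever initiated for the real attack; whatever higher layer reads the cluster sees a port sweep. Seeded 60 s earlier the decoy has already aged past L into the merging stage and the trick fails, which is the timing dependence on L the slide refers to: the attacker has to keep an absorbing cluster open in the clustering stage at the moment the first critical alert lands.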

Page 35: Are Deeper Levels of Risk Analysis a Requirement for Enabling Optimal Tactical Responses in INFOSEC Alert Correlation Systems ? Stephen Neville Electrical

Relevance to Operational Networks

 Such attacks could only be exploited by knowledgeable attackers.

• Outside the realm of “script-kiddies”

• Principal advantage: provides an attack methodology that would not trigger the “arms race”.

 Worthwhile for highly skilled attackers.

 Intrinsic issue within the design of correlation systems

• Cannot be solved by adding more sensors

• Requires that the potential for one-to-many mappings be addressed.

• Adding deeper levels of risk analysis would at least allow the defender to minimize their expectation of loss conditioned on their current information.

• Hard real-time tactical defense constraint requires a response to be made before T(j) expires.

Page 36

Conclusions

 Correctness is as important as data reduction.

 Maliciousness:

• Makes correctness hard to assess.

• Engenders the need to prove one-to-one mappings exist in the real world

• Or, to develop techniques to address one-to-many mapping. Deeper levels of risk analysis being one such technique.

 Defender has no information to allow a selection from the plausible attacks based on the observed evidence.

 Hard real-time constraints mean the defender cannot wait until this information comes in.

• Assuming losses accumulate as attacks progress.

 Minimizing the expectation of loss directly implies a need to perform risk analysis if one-to-one mapping cannot be proven.

Page 37

Conclusions (cont.)

 Otherwise,

 A knowledgeable attacker can gain a significant advantage

• Specifically, an attack methodology that will not trigger the “arms race”.

• The defender thinks they stopped the attack, so why change the defenses

• Only the attacker knows the true attack.

• Such a class of attacks is outside the observability of current methods.

• A “holy grail” for the attackers

 An attack that is simultaneously:

• Detected by the sensors

• But is outside the defender’s observability (if one-to-one mappings are assumed).

• Potentially costly to find, but likely worth the effort for higher end targets.

• May be easier than trying to discover new attacks against hardened targets.

Page 38

Questions?