Malware Mimics for Network Security Assessment
CDR Will Taff
LCDR Paul Salevski
March 7, 2011
Agenda
• Motivation
• Introduction
• Vision
• Proposal
• What we did
• Way Ahead
Motivation
Motivation – In the Lab
• Currently, DoD relies on Red Teams (trusted adversaries) for Information Assurance (IA) testing and evaluation of military networks
• This approach is unsatisfactory:
  • Relies on a constrained resource (Red Teams)
  • Limited in scope of effects (safety/risk to host network)
  • Non-uniform/inconsistent application
  OR
  • Confined to laboratory setting (not “Train Like Fight”)
Introduction
Introduction - The Way the Navy Is
[Diagram: Internet; Global Information Grid (GIG), owned and operated by DISA; Network Operating Centers; SIPR, NIPR, JWICS and CENTRIXS networks]
Proposal
• We propose the development of a distributed software system that can be used by either simulated adversaries (such as Red Team) or trusted agents (such as Blue Team) to create scenarios and conditions to which a network management/defense team will need to react and resolve.
Vision
[Diagram: STEP Site Northwest, VA; Ft. Meade, MD; Norfolk, VA (MM-Server); Global Information Grid (GIG); USS Arleigh Burke (MM-Clients)]
Malware Mimic
• Have the “trainer” sitting anywhere
• Trainer remotely controls a network of pre-installed software nodes on the training network simulating network malware/mal-behaviors
  • Simulate virus
  • Simulate bots
  • Simulate Internet worms
  • Simulate malicious “hackers”
• “Trainee” reacts to simulated effects in the same manner as actual threats
• Network nodes consist of Java software packages running on top of pre-existing and unmodified network hosts
  • No (unwanted) impact to users
  • No need for additional hardware
• Network nodes coordinate effects via a Trainer-controlled Command and Control Server
  • Local or Offsite
• Solves the problem of “flying in” a red team
Architecture
Anatomy of an Attack
Anatomy of an Attack with MM’s
Architecture - Physical Layout
Virtual Layout
Results

Way Ahead
• More complex network architecture
• More complex Malware Mimics
• Focus on higher security
• Installation and testing onto larger and operational networks
• Communication between MM-Clients
Questions
CDR Will Taff – [email protected]
LCDR Paul Salevski – [email protected]