Sachs Cyber TA ThreatOps

Information about Sachs Cyber TA ThreatOps

Published on March 5, 2008

Author: Callia



Cyber - Threat Analytics
Threat Operations Center, Washington, D.C.
Marcus H. Sachs, P.E., SRI International, 703-247-8717

Agenda
- Internet Threats, 2006
- New Attack Methods
- The Need for a New Approach
- The CyberTA Threat Operations Center

In the Beginning
- ARPANET was “born” in 1969 as a DoD experiment
- A culture of sharing and openness
  - Government funded, academic focus
  - Documentation based on Requests for Comments
- User communities
  - Largely government/military/academia
  - Virtually no talk of commercial or industrial use
- Security through obscurity was king
- Home users and hobbyists connected via dial-up bulletin board systems, not the ARPANET

And Then There Were Packets
- Infrastructure technologies
  - Interface Message Processors
  - Packet switching with gateways between networks
  - Hosts.txt file updated a few times per month
- End point technologies
  - Timesharing mainframes
  - No personal computers, wireless, or hand-held devices
- Data exchange technologies and protocols
  - FTP, telnet, SMTP, rlogin in use since mid-1970s
  - Domain Name System introduced in 1980s
  - Hypertext and World Wide Web proposed in late 1980s

Most Early Protocols Had Known Security Issues
- Sniffing clear-text passwords (ftp, telnet, smtp/pop, http)
- Spoofing (tcp and udp packet sources)
- Denial of service (echo vs chargen ports)
- Flooding attacks (SYN and RST)
- DNS cache poisoning (unvalidated dns responses)
- Mapping (traceroute using TTL and ICMP)

Others Created New Problems We Deal With Today
- Tunneling (data fields in packet headers)
- Sensor evasion (fragmentation reassembly)
- Fingerprinting (analysis of responses to crafted packets)
- Unsolicited bulk email (forged smtp headers)
- Phishing (unvalidated http transactions)
- Identity theft (open databases of personal information)

Threat Groups and Actors
- Espionage
  - State-sponsored or corporate electronic spying
  - Typically “open source” data collection
- Terrorist groups
  - Covert communications channels
- Criminal activity
  - Credit card theft, child pornography, copyright infringement
  - Spyware and other unauthorized cyber tracking software
  - Phishing emails and fake websites
  - Encrypting files followed by extortion to unencrypt
- Insiders
  - Unauthorized disclosure of intellectual property
- Hackers
  - Worms, viruses, malicious software, website defacements, and adolescent pranks

Where are all the Worms?
- We thought that the Internet would get wormier
- But in fact it has not!
- The trend was clear:
  - 2001: Li0n, Code Red, Nimda
  - 2002: Slapper, Klez
  - 2003: SQL Slammer, Blaster, SoBig
  - 2004: Sober, MyDoom, Witty, Sasser
- Since 2004 there have been no new major worm outbreaks
- WHY? Where is the MS06-040 or -042 worm?

The Rise of the Bots
- Bot = Robot, or autonomous software
- Sometimes called zombies or slaves
- The latest wave of malicious software introduced to the Internet
  - Highly complex
  - Evolving
  - In many cases hard to detect or remove
- Original bots were IRC-based
- New vulnerabilities lead to new bots, not new worms

New Frontier: “Zero-Day” Attacks
- Find a vulnerability in a common software package or application
- Do not notify the software company
- Develop a working exploit that takes advantage of the vulnerability and keep the exploit a secret
- Subvert a target organization by flooding the victim with zero-day attachments or pointers to infected web sites
- Microsoft products are a favorite choice
  - Internet Explorer in August 2005, April, Aug, and Sept 2006
  - Windows Meta File (.wmf) in December 2005
  - Microsoft PowerPoint in July and August 2006
  - Microsoft Word in May and August 2006

So Who is Attacking Me?
- 1970s: virtually no attacks
  - Heck, the networks were hard enough to run, why attack them?
- 1980s: academic attacks
  - Brain virus, Morris worm
- 1990s: script kiddies take charge
  - Web site defacements, parlor tricks with Trojan horses, email viruses, worms
- 2000s: value-oriented attacks, espionage, and terrorists
  - Bots, root kits and zero-day vulnerabilities

Technical Terrorists and 4G Warfare
- Most terrorist groups are thought of as low-tech, not capable of cyber destruction
- But the next attack may not be directed against the Internet itself
  - It might very well be directed towards our way of life
  - Goal might be to disrupt our economy
  - One way to achieve that goal would be to cause disruptions and havoc in our networks, grids, and communications systems
- 4th Generation Warfare is here
  - “Non-state actors” with private funding, training, and goals
  - Information operations is central to 4G warfare

Recruiting
- Most terrorist groups recruit for multiple skill sets
  - Physical strength and endurance
  - Intelligence
  - Business and financial capabilities
  - Technical skills
- Many al-Qaeda members have college degrees and advanced training in technical fields
- Terrorist groups understand the power of information control and will use it as a weapon

Indications and Warnings
- Disruption of the Afghanistan center of al-Qaeda in 2001-2002 resulted in a different C2 structure
- Internet is a perfect place for new operations
  - No centralized control
  - No “legitimacy of the state”
  - Sympathizers in other countries can “help” via on-line activity
    - Particularly idealistic youthful hackers
- Airplane attacks in 2001 were predicted by intelligence analysts
- Is a future terrorist cyber attack also predictable?

International Espionage
- China is our number one threat
  - University students on academic visas
  - “Professional” hacking clubs in China
  - Titan Rain intrusion set
- Source code to Microsoft Windows and Office is available in China
- Most of the recent zero-day attacks against Microsoft Office products came from China

Hostile Word File From China

Organized Crime and Fraud
- Dangerous combination of
  - Spammers
  - Hackers
  - Professional criminals
- US Secret Service, FBI, RCMP, Scotland Yard, and others currently investigating fraud cases totaling in the hundreds of millions of dollars
- International crime rings
  - Use zero-day vulnerabilities in browsers
  - New attacks involve mirroring a victim’s clipboard in addition to keylogging

The Criminal’s Playground
- The Internet is a “perfect” place for crime
  - No taxes, therefore no tax evasion
  - Value in everything online
  - Anonymous access to vast resources
  - Criminal tools look and act like lawful tools
  - No national or political boundaries
  - Laws and law enforcement are limited
  - Numerous opportunities for money laundering (PayPal, etc.)
  - Millions of clueless victims

A Criminal’s Tool Box
- “Script kiddies” are frustrated by the complexity of attack tools
- Need to bring order to the chaos of exploit development
  - Too many vulnerabilities
  - Too many payloads (actions on the target host)
- Software developers have common tools and shared libraries
- Why not build a framework that pulls it all together for exploit developers?
- And make that framework open source – i.e., FREE!

The Ultimate Weapon
- The best weapons are the simplest
- New wave of hacking tools are updated as new exploits are found
- Lethal when combined with a scanner
- Interface is a GUI Windows/Linux application or web application
- Metasploit is most popular
  - Contains dozens of canned exploits
  - Makes hacking as easy as a mouse click
  - No understanding of computer science needed
- Gaining in popularity with both attackers and defenders

Pure Evil: Metasploit
- 153 Exploits
- 75 Payloads
- Multiple targets
  - BSD, IRIX, Linux, Mac, Microsoft, Solaris
- Point-n-Click Interface
- Version 3.0 is latest

The Future of Network Attacks
- DDoS attacks will decrease
  - New mitigation tools are working
  - “Real Hackers” don’t DoS
  - Bot Armies will be used for distributed computing rather than DDoS
- Fraud will increase while worms decrease
  - Too many juicy targets, including critical infrastructures and control systems
  - Too much value in the Internet to ignore
  - Watch for VOIP and streaming video fraud
  - Online gaming community is a valuable target too
- Network components will become targets of opportunity
  - Voice Over IP, Video Over IP: all are potential future targets
- In nearly all cases, future attacks will leverage historically insecure protocols and technologies!

The Future of Computer Security Research
- As attack tools get more complex, research funding and efforts must increase
- Cyber security funding will always compete with the physical threat mitigation community
  - Chemical, Radiological, Nuclear, Biological are hot
  - Cyber threats are “invisible” and hard to quantify
- Governments, private companies, universities, and citizens must look toward the future
  - Our economic survival is at stake
- Research collaboration must mirror attack community collaboration levels

Our Challenge
- Current tools to detect attacks and defend our networks are based on 1990s threat models
  - Anti-virus
  - Worm detection
  - DDoS prevention
  - Scan, probes, and other flow-based tools
- New tools and analysis techniques need to be developed to detect and mitigate the new attack methods

We Need To:
- Create a centralized threat coordination and Internet monitoring center
  - Including research and operational partners
- Distribute sensor data repositories across the consortium partnership
- Develop methods of sharing meta data while ensuring privacy and anonymity
- Develop new ways to visualize emerging threats and to understand their meanings

Next-Gen Threat Analysis Centers
- Must support highly automated threat diagnosis and prioritization
- Must scale to alert volumes and data sources covering millions of IP addresses
- Must be able to rapidly distribute actionable information back to user communities
- Must be able to fuse data from multiple sources, most of which are not related
- Must also be sensitive to data privacy and anonymity concerns

Cyber-TA Project Directions
- Internet-scale collaborative sharing of sensitive information to support analysis and correlation
- Real-time malware focused alert correlation analysis
- Rapid threat warning dissemination that leverages new collaborative data analysis capabilities
- Open-source software releases, capability demonstrations, and commercial integration

Cyber-TA Research Directions
- Some existing repositories collect millions of data elements per day
  - Latency could be an hour or more
  - Little or no client-side correlation
- Cyber-TA seeks to
  - Reduce detection and correlation latency
  - Produce client-side meta data that will supplement local sensor alert data
  - Discover new analysis methods to assist in identifying new malware and threat tools

Ops Center Analytical Capabilities
- Current threat operations centers primarily focus on reactive measures such as
  - IP blacklists
  - Port statistics and analysis
  - Historical trends
- New threat operations centers need to adopt innovative techniques such as
  - Sensor meta-data sharing and analysis
  - Publishing consensus-based signatures
  - Sharing honeynet and malware collections
  - Sharing botnet command and control data
  - Dynamic updates to firewalls and IPSs
  - Detecting changes to DNS, BGP, and other mechanisms
  - Using application crash analysis tools for early detection of zero-day attacks

Ops Center Usage Scenarios
- Where the degree of trust between organizations is unknown
  - Consensus-based release of sensor data and analysis facilitated by
    - Out-of-band trust relationships
    - Exchange of encryption keys
    - Secure multi-party computation schemes
- Data distribution between “natural competitors” or non-sharing parties
  - Can enemies share technical data anonymously?

CTA Threat Operations Center
- Alert repository database service
- Analysis and data coordination center
- Programmable interfaces for data feeds
- Public and private web portal
- Data visualization
- Host technology demonstrations and briefings
- Capable of supporting limited real-world operations with a few hours notice

High Level Deployment Scenario
- Immediate priority is to improve protection of DoD deployed networks
- Secondary are CONUS and OCONUS WANs such as NIPRNET and SIPRNET
- Later: domestic ad-hoc networks in support of emergency response scenarios
- Recommend deployment of a prototype CTA system in a mature AOR within six months of successful demonstration in CONUS

Roadmap for Deployment: Sensors
- Use devices already in place as sensors
  - Firewalls
  - Intrusion detection systems
  - Routers and switches
  - Host-based intrusion prevention systems
- Deploy a script that “scrapes” the needed data from the local sensor logs
  - Extractions become part of CTA system
- Advantage: no new hardware devices or “bumps in the wire”
- Disadvantage: no control over signatures or configuration
- Cyber-TA will use both old and new sensor systems

Roadmap for Deployment: C2
- Initial C2 will be internal to SRI
  - SRI researchers in Menlo Park
  - Research partners in other USA locations
  - Prototype operations center and analysis in Washington, D.C.
- Later we plan to leverage existing DoD C2 relationships
  - JTF-GNO
  - RCERTs, ACERT, AFCERT, NAVCIRC, MARCERT, NSIRC
- Long term goal is to transition technologies and lessons learned to the JTF-GNO and components

Operations Center Personnel
- SRI Staff (Washington, D.C.)
  - Site Director
  - Deputy Director and Project Coordinator
  - Web Site Administrator
  - Database Administrator
  - Network Administrator
- Consultants (Outside of Washington)
  - DShield
- Graduate Students (Local University)
  - Two or three CompSci/InfoSec students

Equipment Block Diagram
(diagram; labels on the slide: LCD Monitor, Sensors, Mixnet, Server Room, Demo Room, SRI-WDC Frame Room, Other servers)

Web Site
- It’s not pretty, but stay tuned.....

Contact Information
Marcus H. Sachs, P.E.
1100 Wilson Blvd, Ste 2800
Arlington, VA 22209
703-247-8717
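As an added example (not code from the presentation or the Cyber-TA project), the Python script below sketches two of the steps the deck describes: the "Roadmap for Deployment: Sensors" idea of a script that scrapes alert meta data from existing firewall and IDS logs, and the "We Need To" requirement of sharing that meta data while preserving privacy and anonymity. Source addresses are replaced by a keyed HMAC token and destination addresses are dropped before a record leaves the site; the log formats, the per-site key and the HMAC pseudonymisation scheme are assumptions, not something the slides specify.

```python
import hmac, hashlib, re, json

# Constructed sample sensor log lines (not from the presentation): two iptables-style
# firewall entries, one Snort-style "fast" IDS alert, and one unrecognised line.
SAMPLE_LOGS = [
    "Mar  5 10:14:22 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=44512 DPT=445 SYN",
    "03/05-10:14:25.113 [**] [1:2003:8] SQL Slammer worm propagation attempt [**] {UDP} 203.0.113.7:1434 -> 192.0.2.11:1434",
    "Mar  5 10:14:30 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.12 PROTO=TCP SPT=44513 DPT=139 SYN",
    "this line is not a recognised sensor record",
]

IPTABLES_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")
SNORT_RE = re.compile(r"\[\*\*\] \[(\S+)\] (.*?) \[\*\*\] \{(\w+)\} (\S+?):(\d+) -> (\S+?):(\d+)")

def pseudonymise(ip, key):
    """Keyed HMAC of an address (assumed scheme). The same attacker IP yields the same
    token at this site, so partners can correlate repeat sources across records, but the
    token cannot be reversed without the site key."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]

def scrape(lines, site_id, key):
    """Extract shareable meta data from local sensor logs. Destination addresses and
    source ports stay on site; unrecognised lines are dropped rather than forwarded."""
    records = []
    for line in lines:
        m = IPTABLES_RE.search(line)
        if m:
            src, _dst, proto, _spt, dpt = m.groups()
            records.append({"site": site_id, "sensor": "firewall", "src": pseudonymise(src, key),
                            "dport": int(dpt), "proto": proto.lower(), "sig": None})
            continue
        m = SNORT_RE.search(line)
        if m:
            sid, msg, proto, src, _spt, _dst, dpt = m.groups()
            records.append({"site": site_id, "sensor": "ids", "src": pseudonymise(src, key),
                            "dport": int(dpt), "proto": proto.lower(), "sig": f"{sid} {msg}"})
    return records

def summarise(records):
    """Count hits per (pseudonymous source, destination port): a port-statistics feed
    a threat operations center can aggregate without learning real addresses."""
    counts = {}
    for r in records:
        counts[(r["src"], r["dport"])] = counts.get((r["src"], r["dport"]), 0) + 1
    return counts

if __name__ == "__main__":
    key = b"site-secret-key-placeholder"  # constructed; in practice a per-site key exchanged out of band
    recs = scrape(SAMPLE_LOGS, "site-A", key)
    print(json.dumps(recs, indent=1))
    print(summarise(recs))
```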
