The Technicalities of Active Response

The Technicalities of Active Response
Sergio Caltagirone
April 26, 2005
CS 523 – Net Sec

What Is Active Response?

- Design
- Protect
- Detect
- Respond
- Forensics

Any action sequence deliberately performed by an individual or organization between the time an attack is detected and the time it is determined to be finished, in an automated or non-automated fashion, in order to mitigate the identified threat’s negative effects upon a particular asset set.

Taxonomy of Actions

8 Types:
  – No Action
  – Internal Notification
  – Internal Response
  – External Cooperative Response
  – Non-cooperative Intelligence Gathering
  – Non-cooperative ‘Cease and Desist’
  – Counter-Strike
  – Preemptive Defense

No Action

- Under attack, conscious decision to take no action

Internal Notification

- Contact Administrators
- Contact CTO, CEO, CISO
- Contact Users

Internal Response

- Write Firewall Rules (firewall signaling)
  – Block IP, range of IPs, block specific ports
- Strategic Segmentation/Disconnection
  – NAT, change subnets, re-address, remove port
- Drop Connections
  – TCP RST packet to client AND server
  – Use ICMP (port, host, network unreachable) – UDP
  – Unreliable, must come in sequence

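The Internal Response slide lists three mechanisms but not how an automated responder chooses among them or what a dropped connection actually requires. The following is an added example, not code from the slides or from Sergio Caltagirone: it maps a constructed IDS alert onto the first three taxonomy levels (No Action, Internal Notification, Internal Response), emits narrow, time-limited iptables rules for the block case, refuses to auto-block a safelisted source (a spoofed attacker address would otherwise let the attacker get our own users blocked), and computes the sequence numbers that the two TCP RSTs, one toward the client and one toward the server, must carry to be accepted, which is the "must come in sequence" caveat. The alert fields, severity scale, thresholds, addresses and safelist are all constructed for the example.

```python
"""Added example (not from the slides): an automated 'internal response' step.

Maps an alert onto No Action / Internal Notification / Internal Response,
emits expiring firewall rules for the last case, and computes the sequence
numbers a TCP RST needs to be accepted by each side of a connection.
All addresses, scores, thresholds and the safelist are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress
from typing import List, Optional

# Constructed safelist: ranges an automated block must never touch.  Source
# addresses can be spoofed, so blind blocking is a self-inflicted DoS risk.
SAFELIST = [
    ipaddress.ip_network("10.0.0.0/8"),     # internal range (constructed)
    ipaddress.ip_network("192.0.2.10/32"),  # partner monitoring host (constructed)
]
MAX_SEQ = 2 ** 32                            # TCP sequence numbers wrap mod 2^32
EXAMPLE_NOW = datetime(2005, 4, 26, 12, 0)   # constructed clock for the demo


@dataclass
class Alert:
    src_ip: str      # suspected attacker
    dst_ip: str      # attacked asset
    dst_port: int
    severity: int    # constructed scale, 1 (low) to 10 (high)
    count: int       # correlated events from this source so far


@dataclass
class Response:
    action: str                                      # "no_action", "notify" or "block"
    reason: str
    rules: List[str] = field(default_factory=list)   # firewall signalling, block only
    expires: Optional[datetime] = None               # blocks are temporary, never permanent


def is_safelisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SAFELIST)


def firewall_rules(src_ip: str, dst_port: int) -> List[str]:
    """Firewall signalling: block the source for the attacked port only, and log.
    A narrow rule limits the damage if the alert turns out to be a false positive."""
    return [
        f"iptables -I INPUT -s {src_ip} -p tcp --dport {dst_port} -j DROP",
        f"iptables -I INPUT -s {src_ip} -j LOG --log-prefix 'active-response '",
    ]


def decide(alert: Alert, now: datetime, block_minutes: int = 60) -> Response:
    """Map one alert onto the first three taxonomy levels."""
    if is_safelisted(alert.src_ip):
        # Never auto-block a safelisted source; escalate to a human instead.
        return Response("notify", "source is safelisted; escalate to administrators")
    if alert.severity < 3:
        return Response("no_action", "below severity threshold")
    if alert.severity < 7 and alert.count < 5:
        return Response("notify", "medium severity; notify administrators")
    return Response("block", "high severity or repeated events",
                    rules=firewall_rules(alert.src_ip, alert.dst_port),
                    expires=now + timedelta(minutes=block_minutes))


def rst_sequence_numbers(seq: int, ack: int, payload_len: int,
                         syn: bool = False, fin: bool = False) -> dict:
    """Sequence numbers for the two RSTs that tear down an observed connection.

    Inputs come from one segment seen going client -> server.  The server next
    expects seq + payload_len (+1 each for SYN and FIN), so the RST sent to it
    must carry exactly that; the client next expects the number it just
    acknowledged, so the RST sent to it must carry `ack`.  A RST outside the
    receiver's window is dropped, which is why the slides call this unreliable.
    """
    consumed = payload_len + int(syn) + int(fin)
    return {"to_server_seq": (seq + consumed) % MAX_SEQ,
            "to_client_seq": ack % MAX_SEQ}


if __name__ == "__main__":
    alert = Alert("198.51.100.7", "10.0.0.5", 22, severity=9, count=1)  # constructed
    resp = decide(alert, EXAMPLE_NOW)
    print(resp.action, "-", resp.reason)
    for rule in resp.rules:
        print("  ", rule)
    print("block expires", resp.expires)
    print(rst_sequence_numbers(seq=1000, ack=5000, payload_len=100))
```

The expiry on every block rule matters as much as the rule itself: a responder that only adds rules accumulates a permanent, unreviewed denylist, and an attacker who can trigger alerts from chosen source addresses can grow it deliberately.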
External Cooperative Response

- Contact CERT, FBI, Secret Service, Local Police, upstream ISPs
  – DShield
  – Symantec (UI)

Non-Cooperative Intelligence Gathering

- Direct attacker to honeynet/honeypot
- Use tools to determine identity of attacker
  – Ping, finger, traceroute, LSRR packets

Non-Cooperative ‘Cease and Desist’

- Use tools to disable harmful services without affecting usability
  – University scenario
  – Zombie Zapper by BindView

Active Counter-Strike

- Active Counter-Strike (direct action)
  – Worm focusing only on attacker IP or to trace back the attack and report
  – Straight hack-back
  – DoS back

Passive Counter-Strike (Cyber Aikido)

- Footprinting Strike-Back (DNS)
  – Send endless data, send bad data for illegitimate names (brute force) (e.g. defense networks), send SQL or bad data for illegitimate requests
- Network Recon Strike-Back
  – Traceroute packets (ICMP “TTL Expired”) receive spoofed random addresses (creating any network we want)
- Exploit Strike-Back
  – Send attack code back to terminal
    – Set titlebar, read titlebar to command line <CR>

Preemptive Defense

- Conexion vs. E-Hippies
  – Email bomb
- DoD vs. Zapatista
  – Killer applet

Conclusions

- Many ways to defend your systems during an attack
  – Active response goes far beyond strike-back

Questions?